The Community Forums


multiple empty sites hacked using filemanager

Discussion in 'Security' started by izghitu, Feb 3, 2013.

  1. izghitu

    izghitu Well-Known Member

    Joined:
    Aug 9, 2006
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    I have 2 cpanel servers updated to latest stable.

    Suddenly I saw html files being uploaded to empty sites with no content. The files were owned by the FTP account of each domain. I have no weak passwords.

    I checked the cpanel access logs and I can see that those were uploaded using the filemanager:
    Code:
    82.178.109.88 - kiteshop [02/01/2013:21:58:26 -0000] "GET /cpsess2904220744/frontend/x3/filemanager/live_statfiles.xml?files=%2fhome%2fkiteshop%2fpublic_html%2fx_X.txt HTTP/1.1" 200 0 "https://ip:2083/cpsess2904220744/frontend/x3/filemanager/upload-ajax.html?file=&fileop=&dir=%2Fhome%2Fkiteshop%2Fpublic_html&dirop=&charset=&file_charset=&baseurl=&basedir=" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
    82.178.109.88 - licorice [02/01/2013:21:59:50 -0000] "GET /cpsess9523827362/frontend/x3/filemanager/live_statfiles.xml?files=%2fhome%2flicorice%2fpublic_html%2fx_X.txt HTTP/1.1" 200 0 "https://ip:2083/cpsess9523827362/frontend/x3/filemanager/upload-ajax.html?file=&fileop=&dir=%2Fhome%2Flicorice%2Fpublic_html&dirop=&charset=&file_charset=&baseurl=&basedir=" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
    82.178.109.88 - nexo [02/01/2013:22:01:12 -0000] "GET /cpsess710143686/frontend/x3/filemanager/live_statfiles.xml?files=%2fhome%2fnexo%2fpublic_html%2fx_X.txt HTTP/1.1" 200 0 "https://111.118.175.25:2083/cpsess710143686/frontend/x3/filemanager/upload-ajax.html?file=&fileop=&dir=%2Fhome%2Fnexo%2Fpublic_html&dirop=&charset=&file_charset=&baseurl=&basedir=" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
    82.178.109.88 - nntrav [02/01/2013:22:03:38 -0000] "GET /cpsess5525121/frontend/x3/filemanager/live_statfiles.xml?files=%2fhome%2fnntrav%2fpublic_html%2fx_X.txt HTTP/1.1" 200 0 "https://ip:2083/cpsess5525121/frontend/x3/filemanager/upload-ajax.html?file=&fileop=&dir=%2Fhome%2Fnntrav%2Fpublic_html&dirop=&charset=&file_charset=&baseurl=&basedir=" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17"
    82.178.109.88 - redback [02/01/2013:22:07:10 -0000] "GET /cpsess6428039253/frontend/x3/filemanager/live_statfiles.xml?files=%2fhome%2fredback%2fpublic_html%2fx_X.txt HTTP
    
    
    I have security tokens enabled and everything else related to security. I have CSF installed and the server hardened to the maximum.

    So my question is: how did this happen?

    Please help
     
  2. nospa

    nospa Well-Known Member

    Joined:
    Apr 23, 2012
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Reseller Owner
    Are there any indications that those users were previously authenticated to cPanel to get the token number? Or are those the only evidence of those users' actions in the cPanel access_log?
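    A scripted version of the check nospa is asking about, added here as an example that is not from the thread: it parses lines in the access_log format quoted in the first post and flags every cpsess token that is used for File Manager requests without a login from the same IP shortly before. It assumes a successful login shows up as a POST to /login/ from the same IP (an assumption, not something the thread confirms) and runs on constructed sample lines using RFC 5737 addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the cpanel access_log format quoted in the thread:
# IP - user [MM/DD/YYYY:HH:MM:SS zone] "METHOD path HTTP/x" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^ \]]+)[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d+) \d+ "[^"]*" "[^"]*"$')
TOKEN_RE = re.compile(r'^/cpsess(?P<token>\d+)/')

def parse_line(line):
    """Parse one access_log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%m/%d/%Y:%H:%M:%S')
    tok = TOKEN_RE.match(rec['path'])
    rec['token'] = tok.group('token') if tok else None
    return rec

def find_unauthenticated_sessions(lines, window=timedelta(hours=1)):
    """Return (ip, user, token) for sessions that touch the File Manager although
    no login POST from the same IP was logged within `window` before the request.
    Assumption (not confirmed by the thread): a login appears as POST /login/."""
    records = [r for r in map(parse_line, lines) if r]
    logins = defaultdict(list)                    # ip -> login timestamps
    for r in records:
        if r['method'] == 'POST' and r['path'].startswith('/login'):
            logins[r['ip']].append(r['ts'])
    flagged, seen = [], set()
    for r in records:
        if not r['token'] or '/filemanager/' not in r['path']:
            continue
        key = (r['ip'], r['user'], r['token'])
        if key in seen:
            continue
        seen.add(key)
        if not any(r['ts'] - window <= t <= r['ts'] for t in logins[r['ip']]):
            flagged.append(key)
    return flagged

# Constructed sample (RFC 5737 addresses), modelled on the lines in the first post.
UA = '"Mozilla/5.0 (X11; Linux i686) Chrome/24.0"'
SAMPLE_LOG = [
    '198.51.100.7 - - [02/01/2013:21:50:00 -0000] "POST /login/ HTTP/1.1" 301 0 "-" ' + UA,
    '198.51.100.7 - alice [02/01/2013:21:50:04 -0000] "GET /cpsess1111/frontend/x3/filemanager/index.html HTTP/1.1" 200 0 "-" ' + UA,
    '203.0.113.5 - kiteshop [02/01/2013:21:58:26 -0000] "GET /cpsess2222/frontend/x3/filemanager/live_statfiles.xml?files=%2fhome%2fkiteshop%2fpublic_html%2fx_X.txt HTTP/1.1" 200 0 "-" ' + UA,
    '203.0.113.5 - licorice [02/01/2013:21:59:50 -0000] "GET /cpsess3333/frontend/x3/filemanager/upload-ajax.html?dir=%2Fhome%2Flicorice%2Fpublic_html HTTP/1.1" 200 0 "-" ' + UA,
]

if __name__ == '__main__':
    for ip, user, token in find_unauthenticated_sessions(SAMPLE_LOG):
        print(f'no login before File Manager use: ip={ip} user={user} cpsess{token}')
```

    On the sample, only the two sessions from 203.0.113.5 are flagged; alice's session is preceded by a login from her IP and passes.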
     
  3. izghitu

    izghitu Well-Known Member

    Joined:
    Aug 9, 2006
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    There are no indications of the users being previously authenticated. Those are the only actions in the cPanel access_log.

    I saw this happening on about 5 cPanel servers. Everything is the same: one hit, files being uploaded.
     
  4. nospa

    nospa Well-Known Member

    Joined:
    Apr 23, 2012
    Messages:
    110
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Reseller Owner
    This should be investigated ASAP by the cPanel security team! Please send them a ticket via tickets.cpanel.net; it is very dangerous if those are the only entries in access_log about the hacked accounts!

    Maybe someone from cPanel could say something here?
     
  5. LDHosting

    LDHosting Well-Known Member

    Joined:
    Jan 19, 2008
    Messages:
    93
    Likes Received:
    2
    Trophy Points:
    8
    cPanel Access Level:
    Root Administrator
    Agreed. If those are the only entries in access_log (i.e. there are no entries showing them logging in), I would definitely get a ticket opened with cPanel to have them investigate.
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,472
    Likes Received:
    200
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Assuming since these are "Empty sites", you have those strong passwords stored locally somewhere and can login to any of them yourself, have you checked your own computer for problems?

    The IP in your snip above is listed here:
    http://www.projecthoneypot.org/ip_82.178.109.88
     
  7. izghitu

    izghitu Well-Known Member

    Joined:
    Aug 9, 2006
    Messages:
    45
    Likes Received:
    0
    Trophy Points:
    6
    I did not store the passwords; those were autogenerated by cPanel when the accounts were created. I log in to those accounts via WHM.

    I have no problems on my PC. That IP is the attacker's IP.

    I found today on another account some hacker scripts which contained traces of access to /etc/passwd and other scripts. What I believe happened is the attacker got the account names from /etc/passwd then somehow got the security tokens or whatever is used to login to cpanel and used those to upload the files.

    Is there any way to protect other cPanel accounts from this kind of attack? What can be done to protect other accounts if one is hacked?
     
  8. Punked24

    Punked24 Registered

    Joined:
    Feb 8, 2013
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi izghitu, any reply from cPanel regarding this issue?
     
  9. niceboy

    niceboy Active Member

    Joined:
    Sep 29, 2011
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Did you install rack911's symlink patch?
     