MyShell PHP Exploit with DEMO accounts

Discussion in 'General Discussion' started by tAzMaNiAc, Jun 29, 2003.

  1. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    Possible MyShell PHP Exploit with DEMO accounts or something else??

    I got our server exploited by a user trying to install PsyBNC on our server for IRC bot usage.

    He used MyShell (uploaded it using the demo account!!) and then apparently used it to run psyBNC and stuff....

    FYI..

    <?php
    /*
    **************************************************************
    * MyShell *
    **************************************************************
    $Id: shell.php,v 1.1.0 beta 2001/09/23 23:25:12 digitart Exp $
    An interactive PHP-page that will execute any command entered.
    See the files README and INSTALL or http://www.digitart.net for
    further information.
    Copyright ©2001 Alejandro Vasquez <admin@digitart.com.mx>
    based on the original program phpShell by Martin Geisler
    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
    as published by the Free Software Foundation; either version 2
    of the License, or (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.
    You can get a copy of the GNU General Public License from this
    address: http://www.gnu.org/copyleft/gpl.html#SEC1
    You can also write to the Free Software Foundation, Inc., 59 Temple
    Place - Suite 330, Boston, MA 02111-1307, USA.
    */

    This is for all of your general knowledge. I am trying to find out how myshell could have been used to move into a !!root!! dir (/var/tmp) and put stuff in i.e. running psyBNC as a "fake" proftpd process.

    Brenden

    #1 tAzMaNiAc, Jun 29, 2003
    Last edited: Jun 30, 2003
  2. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    I just tried uploading a file using my Demo account and this error message was returned:

    "Upload Status This feature cannot be used in demo mode"

    I also deleted the entry for the demo account from the proftpd.conf file.

    Are you sure they used your demo account?

  3. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    One of them. I am not sure if this demo account was set up before every update I got since getting cPanel in February. I have disabled it till I can find what caused this user to be able to get in and upload it with the demo account.

    They uploaded using the demo account via FTP, into some dir in the public_html dir for demo. Then apparently they used some hole to get it moved to root dirs and "get it to run".

    I am not sure if pureftpd incorrectly set security for the demo account, since I had it setup a long time ago (i.e. in february) so maybe things were a little insecure.

    It's just a warning of a potential exploit somewhere, possibly to do with demo stuff, or some php/apache exploit which I can't figure out -- because stuff like that isn't really easy to find.

    Of course, if you run your own demo, they already know the login and password, so they can try whatever is possible with the login.

    Brenden

  4. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    Aha

    Hey all, it happened again... :)

    I told you!

    I removed the old demo account right? Well, I left my CPDEMO in (for my hosting) to see if it would happen again. Well, it did.

    This was from europe.. and they did the exact same thing..

    They used FTP to put it in some dirs, for some reason. I am not sure how they changed the permissions, or whatever.. but here goes.. (and apparently they were able to execute index.pl to do stuff.. I am looking over index.pl and it seems to be another different type of script.. they may even be reading this forum..)

    62.248.17.7 - cpdemo [03/Jul/2003:17:30:16 -0600] "PUT /home/cpdemo/public_html/images/index.pl" 200 16102
    62.248.17.7 - cpdemo [03/Jul/2003:17:30:21 -0600] "GET /home/cpdemo/public_html/images/index.pl" 200 16102
    62.248.17.7 - cpdemo [03/Jul/2003:17:30:25 -0600] "GET /home/cpdemo/public_html/images/index.pl" 200 16102
    62.248.17.7 - cpdemo [03/Jul/2003:17:30:28 -0600] "GET /home/cpdemo/public_html/images/index.pl" 200 16102
    62.248.17.7 - cpdemo [03/Jul/2003:17:31:44 -0600] "GET /home/cpdemo/public_html/images/index.pl" 200 16102
    62.248.17.7 - cpdemo [03/Jul/2003:17:31:49 -0600] "PUT /home/cpdemo/public_html/images/images/psybnc.conf" 200 79

    This was from the demo account, ftping to those dirs.
    I am looking through the stuff again (that I moved to my home dir). They used a different program name this time again -- webmail. I noticed something funny on processes -- and saw ./webmail.

    So, I closed and deleted my cpdemo account. No demo accounts are running now on my system..

    Brenden

  5. paint

    paint Well-Known Member

    Joined:
    Nov 10, 2002
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    6
    I know there are some ways to protect yourself from the DEMO exploits so search on the board. The one that would help you the most is chmod -R 000 /home/<directoryofdemoaccount>

    which would stop people from uploading. Also blocking that user from proftpd would help.

  6. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    true..

    Thanks for the hints, I'll go do it. Sometimes I wish I didn't have two kids, and a 3rd on the way. Concentration is at its premium sometimes :)

    I will go play with whatever I can and then open and do a test session, watch, and kick some ass. Thanks! :)

    Brenden

  7. hostultra

    hostultra Well-Known Member

    Joined:
    Aug 21, 2002
    Messages:
    167
    Likes Received:
    0
    Trophy Points:
    16
    To install something on demo mode account:

    Install the agora shopping cart
    Login to agora admin
    There's an option in there to run shell commands; you can use wget or whatever to download files from somewhere and chmod and execute them.

    Here's how to make demo mode secure.
    Login to SSH and run

    rm -rf /home/demo
    mkdir /home/demo
    chown root:root /home/demo
    chmod 0 /home/demo
    chattr +i /home/demo

  8. mjm

    mjm BANNED

    Joined:
    Aug 1, 2003
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    Wouldn't running PHP out of safe mode not allow that shell thingy to run?

  9. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    Someone last night attempted to install shell.php and install psyBNC on one of our servers. Hate seeing things like this. He wasn't able to compile it since tmp was non-exec and he wasn't able to install a pre-compiled version. Just don't get why people have so much time on their hands to try and abuse businesses like this.
     
  10. markie

    markie BANNED

    Joined:
    Oct 5, 2003
    Messages:
    143
    Likes Received:
    0
    Trophy Points:
    0
    I had a user purchase a reseller account. Upon account activation he uploads psybnc to his reseller account, then he proceeds to activate it. He also installs telnet-cgi. At 2am cPanel sends me an email telling me that it just killed a psybnc process. I log into the box to find my new reseller has installed it. I'm angry as hell and suspend his account. I send him an email that psybnc is not permitted on any of our servers. He apologises, I remove those programs and give him back his account. Now I'm watching him very carefully.

    BTW, anyone experienced telnet-cgi? This is one interesting program. I logged into his account using it but I didn't like what it could do.
     
  11. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    Very interesting, we just had this happen by someone that signed up for a reseller account. Anything involving telnet you need to stay away from. It is a horribly insecure application. We have found another user using shell.php and then removing it. He is just using it to modify local files in his home directory it seems. The /tmp mounting saved the psybnc from being installed at least.
     
  12. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    The sad thing is that although 'noexec' still stops most of these attacks now, this will slowly change as time goes by (I don't think I need to explain why)

    As long as CPanel doesn't offer the option to chroot users (like Ensim for example) the security issues with malicious users and people uploading files through insecure scripts will get worse and worse.
     
  13. damainman

    damainman Well-Known Member

    Joined:
    Nov 13, 2003
    Messages:
    515
    Likes Received:
    0
    Trophy Points:
    16
    How did you find out exactly who it was?
     
  14. damainman

    damainman Well-Known Member

    Joined:
    Nov 13, 2003
    Messages:
    515
    Likes Received:
    0
    Trophy Points:
    16
    I think cPanel should take some time off from feature additions, and put a priority on security. There are too many exploits available... I mean a demo mode is supposed to be just that, a "DEMO"; nothing in it should be working. What's the point of having a demo mode, to just have people compromise your system with it?
     
  15. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    Anytime there is a shell connection made, support gets an email. We don't allow cPanel Demo accounts, just because of all the security holes.
     
  16. HostDime

    HostDime Well-Known Member
    PartnerNOC

    Joined:
    Mar 15, 2003
    Messages:
    81
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Orlando, Florida
    In reference to complaining to cpanel about this...

    Why don't you put your DEMO account in DEMO mode? This will restrict users from uploading files.

    Also, when you first create your demo acct, how about

    chattr +ai -R /home/demo

    Also you could secure your /tmp and make sure kernel is upgraded to 2.4.24 to secure yourself even if they get in.
     
  17. damainman

    damainman Well-Known Member

    Joined:
    Nov 13, 2003
    Messages:
    515
    Likes Received:
    0
    Trophy Points:
    16
    You would think Demo mode was exactly what it is.. a DEMO, not something that can be used to exploit systems.
     
  18. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Demo Mode does not allow shell accounts:

    demover:x:32056:557::/home/demover:/usr/local/cpanel/bin/demoshell

    Maybe these people are not aware that there's an option to change the account to Demo mode?
     
  19. kris1351

    kris1351 Well-Known Member

    Joined:
    Apr 18, 2003
    Messages:
    963
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Lewisville, Tx
    Our tmps do run in secure mode and we do not utilize demo accounts just because all of the issues.
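
    The controls recommended across the posts above (the demo login's restricted demoshell, a root-owned mode-000 home directory, the immutable and append-only attributes that chattr sets, and a noexec /tmp) can all be verified from ordinary command output rather than trusted. The following audit is an added example for this thread, not cPanel's code and not anything a poster wrote; apart from the demover passwd entry quoted above, the account names, mount lines and lsattr output it feeds itself are constructed, and the demoshell path is taken from that passwd entry.

```python
"""Audit the demo-account lockdown recommended in this thread.

Added example (not cPanel code, not from any poster). Each check takes
text you can capture from the box -- /etc/passwd, `lsattr -d <dir>`,
/proc/mounts -- or the (mode, uid, gid) triple from os.stat(), so it
runs offline on the constructed samples at the bottom.
"""
import stat

# Assumption: cPanel's demo-mode shell, as in the passwd line quoted above.
DEMO_SHELL = '/usr/local/cpanel/bin/demoshell'


def check_passwd(passwd_text, user):
    """Findings about the demo login's /etc/passwd entry."""
    for line in passwd_text.splitlines():
        fields = line.split(':')
        if len(fields) == 7 and fields[0] == user:
            shell = fields[6]
            if shell == DEMO_SHELL:
                return []
            return ['%s has a real shell (%s), not %s' % (user, shell, DEMO_SHELL)]
    return ['%s not found in passwd' % user]


def check_home(mode, uid, gid):
    """Findings about the home directory's stat() mode and owner (root = 0)."""
    found = []
    if uid != 0 or gid != 0:
        found.append('home is owned by %d:%d, not root:root' % (uid, gid))
    if stat.S_IMODE(mode) != 0:
        found.append('home mode is %04o, expected 0000' % stat.S_IMODE(mode))
    return found


def check_attrs(lsattr_line):
    """Findings from one `lsattr -d` line, e.g. '----ia-------e-- /home/demo'."""
    flags = lsattr_line.split()[0]
    found = []
    if 'i' not in flags:
        found.append('immutable flag not set')
    if 'a' not in flags:
        found.append('append-only flag not set')
    return found


def check_tmp(mounts_text, mountpoint='/tmp'):
    """Findings from /proc/mounts-style lines for the given mount point."""
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == mountpoint:
            opts = set(parts[3].split(','))
            return ['%s mounted without %s' % (mountpoint, o)
                    for o in ('noexec', 'nosuid') if o not in opts]
    return ['%s is not a separate mount' % mountpoint]


def audit(passwd_text, user, home_stat, lsattr_line, mounts_text):
    """Return every finding; an empty list means all four controls hold."""
    mode, uid, gid = home_stat
    return (check_passwd(passwd_text, user) + check_home(mode, uid, gid)
            + check_attrs(lsattr_line) + check_tmp(mounts_text))


# Constructed samples: a locked-down box, and one with the gaps the victims
# in this thread had (real login shell, user-owned home, exec /tmp).
GOOD_PASSWD = 'demover:x:32056:557::/home/demover:/usr/local/cpanel/bin/demoshell\n'
BAD_PASSWD = 'demo:x:32057:558::/home/demo:/bin/bash\n'
GOOD_MOUNTS = '/dev/sda3 / ext3 rw 0 0\n/dev/loop0 /tmp ext2 rw,noexec,nosuid 0 0\n'
BAD_MOUNTS = '/dev/sda3 / ext3 rw 0 0\n'
GOOD_HOME = (stat.S_IFDIR, 0, 0)                 # mode 000, root:root
BAD_HOME = (stat.S_IFDIR | 0o755, 32057, 558)    # mode 755, owned by demo
GOOD_ATTRS = '----ia-------e-- /home/demover'
BAD_ATTRS = '-------------e-- /home/demo'

if __name__ == '__main__':
    for label, args in (
            ('locked down', (GOOD_PASSWD, 'demover', GOOD_HOME, GOOD_ATTRS, GOOD_MOUNTS)),
            ('exposed', (BAD_PASSWD, 'demo', BAD_HOME, BAD_ATTRS, BAD_MOUNTS))):
        print(label, audit(*args) or ['ok'])
```

    On a live box, feed `check_home` the `st_mode`, `st_uid` and `st_gid` from `os.stat('/home/demo')`, `check_attrs` the output of `lsattr -d /home/demo`, and `check_tmp` the contents of /proc/mounts; a `noexec` /tmp without `nosuid` is reported too, since the thread's "secure /tmp" advice is only as good as both flags.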
     
  20. RaveKnights

    RaveKnights Well-Known Member

    Joined:
    Nov 5, 2003
    Messages:
    81
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Some Where Out There!
    Hi Taz,

    you are not alone in this.

    I had a demo account up on one of our sites and recently had to take it down due to the same situation.

    This was back in December:

    Dec 27 06:43:44 server14 pure-ftpd[16797]: (?@62.248.16.170) [INFO] New connection from 62.248.16.170
    Dec 27 06:43:45 server14 pure-ftpd[16797]: (?@62.248.16.170) [INFO] demo is now logged in
    Dec 27 06:44:19 server14 pure-ftpd[16797]: (demo@62.248.16.170) [INFO] Can't change directory to /public_html/.images: No such file or directory
    Dec 27 06:44:30 server14 pure-ftpd[16797]: (demo@62.248.16.170) [NOTICE] /home/demo//public_html/.images/index.pl uploaded (16102 bytes, 2.72KB/sec)
    Dec 27 06:45:10 server14 pure-ftpd[16797]: (demo@62.248.16.170) [NOTICE] /home/demo//public_html/.images/index.pl downloaded (16102 bytes, 17.50KB/sec)
    Dec 27 06:45:18 server14 pure-ftpd[16797]: (demo@62.248.16.170) [NOTICE] /home/demo//public_html/.images/index.pl downloaded (16102 bytes, 16.51KB/sec)
    Dec 27 06:45:24 server14 pure-ftpd[16797]: (demo@62.248.16.170) [NOTICE] /home/demo//public_html/.images/index.pl downloaded (16102 bytes, 15.11KB/sec)
    Dec 27 06:45:30 server14 pure-ftpd[16821]: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Dec 27 06:45:30 server14 pure-ftpd[16821]: (?@127.0.0.1) [INFO] Logout - CPU time spent: 0.000 seconds.
    Dec 27 06:53:50 server14 pure-ftpd[16929]: (?@127.0.0.1) [INFO] New connection from 127.0.0.1
    Dec 27 06:53:50 server14 pure-ftpd[16929]: (?@127.0.0.1) [INFO] Logout - CPU time spent: 0.010 seconds.
    Dec 27 06:58:49 server14 pure-ftpd[16797]: (demo@62.248.16.170) [INFO] Logout - CPU time spent: 0.030 seconds.


    Like you I had a strange process running in /.webmail

    Now this demo account was created in DEMO MODE "Inside WHM" and I had chmod the whole directory 000 to be on the safe side. I even removed the mail and ftp directory along with the cgi-bin, so all the account had was a public_html. All access to any scripts and cron has been removed as well.

    Now this demo account was created back in October of 2003 and checked at least 4 times a day to make sure everything was OK. This kind of helped keep the exploit from doing further damage.

    Now here is what I don't get. With all precautions taken, like everyone here says you should do, it still happened.

    The only thing I can think of is that there is an exploit in pure-ftpd, since that is what I had running on this server.

    All I know is that all suggestions that everyone has posted here did not work for this exploit, wherever it is.
     
    #20 RaveKnights, Jan 7, 2004
    Last edited: Jan 7, 2004
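
    Both upload logs quoted in this thread (the Apache-style transfer log in the Jul 2003 post and the pure-ftpd syslog lines in the post directly above) show the same pattern: a demo login PUTting a Perl script into a hidden or unexpected directory, then fetching it a few times. The scanner below is an added example for this thread, not code from cPanel or from any poster. It parses both log shapes and flags uploads by demo logins, script files, hidden directory components and filenames such as psybnc. The two demo login names are assumptions; the `alice` line is a constructed benign entry, and the other sample lines are the ones quoted in the thread.

```python
"""Flag suspicious FTP uploads in the two log formats quoted in this thread.

Added example (not cPanel code, not from any poster). It handles
  * Apache/xferlog style:  IP - user [ts] "PUT /path" status bytes
  * pure-ftpd syslog:      Mon DD HH:MM:SS host pure-ftpd[pid]: (user@ip)
                           [NOTICE] /path uploaded (N bytes, ...)
"""
import re
from dataclasses import dataclass

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
PUREFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ pure-ftpd\[\d+\]: '
    r'\((?P<user>[^@)]+)@(?P<ip>[^)]+)\) \[NOTICE\] (?P<path>\S+) '
    r'(?P<action>uploaded|downloaded) \((?P<size>\d+) bytes'
)

SCRIPT_EXT = ('.pl', '.php', '.cgi', '.sh', '.py')
DEMO_USERS = {'demo', 'cpdemo'}          # assumption: demo logins on this box
KNOWN_BAD_NAMES = ('psybnc', 'shell.php', 'myshell')


@dataclass
class Upload:
    ts: str
    ip: str
    user: str
    path: str
    size: int


def parse_line(line):
    """Return an Upload for a successful upload in either format, else None."""
    m = APACHE_RE.match(line)
    if m:
        if m['method'] != 'PUT' or m['status'] != '200':
            return None
        size = int(m['size']) if m['size'].isdigit() else 0
        return Upload(m['ts'], m['ip'], m['user'], m['path'], size)
    m = PUREFTPD_RE.match(line)
    if m and m['action'] == 'uploaded':
        return Upload(m['ts'], m['ip'], m['user'], m['path'], int(m['size']))
    return None


def reasons(up):
    """List why an upload deserves a look; an empty list means nothing odd."""
    why = []
    parts = [p for p in up.path.replace('//', '/').split('/') if p]
    name = parts[-1].lower() if parts else ''
    if up.user in DEMO_USERS:
        why.append('upload by demo account')
    if name.endswith(SCRIPT_EXT):
        why.append('script file %s' % name)
    if any(d.startswith('.') for d in parts[:-1]):     # e.g. .images, .webmail
        why.append('hidden directory in path')
    if any(bad in name for bad in KNOWN_BAD_NAMES):
        why.append('known bouncer/shell filename')
    return why


def scan(lines):
    """Return (ts, user, path, reasons) for every suspicious upload."""
    hits = []
    for line in lines:
        up = parse_line(line.rstrip('\n'))
        if up is not None:
            why = reasons(up)
            if why:
                hits.append((up.ts, up.user, up.path, why))
    return hits


# Sample log: lines quoted in the thread plus one constructed benign upload.
SAMPLE_LOG = """\
62.248.17.7 - cpdemo [03/Jul/2003:17:30:16 -0600] "PUT /home/cpdemo/public_html/images/index.pl" 200 16102
62.248.17.7 - cpdemo [03/Jul/2003:17:30:21 -0600] "GET /home/cpdemo/public_html/images/index.pl" 200 16102
62.248.17.7 - cpdemo [03/Jul/2003:17:31:49 -0600] "PUT /home/cpdemo/public_html/images/images/psybnc.conf" 200 79
203.0.113.9 - alice [03/Jul/2003:18:02:05 -0600] "PUT /home/alice/public_html/photos/cat.jpg" 200 51200
Dec 27 06:44:30 server14 pure-ftpd[16797]: (demo@62.248.16.170) [NOTICE] /home/demo//public_html/.images/index.pl uploaded (16102 bytes, 2.72KB/sec)
Dec 27 06:45:10 server14 pure-ftpd[16797]: (demo@62.248.16.170) [NOTICE] /home/demo//public_html/.images/index.pl downloaded (16102 bytes, 17.50KB/sec)
"""

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

    Run it against the real transfer log and pure-ftpd syslog on the box; downloads and the benign `.jpg` upload produce no hit, while the three uploads the thread describes do. The hidden-directory check is what would have caught the `.images` and `.webmail` paths in the post above even with a different script name.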