Need help: Fixing and Preventing a 0day exploit of cPanel on Canaca servers.

Hi,

First, a short intro. I'm a photographer and designer for a small business with multiple domains, all of which are hosted at Canaca.com. I've always taken care of my own basic network and hosted files for home or private use but I've never dealt with anything that would require manual editing or updating of scripts such cPanel or Apache.

Last week our server was compromised, rooted and used to both send mass emails and host false bank pages as part of a phishing scam targetting multiple banks. The host company suspended our account, shutting down all of our web sites. 4 days later we finally got in touch with a real live person in order to have them reset our account passwords.

After 3 days of sifting through our servers and researching how we were compromised I stumbled upon this forum and I'm hoping I get some needed help.

On to the Exploit.

In the process of cleaning up the mess I've found 13 folders as well as 3 files in my "public_html" that are locked off with permissions set to 0000. One is a php script and the other 2 files are .zip files which are beyond a shadow of a doubt the attacker's compressed phishing websites. I can't do anything to these files or folders since I don't have access rights. I have no idea whether it's the hacker or the host company that set the permissions on those files or folders. Can I reclaim ownership of those files? How would I do that?

I've also uncovered 2 other scripts to which I have access rights however. The first one (named: cp1.php) seems like cPanel stack overflow. The second (named: mail.php) seems like an email server hack since our servers were used to send out hundreds of emails on the day the file was uploaded to our system.

So far the only solution we've been offered to fix the problem is the creation of a new account to which we would then have to upload all of our account and recreate all of our settings. Their explanation is that our account has been compromised to such an extent that they can't guarantee it's intergrity any longer. They haven't provided any kind of explanation as to how the attackers gainded access nor have they show any interest in my multiple emails about what I discovered through my own investigation of our files.

Canaca's system is currently running:

cPanel Version 11.25.0-RELEASE
MySQL version 5.0.89-community
cPanel Build 43473
Apache version 2.2.15
PHP version 5.2.13
cPanel Pro 1.0 (RC1)

And now for the questions

Can I claim ownership of the hacker's files and folders (the ones with permissions set to 0000)? How would I do that?

Seeing as how this exploit revealed a weakness int he version of cPanel our hosting company is using, and seeing as how they haven't demonstrated any knowldege of the specifics of the attack, is it possible for me to patch it myself? What would I need to do to determine the exact form of the counter-measure?

Finally, is it standard operating procedure in the case of such to attack to have to create a whole new account? Is this just revealing our hosting company's relative lack of knowledge? My gut reaction tells me that unless the Hosting Company's servers were themselves rooted they should have no problem eliminating any unwanted access but as I stated earlier, I'm not a network analyst.

Any help or advice would be much appreciated as I know I won't be getting any from Canaca's tech support.

Thanks in advance,

Marc-Andre Renaud
Aararat Consulting

 

It was seriously compromised. I know this because whoever broke in created a new domain in our account from which to host phishing pages. I can't say for certain if the server was rooted however as I'm still waiting on the host's tech support personnel to email me back. There are currently 13 folders and 3 files in our server that have their permissions set to 0000 and I can't do anything to them. Since I'm still waiting for the host's response, I have no idea whether these permissions were set by the sysadmins or the hackers.

As stated before, I'm no expert so bear with me. I'm just a designer who's recently been given the task of dealing with our web presence. I've been giving myselft a crash course over the last week and it turns out my predecessor had even less of an idea how to manage a web server because the permisssions were pretty much all still set to their default, unsecure levels.

We do not own own server, we are a shared hosting user with full control over our account. I can't paint a full picture because some of our domlogs seem to have tampered with, one in particular has about 14 days missing so even though the peak of activity happened from the the 14th to the 16th of April it's quite possible we'd been comprised further back.

From what I can tell thus far, the attacker was able to place a mass emailer script called mail.php our our server due to our lax permissions.

 

Thanks for all the replies guys,

Here's what I've done so far.

1- scan our computers with a good antivirus.

2- change the cpanel & ftp and email account passwords.

3- read up on how to secure a server due to the following point...

4- ask for help from your hosting company.

This is where it gets interesting. They're not providing any help whatsoever. Their one and only solution to the problem is to just create a whole new account where we are to then upload fresh copies of our websites. While it would be beneficial to start with a fresh account I don't see how this prevent this attack from happening again.

5-As for the reasons for my 0day theory, the file cp1.php was located in our root and it reads:

<?
/*||||||||||||||||||||||||||||||||||||||||||||*/
# Coded By Crazy_Hacker |
# Script: Cpanel + FTP Cracker |
# Site: www.bigcuck_69.com |
# Forums: http://forums.bigcuck_69.com/index.php |
/*|||||||||||||||||||||||||||||||||||||||||||*/


$auth = 2; // 1=on ,,,, 2=off
$name='441ae5118f87c9f621ef5d66c698e0a94'; //0day
$pass='41ae5118f87c9f621ef5d66c698e0a94'; //C-H

eval(base64_decode(' *****12732 characters removed***** '));
?>

I don't know how it got there but it was dated April 12th, which is also when the mass emails started being sent out of our account via "mail.php". No mention of the file shows up anywhere in our logs but as I mentioned in a previous, whoever got in also seems to have had the common sense to erase about 14 days from one of them.

6-If you are running outdated scripts on your account, then your login information may be compromised.

I wouldn't even know how to determine this (yet). Any suggestions to speed / narrow my research on how to secure a server woould be much appreciated.

7-If files exist on your account that are owned by root, you need to find out if your host changed the ownership of the files.

In regards to the files that are in my root and set to 0000, i've sent them multiple requests for information regarding who set them up that way. They haven't said a single thing other than:

"Please note that as I figured out all of your files and directories are now exposed and hit by the hacker".

Due to my current lack of knowledge with Unix (which I'm working on), and since Canaca isn't talking, I have no way of knowing who set the permissions that way.

8- They may have noted that the files were part of an exploit and changed the ownership/permission of the files to prevent them from running on the server.

That's what I figured since the last change to these files and folders dates to April 14th, which is the day our account was suspended, which was Canaca's way of informing us we had been hacked...

Therefore, judging from this past week I'm thinking we need a cPanel sysadmin to come and take for us because it's obvious our Host has no intention of helping (even for a fee). Does anyone know a talented admin working in the Vancouver BC area?