The Community Forums


Need help: Fixing and Preventing a 0day exploit of cPanel on Canaca servers.

Discussion in 'Security' started by dark_gear, Apr 21, 2010.

  1. dark_gear (Registered, joined Apr 21, 2010, White Rock, BC, Canada)

    Hi,

    First, a short intro. I'm a photographer and designer for a small business with multiple domains, all of which are hosted at Canaca.com. I've always taken care of my own basic network and hosted files for home or private use but I've never dealt with anything that would require manual editing or updating of scripts such as cPanel or Apache.

    Last week our server was compromised, rooted and used to both send mass emails and host false bank pages as part of a phishing scam targeting multiple banks. The host company suspended our account, shutting down all of our web sites. 4 days later we finally got in touch with a real live person in order to have them reset our account passwords.

    After 3 days of sifting through our servers and researching how we were compromised I stumbled upon this forum and I'm hoping I get some needed help.

    On to the Exploit.

    In the process of cleaning up the mess I've found 13 folders as well as 3 files in my "public_html" that are locked off with permissions set to 0000. One is a php script and the other 2 files are .zip files which are beyond a shadow of a doubt the attacker's compressed phishing websites. I can't do anything to these files or folders since I don't have access rights. I have no idea whether it's the hacker or the host company that set the permissions on those files or folders. Can I reclaim ownership of those files? How would I do that?

    I've also uncovered 2 other scripts to which I have access rights however. The first one (named: cp1.php) seems like cPanel stack overflow. The second (named: mail.php) seems like an email server hack since our servers were used to send out hundreds of emails on the day the file was uploaded to our system.

    So far the only solution we've been offered to fix the problem is the creation of a new account to which we would then have to upload all of our account and recreate all of our settings. Their explanation is that our account has been compromised to such an extent that they can't guarantee its integrity any longer. They haven't provided any kind of explanation as to how the attackers gained access nor have they shown any interest in my multiple emails about what I discovered through my own investigation of our files.

    Canaca's system is currently running:

    cPanel Version 11.25.0-RELEASE
    MySQL version 5.0.89-community
    cPanel Build 43473
    Apache version 2.2.15
    PHP version 5.2.13
    cPanel Pro 1.0 (RC1)

    And now for the questions

    Can I claim ownership of the hacker's files and folders (the ones with permissions set to 0000)? How would I do that?

    Seeing as how this exploit revealed a weakness in the version of cPanel our hosting company is using, and seeing as how they haven't demonstrated any knowledge of the specifics of the attack, is it possible for me to patch it myself? What would I need to do to determine the exact form of the counter-measure?

    Finally, is it standard operating procedure in the case of such an attack to have to create a whole new account? Is this just revealing our hosting company's relative lack of knowledge? My gut reaction tells me that unless the Hosting Company's servers were themselves rooted they should have no problem eliminating any unwanted access but as I stated earlier, I'm not a network analyst.

    Any help or advice would be much appreciated as I know I won't be getting any from Canaca's tech support.

    Thanks in advance,

    Marc-Andre Renaud
    Aararat Consulting
     
  2. sparek-3 (Well-Known Member, joined Aug 10, 2002, cPanel Access Level: Root Administrator)

    Was your server rooted (root compromised) or was just your account compromised? There is a difference.

    Do you own the server in question? Do you have root access to the server in question? Or are you just a shared hosting user?
     
  3. dark_gear (Registered, joined Apr 21, 2010, White Rock, BC, Canada)

    It was seriously compromised. I know this because whoever broke in created a new domain in our account from which to host phishing pages. I can't say for certain if the server was rooted however as I'm still waiting on the host's tech support personnel to email me back. There are currently 13 folders and 3 files in our server that have their permissions set to 0000 and I can't do anything to them. Since I'm still waiting for the host's response, I have no idea whether these permissions were set by the sysadmins or the hackers.

    As stated before, I'm no expert so bear with me. I'm just a designer who's recently been given the task of dealing with our web presence. I've been giving myself a crash course over the last week and it turns out my predecessor had even less of an idea how to manage a web server because the permissions were pretty much all still set to their default, unsecure levels.

    We do not own our server, we are a shared hosting user with full control over our account. I can't paint a full picture because some of our domlogs seem to have been tampered with, one in particular has about 14 days missing so even though the peak of activity happened from the 14th to the 16th of April it's quite possible we'd been compromised further back.

    From what I can tell thus far, the attacker was able to place a mass emailer script called mail.php on our server due to our lax permissions.
     
  4. d_t (Well-Known Member, joined Sep 20, 2003, Bucharest)

    0day exploit ... you don't even know how those files arrived on your account. It is possible that a virus stole your cpanel/ftp pass. Or a badly written php script.

    What can you do:
    - scan your computer with a good antivirus
    - change the cpanel & ftp passwords
    - ask for help from your hosting company. They can investigate the incident and if necessary, restore files from backup. If they cannot help you, maybe it's time to change the hosting

    In my opinion it is not a cPanel exploit (because if so, other reports should have appeared by now).
     
  5. sparek-3 (Well-Known Member, joined Aug 10, 2002, cPanel Access Level: Root Administrator)

    If only your account was hacked into, then your host may not be responsible for the hack at all, and especially cPanel would not be responsible.

    If you are running outdated scripts on your account or if you have any hidden malware running on your computer or a computer that is used to FTP into your account or access your cPanel, then your login information may be compromised.

    Your host can't be responsible for this. They cannot ensure that you are keeping your anti-virus software and anti-malware software up-to-date, that you are always running the latest versions of any script, or, if you are running custom scripts, that those scripts are written in a secure manner.

    This is why it is important to distinguish between whether the compromise is just your account or if it is a complete server root compromise. This is still not exactly clear, but it is starting to sound more like just your account was compromised.

    If files exist on your account that are owned by root, you need to find out if your host changed the ownership of the files or if this was done during the compromise. Your host should be concerned if they did not change the ownership of the files, because if someone (that is not them) has the ability to create and/or change ownership of files to root, then this would signify a root-level compromise on the server.

    If you have files on your account that are owned by root (note, this is different from having 0000 permissions; any file can have permissions of 0000, even files owned by you) then you need to ask your host if they changed the ownership of the files. They may have noted that the files were part of an exploit and changed the ownership/permission of the files to prevent them from running on the server.
     
  6. dwykofka (Well-Known Member, joined Aug 6, 2003)

    FYI
    As a cpanel system admin the first thing I do when I see a mail spam script on an account is to chmod 000 the offending files (to stop the attack) and change the password for the cpanel user. This allows the customer's website to continue operating and gives me time to get in contact with the user.

    Typically we find that the users account password was stolen by a trojan and we come to a resolution with the client.

    It looks like your host might be doing the same thing, perhaps you should speak with them.
     
  7. dark_gear (Registered, joined Apr 21, 2010, White Rock, BC, Canada)

    Thanks for all the replies guys,

    Here's what I've done so far.

    1- scan our computers with a good antivirus.

    2- change the cpanel & ftp and email account passwords.

    3- read up on how to secure a server due to the following point...

    4- ask for help from your hosting company.

    This is where it gets interesting. They're not providing any help whatsoever. Their one and only solution to the problem is to just create a whole new account where we are to then upload fresh copies of our websites. While it would be beneficial to start with a fresh account I don't see how this prevents this attack from happening again.

    5-As for the reasons for my 0day theory, the file cp1.php was located in our root and it reads:

    <?
    /*||||||||||||||||||||||||||||||||||||||||||||*/
    # Coded By Crazy_Hacker |
    # Script: Cpanel + FTP Cracker |
    # Site: www.bigcuck_69.com |
    # Forums: http://forums.bigcuck_69.com/index.php |
    /*|||||||||||||||||||||||||||||||||||||||||||*/


    $auth = 2; // 1=on ,,,, 2=off
    $name='441ae5118f87c9f621ef5d66c698e0a94'; //0day
    $pass='41ae5118f87c9f621ef5d66c698e0a94'; //C-H

    eval(base64_decode(' *****12732 characters removed***** '));
    ?>

    I don't know how it got there but it was dated April 12th, which is also when the mass emails started being sent out of our account via "mail.php". No mention of the file shows up anywhere in our logs but as I mentioned in a previous post, whoever got in also seems to have had the common sense to erase about 14 days from one of them.

    6-If you are running outdated scripts on your account, then your login information may be compromised.

    I wouldn't even know how to determine this (yet). Any suggestions to speed / narrow my research on how to secure a server would be much appreciated.

    7-If files exist on your account that are owned by root, you need to find out if your host changed the ownership of the files.

    In regards to the files that are in my root and set to 0000, I've sent them multiple requests for information regarding who set them up that way. They haven't said a single thing other than:

    "Please note that as I figured out all of your files and directories are now exposed and hit by the hacker".

    Due to my current lack of knowledge with Unix (which I'm working on), and since Canaca isn't talking, I have no way of knowing who set the permissions that way.

    8- They may have noted that the files were part of an exploit and changed the ownership/permission of the files to prevent them from running on the server.

    That's what I figured since the last change to these files and folders dates to April 14th, which is the day our account was suspended, which was Canaca's way of informing us we had been hacked...

    Therefore, judging from this past week I'm thinking we need a cPanel sysadmin to come and take for us because it's obvious our Host has no intention of helping (even for a fee). Does anyone know a talented admin working in the Vancouver BC area?
     
  8. sparek-3 (Well-Known Member, joined Aug 10, 2002, cPanel Access Level: Root Administrator)

    If the files were uploaded to your account via FTP, then your host should be able to review their server's FTP logs and find this information.

    If the files were uploaded as part of a script vulnerability, this can be a bit harder to track, but assuming that the timestamps on the files are still valid or that the host noted the timestamps, they should be able to track these.

    The best thing you can do, without your host helping, is to identify any scripts you have installed on your website. For example, did you have Joomla! installed on your website? Were you keeping it up-to-date? Were you keeping all of your extensions up-to-date? Joomla! is just an example here; whatever scripts you have installed on your website, and you may have more than one, was it up-to-date and were any extensions/components/addons being kept up-to-date?

    If the scripts on your website were custom written, has the developer released any new code for these custom scripts? Do they know of any vulnerabilities in their scripts? This would be the most difficult possibility when it comes to trying to solve your issue. A developer may have custom written the script on your website, never releasing it for anyone else and never maintaining the code. The developer may have poorly written the code (which isn't a direct knock on the developer) and never released or been made aware of any need to update the code. For this, you would really need intervention from your host to identify what specific script is vulnerable so that the developer can review the code in that script.

    If the exploit came about through an unauthorized FTP login, then this probably means that you (or someone you have given your account login details to) are leaking information. How many different computers have you (or, again, anyone that you have given your login information to) used to access your account's FTP account or cPanel? Are you reusing the same username and password for your website account with any other services? If so, how many different computers have you logged into those services with? If this exploit came about through an unauthorized FTP login, then it is likely that one of those computers is infected with malware/spyware/trojans/keyloggers/viruses that are stealing your account information. You'll need to identify this malware and resolve the issue. What is the best malware detector? I don't know. I would recommend using MalwareBytes, Spybot Search and Destroy, and Microsoft Security Essentials one at a time to search your computer for malware. Although you may want to get others' advice regarding this because I really do not know what anti-malware solution is really the best.

    All of this is really moot if the hosting account was rooted, i.e. the root user on the server was compromised. If the server was rooted, then this falls under the hosting company's fault. But a server being rooted is less likely than your account being exploited in some way.
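A small triage helper, added here as an example and not code posted by anyone in the thread, that applies the checks sparek-3 describes in replies 5 and 8 from the account holder's side: it lists entries under a web root that are not owned by the account user (a root-owned file is the signal he says to raise with the host), entries locked to mode 0000 (what dwykofka says a sysadmin may set to stop a spam script), and entries modified since a suspected incident date. It assumes GNU find (for -newermt) and builds a constructed sample tree so it runs stand-alone; the placeholder cp1.php it creates is not the real script.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Lists, under a web root:
#   1. entries not owned by the account user (ask the host who did this)
#   2. entries with mode 0000 (host-neutralised script, or attacker-set)
#   3. entries modified since a date, optionally before a second date
# Assumes GNU find for -newermt. Dates are YYYY-MM-DD.
# Usage: triage_webroot DIR OWNER SINCE [UNTIL]
triage_webroot() {
    dir=$1; owner=$2; since=$3; until=$4
    echo "== entries under $dir not owned by $owner =="
    find "$dir" ! -user "$owner" -exec ls -ld {} + 2>/dev/null
    echo "== entries with mode 0000 =="
    find "$dir" -perm 0000 -exec ls -ld {} + 2>/dev/null
    echo "== entries modified since $since${until:+ and before $until} =="
    if [ -n "$until" ]; then
        find "$dir" -newermt "$since" ! -newermt "$until" -exec ls -ld {} + 2>/dev/null
    else
        find "$dir" -newermt "$since" -exec ls -ld {} + 2>/dev/null
    fi
    return 0   # an unreadable subtree makes find non-zero; not an error here
}

# Constructed sample tree so the example runs stand-alone: a placeholder
# cp1.php locked to 0000 beside an ordinary directory, owned by whoever
# runs this. Section 1 is therefore empty unless something else owns a file.
demo=$(mktemp -d)
mkdir "$demo/images"
printf '<?php // constructed placeholder, not the real cp1.php\n' > "$demo/cp1.php"
chmod 000 "$demo/cp1.php"
triage_webroot "$demo" "$(id -un)" 2010-04-12
chmod 644 "$demo/cp1.php" && rm -rf "$demo"
```

Run it from the account's home against public_html with your cPanel username as OWNER; anything in the first section is what to take to the host, and the third section narrows the set of files to compare against whatever domlogs and FTP logs survive.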
     