The Community Forums


Need help restoring template pages

Discussion in 'Security' started by luisgflores, May 11, 2016.

  1. luisgflores

    luisgflores Registered

    Joined:
    May 11, 2016
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Mexico
    cPanel Access Level:
    Root Administrator
    Hello all,

    We recently had one of our servers attacked and websites defaced. We believe this was related to the zero-day vulnerability fixed in
    [security] Fixed case CPANEL-5973: Update cpanel-ImageMagick to 6.9.0-4.cp1154.
    The attacked server had failed its automatic upgrade, and other VPSs which upgraded WHM/cPanel automatically were unaffected.

    We managed to restore the websites (.htaccess redirection / bogus index.htm files were used) but cPanel access for customers is also defaced (WHM access for root is unaffected). The cPanel page IS being loaded but there is some animation hovering over it which doesn't let you use anything. However my knowledge doesn't let me get past that.
    I found that in the (defaced) page you can access an option to change the theme, and if you select "paper lantern" (the default is "x3"), you can access all options normally. If you then select "x3", the defaced page returns.
    The "suspended account" page is also defaced.

    Oddly, not all accounts are affected, but again my knowledge is not enough to determine what files/configurations are compromised. Unaffected accounts can access cPanel normally (even using the "x3" theme) and suspended accounts' pages display normally.

    How can I restore the defaced pages? Where are the corresponding files located?
     
  2. luisgflores

    luisgflores Registered

    UPDATE: Found the defaced "suspended account" template in /var/cpanel/webtemplates/<reseller_name>, after replacing them with the ones in /var/cpanel/webtemplates/root, it works fine.

    Still need to find files for cPanel landing page ("x3" theme at least).
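    A defender's helper for the restore step described in this post, added here and not part of the thread: it compares a reseller's copies under /var/cpanel/webtemplates/<reseller> with the root copies in /var/cpanel/webtemplates/root, lists what differs, and saves the altered files as evidence before restoring them. The directory tree it runs on is a constructed sandbox so it can be dry-run anywhere; point the two paths at the live directories on a real host.

```shell
#!/bin/sh
# Added example, not from the thread: diff a reseller's web templates against
# root's, list what changed, and restore from root after keeping the altered
# files for the incident record. Paths follow the thread; the sandbox is made up.

# list_modified ROOT_DIR RESELLER_DIR: print relative paths whose reseller copy
# differs from the root copy, or which exist only under the reseller.
list_modified() {
    root="$1"; reseller="$2"
    ( cd "$reseller" && find . -type f ) | sed 's|^\./||' | sort |
    while IFS= read -r rel; do
        if [ ! -f "$root/$rel" ] || ! cmp -s "$root/$rel" "$reseller/$rel"; then
            printf '%s\n' "$rel"
        fi
    done
}

# restore_from_root ROOT_DIR RESELLER_DIR BACKUP_DIR: copy every differing
# reseller file into BACKUP_DIR (evidence), then replace it with root's copy;
# files with no root counterpart are backed up and removed.
restore_from_root() {
    root="$1"; reseller="$2"; backup="$3"
    list_modified "$root" "$reseller" | while IFS= read -r rel; do
        mkdir -p "$backup/$(dirname "$rel")"
        cp -p "$reseller/$rel" "$backup/$rel"
        if [ -f "$root/$rel" ]; then
            cp -p "$root/$rel" "$reseller/$rel"
        else
            rm -f "$reseller/$rel"
        fi
    done
}

# make_sandbox: constructed stand-in for /var/cpanel/webtemplates with one
# clean template, one tampered template and one file that only the reseller has.
make_sandbox() {
    base=$(mktemp -d)
    mkdir -p "$base/root" "$base/reseller1"
    printf 'clean suspended page\n' > "$base/root/suspended.html"
    printf 'clean suspended page\n' > "$base/reseller1/suspended.html"
    printf 'clean notice\n' > "$base/root/notice.html"
    printf '<p>defacement</p>\n' > "$base/reseller1/notice.html"
    printf 'dropped file\n' > "$base/reseller1/extra.html"
    printf '%s' "$base"
}

SANDBOX=$(make_sandbox)
echo "Files differing from root:"; list_modified "$SANDBOX/root" "$SANDBOX/reseller1"
rm -rf "$SANDBOX"
```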
     
  3. luisgflores

    luisgflores Registered

    UPDATE: I have learned some things that might be obvious to more experienced users.

    First, unaffected accounts belong to one particular reseller, so the attack must have been done using one reseller's account. That is why unaffected accounts "oddly" did not have defaced cPanel/suspended pages, and also why the compromised "suspended" template was in /var/cpanel/webtemplates/<reseller>.

    Second, what I was referring to as the "paper_lantern and x3 themes" are, in fact, the "basic" and "retro" STYLES for paper_lantern. So, the behaviour I described should be updated to:

    I found that in the (defaced) page you can access an option to change the style, and if you select "basic" (the default is "retro"), you can access all options normally. If you then switch back to "retro", the defaced page returns.

    However, I cannot find the right file for the "retro" style that would deface all of this reseller's accounts' cPanel main pages (as in /var/cpanel/webtemplates/<reseller> for the suspended notice). Files in /usr/local/cpanel/base/frontend/paper_lantern/styled/retro and /usr/local/cpanel/base/frontend/paper_lantern/home/retro are not compromised. Any advice?
     
  4. cPTerrance

    cPTerrance *nix Technical Analyst II / Migrations Specialist
    Staff Member

    Joined:
    Jul 9, 2015
    Messages:
    72
    Likes Received:
    8
    Trophy Points:
    8
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
  5. luisgflores

    luisgflores Registered

    Thank you for answering.

    At first we thought so too, but after investigating we don't anymore:
    - The vulnerability only allows remote execution of code, which we think the attacker used to change that particular reseller's password and then access via WHM. That's why only that reseller's accounts were affected.
    - There is an alarm set up to fire anytime the 'root' account logs on to WHM or SSH. It did not trigger.

    Anyway, we finally found out that the attacker modified the "WHM & cPanel news" for that reseller. I could not find the actual files that do this, but by logging in to WHM with that reseller's account we were able to delete the defacing code. I will leave this here in case someone else finds it useful.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator