Need help restoring template pages

luisgflores

Registered
May 11, 2016
4
0
1
Mexico
cPanel Access Level
Root Administrator
Hello all,

We recently had one of our servers attacked and websites defaced. We believe this was related to the zero-day vulnerability fixed in
[security] Fixed case CPANEL-5973: Update cpanel-ImageMagick to 6.9.0-4.cp1154.
The attacked server had failed its automatic upgrade, and other VPSs which upgraded WHM/cPanel automatically were unaffected.

We managed to restore the websites (.htaccess redirection / bogus index.htm files were used) but cPanel access for customers is also defaced (WHM access for root is unaffected). The cPanel page IS being loaded but there is some animation hovering over it which doesn't let you use anything. However my knowledge doesn't let me get past that.
I found that in the (defaced) page you can access an option to change the theme, and if you select "paper lantern" (the default is "x3"), you can access all options normally. If you then select "x3", the defaced page returns.
The "suspended account" page is also defaced.

Oddly, not all accounts are affected, but again my knowledge is not enough to determine what files/configurations are compromised. Unaffected accounts can access cPanel normally (even using the "x3" theme) and suspended accounts' pages display normally.

How can I restore the defaced pages? Where are the corresponding files located?
 

luisgflores

UPDATE: Found the defaced "suspended account" template in /var/cpanel/webtemplates/<reseller_name>, after replacing them with the ones in /var/cpanel/webtemplates/root, it works fine.

Still need to find files for cPanel landing page ("x3" theme at least).
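An added example (not the poster's commands, and not a cPanel tool) of how the comparison described in this post can be done systematically: every file under a reseller's /var/cpanel/webtemplates/&lt;reseller&gt; directory is checked against the copy in /var/cpanel/webtemplates/root, and a modified file is backed up before it is overwritten so the defaced version is kept for investigation. The base directory is a parameter (assumption: the root directory holds pristine templates; the backup directory name is hypothetical), so the script can be run against a copy first.

```shell
#!/bin/sh
# Compare each reseller's web-template directory with the root templates.
# Assumption: BASE_DIR/root holds the pristine copies (as on the server in the
# thread); BASE_DIR defaults to nothing so the caller chooses where to look.

# find_modified_templates BASE_DIR
# Prints "<reseller>/<file> MODIFIED" for files that differ from the root copy
# and "<reseller>/<file> EXTRA" for files that have no root counterpart.
find_modified_templates() {
    base="$1"
    [ -d "$base/root" ] || { echo "no root template dir under $base" >&2; return 2; }
    for dir in "$base"/*/; do
        reseller=$(basename "$dir")
        [ "$reseller" = "root" ] && continue
        find "$dir" -type f | while read -r f; do
            rel=${f#"$dir"}            # path relative to the reseller dir
            if [ ! -f "$base/root/$rel" ]; then
                echo "$reseller/$rel EXTRA"
            elif ! cmp -s "$f" "$base/root/$rel"; then
                echo "$reseller/$rel MODIFIED"
            fi
        done
    done
}

# restore_template BASE_DIR RESELLER FILE BACKUP_DIR
# Preserves the reseller's (possibly defaced) file under BACKUP_DIR, then
# replaces it with the root copy, keeping permissions and timestamps.
restore_template() {
    base="$1"; reseller="$2"; rel="$3"; backup="$4"
    mkdir -p "$backup/$reseller/$(dirname "$rel")"
    cp -p "$base/$reseller/$rel" "$backup/$reseller/$rel"
    cp -p "$base/root/$rel" "$base/$reseller/$rel"
}

# Usage on the live server (hypothetical backup location):
#   find_modified_templates /var/cpanel/webtemplates
#   restore_template /var/cpanel/webtemplates <reseller> suspended.tmpl /root/template-evidence
```

Run the listing first and review it; an EXTRA file is worth looking at as closely as a MODIFIED one, since a template the root directory never had is not something a normal reseller customisation would usually add.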
 

luisgflores

UPDATE: I have learned some things that might be obvious to more experienced users.

First, unaffected accounts belong to one particular reseller, so the attack must have been done using one reseller's account. That is why unaffected accounts "oddly" did not have defaced cPanel/suspended pages, and also why the compromised "suspended" template was in /var/cpanel/webtemplates/<reseller>.

Second, what I was referring to as the "paper_lantern and x3 themes" are, in fact, the "basic" and "retro" STYLES for paper_lantern. So, the behaviour I described should be updated to:

I found that in the (defaced) page you can access an option to change the style, and if you select "basic" (the default is "retro"), you can access all options normally. If you then switch back to "retro", the defaced page returns.

However, I cannot find the right file for the "retro" style that would deface all of this reseller's accounts' cPanel main pages (as in /var/cpanel/webtemplates/<reseller> for the suspended notice). Files in /usr/local/cpanel/base/frontend/paper_lantern/styled/retro and /usr/local/cpanel/base/frontend/paper_lantern/home/retro are not compromised. Any advice?
 

luisgflores

Thank you for answering.

At first we thought so too, but after investigating we don't anymore:
-The vulnerability only allows remote execution of code, which we think the attacker used to change that particular reseller's password and then access via WHM. That's why only that reseller's accounts were affected.
-There is an alarm set up to fire anytime the 'root' account logs on to WHM or SSH. It did not trigger.

Anyway, we finally found out that the attacker modified the "WHM & cPanel news" for that reseller. I could not find the actual files that do this, but by logging in to WHM with that reseller's account we were able to delete the defacing code. I will leave this here in case someone else finds it useful.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,904
2,237
463
Hello,

I'm happy to see you were able to address the issue. Thank you for updating us with the outcome.