Need help restoring template pages

[luisgflores]

Hello all,

We recently had one of our servers attacked and websites defaced. We believe this was related to the zero-day vulnerability fixed in
[security] Fixed case CPANEL-5973: Update cpanel-ImageMagick to 6.9.0-4.cp1154.
The attacked server had failed its automatic upgrade, and other VPSs which upgraded WHM/cPanel automatically were unaffected.

We managed to restore the websites (.htaccess redirection / bogus index.htm files were used) but cPanel access for customers is also defaced (WHM access for root is unaffected). The cPanel page IS being loaded but there is some animation hovering over it which doesn't let you use anything. However my knowledge doesn't let me get past that.
I found that in the (defaced) page you can access an option to change the theme, and if you select "paper lantern" (the defauilt is "x3"), you can access all options normally. If you then select "x3", the defaced page returns.
The "suspended account" page is also defaced.

Oddly, not all accounts are affected, but again my knowledge is not enough to determine what files/configurations are compromised. Unaffected accounts can access cPanel normally (even usign "x3" theme) and suspended account's pages display normally.

How can I restore the defaced pages? Where are the corresponding files located?

 

[luisgflores]

UPDATE: Found the defaced "suspended account" template in /var/cpanel/webtemplates/<reseller_name>, after replacing them with the ones in /var/cpanel/webtemplates/root, it works fine.

Still need to find files for cPanel landing page ("x3" theme at least).

 

[luisgflores]

UPDATE: I have learned some things that might be obvious to more experienced users.

First, unaffected accounts belong to one particular reseller, so the attack must have been done using one reseller's account. That is why unaffected accounts "oddly" did not have defaced cPanel/suspended pages, and also why the compromised "suspended" template was in /var/cpanel/webtemplates/<reseller>

Second, what I was referring to as the "paper_lantern and x3 themes" are, in fact the "basic" and "retro" STYLES for paper_lantern. So, the behaviour I described should be updated to:

I found that in the (defaced) page you can access an option to change the style, and if you select "basic" (the defauilt is "retro"), you can access all options normally. If you then switch back to "retro", the defaced page returns.

However, I cannot find the right file for the "retro" style that would deface all of this reseller's accounts' cPanel main pages (as in /var/cpanel/webtemplates/<reseller> for the suspended notice). Files in /usr/local/cpanel/base/frontend/paper_lantern/styled/retro and /usr/local/cpanel/base/frontend/paper_lantern/home/retro are not compromised. Any advice?

 

[TerranceR]

Hello,

It sounds like your server may have been root compromised, I do strongly suggest considering migrating to a New Clean Server ASAP. You can read more about why within our Documentation at Why can't I "clean" a hacked machine? - cPanel Knowledge Base - cPanel Documentation

 

[luisgflores]

Thank you for answering.

At first we thought so too, but after investigating we don't anymore:
-The vulnerability only allows remote execution of code, which we think the attacker used to change that particular reseller's password and then access via whm. That's why only that reseller's accounts were affected.
-There is an alarm set up to fire anytime the 'root' account logs on to WHM or SSH. It did not trigger.

Anyway we finally found out that the attacker modified the "WHM & cPanel news" for that reseller. I could not find the actual files that do this, but by logging to WHM with that reseller's account we were able to delete the defacing code. I will leave this here in case someone else finds it useful.

 

[cPanelMichael]

Hello,

I'm happy to see you were able to address the issue. Thank you for updating us with the outcome.