The Community Forums


New cPanel Exploit?? Long Post!!

Discussion in 'General Discussion' started by Tomas, Jul 3, 2006.

  1. Tomas

    Tomas Member

    Joined:
    Oct 31, 2003
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Santiago, Chile
    Hey Guys,

    I normally do not post that much in these forums but due to the severity of this I decided to do it. Everything started a couple of days ago when I upgraded my cPanel server to R119 (10.8.2). Everything was fine but the other day I discovered some unusual processes:

    nobody 7.74 0.00 0.0
    Top Process %CPU 98.5 perl udp.pl 208.101.49.235 3111 900
    Top Process %CPU 98.4 perl udp.pl 208.101.49.235 3111 900
    Top Process %CPU 98.3 perl udp.pl 208.101.49.235 3111 900

    I'm running suexec for CGI files so normally all CGI processes are shown with username instead of nobody. That was alert #1. Then the udp.pl process and those IPs were pretty strange. Went into google and found out that it was an exploit but it was too late as the processes were gone. I kept investigating for a few days, went through ALL access files for all my domains and still, not one sign of the attack. I waited another day and then there was again, this time I managed to get it while it was active so I issued:

    # kill -STOP PID

    That stopped the processes (there were 2) and gave me enough time to go through the /proc/PID file. I checked the environ file and got this:

    Code:
    root@nova [/proc/14870]# cat environ
    CPANEL=activePASS=SSL_PROTOCOL_VERSION=3HOST=xx.xx.xxx.xxx:2087OLDPWD=/home/account/public_htmlHTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4SERVER_PORT=2087HTTP_HOST=xx.xx.xxx.xxxHTTP_STATUS=200ACCEPT_ENCODING=gzip,deflateUSER=rootHTTPS=onSUBID=REMOTE_HOST=127.0.0.1REMOTE_USER=rootSCRIPT_URI=scripts/dosrvmngREMOTE_PORT=36001PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbinWHM50=10.8.0PWD=/tmpLANG=en_US.UTF-8HTTP_REFERER=https://xx.xx.xxx.xxx:2087/scripts/srvmngUPLINK=REMOTE_ADDR=127.0.0.1SERVER_NAME=xx.xx.xxx.xxxHOME=/rootSHLVL=4CONTENT_LENGTH=QUERY_STRING=antirelayd=1&clamd=1&entropychat=1&exim=1&eximmonitor=1&eximstats=1&eximstatsmonitor=1&ftpd=1&ftpdmonitor=1&httpd=1&httpdmonitor=1&imap=1&imapmonitor=1&melange=1&mysql=1&mysqlmonitor=1&named=1&namedmonitor=1&pop=1&popmonitor=1&postgresql=1&postgresqlmonitor=1&spamd=1&spamdmonitor=1&syslogd=1&exim-altportnum=26DNS=yourdomain.comSERVER_ADDR=127.0.0.1GATEWAY_INTERFACE=CGI/1.1SERVER_PROTOCOL=HTTP/1.0RESTARTSRV=1CONTENT_TYPE=REQUEST_METHOD=GETHTTP_COOKIE=whostmgrrelogin=no_=/usr/bin/perlroot@nova
    Code:
    root@nova [/proc/14865]# cat environ
    PASS=CPANEL=activeSSL_PROTOCOL_VERSION=3HOST=xx.xx.xxx.xxx:2087HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4HTTP_STATUS=200HTTP_HOST=xx.xx.xxx.xxxSERVER_PORT=2087ACCEPT_ENCODING=gzip,deflateUSER=rootHTTPS=onSUBID=REMOTE_HOST=127.0.0.1REMOTE_USER=rootSCRIPT_URI=scripts/dosrvmngREMOTE_PORT=36001PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbinPWD=/usr/local/cpanel/whostmgr/docrootWHM50=10.8.0LANG=en_US.UTF-8HTTP_REFERER=https://xx.xx.xxx.xxx:2087/scripts/srvmngUPLINK=REMOTE_ADDR=127.0.0.1SHLVL=3HOME=/rootSERVER_NAME=xx.xx.xxx.xxxCONTENT_LENGTH=QUERY_STRING=antirelayd=1&clamd=1&entropychat=1&exim=1&eximmonitor=1&eximstats=1&eximstatsmonitor=1&ftpd=1&ftpdmonitor=1&httpd=1&httpdmonitor=1&imap=1&imapmonitor=1&melange=1&mysql=1&mysqlmonitor=1&named=1&namedmonitor=1&pop=1&popmonitor=1&postgresql=1&postgresqlmonitor=1&spamd=1&spamdmonitor=1&syslogd=1&exim-altportnum=26SERVER_ADDR=127.0.0.1DNS=yourdomain.comGATEWAY_INTERFACE=CGI/1.1RESTARTSRV=1SERVER_PROTOCOL=HTTP/1.0CONTENT_TYPE=HTTP_COOKIE=whostmgrrelogin=noREQUEST_METHOD=GET_=/usr/local/apache/bin/httpdroot@nova
    
    Pretty scary huh??

    Then I thought "OK, one of my accounts got exploited". Went into the account that the environ told me and shockingly there was nothing there (nor had there ever been, so it was not deleted by the hacker). OK, that just added even more questions to the main one. I went then to the working directory and there was the freaking udp.pl file:

    -rw-r--r-- 1 nobody nobody 1.2K Jun 3 11:23 udp.pl

    That's a phpbb exploit but also a good udp flooder that can be used as part of a DDoS attack. So finally I checked what the cwd was in the process PID file and obviously it was /tmp:

    Code:
    root@nova [/proc/14870]# ls -lah
    total 0
    dr-xr-xr-x    3 nobody nobody 0 Jul  3 22:20 ./
    dr-xr-xr-x  398 root   root   0 Jun 16 15:44 ../
    dr-xr-xr-x    2 nobody nobody 0 Jul  3 23:10 attr/
    -r--------    1 nobody nobody 0 Jul  3 23:00 auxv
    -r--r--r--    1 nobody nobody 0 Jul  3 22:20 cmdline
    lrwxrwxrwx    1 nobody nobody 0 Jul  3 23:00 cwd -> /tmp/
    -r--------    1 nobody nobody 0 Jul  3 23:00 environ
    lrwxrwxrwx    1 nobody nobody 0 Jul  3 22:20 exe -> /usr/bin/perl*
    dr-x------    2 nobody nobody 0 Jul  3 22:25 fd/
    -rw-r--r--    1 nobody nobody 0 Jul  3 23:00 loginuid
    -r--------    1 nobody nobody 0 Jul  3 23:00 maps
    -rw-------    1 nobody nobody 0 Jul  3 23:00 mem
    -r--r--r--    1 nobody nobody 0 Jul  3 23:00 mounts
    lrwxrwxrwx    1 nobody nobody 0 Jul  3 23:00 root -> //
    -r--r--r--    1 nobody nobody 0 Jul  3 22:20 stat
    -r--r--r--    1 nobody nobody 0 Jul  3 22:20 statm
    -r--r--r--    1 nobody nobody 0 Jul  3 22:20 status
    dr-xr-xr-x    3 nobody nobody 0 Jul  3 23:10 task/
    -r--r--r--    1 nobody nobody 0 Jul  3 23:00 wchan
    
    root@nova [/proc/14865]# ls -lah
    total 0
    dr-xr-xr-x    3 nobody nobody 0 Jul  3 22:20 ./
    dr-xr-xr-x  398 root   root   0 Jun 16 15:44 ../
    dr-xr-xr-x    2 nobody nobody 0 Jul  3 23:16 attr/
    -r--------    1 nobody nobody 0 Jul  3 23:15 auxv
    -r--r--r--    1 nobody nobody 0 Jul  3 22:20 cmdline
    lrwxrwxrwx    1 nobody nobody 0 Jul  3 23:15 cwd -> /tmp/
    -r--------    1 nobody nobody 0 Jul  3 23:15 environ
    lrwxrwxrwx    1 nobody nobody 0 Jul  3 22:25 exe -> /bin/bash*
    dr-x------    2 nobody nobody 0 Jul  3 22:25 fd/
    -rw-r--r--    1 nobody nobody 0 Jul  3 23:15 loginuid
    -r--------    1 nobody nobody 0 Jul  3 23:15 maps
    -rw-------    1 nobody nobody 0 Jul  3 23:15 mem
    -r--r--r--    1 nobody nobody 0 Jul  3 23:15 mounts
    lrwxrwxrwx    1 nobody nobody 0 Jul  3 23:15 root -> //
    -r--r--r--    1 nobody nobody 0 Jul  3 22:20 stat
    -r--r--r--    1 nobody nobody 0 Jul  3 22:20 statm
    -r--r--r--    1 nobody nobody 0 Jul  3 22:20 status
    dr-xr-xr-x    3 nobody nobody 0 Jul  3 23:16 task/
    -r--r--r--    1 nobody nobody 0 Jul  3 23:15 wchan
    So finally, what was this running? The following:

    Code:
    root@nova [/proc/14865]# cat cmdline
    sh-ccd /tmp;perl udp.pl xxx.xxx.xxx.xxx 3111 900 1> /tmp/phpshellABxvZg 2>&1; cat /tmp/phpshellABxvZg; rm /tmp/phpshellABxvZgroot@nova
    
    root@nova [/proc/14870]# cat cmdline
    perludp.plxxx.xxx.xxx.xxx3111900root@nova

    Can it be a new cPanel vulnerability? I checked the logs for the account and found this:

    Code:
    127.0.0.1 - root [03/Jul/2006:23:28:18 -0400] "GET /scripts2/listaccts?searchtype=domain&search=tecnoneet&acctp=30 HTTP/1.1" 200 0 "https://xxx.xxx.xxx.xxx:2087/scripts2/listaccts" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4"
    Same hour as when I found the exploit.


    OK now, before you guys start jumping all over me, some considerations:

    1.- This is a perl file so it has nothing to do with what my php.ini preferences are, though it's pretty secure with system, exec, and others disallowed.
    2.- My /tmp partition is mounted in noexec,rw state.
    3.- Those ports and links in the logs are just damn odd.


    So, I'd like to know your thoughts or if anyone has had this exploit before to shed some light here. Again, I went through all access logs for all domains and couldn't find anything other than this leading me to a cPanel exploit.

    Thanks for reading! :)
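    As an added example (not the poster's or cPanel's code), a small Python triage helper that does what the poster did by hand on /proc/PID: it splits `environ` and `cmdline` on the NUL bytes that `cat` does not render (which is why the values above run together), then flags the combination seen here, a process owned by `nobody` with cwd in /tmp, an interpreter launched on a .pl script, and a CGI environment inherited from a 127.0.0.1 request. The indicator sets, the `triage_pid` helper and the sample bytes are assumptions constructed for the example.

```python
# Added example: parse /proc/<pid>/environ and cmdline (NUL-separated
# records) and flag the indicators the poster found by hand.
import os
import pwd

SUSPICIOUS_CWD = {"/tmp", "/var/tmp", "/dev/shm"}   # assumed indicator set
INTERPRETERS = {"perl", "python", "sh", "bash"}      # assumed indicator set

def parse_nul(data: bytes) -> list[str]:
    """Split NUL-terminated records; `cat` shows them run together."""
    return [s.decode("utf-8", "replace") for s in data.split(b"\x00") if s]

def parse_environ(data: bytes) -> dict[str, str]:
    """environ holds KEY=VALUE records; keep the first '=' as the separator."""
    env = {}
    for rec in parse_nul(data):
        key, _, val = rec.partition("=")
        env[key] = val
    return env

def triage(user: str, exe: str, cwd: str, argv: list[str],
           env: dict[str, str]) -> list[str]:
    """Return the reasons a process resembles the udp.pl case in the thread."""
    reasons = []
    if user == "nobody" and cwd in SUSPICIOUS_CWD:
        reasons.append(f"web-server user with cwd {cwd}")
    if os.path.basename(exe) in INTERPRETERS and any(a.endswith(".pl") for a in argv):
        reasons.append("interpreter invoked directly on a .pl script")
    if env.get("GATEWAY_INTERFACE", "").startswith("CGI/") and env.get("REMOTE_ADDR") == "127.0.0.1":
        reasons.append("inherited a CGI environment from a localhost request")
    return reasons

def triage_pid(pid: int) -> list[str]:
    """Live check against /proc (Linux only); a process that vanished mid-read yields []."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/environ", "rb") as f:
            env = parse_environ(f.read())
        with open(f"{base}/cmdline", "rb") as f:
            argv = parse_nul(f.read())
        exe = os.readlink(f"{base}/exe")
        cwd = os.readlink(f"{base}/cwd")
        user = pwd.getpwuid(os.stat(base).st_uid).pw_name
    except OSError:
        return []
    return triage(user, exe, cwd, argv, env)

# Constructed sample mirroring PID 14870 from the post (environ abbreviated).
SAMPLE_ENVIRON = (b"CPANEL=active\x00REMOTE_ADDR=127.0.0.1\x00GATEWAY_INTERFACE=CGI/1.1"
                  b"\x00SCRIPT_URI=scripts/dosrvmng\x00PWD=/tmp\x00")
SAMPLE_CMDLINE = b"perl\x00udp.pl\x00xxx.xxx.xxx.xxx\x003111\x00900\x00"
```

Run `triage_pid(pid)` over `os.listdir("/proc")` entries that are digits to sweep a live box; an empty list means none of the three indicators matched.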
     
  2. avijit

    avijit Well-Known Member

    Joined:
    Jul 26, 2004
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    It seems that the udp.pl was running as a result of a crafted url attack and it can be prevented by enforcing a decent mod_sec rule.

    Even if the /tmp is mounted as noexec it can be used to run perl scripts. It will not run './udp.pl' from there but it will easily run 'perl /tmp/udp.pl'.

    I am not quite sure about the cpanel exploit as I think those are the cPanel processes that are running.

    Will wait for the opinions of the cPanel geeks here on this.
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Looks like a perfectly normal PHP script compromise. If you're not running phpsuexec then anything uploaded through a PHP script will be owned by and run under the nobody account. Clearly it's being done through a php shell script (it's even called that). So you have a compromised PHP script. You'll need to track down which one it is and remove it.
     