dansgalaxy (Well-Known Member, joined Jan 29, 2007, Reading, UK; cPanel Access Level: Root Administrator)
I have a client who is getting very frustrated, as his old passwords still work (as well as the new ones).

I have spoken to the company responsible for my server licence and ended up changing the password from the command line, which seemed to wipe out the old passwords, but now that he has changed the password to his own one the problem remains and all his old passwords still work.

This is an urgent security issue for the client, as he gave access to someone to do something and is now unable to revoke it.

Any ideas as to why and how the hell this is happening?
 

cPanelDavidG (Technical Product Specialist, joined Nov 29, 2006, Houston, TX; cPanel Access Level: Root Administrator)
Can you provide me with detailed steps as to what the user is doing that is resulting in old passwords working? This will assist me in replicating this issue.
 

dansgalaxy (Well-Known Member, joined Jan 29, 2007, Reading, UK; cPanel Access Level: Root Administrator)
Changing the password...

He has changed the password using WHMCS (which obviously does changes via the API module).

I have personally changed his password via WHM using both the sub-form on the List Accounts page and the dedicated account password change page.

They would enable the new passwords to work, but the old passwords still work (currently he can use 3 passwords to log in).

I spoke with support where I get my server/cPanel from; their solution was to change the password from the command line using /scripts/chpass. They did this and I did this, and it appeared to stop the old passwords working.

The client then changed the randomly generated password which I had changed it to, to his own... but apparently now the 3 passwords still work and allow login to the account.
 

cPanelDavidG (Technical Product Specialist, joined Nov 29, 2006, Houston, TX; cPanel Access Level: Root Administrator)
I am unable to replicate this issue by using WHM's password modification feature.

Things to check for:
1. Is the customer closing their web browser after logging out? If you are using the default HTTP authentication, the user is logged in until they close their web browser.

2. When logging in as the customer with their password, do you ever see a message at the top indicating they're logged in as a reseller?

If the user is closing their browser and they aren't logging in with their username and a reseller's password (which can happen if a reseller has a weak or commonly used password), please submit a support ticket so we can see this happening on your server and determine the cause of this issue: http://tickets.cPanel.net/submit
 

dansgalaxy (Well-Known Member, joined Jan 29, 2007, Reading, UK; cPanel Access Level: Root Administrator)
I thought it could be a password override too, but it isn't; I'm root (and the root password is randomly generated and full strength) and I know the user's passwords... so that's not it.

I have just logged in and out (and closed the browser between each try) with 3 different passwords on the account. No override notices were shown, so I'm fully confident this isn't a user-side issue.

Is it even possible for one account to have many same-level passwords (e.g. not overridden by reseller/root)?

EDIT: Just submitted a ticket. Request ID is: 454218
 

InterServed (Well-Known Member, joined Jul 10, 2007; cPanel Access Level: DataCenter Provider)
Hint: if you are using RAID and one or more HDDs crashed, the system will turn them read-only (happens on VPSes mostly, from what I have seen in the past).
 

Spiral (BANNED, joined Jun 24, 2005)
MySQL, mail, and FTP would be one thing, but am I correct in assuming you are talking about cPanel / WHM / SSH passwords?

For the latter, the passwords are tied to the server, so it doesn't make any sense that a changed password would still work, unless an open session were carried forward perhaps (see files in /tmp), or a new account were created, but then that would have a new login.

Does the user have duplicate entries in /etc/passwd? :confused:

(/etc/shadow... same question.)

InterServed may have made that side comment about RAID thinking that perhaps your user account files weren't getting updated, but if that were the case then the new passwords would not work and logins would only work with the original, unchanged passwords.

I don't know; if it is as you say, there is something definitely really screwy going on with your server that does not make any logical sense without seeing things and digging into it first hand.
 

dansgalaxy (Well-Known Member, joined Jan 29, 2007, Reading, UK; cPanel Access Level: Root Administrator)
Right, OK...

Was on a support ticket all of yesterday with cPanel... I think we've got it fixed.

It appears that somehow the password algorithm for the server was changed from MD5 to DES, so some passwords were saved as MD5 (presumably those which hadn't been changed in a while / since the algorithm change).

So I was instructed to change the algorithm via the command line and re-change the user's password so it was saved as MD5.

It appears the problem was that DES only allows a set number of characters and anything extra is ignored, so when my client changed his password to something of his own he was just changing the last few characters, meaning the first x letters were the same.

It's now been corrected, so hopefully we won't have the issue again; it was certainly a mind-boggler. lol
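Two things the thread asks for can be checked with one script, shown here as added example code that is neither cPanel's nor anything posted in the thread: Spiral's question about duplicate entries in /etc/passwd or /etc/shadow, and the final diagnosis that traditional DES crypt(3) only looks at the first 8 characters of a password, so any password sharing those 8 characters is accepted. The script parses shadow-format lines (the usernames and hashes below are constructed placeholders, not real account data), flags duplicate usernames and DES-hashed accounts, and classifies the other common hash prefixes as well (md5crypt, sha256/sha512crypt, bcrypt, yescrypt), which goes beyond the MD5-vs-DES case in the thread. Where the host's Python still ships the `crypt` module (deprecated in 3.11, removed in 3.13) and its libcrypt still generates DES hashes, it also demonstrates the collision directly; otherwise that part reports that it cannot run.

```python
"""Audit shadow-format entries for duplicate usernames and for legacy DES
hashes whose passwords are silently truncated to 8 characters.
Example code added to this thread; not cPanel's and not from any poster."""
import re
from collections import Counter
from typing import Optional

# Traditional DES crypt output: 13 chars from [./0-9A-Za-z], no "$" prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefix -> (scheme name, how many password chars are used;
# None means no limit). bcrypt stops at 72 bytes.
SCHEMES = {
    "$1$": ("md5crypt", None),
    "$2a$": ("bcrypt", 72),
    "$2b$": ("bcrypt", 72),
    "$2y$": ("bcrypt", 72),
    "$5$": ("sha256crypt", None),
    "$6$": ("sha512crypt", None),
    "$y$": ("yescrypt", None),
}

# Constructed sample: placeholder hashes, one duplicated username.
SAMPLE_SHADOW = """\
root:$6$kP9zQ2sL$N0tAreAlHashJustAplaceHolderForTheExample0123456789abcdefghijklmnopq:17000:0:99999:7:::
danclient:abJnggxhB/yWI:17000:0:99999:7:::
olduser:$1$Yz8qK1lm$Xxd1FMOU9b3vbaNtkCc3N.:17000:0:99999:7:::
nologin:!!:17000:0:99999:7:::
danclient:$1$Qw2eR4ty$Xxd1FMOU9b3vbaNtkCc3N.:17000:0:99999:7:::
"""


def classify_hash(field: str):
    """Return (scheme, effective_password_chars, locked) for one password field."""
    locked = field.startswith("!")       # "!" prefix = account locked
    h = field.lstrip("!")
    if h in ("", "*"):                   # no usable hash at all
        return ("none", None, True)
    for prefix, (name, limit) in SCHEMES.items():
        if h.startswith(prefix):
            return (name, limit, locked)
    if DES_RE.match(h):
        return ("des-crypt", 8, locked)
    return ("unknown", None, locked)


def audit_shadow(text: str):
    """Parse shadow-format lines; return one findings dict per entry, in order."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    names = Counter(ln.split(":", 1)[0] for ln in lines)
    findings = []
    for ln in lines:
        fields = ln.split(":")
        if len(fields) < 2:
            findings.append({"user": ln, "scheme": "malformed", "problems": ["malformed entry"]})
            continue
        user, pw = fields[0], fields[1]
        scheme, limit, locked = classify_hash(pw)
        problems = []
        if names[user] > 1:
            problems.append("duplicate username")
        if scheme == "des-crypt":
            problems.append("DES hash: only the first 8 password chars are checked")
        if scheme == "unknown":
            problems.append("unrecognised hash format")
        findings.append({"user": user, "scheme": scheme, "effective_chars": limit,
                         "locked": locked, "problems": problems})
    return findings


def des_truncation_demo(salt: str = "ab") -> Optional[dict]:
    """Hash three passwords with the system crypt(3) in DES mode (2-char salt).
    Returns None if the crypt module or DES support is unavailable here."""
    try:
        import crypt  # deprecated since Python 3.11, gone in 3.13
        base = "Tr0ub4d0r"             # 9 chars; DES only sees "Tr0ub4d0"
        longer = "Tr0ub4d0r&3-extra"   # same first 8 chars as base
        other = "Xr0ub4d0r"            # differs inside the first 8 chars
        hashes = [crypt.crypt(p, salt) for p in (base, longer, other)]
    except Exception:
        return None
    if any(h is None or not DES_RE.match(h) for h in hashes):
        return None                      # libcrypt refused to produce DES
    return {"hashes": hashes,
            "same_prefix_collide": hashes[0] == hashes[1],
            "different_prefix_collide": hashes[0] == hashes[2]}


if __name__ == "__main__":
    for finding in audit_shadow(SAMPLE_SHADOW):
        print(finding)
    print(des_truncation_demo())
```

Run it against a copy of the real /etc/shadow (as root) by passing the file contents to `audit_shadow`; any entry reported as `des-crypt` is an account where two passwords sharing their first 8 characters are interchangeable, exactly the behaviour the thread hit after the server's hashing method fell back from MD5 to DES.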