Password that is the same as your username?

marcadrian

Member
Apr 7, 2005
Someone got our /etc/passwd file somehow (not hard).

Someone tried many FTP connections to the server, running through the userlist in the /etc/passwd file and trying to connect with a u/p combination of

u: username
p: username

i.e. they were trying root/root, jun5746/jun5746, etc.

They got THREE accounts! Three users were stupid enough to have their passwords the same as their username. HOWEVER, when I tried to change my own password to be my username, Cpanel stopped me with the message "Sorry your password cannot contain your username".

How on earth did these users manage to do it?

HostMerit

Well-Known Member
Oct 24, 2004
Quite Easy

Exploit A Shell or ANY PHP Script that can run a command, and just do cat /etc/passwd

or you can run cd%20/etc;cat%20passwd

Once from there, just modify your script, and try the combos.

This is why Cpanel boxes are so bloody easy to exploit / turn into perl bots, it's quite laughable.

I suggest looking into mod_security, and try my configuration. I've tried exploiting my own server many times in different styles while building it to block them, and it's quite popular here on the Cpanel forums :)

http://www.hostmerit.com/modsec.user.conf

In the meantime try chmod 000 /usr/bin/wget, kill all the processes and do the above.

Also in /tmp run : find ./ -user nobody|xargs rm -rf

Also run that in /dev/shm

And check /usr/local/apache/proxy for any files, NO files should be in /dev/shm or the proxy dir.

But that's how: once they can run a remote command to get your passwd file, and have your usernames, it's quite easy.

jackie46

BANNED
Jul 25, 2005
Yes, and if you're going to use HostMerit's rules, make sure you comment out this rule.

#SecFilterSelective THE_REQUEST "cp\x20"

Otherwise Vbulletin admins will not be able to log into their admin menu.
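To see why that filter trips over vBulletin, here is an added example (not from the thread or from HostMerit's ruleset) that emulates the `cp\x20` match on constructed request lines; the tighter pattern at the end is my own suggestion, not something the thread proposes.

```python
import re

# The ModSecurity 1.x filter quoted above: "cp" followed by a literal space,
# matched anywhere in the request line (THE_REQUEST).
ORIGINAL_FILTER = re.compile(r"cp\x20")

# Tighter alternative (an assumption of this example, not from the thread):
# only fire when "cp " begins a shell word, i.e. is preceded by start of
# string, whitespace or a shell separator, so "admincp " no longer matches.
TIGHTER_FILTER = re.compile(r"(?:^|[\s;&|`(])cp\x20")

# Constructed sample request lines, not taken from any real log.
REQUESTS = {
    # vBulletin admin panel path: "admincp" is followed by the space before
    # the protocol token, which is exactly what the original filter matches.
    "vbulletin_admin": "GET /forum/admincp HTTP/1.1",
    # Ordinary page load with no "cp " anywhere in it.
    "normal_page": "GET /forum/showthread.php?t=42 HTTP/1.1",
    # The shape of request the filter was written to stop (URL-decoded form),
    # with a harmless placeholder command.
    "injection": "GET /cgi-bin/test.cgi?c=;cp a b HTTP/1.1",
}


def blocked_by(pattern: re.Pattern, request_line: str) -> bool:
    """Return True if the filter would block this request line."""
    return pattern.search(request_line) is not None


def evaluate(pattern: re.Pattern) -> dict:
    """Run one filter over every sample request and report what it blocks."""
    return {name: blocked_by(pattern, line) for name, line in REQUESTS.items()}


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_FILTER), ("tighter", TIGHTER_FILTER)):
        print(label, evaluate(pattern))
```

The original filter blocks the legitimate admin request alongside the injection attempt; the tighter pattern still blocks the injection but lets the vBulletin request through.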

marcadrian

Member
Apr 7, 2005
You have all missed my point...

I want to know if there is a way through ANY CPANEL\WHM OPTION to set your password to be the same as your username.

I *know* you can do it through shell with the 'passwd' command but these people did not do that.

Before they were hacked, they ALREADY had their password the same as their username. They must have done this way back when the account was created, before the domain was delegated to us or anyone knew about it.

webignition

Well-Known Member
Jan 22, 2005
WHM won't let you create an account where the password contains the username and cPanel enforces similar restrictions when changing the password.

The only feasible option is that this was done through shell however unlikely it may seem.

Were these accounts created by you, or were they transferred from another server? If they were transferred and weren't created by you, it is possible that the password had been set the same as the username, through shell, prior to the transfer.

You say that these users couldn't tell a bash shell from a turtle shell, which would suggest that they wouldn't have a clue about what they were really doing if they had tried to change their password via shell.

marcadrian

Member
Apr 7, 2005
copied account

They must have been copied accounts; the only mention of a "passwd" command being issued was after the account was hacked. (They changed the password to keep the account in their back pocket, no doubt.)

Still a mystery to me. Oh well! I have implemented a few of your modsec.conf rules and I'll see if I catch anyone out...

marcadrian

Member
Apr 7, 2005
logs

Well I have server logs telling me that they have never SSH'd in, and their bash_history was empty until it was hacked...

nickn

Well-Known Member
PartnerNOC
Jun 15, 2003
marcadrian said:
Well I have server logs telling me that they have never SSH'd in, and their bash_history was empty until it was hacked...
Do you use any billing software? Was the account created by cPanel?