The Community Forums


Password that is the same as your username?

Discussion in 'General Discussion' started by marcadrian, Mar 23, 2006.

  1. marcadrian

    marcadrian Member

    Joined:
    Apr 7, 2005
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Someone got our /etc/passwd file somehow (not hard).

    Someone tried many FTP connections to the server, running through the userlist in the /etc/passwd file and trying to connect with a u/p combination of

    u: username
    p: username

    i.e. they were trying root/root, jun5746/jun5746, etc.

    They got THREE accounts! Three users were stupid enough to have their passwords the same as their username. HOWEVER when I tried to change my own password to be my username, Cpanel stopped me with a message "Sorry your password cannot contain your username".

    How on earth did these users manage to do it?
     
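The pattern described above (one source walking the user list with password equal to username, and a few logins succeeding) is detectable in the FTP daemon's log. The following is an added example, not code from the thread or from cPanel; it parses constructed syslog lines modelled on pure-ftpd's "Authentication failed for user [x]" and "x is now logged in" messages (an assumption about the log format), flags a source that fails against many distinct usernames inside a time window, and lists which usernames logged in from that source during the spray.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, modelled on pure-ftpd syslog output (assumed format).
# 203.0.113.9 walks the user list; one account (jun5746) accepts the login.
SAMPLE_LOG = """\
Mar 23 02:14:01 srv pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [root]
Mar 23 02:14:02 srv pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [alice]
Mar 23 02:14:03 srv pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [bob]
Mar 23 02:14:04 srv pure-ftpd: (?@203.0.113.9) [INFO] jun5746 is now logged in
Mar 23 02:14:05 srv pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [carol]
Mar 23 02:14:06 srv pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [dave]
Mar 23 02:30:00 srv pure-ftpd: (?@198.51.100.4) [WARNING] Authentication failed for user [alice]
Mar 23 02:30:09 srv pure-ftpd: (?@198.51.100.4) [INFO] alice is now logged in
"""

PREFIX = r"^(\w{3} +\d+ [\d:]+) \S+ pure-ftpd: \(\S*@([\d.]+)\) "
FAIL_RE = re.compile(PREFIX + r"\[WARNING\] Authentication failed for user \[([^\]]+)\]")
OK_RE = re.compile(PREFIX + r"\[INFO\] (\S+) is now logged in")

def parse(lines, year=2006):
    """Yield (timestamp, source_ip, username, success); syslog has no year, so one is assumed."""
    for line in lines:
        for rx, ok in ((FAIL_RE, False), (OK_RE, True)):
            m = rx.match(line)
            if m:
                ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
                yield ts, m.group(2), m.group(3), ok
                break

def find_sprays(lines, min_users=4, window_s=600):
    """Flag sources that fail against >= min_users distinct usernames within window_s seconds.
    For each flagged source, also report usernames that logged in from it during that window,
    since those are the accounts whose password the attacker guessed."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(lines):
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [(t, u) for t, u, ok in events if not ok]
        for i, (t0, _) in enumerate(fails):
            t_end = t0 + timedelta(seconds=window_s)
            tried = {u for t, u in fails[i:] if t <= t_end}
            if len(tried) >= min_users:
                logged_in = sorted({u for t, u, ok in events if ok and t0 <= t <= t_end})
                findings[ip] = {"tried": len(tried), "logged_in": logged_in}
                break  # one finding per source is enough for an alert
    return findings
```

A single failed login from 198.51.100.4 followed by a success stays below the threshold, so only the spraying source is reported; the accounts it logged into are the ones to force a password reset on.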
  2. rusel

    rusel BANNED

    Joined:
    Aug 1, 2005
    Messages:
    28
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Poland
    shell access...
     
  3. marcadrian

    marcadrian Member

    Joined:
    Apr 7, 2005
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    shell access?

    these guys wouldn't know a bash shell from a turtle shell.
     
  4. HostMerit

    HostMerit Well-Known Member

    Joined:
    Oct 24, 2004
    Messages:
    160
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA
    cPanel Access Level:
    DataCenter Provider
    Quite Easy

    Exploit A Shell or ANY PHP Script that can run a command, and just do cat /etc/passwd

    or you can run cd%20/etc;cat%20passwd

    Once from there, just modify your script, and try the combos.

    This is why Cpanel boxes are so bloody easy to exploit / create into perl bots, it's quite laughable.

    I suggest looking into mod_security, and try my configuration. I've tried exploiting my own server many times in different styles while building it / to block, and it's quite popular here on the Cpanel forums :)

    http://www.hostmerit.com/modsec.user.conf

    In the meantime try chmod 000 /usr/bin/wget , kill all the processes and do the above.

    Also in /tmp run : find ./ -user nobody|xargs rm -rf

    Also run that in /dev/shm

    And check /usr/local/apache/proxy for any files, NO files should be in /dev/shm or the proxy dir.

    But that's how: once they can run a remote command to get your passwd file, and have your usernames, it's quite easy.
     
  5. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    0
    Yes, and if you're going to use HostMerit's rules make sure you comment out this rule.

    #SecFilterSelective THE_REQUEST "cp\x20"

    Otherwise Vbulletin admins will not be able to log into their admin menu.
     
  6. marcadrian

    marcadrian Member

    Joined:
    Apr 7, 2005
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    you have all missed my point...

    I want to know if there is a way through ANY CPANEL\WHM OPTION to set your password to be the same as your username.

    I *know* you can do it through shell with the 'passwd' command but these people did not do that.

    Before they were hacked, they ALREADY had their password the same as their username. They must have done this way back when the account was created, before the domain was delegated to us or anyone knew about it.
     
  7. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    WHM won't let you create an account where the password contains the username and cPanel enforces similar restrictions when changing the password.

    The only feasible option is that this was done through shell however unlikely it may seem.

    Were these accounts created by you, or were they transferred from another server? If they were transferred and weren't created by you it is possible that the password had been set the same as the username, through shell, prior to the transfer.

    You say that these users couldn't tell a bash shell from a turtle shell, which would suggest that they wouldn't have a clue about what they were really doing if they had tried to change their password via shell.
     
  8. marcadrian

    marcadrian Member

    Joined:
    Apr 7, 2005
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    copied account

    They must have been copied accounts, the only mention of a "passwd" command being issued was after the account was hacked. (They changed the password to keep the account in their back pocket no doubt).

    Still a mystery to me. Oh well! I have implemented a few of your modsec.conf rules and I'll see if I catch anyone out..
     
  9. blade951875

    blade951875 Member

    Joined:
    Mar 29, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    How are you so sure?
     
  10. marcadrian

    marcadrian Member

    Joined:
    Apr 7, 2005
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    logs

    Well I have server logs telling me that they have never SSH'd in, and their bash_history was empty until it was hacked...
     
  11. nickn

    nickn Well-Known Member
    PartnerNOC

    Joined:
    Jun 15, 2003
    Messages:
    619
    Likes Received:
    1
    Trophy Points:
    18
    Do you use any billing software? Was the account created by cPanel?
     