Passwords reset on multiple accounts

DanielTud
Member, joined Feb 17, 2017, Romania. cPanel Access Level: Reseller Owner
Hi,

I have received multiple password reset confirmation emails for different cPanel accounts on the same server.

I have reset all the cPanel passwords and the root password. What should I do next?

Is there a WHM/cPanel vulnerability?

This notice is the result of a request made by a computer with the IP address of “105.158.77.142” through the “cpanel” service on the server.
The remote computer’s location appears to be: Morocco (MA).

The remote computer’s IP address is assigned to the provider: “ADSL_Maroc_telecom”

The remote computer’s network link type appears to be: “DSL”.

The remote computer’s operating system appears to be: “Windows” with version “7 or 8”.

The system generated this notice on 2018-01-14 at 14:47:16 UTC.

DanielTud
Member, joined Feb 17, 2017, Romania. cPanel Access Level: Reseller Owner
All the accounts, even the ones for which I didn't receive a password reset email, have had their databases compromised! For example, on the WordPress websites all the login usernames were changed to admin.

Following this cPanel article, it seems I should restore the backups on a fresh server...


LE 1: From the access_log I can see that the cPanel passwords have been reset by logging into each cPanel account.

cPWilliamL
cP Technical Analyst II, Staff member, joined May 15, 2017, America. cPanel Access Level: Root Administrator
Hi @DanielTud,

Sorry to hear you are having issues with compromised accounts/passwords. I believe the accounts may have already been compromised at the application level, and the hacker has likely used this application-level access to change the contact email for the account, then used the 'reset password' function to gain access to the cPanel interface. If this is the case, you may see reset attempts at `/var/cpanel/passreset/`. You'll also see the cPanel contact email address changed for the relevant users.

While restoring from a backup is a great idea, you'll also need to pinpoint how the hacker originally gained access to the application (i.e. WordPress) and patch/address that vulnerability so it doesn't occur on the new server.
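As an added example (not part of the thread and not cPanel's own tooling), the following POSIX shell script bundles the three checks cPWilliamL points at: reset-related requests per source IP in the cPanel service access log, the contact address recorded for each account, and freshly written files under the reset-token directory. The log layout, the request paths it matches (`resetpass`, `passwd`), the `CONTACTEMAIL`/`CONTACTEMAIL2` keys in `/var/cpanel/users/<user>`, and the default paths are assumptions to confirm against your own server before relying on them. It runs on constructed sample data (only the attacker IP is taken from the notification quoted above) so it can be tried offline; point the functions at the real files once you have verified the layout.

```sh
#!/bin/sh
# Triage helper for suspected cPanel password-reset abuse.
# Added example, not cPanel's code. Assumed (hypothetical until checked) paths:
#   /usr/local/cpanel/logs/access_log  - cPanel/WHM service log
#   /var/cpanel/passreset/             - reset tokens named in the thread
#   /var/cpanel/users/<user>           - per-account file with CONTACTEMAIL=...
set -eu

# Count requests whose request line matches a reset/password path, per client IP.
# The pattern is an assumption about cPanel URL layout; adjust to your own log.
reset_requests_by_ip() {
    log="$1"
    pattern="${2:-resetpass|passwd}"
    awk -v pat="$pattern" '
        {
            req = $0
            sub(/^[^"]*"/, "", req); sub(/".*$/, "", req)   # keep "METHOD /path HTTP/x"
            if (req ~ pat) count[$1]++                         # $1 is the client IP
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }' "$log" | sort -rn
}

# Print "<account> <contact emails>" for every account file, so an address the
# attacker substituted stands out next to the legitimate ones.
contact_emails() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        user=$(basename "$f")
        emails=$(grep -E '^CONTACTEMAIL2?=' "$f" | cut -d= -f2- | paste -sd' ' -)
        printf '%s %s\n' "$user" "$emails"
    done
}

# Files in the reset directory modified within the last N hours (default 24);
# the thread's _fake_user_12 token was about 8 hours old when it was found.
recent_reset_tokens() {
    dir="$1"; hours="${2:-24}"
    find "$dir" -type f -mmin "-$((hours * 60))" 2>/dev/null | sort
}

# --- constructed sample data (not copied from the original server) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_LOG="$WORK/access_log"
SAMPLE_USERS="$WORK/users"
SAMPLE_RESET="$WORK/passreset"
mkdir -p "$SAMPLE_USERS" "$SAMPLE_RESET"

# Lines modelled on the cPanel service log layout; only the first IP is from the
# notification in the thread, everything else is made up for the example.
cat > "$SAMPLE_LOG" <<'EOF'
105.158.77.142 - - [01/14/2018:14:46:50 -0000] "GET /resetpass?start=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1)"
105.158.77.142 - - [01/14/2018:14:47:10 -0000] "POST /resetpass HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - site1 [01/14/2018:14:50:01 -0000] "GET /frontend/paper_lantern/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
105.158.77.142 - site2 [01/14/2018:15:02:33 -0000] "POST /frontend/paper_lantern/passwd/changepass.html HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1)"
EOF

printf 'CONTACTEMAIL=owner@example.org\n' > "$SAMPLE_USERS/site1"
printf 'CONTACTEMAIL=attacker@example.net\nCONTACTEMAIL2=owner2@example.org\n' > "$SAMPLE_USERS/site2"
: > "$SAMPLE_RESET/_fake_user_12"    # fresh token-like file, as reported in the thread

echo "== reset-related requests per source IP =="
reset_requests_by_ip "$SAMPLE_LOG"
echo "== contact addresses per account =="
contact_emails "$SAMPLE_USERS"
echo "== reset tokens touched in the last 24h =="
recent_reset_tokens "$SAMPLE_RESET"
```

On a live server, replace the sample paths with the real ones and compare the contact addresses against the values your customers signed up with; an address you do not recognise on an account that received a reset notice is the change cPWilliamL describes.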
DanielTud
Member, joined Feb 17, 2017, Romania. cPanel Access Level: Reseller Owner
Thank you for replying!

I have found a suspicious file in /var/cpanel/passreset/. It is called _fake_user_12 and it was created 8 hours ago.

Some other files in the same path look like .floodprotect-[accountname]_default. I have replaced the account name with [].

I don't think it is WordPress related because he also hacked some fresh websites with everything updated and at most 2 plugins.
cPWilliamL
cP Technical Analyst II, Staff member, joined May 15, 2017, America. cPanel Access Level: Root Administrator
I'd recommend reaching out to your host or a security professional to determine exactly how the account was compromised. If it's a fresh account/website, it should be fairly easy to track. Unfortunately, we don't provide any security services; however, if you believe there is a security flaw with cPanel, please do open a ticket and provide specific details about the flaw. We'll be happy to ensure the compromise was not made via cPanel, but we can't really assist in forensics with site-code vulnerabilities/compromises.