Phishing subdomains constantly created

axel50397 · Apr 18, 2015

Hi there,
We are noticing it from a long time but can't find where it's from. Sometimes once a week, sometimes 3 or 4 the same day, we are receiving "abuse" emails from companies for hosting phishing websites (our IP has been blocked several times).

At the beginning it touched only few customers using Wordpress and mysterious plugins, we didn't care a lot and suspended the accounts until reactions. Now it seems to touch anyone. We (in the team) have created few accounts for our own usage, some are active, some were never used (nothing uploaded since the creation). Despite this, every week we see phishing subdomains created (containing phishing website) or sometimes only 1 .html is created with a JS redirection to another account.

We've noticed that sometimes it's the exact same IP in the .lastlogin, so when we grep it in cpanel logs, here is what we see:

root [~]# grep "197.X.X.X" /usr/local/cpanel/logs/login_log
197.X.X.X - bloodofj [04/18/2015:00:10:07 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user bloodofj (loadcpdata failed)
197.X.X.X - artvinfo [04/18/2015:00:10:36 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user artvinfo (loadcpdata failed)
197.X.X.X - nebuleus [04/18/2015:00:10:52 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user nebuleus (loadcpdata failed)
197.X.X.X - producti [04/18/2015:00:22:05 -0000] "GET / HTTP/1.1" DEFERRED LOGIN cpaneld: security token missing
Click to expand...

At first sight, I understand that he is using the login form. It's like he has the passwords (hard to believe because we create users from WHMCS with generated passwords =/ )
Then:

root [~]# grep "197.X.X.X" /usr/local/cpanel/logs/access_log
197.X.X.X - - [04/18/2015:00:09:46 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla
/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.
2272.118 Safari/537.36" "-" "-"
197.X.X.X - - [04/18/2015:00:09:46 -0000] "GET /cPanel_magic_revision_1396130370/unprotected/cpanel/images/login-whisp.png HTTP/1.1" 200 0 "https://ssh.myserver.com:2083/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" "-" "-"
197.X.X.X - acct1 [04/18/2015:00:09:46 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "https://ssh.myserver.com:2083/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" "-" "-"
197.X.X.X - acct2 [04/18/2015:00:10:35 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "https://ssh.myserver.com:2083/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" "-" "-"
197.X.X.X - acct3 [04/18/2015:00:10:52 -0000] "POST /login/?login_only=1 HTTP/1.1" 401 0 "https://ssh.myserver.com:2083/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" "-" "-"
197.X.X.X - acct4 [04/18/2015:00:11:09 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "https://ssh.myserver.com:2083/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" "-" "-"
197.X.X.X - acct4 [04/18/2015:00:11:12 -0000] "GET /cpsess3987311672/ HTTP/1.1" 200 0 "https://ssh.myserver.com:2083/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" "-" "-"
197.X.X.X - acct4 [04/18/2015:00:11:13 -0000] "GET /cpsess3987311672/frontend/x3/index.html HTTP/1.1" 200 0 "https://ssh.myserver.com:2083/" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" "-" "-"
[...]
197.X.X.X - acct4 [04/18/2015:00:11:31 -0000] "GET /cpsess3987311672/frontend/x3/subdomain/index.html HTTP/1.1" 200 0 "https://ssh.myserver.com:2083/cpsess3987311672/frontend/x3/index.html" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" "-" "-"
197.X.X.X - acct4 [04/18/2015:00:12:17 -0000] "GET /cpsess3987311672/frontend/x3/subdomain/doadddomain.html?domain=ac.update.line.defap4527.lverificatiion.74463986dhuibnostr89.submit.43do.aad54f38655583lddsopa81089.edit7899787734534434556sdn28001&rootdomain=live.v-info.info&dir=public_html%2Fac.update.line.defap4527.lverificatiion.74463986dhuibnostr89.submit.43do.aad54f38655583lddsopa81089.edit7899787734534434556sdn28001&go=create HTTP/1.1" 200 0 "https://ssh.myserver.com:2083/cpsess3987311672/frontend/x3/subdomain/index.html" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" "-" "-"
[...]
197.X.X.X - acct5 [04/18/2015:00:23:17 -0000] "GET /cPanel_magic_revision_1396129212/frontend/x3/filemanager/img/icons/codeEditorB.gif HTTP/1.1" 304 0 "https://ssh.myserver.com:2083/cpsess2073941840/frontend/x3/filemanager/editit.html?file=imdex.php&fileop=&dir=%2Fhome%2Facct5%2Fpublic_html&dirop=&charset=&file_charset=utf-8&baseurl=&basedir=&codeedit=1" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" "-" "-"
197.X.X.X - acct5 [04/18/2015:00:23:20 -0000] "GET /cpsess2073941840/json-api/cpanel?cpanel_jsonapi_module=Encoding&cpanel_jsonapi_func=guess_file&cpanel_jsonapi_apiversion=2&file=%2Fhome%2Facct5%2Fpublic_html%2Finndex.php HTTP/1.1" 200 0 "https://ssh.myserver.com:2083/cpsess2073941840/frontend/x3/filemanager/index.html?dirselect=webroot&domainselect=acct5.com&dir=%2Fhome%2Facct5%2Fpublic_html" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" "-" "-"
197.X.X.X - acct5 [04/18/2015:00:23:22 -0000] "GET /cpsess2073941840/frontend/x3/filemanager/editit.html?file=inndex.php&fileop=&dir=%2Fhome%2Facct5%2Fpublic_html&dirop=&charset=&file_charset=utf-8&baseurl=&basedir=&codeedit=1 HTTP/1.1" 200 0 "https://ssh.myserver.com:2083/cpsess2073941840/frontend/x3/filemanager/index.html?dirselect=webroot&domainselect=acct5.com&dir=%2Fhome%2Feolisodf%2Fpublic_html" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" "-" "-"
Click to expand...

As you can see, in the first "block", he tries some accounts and fails but gains access to acct4... After that, in the second block, we see him creating the subdomains using the web panel (or a script using it), and in the third part he's using the file manager to create and modify some files on acct5...

Users capable of setting the same password everywhere, why not. But having this attack on multiple accounts including the team's websites, it's hard to believe. Moreover, the account password can be used to access the FTP directly...

I must say that we've run LMD and chkrootkit (and some other check scripts), but everything is negative. Has anyone encountered such an issue, or have an idea please?

Thank you for your help.

mtindor · Apr 19, 2015

axel50397 said: ↑

Hi there,
We are noticing it from a long time but can't find where it's from. Sometimes once a week, sometimes 3 or 4 the same day, we are receiving "abuse" emails from companies for hosting phishing websites (our IP has been blocked several times).

At the beginning it touched only few customers using Wordpress and mysterious plugins, we didn't care a lot and suspended the accounts until reactions. Now it seems to touch anyone. We (in the team) have created few accounts for our own usage, some are active, some were never used (nothing uploaded since the creation). Despite this, every week we see phishing subdomains created (containing phishing website) or sometimes only 1 .html is created with a JS redirection to another account.

We've noticed that sometimes it's the exact same IP in the .lastlogin, so when we grep it in cpanel logs, here is what we see:

At first sight, I understand that he is using the login form. It's like he has the passwords (hard to believe because we create users from WHMCS with generated passwords =/ )
Then:

As you can see, in the first "block", he tries some accounts and fails but gains access to acct4... After that, in the second block, we see him creating the subdomains using the web panel (or a script using it), and in the third part he's using the file manager to create and modify some files on acct5...

Users capable of setting the same password everywhere, why not. But having this attack on multiple accounts including the team's websites, it's hard to believe. Moreover, the account password can be used to access the FTP directly...

I must say that we've run LMD and chkrootkit (and some other check scripts), but everything is negative. Has anyone encountered such an issue, or have an idea please?

Thank you for your help.
Click to expand...

You might want to consider the possibility that your WHMCS install has been breached. If you don't have the latest 5.3.x version installed and are not adhering to all proper security practices with respect to the billing system, then the billing system ends up getting compromised.

Did you add your new "team" accounts through WHMCS? If somebody has control of your WHMCS install it would be trivial for them to go and fetch the login credentials for a particular hosting account.

M

axel50397 · Apr 19, 2015

mtindor said: ↑

You might want to consider the possibility that your WHMCS install has been breached. If you don't have the latest 5.3.x version installed and are not adhering to all proper security practices with respect to the billing system, then the billing system ends up getting compromised.
Click to expand...

This is indeed a vector. But we we've changed our WHMCS passwords and the database password at the same time. Concerning SSH, we receive an email anytime someone not whitelisted is connected, and we currently only have our IP listed. We often see SQL injections attempts (with AES_ENCRYPT strings) but as we're updated, it always fails. Strangely, these attempts are from USA while the successfully hacks are done from Tunisia. And of course, the ISP never answered our abuses.

mtindor said: ↑

Did you add your new "team" accounts through WHMCS? If somebody has control of your WHMCS install it would be trivial for them to go and fetch the login credentials for a particular hosting account.
Click to expand...

Yes we do, in order to keep a consistency in WHMCS. We also pay our personal hosting websites, so it's a must to use WHMCS.

Any other idea ?
Thank you for your help.

cPanelMichael · Apr 21, 2015

Hello,

While it's a slightly different issue reported, you may find this thread helpful:

https://forums.cpanel.net/threads/exploits-somehow-getting-on-server.380372/

Thank you.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Phishing subdomains constantly created

axel50397 Member

mtindor Well-Known Member

axel50397 Member

cPanelMichael Forums Analyst
Staff Member

Phishing using the /.well-known/ directory

Phishing Activity on Website

How can I report a phishing email?

Reseller - Phishing Accounts

Full Backup Excludes Subdomains?

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Phishing subdomains constantly created

axel50397 Member

mtindor Well-Known Member

axel50397 Member

cPanelMichael Forums Analyst Staff Member

Phishing using the /.well-known/ directory

Phishing Activity on Website

How can I report a phishing email?

Reseller - Phishing Accounts

Full Backup Excludes Subdomains?

Share This Page

cPanelMichael Forums Analyst
Staff Member