Possible mysql root password hacked

Vladimir Šebez

Member
PartnerNOC
May 5, 2016
Belgrade, Serbia
cPanel Access Level
Root Administrator
Recently I was looking into an issue where a cpanel user could not access his MySQL Databases page. When checking the cpanel error logs I found the following:

Code:
Use of uninitialized value in string ne at /usr/local/cpanel/Cpanel/MysqlUtils.pm line 1178, <STDIN> line 1.
Cpanel::Exception::InvalidCharacters/(XID n2p543) This value may not contain a line feed.
at /usr/local/cpanel/Cpanel/Exception/CORE.pm line 77, <STDIN> line 1.
        Cpanel::Exception::create("InvalidCharacters", "This value may not contain a line feed.", HASH(0x24f5f28)) called at /usr/local/cpanel/Cpanel/Exception.pm line 30
        Cpanel::Exception::__ANON__(__CPANEL_HIDDEN__, __CPANEL_HIDDEN__, HASH(0x24f5f28)) called at /usr/local/cpanel/Cpanel/Validate/LineTerminatorFree.pm line 50
        Cpanel::Validate::LineTerminatorFree::validate_or_die("'<html>\x{d}\x{a}<head>\x{d}\x{a}<title>hacked</title>\x{d}\x{a}</head>\x{d}\x{a}<body>\x{d}\x{a}<cen'") called at /usr/local/cpanel/Cpanel/MysqlUtils/Grants.pm line 248
        Cpanel::MysqlUtils::Grants::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80
        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71
        Try::Tiny::try(CODE(0x24f61e0), Try::Tiny::Catch=REF(0x24f67c8)) called at /usr/local/cpanel/Cpanel/MysqlUtils/Grants.pm line 252
        Cpanel::MysqlUtils::Grants::_init(Cpanel::MysqlUtils::Grants=HASH(0x24f6870), "GRANT USAGE ON *.* TO 'cpses_isdmOL3VWx'\@'<html>\x{d}\x{a}<head>\x{d}\x{a}<ti"...) called at /usr/local/cpanel/Cpanel/MysqlUtils/Grants.pm line 176
        Cpanel::MysqlUtils::Grants::new("Cpanel::MysqlUtils::Grants", "GRANT USAGE ON *.* TO 'cpses_isdmOL3VWx'\@'<html>\x{d}\x{a}<head>\x{d}\x{a}<ti"...) called at /usr/local/cpanel/Cpanel/MysqlUtils.pm line 1168
        Cpanel::MysqlUtils::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80
        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71
        Try::Tiny::try(CODE(0x24edbe0), Try::Tiny::Catch=REF(0x11b6648)) called at /usr/local/cpanel/Cpanel/MysqlUtils.pm line 1180
        Cpanel::MysqlUtils::show_grants_for_user(Cpanel::DBI::Mysql::db=HASH(0x24d70b8), "cpses_isdmOL3VWx") called at /usr/local/cpanel/Cpanel/Mysql.pm line 623
        Cpanel::Mysql::_dbowner_to_all_without_ownership_checks(Cpanel::Mysql=HASH(0x24b7348), "method", "GRANT", "users", HASH(0x11aa660), "database", undef) called at /usr/local/cpanel/Cpanel/Mysql.pm line 592
        Cpanel::Mysql::_dbowner_to_all_with_ownership_checks(Cpanel::Mysql=HASH(0x24b7348), "method", "GRANT", "users", HASH(0x11aa660)) called at /usr/local/cpanel/Cpanel/Mysql.pm line 791
        Cpanel::Mysql::updateprivs(Cpanel::Mysql=HASH(0x24b7348)) called at /usr/local/cpanel/Cpanel/Mysql.pm line 1644
        Cpanel::Mysql::dbcache(Cpanel::Mysql=HASH(0x24b7348), "") called at bin/admin/Cpanel/cpmysql.pl line 458
: GRANT USAGE ON *.* TO 'cpses_isdmOL3VWx'@'<html>
<head>
<title>hacked</title>
</head>
<body>
<cen' IDENTIFIED BY PASSWORD '*3A856FF10ECC09A96418B8815E2996DF705D1D0D'
[2016-11-14 16:53:00 +0100] warn [cpanel] Cpanel::Wrap::send_cpwrapd_request The adminbin “cpmysql” in the “Cpanel” namespace call to function “DBCACHE” ended prematurely: The subprocess reported error number 255 when it ended.: namespace=[Cpanel] module=[cpmysql] function=[DBCACHE]: set error in context mysql: raw_response=[{"exit_code":65280,"timeout":0,"action":"run","mode":"simple","data":"","version":"2.4","status":1,"statusmsg":"The adminbin “cpmysql” in the “Cpanel” namespace call to function “DBCACHE” ended prematurely: The subprocess reported error number 255 when it ended.","error":1}] at /usr/local/cpanel/Cpanel/Wrap.pm line 120, <$socket> line 1.
        Cpanel::Wrap::send_cpwrapd_request("namespace", "Cpanel", "module", "cpmysql", "function", "DBCACHE", "data", "", "action", ...) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 58
        Cpanel::AdminBin::adminrun("cpmysql", "DBCACHE", "") called at cpanel.pl line 2791
        cpanel::cpanel::domysql("initcache", ARRAY(0x5010c20)) called at cpanel.pl line 2095
        eval {...} called at cpanel.pl line 2095
        cpanel::cpanel::_api1("Mysql", "mysql", "initcache()", "initcache", ARRAY(0x5010c20), "safe_html_encode") called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
        eval {...} called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
        Cpanel::Template::Plugin::Api1::_api1_exec(0, "Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 45
        Cpanel::Template::Plugin::Api1::_captured_api1_exec("Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
        eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
        eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 16
        Template::Provider::__ANON__(Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 163
        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 161
        Template::Document::process(Template::Document=HASH(0x50c62d8), Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 351
        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 321
        Template::Context::process(Template::Context=HASH(0x5024278), Template::Document=HASH(0x50c62d8)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 94
        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 91
        Template::Service::process(Template::Service=HASH(0x5023ea0), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template.pm line 66
        Template::process(Template=HASH(0x5023b88), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798), SCALAR(0x28cde60)) called at /usr/local/cpanel/Cpanel/Template.pm line 427
        Cpanel::Template::process_template("cpanel", HASH(0x5023798), HASH(0x5023690)) called at cpanel.pl line 1221
        cpanel::cpanel::cptt_exectag("/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", 1) called at cpanel.pl line 5224
        cpanel::cpanel::run_standard_mode() called at cpanel.pl line 847
        cpanel::cpanel::script("cpanel::cpanel", "./frontend/paper_lantern/sql/index.html.tt") called at cpanel.pl line 306
[2016-11-14 16:53:00 +0100] warn [cpanel] Cpanel::Wrap::send_cpwrapd_request error: namespace=[Cpanel] module=[cpmysql] function=[DBCACHE]: set error in context mysql: statusmsg=[The adminbin “cpmysql” in the “Cpanel” namespace call to function “DBCACHE” ended prematurely: The subprocess reported error number 255 when it ended.] at /usr/local/cpanel/Cpanel/Wrap.pm line 129, <$socket> line 1.
        Cpanel::Wrap::send_cpwrapd_request("namespace", "Cpanel", "module", "cpmysql", "function", "DBCACHE", "data", "", "action", ...) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 58
        Cpanel::AdminBin::adminrun("cpmysql", "DBCACHE", "") called at cpanel.pl line 2791
        cpanel::cpanel::domysql("initcache", ARRAY(0x5010c20)) called at cpanel.pl line 2095
        eval {...} called at cpanel.pl line 2095
        cpanel::cpanel::_api1("Mysql", "mysql", "initcache()", "initcache", ARRAY(0x5010c20), "safe_html_encode") called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
        eval {...} called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
        Cpanel::Template::Plugin::Api1::_api1_exec(0, "Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 45
        Cpanel::Template::Plugin::Api1::_captured_api1_exec("Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
        eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
        eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 16
        Template::Provider::__ANON__(Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 163
        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 161
        Template::Document::process(Template::Document=HASH(0x50c62d8), Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 351
        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 321
        Template::Context::process(Template::Context=HASH(0x5024278), Template::Document=HASH(0x50c62d8)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 94
        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 91
        Template::Service::process(Template::Service=HASH(0x5023ea0), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template.pm line 66
        Template::process(Template=HASH(0x5023b88), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798), SCALAR(0x28cde60)) called at /usr/local/cpanel/Cpanel/Template.pm line 427
        Cpanel::Template::process_template("cpanel", HASH(0x5023798), HASH(0x5023690)) called at cpanel.pl line 1221
        cpanel::cpanel::cptt_exectag("/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", 1) called at cpanel.pl line 5224
        cpanel::cpanel::run_standard_mode() called at cpanel.pl line 847
        cpanel::cpanel::script("cpanel::cpanel", "./frontend/paper_lantern/sql/index.html.tt") called at cpanel.pl line 306
[2016-11-14 16:53:00 +0100] warn [Mysql::initcache] Encountered error in Mysql::initcache: Mysql::initcache() failed: The adminbin “cpmysql” in the “Cpanel” namespace call to function “DBCACHE” ended prematurely: The subprocess reported error number 255 when it ended.
After I found this I deleted all the cpses_ mysql users.

This got me worried so I checked the mysql.user and found more users with the same host:
Code:
user    host
agrodend_milan  <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
deltahmc_dbdcloy        <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
deltahmc_dbhpbgd        <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
deltahmc_dbnacbg        <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
deltahmc_dbnbgp <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
iso2_temaso     <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
agrodend        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
agrodend_atuser <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_ag2PoYfuqU        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_agq6FUU3r7        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_deA8aBqdou        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_def47MSaQo        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_dekG0TbfQF        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_delditJE1D        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_isTvpyRCbQ        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_isVV5QwNzB        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_isyUUwSzzQ        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
deltahmc        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2_asdf       <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2_hrana      <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2_navy       <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2_platinum   <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2_tepotel    <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
Remote MySQL, SSH and WHM access has been blocked on the network level before the server was even in production. The only way I have been able to recreate this as the user is with the mysql root password. Have any of you had a similar situation? Is there a way to recreate this without mysql root? What should I check for next?
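As an added example (not part of this thread or of cPanel's own code), here is a small Python audit that runs over rows in the shape of `SELECT user, host FROM mysql.user` and flags host values that contain line terminators or HTML markup, which is the condition that tripped cPanel's `LineTerminatorFree` validator in the error log above. The sample rows and the accepted host pattern are constructed assumptions for illustration.

```python
import re

# Constructed sample rows in the shape of `SELECT user, host FROM mysql.user`.
# The bad host strings carry real line terminators, as the thread's entries did
# (the table printout in the post shows them escaped as "\n").
SAMPLE_ROWS = [
    ("root", "localhost"),
    ("agrodend_milan", "<html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen"),
    ("cpses_ag2PoYfuqU", "<html>\r\n<head>\r\n<title>hacked</title>\r\n</head>\r\n<body>\r\n<cen"),
    ("app_ro", "10.0.0.%"),
    ("backup", "backup01.internal.example"),
    ("anyhost", "%"),
]

# Assumed shape of a legitimate MySQL host column: localhost, an IPv4/IPv6
# address or netmask, a hostname, or a LIKE-style pattern using % and _.
HOST_RE = re.compile(r"^(localhost|[A-Za-z0-9.%_:/-]+)$")

def host_problems(host):
    """Return the reasons a mysql.user host value looks tampered with ([] if clean)."""
    problems = []
    if "\n" in host or "\r" in host:
        # Same rule cPanel's Cpanel::Validate::LineTerminatorFree enforces; a host
        # with a line feed is what raised the exception in the cpanel error log.
        problems.append("contains line terminator")
    if not HOST_RE.match(host.replace("\n", "").replace("\r", "")):
        problems.append("not a valid host or host pattern")
    if re.search(r"<\s*/?\s*[a-z]", host, re.IGNORECASE):
        problems.append("looks like HTML markup")
    return problems

def audit(rows):
    """Return {user: [problems]} for every row whose host fails at least one check."""
    findings = {}
    for user, host in rows:
        probs = host_problems(host)
        if probs:
            findings[user] = probs
    return findings

if __name__ == "__main__":
    for user, probs in audit(SAMPLE_ROWS).items():
        print(f"{user}: {', '.join(probs)}")
```

The line-terminator check alone can also be run inside MySQL, for example `SELECT user, host FROM mysql.user WHERE INSTR(host, '\n') > 0;`, which is handy when you cannot export the table.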
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Temporary cpses* MySQL users are created when you access a cPanel account by clicking the cPanel icon next to the account in "WHM >> Account Functions >> List Accounts", or by directly accessing the cPanel account with the account username and root password. Could you verify if that's the behavior you are noticing?

Thank you.
 

cPanelMichael

Hello,

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here and we will update this thread with the outcome.

Thank you.
 

cPanelMichael

I'm happy to see the issue is now resolved. Thank you for updating us with the outcome.