Possible mysql root password hacked

Recently I was looking into an issue where a cpanel user could not access his MySQL Databases page. When checking the cpanel error logs I found the following:

Code:

Use of uninitialized value in string ne at /usr/local/cpanel/Cpanel/MysqlUtils.pm line 1178, <STDIN> line 1.
Cpanel::Exception::InvalidCharacters/(XID n2p543) This value may not contain a line feed.
at /usr/local/cpanel/Cpanel/Exception/CORE.pm line 77, <STDIN> line 1.
        Cpanel::Exception::create("InvalidCharacters", "This value may not contain a line feed.", HASH(0x24f5f28)) called at /usr/local/cpanel/Cpanel/Exception.pm line 30
        Cpanel::Exception::__ANON__(__CPANEL_HIDDEN__, __CPANEL_HIDDEN__, HASH(0x24f5f28)) called at /usr/local/cpanel/Cpanel/Validate/LineTerminatorFree.pm line 50
        Cpanel::Validate::LineTerminatorFree::validate_or_die("'<html>\x{d}\x{a}<head>\x{d}\x{a}<title>hacked</title>\x{d}\x{a}</head>\x{d}\x{a}<body>\x{d}\x{a}<cen'") called at /usr/local/cpanel/Cpanel/MysqlUtils/Grants.pm line 248
        Cpanel::MysqlUtils::Grants::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80
        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71
        Try::Tiny::try(CODE(0x24f61e0), Try::Tiny::Catch=REF(0x24f67c8)) called at /usr/local/cpanel/Cpanel/MysqlUtils/Grants.pm line 252
        Cpanel::MysqlUtils::Grants::_init(Cpanel::MysqlUtils::Grants=HASH(0x24f6870), "GRANT USAGE ON *.* TO 'cpses_isdmOL3VWx'\@'<html>\x{d}\x{a}<head>\x{d}\x{a}<ti"...) called at /usr/local/cpanel/Cpanel/MysqlUtils/Grants.pm line 176
        Cpanel::MysqlUtils::Grants::new("Cpanel::MysqlUtils::Grants", "GRANT USAGE ON *.* TO 'cpses_isdmOL3VWx'\@'<html>\x{d}\x{a}<head>\x{d}\x{a}<ti"...) called at /usr/local/cpanel/Cpanel/MysqlUtils.pm line 1168
        Cpanel::MysqlUtils::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80
        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71
        Try::Tiny::try(CODE(0x24edbe0), Try::Tiny::Catch=REF(0x11b6648)) called at /usr/local/cpanel/Cpanel/MysqlUtils.pm line 1180
        Cpanel::MysqlUtils::show_grants_for_user(Cpanel::DBI::Mysql::db=HASH(0x24d70b8), "cpses_isdmOL3VWx") called at /usr/local/cpanel/Cpanel/Mysql.pm line 623
        Cpanel::Mysql::_dbowner_to_all_without_ownership_checks(Cpanel::Mysql=HASH(0x24b7348), "method", "GRANT", "users", HASH(0x11aa660), "database", undef) called at /usr/local/cpanel/Cpanel/Mysql.pm line 592
        Cpanel::Mysql::_dbowner_to_all_with_ownership_checks(Cpanel::Mysql=HASH(0x24b7348), "method", "GRANT", "users", HASH(0x11aa660)) called at /usr/local/cpanel/Cpanel/Mysql.pm line 791
        Cpanel::Mysql::updateprivs(Cpanel::Mysql=HASH(0x24b7348)) called at /usr/local/cpanel/Cpanel/Mysql.pm line 1644
        Cpanel::Mysql::dbcache(Cpanel::Mysql=HASH(0x24b7348), "") called at bin/admin/Cpanel/cpmysql.pl line 458
: GRANT USAGE ON *.* TO 'cpses_isdmOL3VWx'@'<html>
<head>
<title>hacked</title>
</head>
<body>
<cen' IDENTIFIED BY PASSWORD '*3A856FF10ECC09A96418B8815E2996DF705D1D0D'
[2016-11-14 16:53:00 +0100] warn [cpanel] Cpanel::Wrap::send_cpwrapd_request The adminbin “cpmysql” in the “Cpanel” namespace call to function “DBCACHE” ended prematurely: The subprocess reported error number 255 when it ended.: namespace=[Cpanel] module=[cpmysql] function=[DBCACHE]: set error in context mysql: raw_response=[{"exit_code":65280,"timeout":0,"action":"run","mode":"simple","data":"","version":"2.4","status":1,"statusmsg":"The adminbin “cpmysql” in the “Cpanel” namespace call to function “DBCACHE” ended prematurely: The subprocess reported error number 255 when it ended.","error":1}] at /usr/local/cpanel/Cpanel/Wrap.pm line 120, <$socket> line 1.
        Cpanel::Wrap::send_cpwrapd_request("namespace", "Cpanel", "module", "cpmysql", "function", "DBCACHE", "data", "", "action", ...) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 58
        Cpanel::AdminBin::adminrun("cpmysql", "DBCACHE", "") called at cpanel.pl line 2791
        cpanel::cpanel::domysql("initcache", ARRAY(0x5010c20)) called at cpanel.pl line 2095
        eval {...} called at cpanel.pl line 2095
        cpanel::cpanel::_api1("Mysql", "mysql", "initcache()", "initcache", ARRAY(0x5010c20), "safe_html_encode") called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
        eval {...} called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
        Cpanel::Template::Plugin::Api1::_api1_exec(0, "Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 45
        Cpanel::Template::Plugin::Api1::_captured_api1_exec("Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
        eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
        eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 16
        Template::Provider::__ANON__(Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 163
        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 161
        Template::Document::process(Template::Document=HASH(0x50c62d8), Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 351
        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 321
        Template::Context::process(Template::Context=HASH(0x5024278), Template::Document=HASH(0x50c62d8)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 94
        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 91
        Template::Service::process(Template::Service=HASH(0x5023ea0), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template.pm line 66
        Template::process(Template=HASH(0x5023b88), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798), SCALAR(0x28cde60)) called at /usr/local/cpanel/Cpanel/Template.pm line 427
        Cpanel::Template::process_template("cpanel", HASH(0x5023798), HASH(0x5023690)) called at cpanel.pl line 1221
        cpanel::cpanel::cptt_exectag("/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", 1) called at cpanel.pl line 5224
        cpanel::cpanel::run_standard_mode() called at cpanel.pl line 847
        cpanel::cpanel::script("cpanel::cpanel", "./frontend/paper_lantern/sql/index.html.tt") called at cpanel.pl line 306
[2016-11-14 16:53:00 +0100] warn [cpanel] Cpanel::Wrap::send_cpwrapd_request error: namespace=[Cpanel] module=[cpmysql] function=[DBCACHE]: set error in context mysql: statusmsg=[The adminbin “cpmysql” in the “Cpanel” namespace call to function “DBCACHE” ended prematurely: The subprocess reported error number 255 when it ended.] at /usr/local/cpanel/Cpanel/Wrap.pm line 129, <$socket> line 1.
        Cpanel::Wrap::send_cpwrapd_request("namespace", "Cpanel", "module", "cpmysql", "function", "DBCACHE", "data", "", "action", ...) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 58
        Cpanel::AdminBin::adminrun("cpmysql", "DBCACHE", "") called at cpanel.pl line 2791
        cpanel::cpanel::domysql("initcache", ARRAY(0x5010c20)) called at cpanel.pl line 2095
        eval {...} called at cpanel.pl line 2095
        cpanel::cpanel::_api1("Mysql", "mysql", "initcache()", "initcache", ARRAY(0x5010c20), "safe_html_encode") called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
        eval {...} called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
        Cpanel::Template::Plugin::Api1::_api1_exec(0, "Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 45
        Cpanel::Template::Plugin::Api1::_captured_api1_exec("Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
        eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
        eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 16
        Template::Provider::__ANON__(Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 163
        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 161
        Template::Document::process(Template::Document=HASH(0x50c62d8), Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 351
        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 321
        Template::Context::process(Template::Context=HASH(0x5024278), Template::Document=HASH(0x50c62d8)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 94
        eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 91
        Template::Service::process(Template::Service=HASH(0x5023ea0), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template.pm line 66
        Template::process(Template=HASH(0x5023b88), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798), SCALAR(0x28cde60)) called at /usr/local/cpanel/Cpanel/Template.pm line 427
        Cpanel::Template::process_template("cpanel", HASH(0x5023798), HASH(0x5023690)) called at cpanel.pl line 1221
        cpanel::cpanel::cptt_exectag("/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", 1) called at cpanel.pl line 5224
        cpanel::cpanel::run_standard_mode() called at cpanel.pl line 847
        cpanel::cpanel::script("cpanel::cpanel", "./frontend/paper_lantern/sql/index.html.tt") called at cpanel.pl line 306
[2016-11-14 16:53:00 +0100] warn [Mysql::initcache] Encountered error in Mysql::initcache: Mysql::initcache() failed: The adminbin “cpmysql” in the “Cpanel” namespace call to function “DBCACHE” ended prematurely: The subprocess reported error number 255 when it ended.

After I found this I deleted all the cpses_ mysql users.

This got me worried so I checked the mysql.user and found more users with the same host:

Code:

user    host
agrodend_milan  <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
deltahmc_dbdcloy        <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
deltahmc_dbhpbgd        <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
deltahmc_dbnacbg        <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
deltahmc_dbnbgp <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
iso2_temaso     <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
agrodend        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
agrodend_atuser <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_ag2PoYfuqU        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_agq6FUU3r7        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_deA8aBqdou        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_def47MSaQo        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_dekG0TbfQF        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_delditJE1D        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_isTvpyRCbQ        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_isVV5QwNzB        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_isyUUwSzzQ        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
deltahmc        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2_asdf       <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2_hrana      <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2_navy       <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2_platinum   <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2_tepotel    <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen

Remote mysql and ssh and whm access has been blocked on the network level before the server was even in production. The only way I have been able to recreate this as the user is with the mysql root password. Have any of you had a similar situation? Is there a way to recreate this whithout mysql root? What should I check for next?

 

I understand the generation of temporary cpses* users. What I want to know is how were they generated with the following hostname "<html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen" ?

 

The ticket id is 7992711 .

 

The issue is resolved. It appears the suspicious hostname was added by the user during the restoration of the mysql database.