
Possible mysql root password hacked

Discussion in 'Security' started by Vladimir Šebez, Nov 15, 2016.

  1. Vladimir Šebez

    PartnerNOC

    Location:
    Belgrade, Serbia
    cPanel Access Level:
    Root Administrator
    Recently I was looking into an issue where a cPanel user could not access his MySQL Databases page. When checking the cPanel error log I found the following:

    Code:
    Use of uninitialized value in string ne at /usr/local/cpanel/Cpanel/MysqlUtils.pm line 1178, <STDIN> line 1.
    Cpanel::Exception::InvalidCharacters/(XID n2p543) This value may not contain a line feed.
    at /usr/local/cpanel/Cpanel/Exception/CORE.pm line 77, <STDIN> line 1.
            Cpanel::Exception::create("InvalidCharacters", "This value may not contain a line feed.", HASH(0x24f5f28)) called at /usr/local/cpanel/Cpanel/Exception.pm line 30
            Cpanel::Exception::__ANON__(__CPANEL_HIDDEN__, __CPANEL_HIDDEN__, HASH(0x24f5f28)) called at /usr/local/cpanel/Cpanel/Validate/LineTerminatorFree.pm line 50
            Cpanel::Validate::LineTerminatorFree::validate_or_die("'<html>\x{d}\x{a}<head>\x{d}\x{a}<title>hacked</title>\x{d}\x{a}</head>\x{d}\x{a}<body>\x{d}\x{a}<cen'") called at /usr/local/cpanel/Cpanel/MysqlUtils/Grants.pm line 248
            Cpanel::MysqlUtils::Grants::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80
            eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71
            Try::Tiny::try(CODE(0x24f61e0), Try::Tiny::Catch=REF(0x24f67c8)) called at /usr/local/cpanel/Cpanel/MysqlUtils/Grants.pm line 252
            Cpanel::MysqlUtils::Grants::_init(Cpanel::MysqlUtils::Grants=HASH(0x24f6870), "GRANT USAGE ON *.* TO 'cpses_isdmOL3VWx'\@'<html>\x{d}\x{a}<head>\x{d}\x{a}<ti"...) called at /usr/local/cpanel/Cpanel/MysqlUtils/Grants.pm line 176
            Cpanel::MysqlUtils::Grants::new("Cpanel::MysqlUtils::Grants", "GRANT USAGE ON *.* TO 'cpses_isdmOL3VWx'\@'<html>\x{d}\x{a}<head>\x{d}\x{a}<ti"...) called at /usr/local/cpanel/Cpanel/MysqlUtils.pm line 1168
            Cpanel::MysqlUtils::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80
            eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71
            Try::Tiny::try(CODE(0x24edbe0), Try::Tiny::Catch=REF(0x11b6648)) called at /usr/local/cpanel/Cpanel/MysqlUtils.pm line 1180
            Cpanel::MysqlUtils::show_grants_for_user(Cpanel::DBI::Mysql::db=HASH(0x24d70b8), "cpses_isdmOL3VWx") called at /usr/local/cpanel/Cpanel/Mysql.pm line 623
            Cpanel::Mysql::_dbowner_to_all_without_ownership_checks(Cpanel::Mysql=HASH(0x24b7348), "method", "GRANT", "users", HASH(0x11aa660), "database", undef) called at /usr/local/cpanel/Cpanel/Mysql.pm line 592
            Cpanel::Mysql::_dbowner_to_all_with_ownership_checks(Cpanel::Mysql=HASH(0x24b7348), "method", "GRANT", "users", HASH(0x11aa660)) called at /usr/local/cpanel/Cpanel/Mysql.pm line 791
            Cpanel::Mysql::updateprivs(Cpanel::Mysql=HASH(0x24b7348)) called at /usr/local/cpanel/Cpanel/Mysql.pm line 1644
            Cpanel::Mysql::dbcache(Cpanel::Mysql=HASH(0x24b7348), "") called at bin/admin/Cpanel/cpmysql.pl line 458
    : GRANT USAGE ON *.* TO 'cpses_isdmOL3VWx'@'<html>
    <head>
    <title>hacked</title>
    </head>
    <body>
    <cen' IDENTIFIED BY PASSWORD '*3A856FF10ECC09A96418B8815E2996DF705D1D0D'
    [2016-11-14 16:53:00 +0100] warn [cpanel] Cpanel::Wrap::send_cpwrapd_request The adminbin “cpmysql” in the “Cpanel” namespace call to function “DBCACHE” ended prematurely: The subprocess reported error number 255 when it ended.: namespace=[Cpanel] module=[cpmysql] function=[DBCACHE]: set error in context mysql: raw_response=[{"exit_code":65280,"timeout":0,"action":"run","mode":"simple","data":"","version":"2.4","status":1,"statusmsg":"The adminbin “cpmysql” in the “Cpanel” namespace call to function “DBCACHE” ended prematurely: The subprocess reported error number 255 when it ended.","error":1}] at /usr/local/cpanel/Cpanel/Wrap.pm line 120, <$socket> line 1.
            Cpanel::Wrap::send_cpwrapd_request("namespace", "Cpanel", "module", "cpmysql", "function", "DBCACHE", "data", "", "action", ...) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 58
            Cpanel::AdminBin::adminrun("cpmysql", "DBCACHE", "") called at cpanel.pl line 2791
            cpanel::cpanel::domysql("initcache", ARRAY(0x5010c20)) called at cpanel.pl line 2095
            eval {...} called at cpanel.pl line 2095
            cpanel::cpanel::_api1("Mysql", "mysql", "initcache()", "initcache", ARRAY(0x5010c20), "safe_html_encode") called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
            eval {...} called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
            Cpanel::Template::Plugin::Api1::_api1_exec(0, "Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 45
            Cpanel::Template::Plugin::Api1::_captured_api1_exec("Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
            eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
            eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 16
            Template::Provider::__ANON__(Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 163
            eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 161
            Template::Document::process(Template::Document=HASH(0x50c62d8), Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 351
            eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 321
            Template::Context::process(Template::Context=HASH(0x5024278), Template::Document=HASH(0x50c62d8)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 94
            eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 91
            Template::Service::process(Template::Service=HASH(0x5023ea0), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template.pm line 66
            Template::process(Template=HASH(0x5023b88), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798), SCALAR(0x28cde60)) called at /usr/local/cpanel/Cpanel/Template.pm line 427
            Cpanel::Template::process_template("cpanel", HASH(0x5023798), HASH(0x5023690)) called at cpanel.pl line 1221
            cpanel::cpanel::cptt_exectag("/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", 1) called at cpanel.pl line 5224
            cpanel::cpanel::run_standard_mode() called at cpanel.pl line 847
            cpanel::cpanel::script("cpanel::cpanel", "./frontend/paper_lantern/sql/index.html.tt") called at cpanel.pl line 306
    [2016-11-14 16:53:00 +0100] warn [cpanel] Cpanel::Wrap::send_cpwrapd_request error: namespace=[Cpanel] module=[cpmysql] function=[DBCACHE]: set error in context mysql: statusmsg=[The adminbin “cpmysql” in the “Cpanel” namespace call to function “DBCACHE” ended prematurely: The subprocess reported error number 255 when it ended.] at /usr/local/cpanel/Cpanel/Wrap.pm line 129, <$socket> line 1.
            Cpanel::Wrap::send_cpwrapd_request("namespace", "Cpanel", "module", "cpmysql", "function", "DBCACHE", "data", "", "action", ...) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 58
            Cpanel::AdminBin::adminrun("cpmysql", "DBCACHE", "") called at cpanel.pl line 2791
            cpanel::cpanel::domysql("initcache", ARRAY(0x5010c20)) called at cpanel.pl line 2095
            eval {...} called at cpanel.pl line 2095
            cpanel::cpanel::_api1("Mysql", "mysql", "initcache()", "initcache", ARRAY(0x5010c20), "safe_html_encode") called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
            eval {...} called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
            Cpanel::Template::Plugin::Api1::_api1_exec(0, "Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 45
            Cpanel::Template::Plugin::Api1::_captured_api1_exec("Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
            eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
            eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 16
            Template::Provider::__ANON__(Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 163
            eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 161
            Template::Document::process(Template::Document=HASH(0x50c62d8), Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 351
            eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 321
            Template::Context::process(Template::Context=HASH(0x5024278), Template::Document=HASH(0x50c62d8)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 94
            eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 91
            Template::Service::process(Template::Service=HASH(0x5023ea0), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template.pm line 66
            Template::process(Template=HASH(0x5023b88), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798), SCALAR(0x28cde60)) called at /usr/local/cpanel/Cpanel/Template.pm line 427
            Cpanel::Template::process_template("cpanel", HASH(0x5023798), HASH(0x5023690)) called at cpanel.pl line 1221
            cpanel::cpanel::cptt_exectag("/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", 1) called at cpanel.pl line 5224
            cpanel::cpanel::run_standard_mode() called at cpanel.pl line 847
            cpanel::cpanel::script("cpanel::cpanel", "./frontend/paper_lantern/sql/index.html.tt") called at cpanel.pl line 306
    [2016-11-14 16:53:00 +0100] warn [Mysql::initcache] Encountered error in Mysql::initcache: Mysql::initcache() failed: The adminbin “cpmysql” in the “Cpanel” namespace call to function “DBCACHE” ended prematurely: The subprocess reported error number 255 when it ended.
    After I found this, I deleted all the cpses_ MySQL users.

    This got me worried, so I checked mysql.user and found more users with the same host:
    Code:
    user    host
    agrodend_milan  <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
    deltahmc_dbdcloy        <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
    deltahmc_dbhpbgd        <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
    deltahmc_dbnacbg        <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
    deltahmc_dbnbgp <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
    iso2_temaso     <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
    agrodend        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    agrodend_atuser <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    cpses_ag2PoYfuqU        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    cpses_agq6FUU3r7        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    cpses_deA8aBqdou        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    cpses_def47MSaQo        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    cpses_dekG0TbfQF        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    cpses_delditJE1D        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    cpses_isTvpyRCbQ        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    cpses_isVV5QwNzB        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    cpses_isyUUwSzzQ        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    deltahmc        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    iso2        <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    iso2_asdf       <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    iso2_hrana      <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    iso2_navy       <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    iso2_platinum   <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    iso2_tepotel    <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
    Remote MySQL, SSH and WHM access was blocked at the network level before the server was even in production. The only way I have been able to recreate this as the user is with the MySQL root password. Have any of you had a similar situation? Is there a way to recreate this without MySQL root? What should I check for next?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello,

    Temporary cpses* MySQL users are created when you access a cPanel account by clicking the cPanel icon next to the account in "WHM >> Account Functions >> List Accounts", or by directly accessing the cPanel account with the account username and root password. Could you verify if that's the behavior you are noticing?

    Thank you.
     
  3. Vladimir Šebez

    PartnerNOC

    Location:
    Belgrade, Serbia
    cPanel Access Level:
    Root Administrator
    I understand the generation of temporary cpses* users. What I want to know is how were they generated with the following hostname "<html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen" ?
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello,

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here and we will update this thread with the outcome.

    Thank you.
     
  5. Vladimir Šebez

    PartnerNOC

    Location:
    Belgrade, Serbia
    cPanel Access Level:
    Root Administrator
    The ticket ID is 7992711.
     
  6. Vladimir Šebez

    PartnerNOC

    Location:
    Belgrade, Serbia
    cPanel Access Level:
    Root Administrator
    The issue is resolved. It appears the suspicious hostname was added by the user during the restoration of the MySQL database.
     
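Added example, not part of the thread and not cPanel's own code: the check a root administrator would want for the situation in the first post (find every mysql.user row whose host is not a plausible hostname, IP or wildcard) and for the resolution in the last post (scan a dump for GRANT / CREATE USER targets with such a host before restoring it). The line-terminator rule mirrors what the trace shows cPanel applying in Cpanel::Validate::LineTerminatorFree, which is why the MySQL Databases page failed; the character whitelist is an additional, stricter assumption of mine. The sample rows, the dump fragment, the password hashes and the hostname db-client.example.net are constructed; the multi-line host string is the one from the thread.

```python
import re

# The host value the thread shows in mysql.user and in the GRANT statement.
BAD_HOST = "<html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen"

# Constructed rows, shaped like `SELECT user, host FROM mysql.user` output.
SAMPLE_ROWS = [
    ("root", "localhost"),
    ("agrodend_milan", "localhost"),
    ("agrodend_milan", BAD_HOST),
    ("cpses_ag2PoYfuqU", BAD_HOST),
    ("iso2_navy", "192.168.%"),
    ("deltahmc", "db-client.example.net"),  # assumed hostname, not from the thread
]

# Constructed grants dump, shaped like the GRANT line in the thread's log:
# a raw host string with embedded newlines survives inside the quotes.
SAMPLE_DUMP = (
    "GRANT USAGE ON *.* TO 'iso2_navy'@'192.168.%' IDENTIFIED BY PASSWORD '*AAAA';\n"
    "GRANT USAGE ON *.* TO 'cpses_ag2PoYfuqU'@'" + BAD_HOST
    + "' IDENTIFIED BY PASSWORD '*BBBB';\n"
)

# Characters a legitimate MySQL account host can contain: IPv4/IPv6, CIDR or
# netmask notation, hostnames, and the % and _ wildcards (assumed whitelist).
HOST_CHARS = re.compile(r"^[A-Za-z0-9.\-_%:/]+$")


def host_problems(host):
    """Return the reasons a mysql.user host value is suspect; [] if it looks sane."""
    problems = []
    if "\n" in host or "\r" in host:
        # The condition Cpanel::Validate::LineTerminatorFree rejects in the trace.
        problems.append("line terminator")
    if any((ord(c) < 0x20 or ord(c) == 0x7F) and c not in "\r\n" for c in host):
        problems.append("control character")
    if not HOST_CHARS.match(host):
        problems.append("non-hostname characters")
    return problems


def audit_rows(rows):
    """Return (user, host, problems) for every (user, host) row that fails the checks."""
    findings = []
    for user, host in rows:
        probs = host_problems(host)
        if probs:
            findings.append((user, host, probs))
    return findings


# 'user'@'host' after TO in GRANT / CREATE USER text; [^'\\] also matches newlines.
GRANT_TARGET = re.compile(r"\bTO\s+'((?:[^'\\]|\\.)*)'@'((?:[^'\\]|\\.)*)'", re.S)


def audit_dump(sql_text):
    """Flag user@host targets with a suspect host in dump text before importing it."""
    hits = []
    for m in GRANT_TARGET.finditer(sql_text):
        user, host = m.group(1), m.group(2)
        probs = host_problems(host)
        if probs:
            hits.append((user, host, probs))
    return hits


def mysql_quote(value):
    """Quote a value as a MySQL single-quoted literal using backslash escapes
    (assumes the NO_BACKSLASH_ESCAPES sql_mode is not set)."""
    escaped = (value.replace("\\", "\\\\").replace("'", "\\'")
               .replace("\n", "\\n").replace("\r", "\\r").replace("\0", "\\0"))
    return "'" + escaped + "'"


def drop_statements(findings):
    """DROP USER statements for flagged accounts; the host must be quoted so the
    statement names exactly the stored row, newlines included."""
    return ["DROP USER %s@%s;" % (mysql_quote(u), mysql_quote(h)) for u, h, _ in findings]


if __name__ == "__main__":
    found = audit_rows(SAMPLE_ROWS)
    for user, host, probs in found:
        print("%s@%r: %s" % (user, host, ", ".join(probs)))
    for stmt in drop_statements(found):
        print(stmt)
    for user, host, probs in audit_dump(SAMPLE_DUMP):
        print("dump: %s@%r: %s" % (user, host, ", ".join(probs)))
```

On a live server, feed audit_rows the result of `SELECT user, host FROM mysql.user` and audit_dump the text of any .sql file a customer hands you before importing it with root privileges. Dropping the accounts is what the original poster did; review who owns each flagged account first, since a legitimate database user may have picked up the bad host alongside a good one.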
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    I'm happy to see the issue is now resolved. Thank you for updating us with the outcome.
     