Recently I was looking into an issue where a cpanel user could not access his MySQL Databases page. When checking the cpanel error logs I found the following:
After I found this I deleted all the cpses_ mysql users.
This got me worried so I checked the mysql.user and found more users with the same host:
Remote mysql and ssh and whm access has been blocked on the network level before the server was even in production. The only way I have been able to recreate this as the user is with the mysql root password. Have any of you had a similar situation? Is there a way to recreate this whithout mysql root? What should I check for next?
Code:
Use of uninitialized value in string ne at /usr/local/cpanel/Cpanel/MysqlUtils.pm line 1178, <STDIN> line 1.
Cpanel::Exception::InvalidCharacters/(XID n2p543) This value may not contain a line feed.
at /usr/local/cpanel/Cpanel/Exception/CORE.pm line 77, <STDIN> line 1.
Cpanel::Exception::create("InvalidCharacters", "This value may not contain a line feed.", HASH(0x24f5f28)) called at /usr/local/cpanel/Cpanel/Exception.pm line 30
Cpanel::Exception::__ANON__(__CPANEL_HIDDEN__, __CPANEL_HIDDEN__, HASH(0x24f5f28)) called at /usr/local/cpanel/Cpanel/Validate/LineTerminatorFree.pm line 50
Cpanel::Validate::LineTerminatorFree::validate_or_die("'<html>\x{d}\x{a}<head>\x{d}\x{a}<title>hacked</title>\x{d}\x{a}</head>\x{d}\x{a}<body>\x{d}\x{a}<cen'") called at /usr/local/cpanel/Cpanel/MysqlUtils/Grants.pm line 248
Cpanel::MysqlUtils::Grants::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80
eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71
Try::Tiny::try(CODE(0x24f61e0), Try::Tiny::Catch=REF(0x24f67c8)) called at /usr/local/cpanel/Cpanel/MysqlUtils/Grants.pm line 252
Cpanel::MysqlUtils::Grants::_init(Cpanel::MysqlUtils::Grants=HASH(0x24f6870), "GRANT USAGE ON *.* TO 'cpses_isdmOL3VWx'\@'<html>\x{d}\x{a}<head>\x{d}\x{a}<ti"...) called at /usr/local/cpanel/Cpanel/MysqlUtils/Grants.pm line 176
Cpanel::MysqlUtils::Grants::new("Cpanel::MysqlUtils::Grants", "GRANT USAGE ON *.* TO 'cpses_isdmOL3VWx'\@'<html>\x{d}\x{a}<head>\x{d}\x{a}<ti"...) called at /usr/local/cpanel/Cpanel/MysqlUtils.pm line 1168
Cpanel::MysqlUtils::__ANON__() called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 80
eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/Try/Tiny.pm line 71
Try::Tiny::try(CODE(0x24edbe0), Try::Tiny::Catch=REF(0x11b6648)) called at /usr/local/cpanel/Cpanel/MysqlUtils.pm line 1180
Cpanel::MysqlUtils::show_grants_for_user(Cpanel::DBI::Mysql::db=HASH(0x24d70b8), "cpses_isdmOL3VWx") called at /usr/local/cpanel/Cpanel/Mysql.pm line 623
Cpanel::Mysql::_dbowner_to_all_without_ownership_checks(Cpanel::Mysql=HASH(0x24b7348), "method", "GRANT", "users", HASH(0x11aa660), "database", undef) called at /usr/local/cpanel/Cpanel/Mysql.pm line 592
Cpanel::Mysql::_dbowner_to_all_with_ownership_checks(Cpanel::Mysql=HASH(0x24b7348), "method", "GRANT", "users", HASH(0x11aa660)) called at /usr/local/cpanel/Cpanel/Mysql.pm line 791
Cpanel::Mysql::updateprivs(Cpanel::Mysql=HASH(0x24b7348)) called at /usr/local/cpanel/Cpanel/Mysql.pm line 1644
Cpanel::Mysql::dbcache(Cpanel::Mysql=HASH(0x24b7348), "") called at bin/admin/Cpanel/cpmysql.pl line 458
: GRANT USAGE ON *.* TO 'cpses_isdmOL3VWx'@'<html>
<head>
<title>hacked</title>
</head>
<body>
<cen' IDENTIFIED BY PASSWORD '*3A856FF10ECC09A96418B8815E2996DF705D1D0D'
[2016-11-14 16:53:00 +0100] warn [cpanel] Cpanel::Wrap::send_cpwrapd_request The adminbin “cpmysql” in the “Cpanel” namespace call to function “DBCACHE” ended prematurely: The subprocess reported error number 255 when it ended.: namespace=[Cpanel] module=[cpmysql] function=[DBCACHE]: set error in context mysql: raw_response=[{"exit_code":65280,"timeout":0,"action":"run","mode":"simple","data":"","version":"2.4","status":1,"statusmsg":"The adminbin “cpmysql” in the “Cpanel” namespace call to function “DBCACHE” ended prematurely: The subprocess reported error number 255 when it ended.","error":1}] at /usr/local/cpanel/Cpanel/Wrap.pm line 120, <$socket> line 1.
Cpanel::Wrap::send_cpwrapd_request("namespace", "Cpanel", "module", "cpmysql", "function", "DBCACHE", "data", "", "action", ...) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 58
Cpanel::AdminBin::adminrun("cpmysql", "DBCACHE", "") called at cpanel.pl line 2791
cpanel::cpanel::domysql("initcache", ARRAY(0x5010c20)) called at cpanel.pl line 2095
eval {...} called at cpanel.pl line 2095
cpanel::cpanel::_api1("Mysql", "mysql", "initcache()", "initcache", ARRAY(0x5010c20), "safe_html_encode") called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
eval {...} called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
Cpanel::Template::Plugin::Api1::_api1_exec(0, "Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 45
Cpanel::Template::Plugin::Api1::_captured_api1_exec("Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 16
Template::Provider::__ANON__(Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 163
eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 161
Template::Document::process(Template::Document=HASH(0x50c62d8), Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 351
eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 321
Template::Context::process(Template::Context=HASH(0x5024278), Template::Document=HASH(0x50c62d8)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 94
eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 91
Template::Service::process(Template::Service=HASH(0x5023ea0), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template.pm line 66
Template::process(Template=HASH(0x5023b88), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798), SCALAR(0x28cde60)) called at /usr/local/cpanel/Cpanel/Template.pm line 427
Cpanel::Template::process_template("cpanel", HASH(0x5023798), HASH(0x5023690)) called at cpanel.pl line 1221
cpanel::cpanel::cptt_exectag("/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", 1) called at cpanel.pl line 5224
cpanel::cpanel::run_standard_mode() called at cpanel.pl line 847
cpanel::cpanel::script("cpanel::cpanel", "./frontend/paper_lantern/sql/index.html.tt") called at cpanel.pl line 306
[2016-11-14 16:53:00 +0100] warn [cpanel] Cpanel::Wrap::send_cpwrapd_request error: namespace=[Cpanel] module=[cpmysql] function=[DBCACHE]: set error in context mysql: statusmsg=[The adminbin “cpmysql” in the “Cpanel” namespace call to function “DBCACHE” ended prematurely: The subprocess reported error number 255 when it ended.] at /usr/local/cpanel/Cpanel/Wrap.pm line 129, <$socket> line 1.
Cpanel::Wrap::send_cpwrapd_request("namespace", "Cpanel", "module", "cpmysql", "function", "DBCACHE", "data", "", "action", ...) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 58
Cpanel::AdminBin::adminrun("cpmysql", "DBCACHE", "") called at cpanel.pl line 2791
cpanel::cpanel::domysql("initcache", ARRAY(0x5010c20)) called at cpanel.pl line 2095
eval {...} called at cpanel.pl line 2095
cpanel::cpanel::_api1("Mysql", "mysql", "initcache()", "initcache", ARRAY(0x5010c20), "safe_html_encode") called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
eval {...} called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
Cpanel::Template::Plugin::Api1::_api1_exec(0, "Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 45
Cpanel::Template::Plugin::Api1::_captured_api1_exec("Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 16
Template::Provider::__ANON__(Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 163
eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 161
Template::Document::process(Template::Document=HASH(0x50c62d8), Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 351
eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 321
Template::Context::process(Template::Context=HASH(0x5024278), Template::Document=HASH(0x50c62d8)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 94
eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 91
Template::Service::process(Template::Service=HASH(0x5023ea0), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template.pm line 66
Template::process(Template=HASH(0x5023b88), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798), SCALAR(0x28cde60)) called at /usr/local/cpanel/Cpanel/Template.pm line 427
Cpanel::Template::process_template("cpanel", HASH(0x5023798), HASH(0x5023690)) called at cpanel.pl line 1221
cpanel::cpanel::cptt_exectag("/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", 1) called at cpanel.pl line 5224
cpanel::cpanel::run_standard_mode() called at cpanel.pl line 847
cpanel::cpanel::script("cpanel::cpanel", "./frontend/paper_lantern/sql/index.html.tt") called at cpanel.pl line 306
[2016-11-14 16:53:00 +0100] warn [Mysql::initcache] Encountered error in Mysql::initcache: Mysql::initcache() failed: The adminbin “cpmysql” in the “Cpanel” namespace call to function “DBCACHE” ended prematurely: The subprocess reported error number 255 when it ended.
This got me worried so I checked the mysql.user and found more users with the same host:
Code:
user host
agrodend_milan <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
deltahmc_dbdcloy <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
deltahmc_dbhpbgd <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
deltahmc_dbnacbg <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
deltahmc_dbnbgp <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
iso2_temaso <html>\n<head>\n<title>Hacked</title>\n</head>\n<body>\n<cen
agrodend <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
agrodend_atuser <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_ag2PoYfuqU <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_agq6FUU3r7 <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_deA8aBqdou <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_def47MSaQo <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_dekG0TbfQF <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_delditJE1D <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_isTvpyRCbQ <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_isVV5QwNzB <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
cpses_isyUUwSzzQ <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
deltahmc <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2 <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2_asdf <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2_hrana <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2_navy <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2_platinum <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen
iso2_tepotel <html>\n<head>\n<title>hacked</title>\n</head>\n<body>\n<cen