Potential Cpanel security risk?

Discussion in 'Security' started by Frankc, Apr 2, 2007.

  1. Frankc

    Frankc Well-Known Member

    Joined:
    Jun 18, 2005
    Messages:
    98
    Likes Received:
    0
    Trophy Points:
    16
    Does anyone know whether the following might be a security risk?

    After a hacker somehow changed the index.php, index.htm and index.html pages of several users, even completely inactive users with just a single default page, I sniffed and sniffed and at last got a very suspicious file named .wysiwygPro_edit_index_htm.php

    This file has some coded data as well as references to the following files.

    /usr/local/cpanel/base/frontend/x/files/savehtmlfile.html
    (actually http://domain.com:2082/frontend/x/files/savehtmlfile.html)

    /usr/local/cpanel/base/3rdparty/WysiwygPro/editor_files/config.php

    /usr/local/cpanel/base/3rdparty/WysiwygPro/editor_files/editor_class.php

    If interested, I can send the file to be checked for potential security risks.
     
    #1 Frankc, Apr 2, 2007
    Last edited: Apr 2, 2007
  2. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    WysiwygPro (a script that allows online editing) has been known to be exploitable in the past; however, I think the exploit was closed/fixed/removed in cPanel.

    What version of WHM/cPanel are you running?
     
  3. Frankc

    Frankc Well-Known Member

    Joined:
    Jun 18, 2005
    Messages:
    98
    Likes Received:
    0
    Trophy Points:
    16
    WHM 10.8.0 cPanel 10.9.0-C8800

    It is the current tree.

    Please also see my post at bottom of

    http://forums.cpanel.net/showthread.php?t=62821

    By the way, I installed the ConfigServer security tools as well as rkhunter and chkrootkit, without any security warning.

    I am busy closing security as tight as possible until I find what happened, but some files were again changed on the 30th. Not as many as last time, but still... (On the one server without many accounts I changed ALL the passwords to 10-digit passwords with 98-bit quality.)
     
    #3 Frankc, Apr 2, 2007
    Last edited: Apr 2, 2007
  4. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    I have been having the same problem so you are not the only one.

    I am at C8800 and someone still thinks it's funny to put viruses and spamvertisements... and there are NO ROOT KITS or anything suspicious... only the ability to FTP into or enter those directories at will...

    It's as if the master password list for cPanel and pure-ftpd is compromised (i.e. there is some "master" password cPanel left in that the hacker uses to enter any username at will...)
     
  5. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sachse, TX
    You may also want to check /var/log/xferlog to see if the file was modified by FTP instead.
     
  6. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    I have the same suspicion as you guys and just disabled it now, as I'm sick of cleaning up those stupid iframes :rolleyes:

    chmod 000 /usr/local/cpanel/base/3rdparty/WysiwygPro/

    Hopefully this will prevent this annoyance.

    BTW: interestingly enough, there is always a .smilies/ directory in those accounts.
     
    #6 gorilla, Apr 11, 2007
    Last edited: Apr 11, 2007
  7. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    Hate to bring up such an old thread but we just discovered this same kind of hack on one of our accounts. The attack appears to have been done in November of 2009, same issues, weird wysiwygpro .php files, weird .smilies folders, etc.

    Does anyone know why this is happening, especially now, two years after something like this was reported? I cannot tell if the exploit is still there.

    Does anyone else know anything about this?
     
  8. Infopro

    cPanel Sr. Product Evangelist (Staff Member)

    Are you sure the user didn't just stop an upload in progress, or the page (File Manager) timed out and the upload failed? Something like that might result in weird files, I would think. You'd have to look closer to see if you can piece together what the files are/were.
     
  9. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    Looks like all ".htm" files in the public_html directory had a one-line script call inserted at the bottom, right before the closing "body" tag. But if I look at the wysiwyg php files, they are date/time stamped the same as the exploited web pages. Looking in the php files I see the code there too, as if it was part of the edit. Just wondering if the editor is the culprit or there was some other way they got in. Checked all the other accounts on the server and they are clean.
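The three indicators the thread converges on (a script or iframe line placed just before the closing body tag, stray .wysiwygPro_edit_*.php files and .smilies/ directories in public_html, and the xferlog check suggested in post #5) can be triaged together. The script below is an added example written for this thread, not code from any poster or from cPanel; the docroot and xferlog paths are arguments, the xferlog field layout is the standard wu-ftpd/pure-ftpd one, and the fixture it builds is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Triage for the symptoms the posters describe:
# a script/iframe line inserted right before </body> in .htm/.html pages, leftover
# .wysiwygPro_edit_*.php files and .smilies/ directories under public_html, and
# /var/log/xferlog entries showing the same page was uploaded over FTP.
# Docroot and xferlog paths are arguments; the fixture below is constructed test data.

# List .htm/.html files where a <script> or <iframe> tag shares a line with </body>
# (the same-line insertion described in post #9; split-line injections need a wider check).
find_injected_pages() {
    find "$1" -type f \( -name '*.htm' -o -name '*.html' \) 2>/dev/null |
    while IFS= read -r f; do
        if grep -qiE '<(script|iframe)[^>]*>.*</body>' "$f"; then printf '%s\n' "$f"; fi
    done
}

# List stray editor temp files and hidden .smilies directories the posters noticed.
find_editor_artifacts() {
    find "$1" \( -type f -name '.wysiwygPro_edit_*.php' \) -o \
              \( -type d -name '.smilies' \) 2>/dev/null
}

# Print xferlog records of FTP uploads (direction flag 'i', field 12) whose path
# (field 9) ends in the given file name, so a page change can be tied to an FTP session.
ftp_uploads_of() {
    awk -v name="$2" '$12 == "i" && $9 ~ ("/" name "$")' "$1"
}

# Build a constructed docroot and xferlog (203.0.113.5 is a documentation address).
make_fixture() {
    d=$(mktemp -d); mkdir -p "$d/public_html/.smilies"
    printf '<html><body>Hello</body></html>\n' > "$d/public_html/clean.htm"
    printf '<html><body>Hi\n<script src="http://example.invalid/x.js"></script></body></html>\n' \
        > "$d/public_html/index.htm"
    : > "$d/public_html/.wysiwygPro_edit_index_htm.php"
    printf 'Mon Apr  2 03:14:15 2007 1 203.0.113.5 120 %s/public_html/index.htm a _ i r user ftp 0 * c\n' \
        "$d" > "$d/xferlog"
    printf 'Mon Apr  2 03:20:00 2007 1 203.0.113.5 80 %s/public_html/clean.htm a _ o r user ftp 0 * c\n' \
        "$d" >> "$d/xferlog"
    printf '%s\n' "$d"
}

# Run against the fixture; on a real box use /home/<user>/public_html and /var/log/xferlog.
FIX=$(make_fixture)
find_injected_pages "$FIX/public_html"
find_editor_artifacts "$FIX/public_html"
ftp_uploads_of "$FIX/xferlog" index.htm
```

A page that shows up in the first list but has no matching upload record points away from FTP and toward the editor path the thread suspects; a match on both says the FTP credentials for that account are the thing to rotate.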
     