Potential Cpanel security risk?

Frankc

Well-Known Member
Jun 18, 2005
Anyone know whether the following might be a security risk?

After a hacker somehow changed the index.php, index.htm and index.html pages of several users, even completely inactive users with just a single default page, I sniffed and sniffed and at last got a very suspicious file named: .wysiwygPro_edit_index_htm.php

This file has some coded data as well as references to the following files.

/usr/local/cpanel/base/frontend/x/files/savehtmlfile.html
(Actually http://domain.com:2082/frontend/x/files/savehtmlfile.html)

/usr/local/cpanel/base/3rdparty/WysiwygPro/editor_files/config.php

/usr/local/cpanel/base/3rdparty/WysiwygPro/editor_files/editor_class.php

If interested I can send the file to be checked for potential security risks.

nyjimbo

Well-Known Member
Jan 25, 2003
New York
WysiwygPro (a script that allows online editing) has been known to be exploitable in the past however I think the exploit was closed/fixed/removed in Cpanel.

What version of WHM/Cpanel are you running?
 

Frankc

Well-Known Member
Jun 18, 2005
WHM 10.8.0 cPanel 10.9.0-C8800

It is the current tree.

Please also see my post at bottom of

http://forums.cpanel.net/showthread.php?t=62821

By the way, I installed the configserver security tools as well as rkhunter and chkrootkit without any security warning.

I am busy closing security as tightly as possible until I find what happened, but some files were changed again on the 30th. Not as many as last time, but still.... (On the one server without many accounts I changed ALL the passwords to 10-digit passwords with 98-bit quality)

tAzMaNiAc

Well-Known Member
Feb 16, 2003
Sachse, TX
I have been having the same problem so you are not the only one.

I am at C8800 and someone still thinks it's funny to put viruses and spamvertisements... and there are NO ROOT KITS or anything suspicious... only the ability to ftp or enter those directories at will...

It's as if the master password list for cpanel and pure-ftpd is compromised (i.e. there is some "master" password cpanel left in that the hacker uses to enter any username at will...)
 

nyjimbo

Well-Known Member
Jan 25, 2003
New York
> Have the same suspicion as you guys and just disabled it now, as I'm sick of cleaning up those stupid iframes :rolleyes:
>
> chmod 000 /usr/local/cpanel/base/3rdparty/WysiwygPro/
>
> hopefully this will prevent this annoyance
>
> BTW: interestingly enough there is always a .smilies/ directory in those accounts

Hate to bring up such an old thread but we just discovered this same kind of hack on one of our accounts. The attack appears to have been done in November of 2009, same issues, weird wysiwygpro .php files, weird .smilies folders, etc.

Anyone know why this is happening, especially now, two years after something like this is reported. I cannot tell if the exploit is still there.

Does anyone else know anything about this ?
 

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
Are you sure the user didn't just stop an upload in progress or the page (File Manager) timed out and the upload failed? Something like that might result in weird files, I would think. You'd have to look closer to see if you can piece together what the files are/were.
 

nyjimbo

Well-Known Member
Jan 25, 2003
New York
> Are you sure the user didn't just stop an upload in progress or the page (File Manager) timed out and the upload failed? Something like that might result in weird files, I would think. You'd have to look closer to see if you can piece together what the files are/were.

Looks like all ".htm" files in the public_html directory had a one-line script call inserted at the bottom, right before the end "body" tag. But if I look at the wysiwyg php files they are date/time stamped the same as the exploited web pages. Looking in the php files I see the code there too, as if it was part of the edit. Just wondering if the editor is the culprit or there was some other way they got in. Checked all the other accounts on the server and they are clean.
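As an added triage aid (example code written for this thread, not posted by anyone above and not a cPanel tool), the POSIX shell script below walks a public_html tree and reports the three artifacts the posters describe: a script or iframe tag on the last lines before </body> in .htm/.html pages, hidden .wysiwygPro_edit_*.php files, and stray .smilies/ directories, each with its mtime so files stamped at the same time stand out. The sample tree it builds, including the example.invalid URL and the stand-in file contents, is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: report the three artifacts described
# above inside a public_html tree.
#   INJECTED  .htm/.html page with <script>/<iframe> just before </body>
#   EDITFILE  hidden .wysiwygPro_edit_*.php scratch file
#   SMILIES   stray .smilies/ directory
# Every line carries the mtime (epoch seconds) so same-timestamp clusters
# like the ones nyjimbo noticed are easy to spot when the output is sorted.

mtime() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }

scan_public_html() {
    root="$1"
    find "$root" -type f \( -name '*.htm' -o -name '*.html' \) | while IFS= read -r f; do
        # the posters saw a one-line insert right before </body>, so only the
        # two lines ahead of the closing tag (and the tag's own line) are checked
        if grep -i -B2 '</body>' "$f" | grep -qiE '<(script|iframe)[ >]'; then
            printf 'INJECTED %s %s\n' "$(mtime "$f")" "$f"
        fi
    done
    find "$root" -type f -name '.wysiwygPro_edit_*.php' | while IFS= read -r f; do
        printf 'EDITFILE %s %s\n' "$(mtime "$f")" "$f"
    done
    find "$root" -type d -name '.smilies' | while IFS= read -r d; do
        printf 'SMILIES %s %s\n' "$(mtime "$d")" "$d"
    done
}

# Constructed sample tree (hypothetical contents) so the scan runs offline.
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/public_html/img/.smilies"
    printf '<html><body><p>clean page</p>\n</body></html>\n' > "$base/public_html/about.html"
    printf '<html><body><p>home</p>\n<script src="http://example.invalid/x.js"></script>\n</body></html>\n' \
        > "$base/public_html/index.htm"
    printf '<?php /* constructed stand-in for the hidden editor file */ ?>\n' \
        > "$base/public_html/.wysiwygPro_edit_index_htm.php"
    echo "$base/public_html"
}

# usage: sh scan.sh /home/USER/public_html | sort -k2,2n
if [ -n "${1:-}" ]; then scan_public_html "$1"; fi
```

Sorting the output by the second column groups files modified in the same second, which is the same-timestamp pattern the last post describes.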