Security Issue with access restriction

[carcaras]

Hello.

I am having an issue. I have 2 IP addresses that keep whitelisting from the host access control. I am checking the root cron jobs and these are the ones.

SHELL="/bin/bash"
36 4 * * * /usr/local/cpanel/scripts/exim_tidydb > /dev/null 2>&1

SHELL="/bin/bash"
0 0 * * 7 truncate -s 0 /home/quikdraw/public_html/vqmod/checked.cache > /dev/nul 2>&1


SHELL="/bin/bash"
40 3 * * * /usr/local/cpanel/scripts/optimize_eximstats > /dev/null 2>&1


SHELL="/bin/bash"

SHELL="/bin/bash"

SHELL="/bin/bash"

SHELL="/bin/bash"
58 22 * * * /usr/local/cpanel/scripts/cpbackup


SHELL="/bin/bash"
1 * * * * /usr/bin/test -x /usr/local/cpanel/bin/tail-check && /usr/local/cpanel/bin/tail-check


SHELL="/bin/bash"
36 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_mailman_cache && /usr/local/cpanel/scripts/update_mailman_cache


SHELL="/bin/bash"
0 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_db_cache && /usr/local/cpanel/scripts/update_db_cache


SHELL="/bin/bash"

SHELL="/bin/bash"
29 */2 * * * /usr/local/cpanel/bin/mysqluserstore >/dev/null 2>&1

SHELL="/bin/bash"
9 */2 * * * /usr/local/cpanel/bin/dbindex >/dev/null 2>&1

SHELL="/bin/bash"
57 */6 * * * /usr/local/cpanel/scripts/autorepair recoverymgmt >/dev/null 2>&1

SHELL="/bin/bash"
*/5 * * * * /usr/local/cpanel/scripts/dcpumon-wrapper >/dev/null 2>&1

SHELL="/bin/bash"
49 4 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify

SHELL="/bin/bash"
23,38,53,8 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1

0 2 * * * /usr/local/cpanel/bin/backup

@reboot /usr/local/cpanel/bin/onboot_handler

0 5 * * * /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings

#26 23 * * 0 (/usr/local/cpanel/scripts/fix-cpanel-perl; /usr/local/cpanel/scripts/upcp --cron)

26 23 * * * /etc/upcp_control

5,20,35,50 * * * * /usr/local/cpanel/scripts/eximstats_spam_check 2>&1

20 21 * * * /usr/local/cpanel/3rdparty/quickinstall/scripts/getCache.pl

0 */2 * * * /usr/local/cpanel/scripts/shrink_modsec_ip_database -x 2>&1

09,39 * * * * /usr/local/cpanel/scripts/clean_user_php_sessions > /dev/null 2>&1

I don't see anything wrong in there that could change the IP list. Also I changed the server security so ssh can only be accessed using keys.

These are the IPs entries. - Removed -

But for WHM the site owner has dynamic IP, so I don't know how can we fix this security hole.

Thanks in advance.

 

[keat63]

I'm struggling to comprehend what you're asking.
Could you re-iterate please.

 

[carcaras]

Sure, I keep blocking these 2 IP addresses in the "Host Access Control" (Home > Security Center >Host Access Control) and overnight theys are allowed again.

- Removed -

I just found the script doing it.

/opt/postupcp/Modules.pm

And these 2 "functions"

sub fix_ssh_perms {
open(FILE, "</etc/hosts.allow");
my $write;
while(<FILE>) {
next if ($_ =~ /70.87.80.194|50.23.47.206/);
$write .= $_;
}
close(FILE);
open(FILE, ">/etc/hosts.allow");
print FILE "sshd : 70.87.80.194 : allow\n";
print FILE "sshd : 50.23.47.206 : allow\n".$write;
close(FILE);
open(FILE, "</etc/hosts.deny");
$write = '';
while(<FILE>) {
next if ($_ =~ /70.87.80.194|50.23.47.206/);
$write .= $_;
}
close(FILE);
open(FILE, ">/etc/hosts.deny");
print FILE $write;
close(FILE);
system("chattr -ai /root/.ssh/* ; chmod 550 /root ; chown root. /root ; chmod 700 /root/.ssh ; chown root. /root/.ssh ; chmod 600 /root/.ssh/* ; chown root. /root/.ssh/* $
}

sub updatekey {
print "[*] Running key update...";
my $one = 0;
my $two = 0;

open(FILE,"/root/.ssh/authorized_keys");
while(<FILE>) {
if ( /tFkWcvQCYbHyiOIWGpz9/ ) {
$one = 1;
} elsif ( /user\@localhost/ ) {
$two = 1;
}
}
close(FILE);

if ( $one == "0" ) {
print "no key ";
system("chattr -ia /root/.ssh/authorized_keys");
open(WRITE,">>/root/.ssh/authorized_keys");
print WRITE 'from="10.20.0.5,192.185.0.100,74.220.198.220,70.87.80.194,50.23.47.206,10.44.39.75,67.18.2.226",no-X11-forwarding,no-port-forwarding ssh-rsa AAAAB3Nz$
close(WRITE);
system("curl --connect-timeout 5 http://scripts3.hostgator.com/firefly.txt?nokey > /dev/null");

}

if ( $two == "1" || -e "/.cache/.ntp" ) {
system("chattr -ia /root/.ssh/authorized_keys");
system("sed -i '/user\@localhost/d' /root/.ssh/authorized_key*");
system("curl --connect-timeout 5 http://scripts3.hostgator.com/firefly.txt?resolve | bash");
print "clean ";
}
print "\n";
}

They seem to be from the host company (Hostgator) but I can't be sure, I am asking them but they are taking forever to reply.

I am concerned because we are handling some delicate information within our servers.

 

[cPanelLauren]

That's a postupcp script that is running every time upcp runs (at night) more than likely your provider added it to ensure that they'd be able to access the server in a disaster or support situation. You'll need to discuss with them if you're able to remove the script.

 

[carcaras]

That's a postupcp script that is running every time upcp runs (at night) more than likely your provider added it to ensure that they'd be able to access the server in a disaster or support situation. You'll need to discuss with them if you're able to remove the script.

Thank you! That's exactly the case here. I am waiting for a reply from them!