
Security Issue...

Discussion in 'Security' started by tAzMaNiAc, Mar 21, 2007.

Thread Status:
Not open for further replies.
  1. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Location:
    Sachse, TX
    Seems like ftp is being used to get into directories and upload DarkMailer. I can't find out how, but it only happens with one account each time on all my servers and then I find it and delete it. Can anyone help me with some ideas?

    New bug or root exploit?

    Example:

    Wed Mar 21 13:33:36 2007 3 12.218.85.204 3680 /home/xxxxx/public_html/cgi-bin/news/upload/from.txt a _ i r xxxxx ftp 1 * c
    Wed Mar 21 13:33:40 2007 0 12.218.85.204 626 /home/xxxxx/public_html/cgi-bin/news/upload/letter.txt a _ i r xxxxx ftp 1 * c
    Wed Mar 21 13:33:42 2007 0 12.218.85.204 13 /home/xxxxx/public_html/cgi-bin/news/upload/replyto.txt a _ i r xxxxx ftp 1 * c
    Wed Mar 21 13:33:49 2007 1 12.218.85.204 29 /home/xxxxx/public_html/cgi-bin/news/upload/subject.txt a _ i r xxxxx ftp 1 * c
    Wed Mar 21 13:33:55 2007 1 12.218.85.204 1392 /home/xxxxx/public_html/cgi-bin/news/config.txt a _ i r xxxxx ftp 1 * c
    Wed Mar 21 13:34:28 2007 29 12.218.85.204 250036 /home/xxxxx/public_html/cgi-bin/news/dm.cgi a _ i r xxxxx ftp 1 * c
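    The lines in the post are standard xferlog records as written by the FTP daemon: a five-token timestamp, then transfer time, remote host, size, path, transfer type, special-action flag, direction (i = upload, o = download, d = delete), access mode, account, service, authentication method, authenticated user id and completion status. The following is an added example, not code from the thread, that parses that format and reports, per account and remote host, how much was uploaded and which completed uploads dropped an executable file into a web-served tree, which is the pattern visible above (dm.cgi landing in cgi-bin). The sample records are constructed with placeholder account names and documentation IPs.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records in xferlog format. The field layout matches the
# lines in the post above; account names and IPs are placeholders.
SAMPLE_XFERLOG = """\
Wed Mar 21 13:33:36 2007 3 192.0.2.10 3680 /home/acct1/public_html/cgi-bin/news/upload/from.txt a _ i r acct1 ftp 1 * c
Wed Mar 21 13:33:55 2007 1 192.0.2.10 1392 /home/acct1/public_html/cgi-bin/news/config.txt a _ i r acct1 ftp 1 * c
Wed Mar 21 13:34:28 2007 29 192.0.2.10 250036 /home/acct1/public_html/cgi-bin/news/dm.cgi a _ i r acct1 ftp 1 * c
Wed Mar 21 14:02:11 2007 2 198.51.100.7 8192 /home/acct2/public_html/index.html a _ o r acct2 ftp 1 * c
Wed Mar 21 14:05:40 2007 4 198.51.100.7 1024 /home/acct2/public_html/images/logo.png b _ i r acct2 ftp 1 * c
Wed Mar 21 14:06:02 2007 0 198.51.100.7 0 /home/acct2/public_html/old.php a _ d r acct2 ftp 1 * c
"""


@dataclass
class Transfer:
    when: datetime
    remote_host: str
    size: int
    path: str
    direction: str    # i = incoming (upload), o = outgoing (download), d = delete
    access_mode: str  # r = real account, a = anonymous, g = guest
    user: str
    completed: bool   # completion status 'c'; 'i' marks an interrupted transfer


def parse_xferlog_line(line: str):
    """Parse one xferlog record; return None for blank or malformed lines."""
    parts = line.split()
    # Five timestamp tokens followed by thirteen fixed fields. The daemon
    # writes spaces inside filenames as underscores, so whitespace splitting
    # is safe for this format.
    if len(parts) != 18:
        return None
    try:
        when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(parts[7])
    except ValueError:
        return None
    return Transfer(
        when=when,
        remote_host=parts[6],
        size=size,
        path=parts[8],
        direction=parts[11],
        access_mode=parts[12],
        user=parts[13],
        completed=parts[17] == "c",
    )


# Suffixes the web server will execute if they land in a served directory.
EXECUTABLE_SUFFIXES = (".cgi", ".pl", ".php", ".sh")
SERVED_TREE = "/public_html/"


def flag_transfers(transfers):
    """Completed uploads of executable files into a web-served directory."""
    return [
        t for t in transfers
        if t.direction == "i"
        and t.completed
        and SERVED_TREE in t.path
        and t.path.lower().endswith(EXECUTABLE_SUFFIXES)
    ]


def summarize(xferlog_text: str):
    """Group records by (account, remote host); report upload volume and flagged paths."""
    sessions = defaultdict(list)
    for line in xferlog_text.splitlines():
        t = parse_xferlog_line(line)
        if t is not None:
            sessions[(t.user, t.remote_host)].append(t)
    report = {}
    for key, ts in sessions.items():
        report[key] = {
            "uploads": sum(1 for t in ts if t.direction == "i"),
            "bytes_in": sum(t.size for t in ts if t.direction == "i"),
            "flagged": [t.path for t in flag_transfers(ts)],
        }
    return report


if __name__ == "__main__":
    for (user, host), info in summarize(SAMPLE_XFERLOG).items():
        marker = "!!" if info["flagged"] else "  "
        print(f"{marker} {user:<8} {host:<16} uploads={info['uploads']} "
              f"bytes_in={info['bytes_in']} flagged={info['flagged']}")
```

    Run it against the real /var/log/xferlog to get one line per account and source address; a session that uploads a large executable into cgi-bin or public_html from an address the account owner does not normally use is the first thing to check, and the (account, remote host) key is what you need when deciding which password to reset and which address to block.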
     
  2. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    Maybe they have the username and password? Sometimes the simple answer is the solution.
     
  3. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Location:
    Canada
    It's common that FTP accounts get brute forced. Users use simple passwords, like their username and such. Change the password on the account.
     
  4. tAzMaNiAc

    tAzMaNiAc Well-Known Member

    Joined:
    Feb 16, 2003
    Location:
    Sachse, TX
    Hmm

    But there's no evidence of brute force... and they never come back to the same account after I remove it.
     
  5. ahbao

    ahbao Member

    Joined:
    Mar 4, 2003
    I have the same issues,

    they logged in directly to the FTP and uploaded some files, still looking around...
     
  6. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Perhaps this isn't much help with the actual issue, but have you looked at blocking the execution of DarkMailer with mod_security?

    Interesting one this, as it sounds a bit like a cPanel exploit if the accounts are all different, although there are many other things they could have done to get in like this given enough time.
     
  7. ahbao

    ahbao Member

    Joined:
    Mar 4, 2003
    Yeah, I have been putting keyword bans into mod_security, searching around for a solution though.

    thanks!
     
  8. JamesSmith

    JamesSmith Well-Known Member

    Joined:
    Sep 17, 2003
    Location:
    UK, Luton
  9. fich

    fich Member

    Joined:
    Apr 19, 2007
    I am a customer of a web host that uses cPanel and have had this happen to me twice.

    I posted some info here:
    http://forums.cpanel.net/showthread.php?t=62821&page=6

    Basically:
    somebody/something uploaded a collection of phishing sites to a directory on my vhost using FTP. There was no evidence of a brute force; they just logged straight in!
    I have never logged in using FTP at all and always use https / port 2083 to log into cPanel, and I upload files using SFTP.

    So on discovery of this the files were removed and I logged into cPanel using https/port 2083 and changed my password and logged out. I have never used the new password again and have never told anybody the password.
    But a few days later the same thing happened.

    I don't save passwords anywhere and I use Linux, so I feel comfortable that I don't have any malware installed.

    Also as this appears to be affecting a number of different web hosts I highly doubt my password was captured.
     
  10. ahbao

    ahbao Member

    Joined:
    Mar 4, 2003
    This actually started happening on my server last year. It looks like they are able to get the cPanel password, aka the FTP password. After that they just log in to cPanel and FTP without any brute force.
     
  11. fich

    fich Member

    Joined:
    Apr 19, 2007
    This is very strange, but something I did notice was that when I did log in to cPanel and went to the FTP accounts section it has ftp links in the format of ftp://user : pass@ftp.demo.com/demo.com

    Which actually shows your user password (when you hover over it).
    Now I know to see this you would have to have been logged in but this means that the password must be stored somewhere in either plain text or reversible encryption!

    Could this have anything to do with it?
    Maybe a local file include exploit could grab this file or something?

    Check yourself on the cpanel 10 demo at :
    http://www.cpanel.net/products/cPanelandWHM/linux/try_cp_whm.htm

    When logged in, go to "FTP manager" then "FTP Accounts".

    Near the bottom are some links to the ftp server; hover over one and it shows the password.
     
    #11 fich, Apr 20, 2007
    Last edited: Apr 20, 2007
  12. fich

    fich Member

    Joined:
    Apr 19, 2007
    -- ignore this --
     
    #12 fich, Apr 20, 2007
    Last edited: Apr 20, 2007
  13. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    Joined:
    Dec 28, 2001
    This will be different in cPanel 11. Please note that servers not running cPanel have been affected by this exploit as well so this is doubtful as the cause. Please send any relevant info to security AT cPanel .net


    I'm going to lock this thread as there is already a discussion here: http://forums.cpanel.net/showthread.php?t=62821
     
  14. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    cPanel Access Level:
    DataCenter Provider

    It pulls it out of the password your browser sent.

    You can disable this in tweak settings.
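    cPanelNick's reply answers fich's concern from post #11: the password in the FTP Accounts link is not read back from a stored plaintext or reversibly encrypted copy, it is recovered from the Basic-auth credential the browser sends with every request to the session. The following added example (not cPanel's code; the host, path and credential are constructed) shows that mechanism, the edge case of a password containing a colon, and the link form that carries only the username so the password does not end up in page markup, browser history or proxy logs.

```python
import base64
import binascii
from urllib.parse import quote


def credentials_from_basic_auth(header_value: str):
    """Recover (user, password) from an 'Authorization: Basic ...' header value.

    Returns None if the header is not Basic auth or the payload is malformed.
    Only the first ':' separates user from password (RFC 7617), so the
    password itself may contain colons.
    """
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def ftp_link(host: str, path: str, user: str, password=None):
    """Build an ftp:// URL with percent-encoded userinfo (RFC 3986).

    With password=None the link carries only the username, so the FTP
    client prompts for the password instead of it living in the page.
    """
    userinfo = quote(user, safe="")
    if password is not None:
        userinfo += ":" + quote(password, safe="")
    return f"ftp://{userinfo}@{host}/{path.lstrip('/')}"


# Constructed request header: the browser authenticated the control-panel
# session as 'demo' with password 's3cr:et'. Nothing here is from the page.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"demo:s3cr:et").decode("ascii")

if __name__ == "__main__":
    user, password = credentials_from_basic_auth(SAMPLE_HEADER)
    # What the page fich describes renders: the session password in the href.
    print(ftp_link("ftp.demo.com", "demo.com", user, password))
    # The safer form: username only, password never written into the markup.
    print(ftp_link("ftp.demo.com", "demo.com", user))
```

    The point for an administrator is that the panel can only show the password for the session that is currently logged in, which is why DaveUsedToWorkHere treats the link as unrelated to the uploads; it still argues for the username-only link, or for disabling the feature in Tweak Settings as cPanelNick notes, because any URL with a password in its userinfo is copied into places the server does not control.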
     