
SOLVED Server compromised via password reset?

Discussion in 'Security' started by scottconc, Jun 8, 2018.

  1. scottconc

    scottconc Registered

    Over the last two days we have had two separate servers hacked and two different users have their websites trashed. After investigating we have found they used the cPanel password reset function to gain access.

    access_log:
    41.111.119.117 - - [06/07/2018:01:43:15 -0000] "GET /resetpass?start=1 HTTP/1.1" 200 0 "https://www.example.com:2083/" "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" "-" "-" 2083
    After looking into /var/cpanel/passreset we found:
    -rw-------.   1 root root  111 Jun  7 11:13 _fake_user_12
    -rw-r--r--.   1 root root   13 Jun  7 14:17 .floodprotect-oursite_default
    -rw-r--r--.   1 root root   13 Jun  7 14:17 .floodprotect-oursite_puzzle
    -rw-r--r--.   1 root root   13 Jun  7 11:13 .floodprotect-_fake_user_12_default
    -rw-r--r--.   1 root root   13 Jun  7 11:13 .floodprotect-_fake_user_12_puzzle
    -rw-r--r--.   1 root root   13 Jun  7 11:14 .floodprotect-hackedsite_default
    -rw-r--r--.   1 root root   13 Jun  7 11:14 .floodprotect-hackedsite_puzzle
    -rw-r--r--.   1 root root   13 Jun  7 11:19 .floodprotect-hackedsite_resend
    -rw-r--r--.   1 root root   13 Jun  7 11:21 .floodprotect-hackedsite_reset
    
    We have used the tweak settings to turn off password reset for cPanel users to fix it in the mean time.

    On the second server we stopped it midway and found some files still there.

    The first one is /home/hackedsite/.contactemail; inside it has an email - Removed - which we did not set.

    Secondly, we found a folder called /home/hackedsite/public_html/security-team/Login-webapps-mpp-account-selection.

    See attached for a preview of that folder.

    If anyone could put some light on how they were able to get in we would be appreciative.
     

    #1 scottconc, Jun 8, 2018
    Last edited by a moderator: Jun 8, 2018
  2. rpvw

    rpvw Well-Known Member

    Was there any commonality between the two sites on the different servers?

    e.g. Were they both running the same CMS, and if so, did both sites use the same plugins or addons?
     
  3. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @scottconc

    The only way they can reset a password is if they have the contact email for the account set to an email address they have control over. This would lead to the belief, as @rpvw is suggesting, that they initially had access through some other means; the likely culprit would be a vulnerable CMS, plugin, theme, etc.

    Thanks!
     
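An added triage helper, not code from the thread or from cPanel, that ties together the evidence in the first post and the point above about the contact email: it lists /resetpass hits from access_log lines, groups the .floodprotect markers found in /var/cpanel/passreset by account to show which account reached the final reset step, and flags accounts whose .contactemail no longer matches the address the provider has on record. The log lines, file names and e-mail addresses are constructed, and the reading of the marker suffixes as steps of the reset flow is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample access_log lines in the format shown in the thread (documentation-range IPs).
ACCESS_LOG = """\
203.0.113.5 - - [06/07/2018:01:43:15 -0000] "GET /resetpass?start=1 HTTP/1.1" 200 0 "https://www.example.com:2083/" "Mozilla/5.0" "-" "-" 2083
203.0.113.5 - - [06/07/2018:01:44:02 -0000] "POST /resetpass?start=1 HTTP/1.1" 200 0 "https://www.example.com:2083/resetpass" "Mozilla/5.0" "-" "-" 2083
198.51.100.9 - - [06/07/2018:02:10:01 -0000] "GET /login/?login_only=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-" 2083
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"')

def reset_requests(log_text):
    """Return (ip, timestamp, method, path) for every request to the /resetpass endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").startswith("/resetpass"):
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), m.group("path")))
    return hits

# Constructed listing of /var/cpanel/passreset marker files, mirroring the names in the first post.
# Assumption: the suffix names the reset step that was rate-limited (default, puzzle, resend, reset).
PASSRESET_FILES = [
    ".floodprotect-oursite_default", ".floodprotect-oursite_puzzle",
    ".floodprotect-hackedsite_default", ".floodprotect-hackedsite_puzzle",
    ".floodprotect-hackedsite_resend", ".floodprotect-hackedsite_reset",
]
FLOOD_RE = re.compile(r'^\.floodprotect-(?P<account>.+)_(?P<step>default|puzzle|resend|reset)$')

def reset_steps(filenames):
    """Group the flood-protection markers by account and the reset steps each account reached."""
    steps = defaultdict(set)
    for name in filenames:
        m = FLOOD_RE.match(name)
        if m:
            steps[m.group("account")].add(m.group("step"))
    return dict(steps)

def accounts_with_completed_reset(filenames):
    """Accounts that reached the final 'reset' step, i.e. whose password may have been changed."""
    return sorted(acct for acct, s in reset_steps(filenames).items() if "reset" in s)

def unexpected_contact_emails(current, expected):
    """Flag accounts whose ~/.contactemail differs from the address the provider has on record.

    `current` maps account -> contents of /home/<account>/.contactemail; `expected` is the
    provider's own record (e.g. signup data). Both are read and supplied by the caller."""
    return {acct: mail for acct, mail in current.items() if expected.get(acct) != mail}
```

Run it against the real access_log and a directory listing of /var/cpanel/passreset after the fact; a completed reset step plus a changed .contactemail for the same account is the combination the first post describes.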
  4. scottconc

    scottconc Registered

    Hey everyone, we figured out how they were getting in. We changed the PHP handler to a more secure handler. By default it is set to CGI. We switched it to DSO and that seems to have stopped them.

    WHM > MultiPHP Manager > PHP Handlers

    Is where to change the option if anyone else has this issue.
     
  5. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hello @scottconc

    Thanks for letting us know, I do hope the issue does not resurface now that you've changed the handler.
     