SOLVED Server compromised via password reset?

scottconc

Registered
Jun 7, 2018
Australia
cPanel Access Level
Root Administrator
Over the last two days we have had two separate servers hacked and two different users have their websites trashed. After investigating we have found they used the cPanel password reset function to gain access.

access_log
Code:
41.111.119.117 - - [06/07/2018:01:43:15 -0000] "GET /resetpass?start=1 HTTP/1.1" 200 0 "https://www.example.com:2083/" "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" "-" "-" 2083
After looking into /var/cpanel/passreset we found
Code:
-rw-------.   1 root root  111 Jun  7 11:13 _fake_user_12
-rw-r--r--.   1 root root   13 Jun  7 14:17 .floodprotect-oursite_default
-rw-r--r--.   1 root root   13 Jun  7 14:17 .floodprotect-oursite_puzzle
-rw-r--r--.   1 root root   13 Jun  7 11:13 .floodprotect-_fake_user_12_default
-rw-r--r--.   1 root root   13 Jun  7 11:13 .floodprotect-_fake_user_12_puzzle
-rw-r--r--.   1 root root   13 Jun  7 11:14 .floodprotect-hackedsite_default
-rw-r--r--.   1 root root   13 Jun  7 11:14 .floodprotect-hackedsite_puzzle
-rw-r--r--.   1 root root   13 Jun  7 11:19 .floodprotect-hackedsite_resend
-rw-r--r--.   1 root root   13 Jun  7 11:21 .floodprotect-hackedsite_reset
We have used the tweak settings to turn off password reset for cPanel users to fix it in the meantime.

On the second server we stopped it midway and found some files still there.

The first one is /home/hackedsite/.contactemail inside it has an email - Removed - which we did not set.

Secondly, we found a folder called /home/hackedsite/public_html/security-team/Login-webapps-mpp-account-selection.

See attached for a preview of that folder.

If anyone could put some light on how they were able to get in we would be appreciative.
 


rpvw

Well-Known Member
Jul 18, 2013
UK
cPanel Access Level
Root Administrator
Was there any commonality between the two sites on the different servers?

e.g. were they both running the same CMS, and if so, did both sites use the same plugins or addons?
 

cPanelLauren

Forums Analyst II
Staff member
Nov 14, 2017
Houston
cPanel Access Level
DataCenter Provider
Hi @scottconc

The only way they can reset a password is if they have the contact email for the account set to an email address they have control over. This would lead to the belief, as @rpvw is suggesting, that they initially had access through some other means; the likely culprit would be a vulnerable CMS, plugin, theme, etc.

Thanks!
 

scottconc

Registered
Jun 7, 2018
Australia
cPanel Access Level
Root Administrator
Hey everyone, we figured out how they were getting in. We changed the PHP handler to a more secure handler. By default it is set to CGI. We switched it to DSO and that seems to have stopped them.

WHM > MultiPHP Manager > PHP Handlers

Is where to change the option if anyone else has this issue.
 

kjavitz

Member
Aug 25, 2005
So this is what is really happening, please TAKE NOTE cPanel support, it is a huge security issue.

The account is compromised, probably via an old CMS, and the hacker updates /home/accountname/.contactemail to their email and then resets the cPanel password.

The cPanel flaw is this: the contact email shown in WHM > List Accounts is CORRECT, but the one used for cPanel email resets is the email address of the hacker! Why don't these 2 email addresses match? I verified it myself: the .contactemail is the hacker email and the one shown in WHM > List Accounts is the real account owner email. But when I go to reset the password it shows the first and last characters of the hacked .contactemail address.
 
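As an added defender-side check (written for this thread, not code from any poster and not cPanel's own tooling), the script below compares the contact address WHM reads from /var/cpanel/users/<user> (assumed to be a KEY=VALUE file with a CONTACTEMAIL line) against /home/<user>/.contactemail and flags every account where the two disagree, which is exactly the condition kjavitz describes. The two-account tree it scans is constructed in a temporary directory; point scan() at the real paths to audit a server.

```python
import tempfile
from pathlib import Path

# Assumed layout (not from the thread): /var/cpanel/users/<user> is a KEY=VALUE
# file whose CONTACTEMAIL line is what WHM > List Accounts displays, while
# /home/<user>/.contactemail holds the address the cPanel reset flow mails to.

def parse_whm_contact(users_file_text: str) -> str:
    """Return the CONTACTEMAIL value from a /var/cpanel/users/<user> file."""
    for line in users_file_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "CONTACTEMAIL":
            return value.strip().lower()
    return ""

def parse_dotfile_contact(dotfile_text: str) -> str:
    """Return the address in /home/<user>/.contactemail (blank if the file is empty)."""
    lines = dotfile_text.strip().splitlines()
    return lines[0].strip().lower() if lines else ""

def contact_mismatch(user, users_file_text, dotfile_text):
    """Return (user, whm_email, dotfile_email) when the two sources disagree, else None."""
    whm, dot = parse_whm_contact(users_file_text), parse_dotfile_contact(dotfile_text)
    return (user, whm, dot) if dot and dot != whm else None

def scan(home_root, users_root):
    """Walk every account file under users_root and report reset-email mismatches."""
    findings = []
    for users_file in sorted(Path(users_root).iterdir()):
        dotfile = Path(home_root) / users_file.name / ".contactemail"
        if not users_file.is_file() or not dotfile.is_file():
            continue
        hit = contact_mismatch(users_file.name, users_file.read_text(), dotfile.read_text())
        if hit:
            findings.append(hit)
    return findings

def demo():
    """Build a constructed two-account tree (one clean, one tampered) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        home, users = Path(tmp, "home"), Path(tmp, "users")
        users.mkdir()
        for user, whm, dot in (("oursite", "owner@example.com", "owner@example.com"),
                               ("hackedsite", "owner@example.com", "attacker@example.org")):
            (users / user).write_text(f"USER={user}\nCONTACTEMAIL={whm}\n")
            (home / user).mkdir(parents=True)
            (home / user / ".contactemail").write_text(dot + "\n")
        return scan(home, users)

if __name__ == "__main__":
    for user, whm, dot in demo():
        print(f"{user}: WHM shows {whm} but .contactemail is {dot}")
```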

martin MHC

Well-Known Member
Sep 14, 2016
UK
cPanel Access Level
Root Administrator
the hacker updates /home/accountname/.contactemail to their email and then resets the cpanel password

errr, how does this relate to the PHP Handler?
Perhaps you could improve your list of disabled functions in your php.ini ?