SOLVED Server compromised via password reset?

[scottconc]

Over the last two days we have had two separate servers hacked and two different users have their websites trashed. After investigating we have found they used the cPanel password reset function to gain access.

access_log

41.111.119.117 - - [06/07/2018:01:43:15 -0000] "GET /resetpass?start=1 HTTP/1.1" 200 0 "[URL]https://www.example.com:2083/[/URL]" "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.79 Safari/537.36" "-" "-" 2083

After looking into /var/cpanel/passreset we found

-rw-------.   1 root root  111 Jun  7 11:13 _fake_user_12
-rw-r--r--.   1 root root   13 Jun  7 14:17 .floodprotect-oursite_default
-rw-r--r--.   1 root root   13 Jun  7 14:17 .floodprotect-oursite_puzzle
-rw-r--r--.   1 root root   13 Jun  7 11:13 .floodprotect-_fake_user_12_default
-rw-r--r--.   1 root root   13 Jun  7 11:13 .floodprotect-_fake_user_12_puzzle
-rw-r--r--.   1 root root   13 Jun  7 11:14 .floodprotect-hackedsite_default
-rw-r--r--.   1 root root   13 Jun  7 11:14 .floodprotect-hackedsite_puzzle
-rw-r--r--.   1 root root   13 Jun  7 11:19 .floodprotect-hackedsite_resend
-rw-r--r--.   1 root root   13 Jun  7 11:21 .floodprotect-hackedsite_reset

We have used the tweak settings to turn off password reset for cPanel users to fix it in the mean time.

On the seconds server we stopped it midway and found some files still there.

The first one is /home/hackedsite/.contactemail inside it has an email - Removed - which we did not set.

Secondly we found a folder called /home.hackedsite/public_html/security-team/Login-webapps-mpp-account-selection.

See attached for a preview of that folder.

If anyone could put some light on how they were able to get in we would be appreciative.

 

[rpvw]

Was there any commonality between the two sites on the different servers ?

eg Were they both running the same CMS, and if so, did both sites use the same plugins or addons ?

 

[cPanelLauren]

Hi @scottconc

The only way they can reset a password is if they have the contact email for the account set to an email address they have control over. This would lead to the belief like @rpvw is suggesting that they initially had access through some other means, the likely culprit would be a vulnerable CMS, plugin, theme etc.

Thanks!

 

[scottconc]

Hey everyone we figured out how they were getting. We changed the PHP handler to a more secure handler. By default it is set to CGI. We switched it to DSO and that seemed to have stopped them.

WHM > MultiPHP Manager > PHP Handlers

Is where to change the option if anyone else has this issue.

 

[cPanelLauren]

Hello @scottconc

Thanks for letting us know, I do hope the issue does not resurface now that you've changed the handler.

 

[kjavitz]

So this is what is really happening, please TAKE NOTE cpanel support it is huge security issue

the account is compromised probably via an old CMS and the hacker updates /home/accountname/.contactemail to their email and then resets the cpanel password

The cpanel flaw is this - the contact email shown in whm > list accounts is CORRECT, but the one used for cpanel email resets is the email address of the hacker! Why don't these 2 email addresses match? I verified it myself and the .contactemail is the hacker email and the one shown in WHM > list accounts is the real account owner email. But when I go to reset password it shows the first and last characters of the hacked .contactemail address

 

[martin MHC]

the hacker updates /home/accountname/.contactemail to their email and then resets the cpanel password

errr, how does this relate to the PHP Handler?
Perhaps you could improve your list of disabled functions in your php.ini ?