The Community Forums

Interact with an entire community of cPanel & WHM users!

Unauthorised root login

Discussion in 'Security' started by beddo, Dec 22, 2010.

  1. beddo

    beddo Well-Known Member

    Joined:
    Jan 19, 2007
    Messages:
    157
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    England
    cPanel Access Level:
    DataCenter Provider
    Right,
    I am in the process of migrating from an old FreeBSD dedicated server to a new CentOS colo.
    Most of the accounts are transferred and then this afternoon I get an alert from the old server:

    :eek:

    If I read this right, someone logged into WHM with the root password - or found some way to bypass the root password. My root password is long, has letters, numbers, symbols and isn't based around any words. Chances of it being guessed without brute force kicking in? Very slim.

    The cPanel access log shows them requesting the login page and then logging in with no evidence of trying any wrong passwords. They have downloaded a csv of accounts on the server and then accessed one of my databases with phpMyAdmin (that account was already migrated).

    First things I have done are to change the passwords on both servers (to different passwords!) and blacklist the IP concerned - chances are they have access to other IPs though.

    I've also firewalled off the cpanel ports to everywhere except my home and office IP addresses, but I have no idea how the hell they got in. I'm running WHM 11.28.52 which should be current to a few days ago.

    I don't actually care about the old server, it is being switched off tonight but I want to know how they got in to ensure that they can't get into the new server and that I'm not transferring any nasties when I package up the remaining accounts and transfer them over. Plus I thought the system was secure, I keep things up to date and firewalled so not happy!

    Any pointers folks?
     
  2. khorinis

    khorinis Well-Known Member

    Joined:
    Aug 15, 2010
    Messages:
    65
    Likes Received:
    0
    Trophy Points:
    6
    You should scan your entire /home/ directory (because of customer data and cPanel accounts) with ClamAV. Maybe one of your customers came into your server via a PHP shell. ClamAV should detect PHP shells and tell you which files are infected, and then you can watch the account (check its logs etc). Also, after you have checked everything, you should remove the infected files (be careful: false positives aren't unusual!).
     
  3. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    1. Was the root password on the old machine the same as the new one?
    2. Were they "weak" passwords?
    3. Any chance that the PC(s) you are using to access the servers are hijacked?

    For #3, what I mean to ask is -- Do you store login credentials in your web browser for WHM/cPanel/etc? Is there any chance that one or more of the computers that you use to access WHM may be hijacked, therefore allowing for the possibility that somebody grabbed the root login for your servers from some stored credentials you had saved in your browser/FTP?

    4. Did you log in using a non-SSL port to WHM/cPanel or FTP on the new and/or old server any time recently?

    For #4, I'm asking because I wonder if there was an active sniffing process sniffing the unencrypted traffic on your old/new servers. Plus, if you were migrating accounts I have to assume the possibility exists that you may have FTP'd data over (rather than using scp / ssh / ftps / etc).

    I would tend to think that if this is a brand new box running 11.28.52 and that if it hasn't been online long but has been kept up to date, then if they simply accessed the server using root login credentials your passwords must have been discovered --- either by somebody sniffing unencrypted logins or by virtue of your PC being hijacked and stored login credentials stolen.

    5. You should be checking for strange active processes on _both_ servers. If you can afford to, shut down any unnecessary processes [those that can be shut off during your forensic study], and then use netstat, lsof, and other tools to attempt to see if there are any strange processes/open ports that may be currently used by the perpetrator to pass information back and forth.

    Also, I'd probably check your filesystems using "find" to see what new files have been placed on the system in the past week or so (which probably is difficult since you personally have placed a lot of new files on there during the transfer... but most probably kept the old timestamp depending upon how you transferred them).

    6. Check your /etc/passwd for any new / unfamiliar logins, strange home directories, shells.

    7. Check your logfiles for recently uploaded items from FTP into specific websites that may have been the point where malicious scripts were uploaded for future execution to root your machine.

    8. If you aren't running suphp / suexec, suhosin, etc, don't have locked down php.inis, don't have bad things in php disabled via disable_functions= , etc. then you need to consider that in the future.

    Hard to tell by what you have given us. But I think it would be unwise to get into the mindset of thinking that cPanel/WHM itself was hacked because of some security flaw. It is probably more likely that access was gained by malicious scripts, traffic sniffing, hijacked access PCs and stolen credentials, etc.

    Of course it is always wise to force SSL on ports, use the proper type of authentication (http vs cookie), set the proper Tweak Settings (per cPanel suggestions) to avoid cross site scripting and things like that.

    Mike
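    Two of the checks in the list above (new files placed on the system, and unfamiliar entries in /etc/passwd) as a small POSIX shell helper. This is an added example, not something posted in the thread; the UID threshold of 1000 for "normal" accounts, the /home/ prefix, and the set of non-login shells are assumptions that may need adjusting for a given distribution.

```shell
#!/bin/sh
# audit_passwd FILE
# Prints one finding per line for entries in a passwd-format file that an
# intruder commonly adds or alters:
#   UID0    <name>          second account with uid 0 (not "root")
#   SHELL   <name> <shell>  system account that has a real login shell
#   HOME    <name> <home>   normal account whose home is outside /home/
#   PWFIELD <name>          password field is not x/*/! (hash stored in passwd)
audit_passwd() {
    awk -F: '
    # Fields: name:pw:uid:gid:gecos:home:shell
    $3 == 0 && $1 != "root" { print "UID0 " $1; next }
    # Assumption: uids below 1000 are system accounts and should not log in.
    $3 < 1000 && $1 != "root" && $7 !~ /(nologin|false|sync|shutdown|halt)$/ {
        print "SHELL " $1 " " $7; next
    }
    # Assumption: cPanel user homes live under /home/; "nobody" is exempt.
    $3 >= 1000 && $1 != "nobody" && $6 !~ /^\/home\// {
        print "HOME " $1 " " $6; next
    }
    $2 != "x" && $2 != "*" && $2 != "!" { print "PWFIELD " $1 }
    ' "$1"
}

# recent_files DIR DAYS
# Lists regular files under DIR modified within the last DAYS days, staying on
# one filesystem (-xdev) so /proc, /sys and mounted backups are not walked.
# Files copied in by a migration often keep their old mtime, as noted above,
# so this mainly surfaces things written directly on the box.
recent_files() {
    find "$1" -xdev -type f -mtime -"$2" -print 2>/dev/null
}
```

Run as root with `audit_passwd /etc/passwd` and `recent_files / 7`, then compare the output against what you put there yourself during the migration.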
     
  4. beddo

    beddo Well-Known Member

    Joined:
    Jan 19, 2007
    Messages:
    157
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    England
    cPanel Access Level:
    DataCenter Provider
    Thanks,
    Running "clamscan -r -l /root/clamlog -i" on both servers now as all accounts have been migrated across. So far it thinks it has found something in a webalizer temporary file along with the clamav test signature.

    Should have thought of something like this!
     
  5. beddo

    beddo Well-Known Member

    Joined:
    Jan 19, 2007
    Messages:
    157
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    England
    cPanel Access Level:
    DataCenter Provider
    Bingo. There's a .tar.gz uploaded yesterday at 13:07 that shouldn't be there.
    Unfortunately, that home directory was wiped out last night because I didn't need to transfer it. I don't know how they've got from a .tar.gz uploaded to a limited account to a root login though.

    Typically, being an unimportant account it is excluded from the backups too so I think the .tar.gz is gone and I'll never know what was in it. All I know is it was just under 310Mb (324935606 bytes)

    The only odd thing that happened was at 22:39 last night mysql failed and cpanel restarted it, looking in the mysql logs it seems a bit fishy as it reported a normal shutdown:

    MySQL is running 5.0.90_2 which seems to be the latest in the ports tree.

    I've also found a plaintext copy of my old root password in /var/cpanel/configs.cache/_root_.my.cnf___xxxxxxxxx (xxx being a long string)

    Can anyone check on a clean system if this file is supposed to be there?

    I *think* my new system will be safe. Turns out that I had changed the password encryption on FreeBSD to be something non standard. That means that entries in /etc/shadow are unreadable to the new server and require the password to be reset before they will work.

    It has also been a lot more heavily locked down by two firewalls prior to going production so if I'm lucky the new server has come along at just the right time.

    I guess I need to look into tools that scan for rootkits and the like. Makes a change from cleaning Windows machines...
     
  6. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    If that was a 300+ MB tar.gz uploaded, I have to wonder if it was really non-legit. I mean, it'd be so much easier for a miscreant to upload a much much smaller file that allowed them to get at least non-root access. Why in the world would they go through the trouble of uploading a 300+ MB gzipped file? So I'd doubt that this was a part of the hack. Maybe after someone got root they uploaded the 300+ MB file [with plans to upload others even] to distribute it elsewhere via your own webserver.

    This exists on every machine I admin. The file can only be read by root though. A good reason to make sure you never use your root account's password as the root password for MySQL.

    Also, remember that someone could upload the necessary files to get user level access by uploading a simple PHP or CGI, and once they got root they could be smart enough to go back and delete a lot of the traces. So some of what you may be looking for as a clue could have been wiped if the perpetrator had the time to do it.

    Mike
     
  7. beddo

    beddo Well-Known Member

    Joined:
    Jan 19, 2007
    Messages:
    157
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    England
    cPanel Access Level:
    DataCenter Provider
    Just to follow this up, yesterday I had an email from the provider that started as follows:

    It only took them a week to notify their users of a "sustained" attack against all of their hosted servers. Nice.

    Their recommendation is simply to disable FTP and that no cPanel/WHM passwords were compromised. I've replied telling them they should probably revise that statement, seeing as my root password got nicked. I've also asked if they have any more details on the attack and files that were uploaded to other servers in case it helps me track down anything in the data I have transferred over.

    I shan't name the company concerned however I'm glad I moved away. Having a support department that doesn't care about an iffy RAID controller is bad enough. They do have tech staff working 24/7 over Christmas (not just on call - one reason why I went with them) so they should have had plenty of time to pick this up sooner.
     
  8. uk01

    uk01 Well-Known Member

    Joined:
    Dec 31, 2009
    Messages:
    50
    Likes Received:
    1
    Trophy Points:
    8
    Hi,

    We have had exactly the same problem (and I think it's the same company, as the email looks the same).

    We were accessed 2 nights ago, someone from Russia, then 4 hours later someone from the USA walked straight into our dedicated server, and one of the main things they turned on was "allow account FTP access with root password".

    We are baffled how this happened as only us and the support team knew the password to the server (the password was stored on the host company account as it was the one allocated by them in January 2010). I must admit the service and uptime has been absolutely brilliant throughout 2010. I'm shocked this has happened.

    It's almost like somehow the 'hacker' got the password from somewhere, but how? I'm even cautious about calling them a hacker as they didn't 'actually' appear to hack anything. They appeared to login just as I would. A hacker would only get 3 chances, then they get blacklisted by the firewall and brute force protection; no one will answer the question as to how they walked straight past brute force.

    The host company has been talking to cpanel engineers and I'm referred to this thread saying it's a 2008 problem. Surely cpanel would have sorted a 2008 problem by now?!

    I want answers and am determined to get them. In the meantime we are now using access keys to restrict IP access to the server, but that brings problems as our building shares some IPs and I sometimes use a mobile broadband dongle with a dynamic IP to access the server when on the road if a client calls. However, in the meantime security is more important.

    I would warn anyone who has a dedicated server or VPS with root access using cPanel/WHM: watch it, someone could just walk straight past brute force and no one can tell you why.
     
  9. uk01

    uk01 Well-Known Member

    Joined:
    Dec 31, 2009
    Messages:
    50
    Likes Received:
    1
    Trophy Points:
    8
    I see cPanel haven't joined in this discussion; it's about time they did.
     
  10. rrwh

    rrwh Well-Known Member

    Joined:
    Oct 2, 2004
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    6
    I just came looking - I have had a similar thing occur within the last 24 hours - someone from 41.201.*.* just logged into WHM as root - not on one server, but on 2 different servers within a few minutes.

    The access logs look exactly the same as when a legit login is completed - and I have no idea as to how it could happen.

    It looks like they did a listing of accounts then logged out.

    These sort of issues need to be discussed and the access methods identified so that they can be restricted.
     