The Community Forums

Interact with an entire community of cPanel & WHM users!
websites compromised

Discussion in 'Security' started by vincentg, Apr 15, 2014.

  1. vincentg (Well-Known Member; joined May 12, 2004; location: New York)

    Two websites were hacked on my server.

    An FTP user named root was created in both cPanel accounts.

    They could have named it anything, but naming it root I guess was to confuse you.

    I have no idea as to how this was done, as I see no log entries anywhere on how they were able to log in and create an FTP account.

    Any ideas on where to look and what to look for?

    I checked cPanel logs, account logs, Apache logs, the secure log and the messages log, and I don't see how anyone other than the account owner has had a login.
     
  2. vincentg (Well-Known Member; joined May 12, 2004; location: New York)

    I suspect that PHP version 5.4.25 may have been the problem.
    I have updated to 5.4.27.
     
  3. cPanelMichael (Forums Analyst, Staff Member; joined Apr 11, 2011; cPanel Access Level: Root Administrator)

    Could you elaborate on what in particular with PHP 5.4.25 may have resulted in this? Do you suspect one of your PHP scripts as the source of the attack?

    Thank you.
     
  4. vincentg (Well-Known Member; joined May 12, 2004; location: New York)

    I suspect PHP because of the security warning for that version.

    But I am not sure, as I have no log entry that points to anything.

    One website is Joomla and the other is WordPress, and both were using current versions of the software.
    I doubt it has anything to do with the software used by the clients.

    If you have any ideas where to look, let me know.
    From what I found, the hacker was only able to create an FTP account.
    Once created, he was able to upload files and create folders which were owned by the account user.

    The FTP user was named root@hackeddomain,
    where hackeddomain = the name of the client's website.
     
  5. nospa (Well-Known Member; joined Apr 23, 2012; cPanel Access Level: Reseller Owner)

    When were those FTP accounts created? How long ago? I don't think that 5.4.27 is the clue for the compromise; it would be the strangest compromise I've ever heard of...
     
  6. vincentg (Well-Known Member; joined May 12, 2004; location: New York)

    The FTP accounts were created on the day the files were uploaded.
    We were alerted to an email problem; I checked and found the files and FTP accounts, which had been created the day before.

    It's not a Joomla or WordPress problem.
    It's not a spyware problem.

    If you have an idea, let me know.
    How can a person create FTP accounts in cPanel without a login?
     
  7. nospa (Well-Known Member; joined Apr 23, 2012; cPanel Access Level: Reseller Owner)

    I don't think this could be possible if you have tokens enabled; you can't do anything without a root, reseller or cPanel login. If someone does not have a root login, he cannot remove cPanel logs. So maybe that box was root compromised?
     
  8. vincentg (Well-Known Member; joined May 12, 2004; location: New York)

    Yes and maybe the moon is made of cheese.
     
  9. vanessa (Well-Known Member, PartnerNOC; joined Sep 26, 2006; location: Virginia Beach, VA; cPanel Access Level: DataCenter Provider)

    I'm not sure why/how PHP was factored into this, as it seems like a pretty clear case where a cPanel account was compromised, likely due to an insecure password. Have you checked the cPanel access logs for the cPanel user in question? /usr/local/cpanel/logs/access_log
     
  10. vincentg (Well-Known Member; joined May 12, 2004; location: New York)

    People don't seem to read the posts.

    Again:
    I have no idea as to how this was done, as I see no log entries anywhere on how they were able to log in and create an FTP account.

    The only log entries show the user's IP address as having access to their site.
    I see failed attempts by people trying to log in, but not one that shows success.

    There are no log entries that show this at all, other than FTP log entries showing the files being uploaded.
    How did they create the FTP account?

    Why create an FTP account if you had the account password?

    As to why I suspect PHP: because PHP has a resume that is not very good, and there is CVE-2013-7345 and CVE-2014-2497 and god knows what else.

    PHP 5.4.0: security vulnerabilities (linked list)

    Could a hacker create an FTP account via API calls through a PHP security hole?
    Or is it a cPanel security issue?
     
  11. vanessa (Well-Known Member, PartnerNOC; joined Sep 26, 2006; location: Virginia Beach, VA; cPanel Access Level: DataCenter Provider)

    Yo bro, chill out. Your illogical conclusion that this is a PHP or inherent cPanel problem when there is no evidence for that serves as the basis for my assumption that you really don't understand the concept of system administration very well. Thus, why we are trying to help you. If you're going to disregard our advice in favor of pushing your own unsubstantiated theories, then don't ask for help.

    Before you just assume what this is, or even ask us what this is knowing that none of us have been on your server or have evaluated the situation, you need to start from the most simple explanation. Which is, someone likely hacked the cPanel account itself, which has always been the case among the hundreds of times a month I deal with this exact issue. It's best not to ask questions about why hackers do what they do - as far as creating an FTP account when they have access to cPanel, it's pretty common. It's to secure FTP access to an account in the event that the cPanel password changes, because people rarely change FTP passwords. It's not that hard to comprehend.

    I do not see how the vulnerabilities in PHP <=5.4.25 specifically could have resulted in something like this, though it's technically possible for a PHP, perl, or Python script to edit the /etc/proftpd/$user file, since that file is in fact owned by the associated cPanel user. With the right combination of bad scripting and insufficient security on your server, sure, it's possible for such a script to be exploited.

    If this was an exploit of the cPanel API, you would see the access attempt in the access_log where the API call was executed, regardless of what it did. But you said you already checked that, so I'd imagine that such an execution would be obvious to an expert like you. So revisit the cPanel access_log and make sure you didn't miss anything. And maybe also take a Xanax.
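    The two places this reply points at, the cPanel access_log and the per-account /etc/proftpd/$user file, can be checked mechanically. The script below is an added example written for this thread, not code from cPanel or from any poster; the access_log layout, the FTP-add request patterns and the proftpd file layout are assumptions based on cPanel's conventions, and the sample log lines are constructed.

```python
import re

# Assumed cPanel access_log layout (constructed, based on cPanel conventions):
# <ip> - <cpanel user or -> [<timestamp>] "<METHOD> <path> HTTP/1.x" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
# Assumed request paths that add an FTP sub-account: API 2 Ftp::addftp,
# UAPI Ftp::add_ftp, or the x3 theme's doaddftp page (session ids in the path are ignored).
FTP_ADD_RE = re.compile(r'api_func=addftp|Ftp/add_ftp|/ftp/doaddftp', re.I)


def parse_access_log(lines):
    """Yield one dict per line that fits the assumed layout; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def foreign_sessions(entries, owner_ips):
    """Authenticated requests (user != '-') from an IP not expected for that cPanel user.
    owner_ips maps cPanel username -> set of the owner's known client IPs."""
    return [e for e in entries
            if e["user"] != "-" and e["ip"] not in owner_ips.get(e["user"], set())]


def ftp_account_creations(entries):
    """Requests whose path hits one of the assumed FTP-add endpoints."""
    return [e for e in entries if FTP_ADD_RE.search(e["path"])]


def parse_proftpd_users(text):
    """Parse an /etc/proftpd/<cpuser> file, assumed passwd-like
    (name:hash:uid:gid:owner:home:shell); returns (ftp_username, home_dir) pairs."""
    users = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 6 and parts[0]:
            users.append((parts[0], parts[5]))
    return users


# Constructed sample data: RFC 5737 documentation addresses, fake session ids and hashes.
SAMPLE_LOG = [
    '203.0.113.5 - clientacct [15/04/2014:09:12:03 -0400] "GET /cpsess111/frontend/x3/index.html HTTP/1.1" 200 1200',
    '198.51.100.9 - - [14/04/2014:03:40:10 -0400] "POST /login/ HTTP/1.1" 301 0',
    '198.51.100.9 - clientacct [14/04/2014:03:41:22 -0400] "GET /cpsess222/json-api/cpanel?cpanel_jsonapi_module=Ftp&cpanel_jsonapi_func=addftp&user=root&pass=REDACTED HTTP/1.1" 200 90',
    'garbage line that does not parse',
]
SAMPLE_PROFTPD = ("clientacct:$6$x:1001:1001:clientacct:/home/clientacct:/bin/ftpsh\n"
                  "root@example.com:$6$y:1001:1001:clientacct:/home/clientacct/public_html:/bin/ftpsh\n")

if __name__ == "__main__":
    entries = list(parse_access_log(SAMPLE_LOG))
    for e in foreign_sessions(entries, {"clientacct": {"203.0.113.5"}}):
        print("non-owner session:", e["ip"], e["user"], e["ts"])
    for e in ftp_account_creations(entries):
        print("FTP account created by:", e["ip"], e["user"], e["ts"])
    for name, home in parse_proftpd_users(SAMPLE_PROFTPD):
        print("ftp user:", name, "->", home)
```

    On a live box you would feed it `open('/usr/local/cpanel/logs/access_log')` and each `/etc/proftpd/<cpuser>` file; an FTP user such as root@<domain> with no matching add request in the log is the gap the thread is arguing about.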
     
  12. vincentg (Well-Known Member; joined May 12, 2004; location: New York)

    Having been managing servers for over 10 years, I think I know which way is up.

    And you're not helping by telling me oh, it must be this or it must be that.

    I asked a question which is simple: can anyone tell me where else to look?

    For the cPanel log there were no IPs other than the owner's IP that showed a successful login.

    The files created were owned by the user.

    As to what you are stating, that the passwords must have been cracked, I say: on two accounts?
    My logs would have had one hell of a lot of entries from a single IP for a bot to crack two passwords.

    So we rule out cracked passwords, we rule out the user's software, we rule out spyware on the user's PC; what's left?
     
  13. vanessa (Well-Known Member, PartnerNOC; joined Sep 26, 2006; location: Virginia Beach, VA; cPanel Access Level: DataCenter Provider)

    I never said the passwords were cracked or brute-forced. It's 2014 - someone doesn't have to crack a password in order to get it. It's statements like this that support my assumption.

    I also never affirmatively stated that it was "this or that", but rather gave reasonable suggestions as to what it might be, and why it is unlikely that this is a cPanel or PHP security problem. I'm also curious as to how you are "ruling out" any of the items you listed. If it's the same way you theorized that this was a PHP problem, I suppose you're in trouble.

    Also, I suggest that if you want free assistance on these forums, you be less of a dick when people try to help you, regardless of whether you feel the provided help was actually helpful. I'm detaching from this conversation at this point; hopefully someone else on these forums can be of assistance in telling you how to do your job.
     
  14. vincentg (Well-Known Member; joined May 12, 2004; location: New York)

    All I have so far is these IP addresses:
    --------------
    178.157.81.207
    217.118.81.25
    88.150.210.218
    217.118.81.29
    217.118.81.17

    They each used the FTP login root@<website name>.

    The same IPs appear in both accounts; both accounts had an FTP account created.

    No logs anywhere show how it was done.

    Nothing in domlogs or Apache logs or cPanel logs.

    I can't tie the IPs found to anything, nor can I find IPs other than the website owner's IP that had access.

    The servers are secure and have a 10 year history of being secure.
    When some hacker from Amsterdam breaks through and leaves no trail, I want to know how they did it.

    As of yet I have not a clue as to how it was done, but no problems have taken place since the files and the FTP accounts were removed and PHP was updated.
     
  15. athomas.yvr (Registered; joined Mar 20, 2014; cPanel Access Level: DataCenter Provider)

    I had raised an issue with cPanel regarding a similar issue; however, it affected 4k domains across multiple servers. After reading this post I am curious if the issue is related at all. The method of our compromise was via FTP: php/html/htm files were downloaded via FTP, code was injected, and then they were reuploaded.

    Suggestions were made about possible snooping of accounts on the wire or through rootkits. This I believe was squashed via the fact that numerous domains were migrated from legacy hosting platforms without any customer access or logins in the previous 2 years.

    I cannot help you with your report, however it does seem similar to mine.
     
  16. vincentg (Well-Known Member; joined May 12, 2004; location: New York)

    Not rootkits at all.

    What I have found is that the hackers had the password.
    I checked the logs very carefully and there is no evidence of a bot fishing for passwords.

    The IPs found went straight in, in one shot.
    This means the FTP user was created already.

    So the question is how did they do it?

    Both these sites did have problems in the past due to script security issues.
    I can't say for sure this was the reason.

    The only time the FTP account was used was a few days before the hack was noticed.
    They used FTP to upload a file and erased it shortly after.

    If I find out the what and where of it, I will post it.

    Most FTP hack problems are due to spyware.
    The person's PC gets infected with spyware which reads the saved login info of the FTP application installed on the user's PC.

    The spyware sends that info to the hacker, who then adds the login to his script.
    A hacker doesn't spend time trying to hack servers one by one.
    They have scripts do it for them.
    His script logs in to the sites, uploads files and adds a JavaScript line to the index file, which is done to infect more PCs with the spyware.

    Does it sound like the problem you had?

    As for my problem, I don't see anything that shows me when this FTP account was created.
    One would assume it would have been this month, but to be sure I scanned the logs going back to the beginning of the year.

    Found nothing.
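    The injection pattern described in this post (a JavaScript line added to an index file by an automated FTP upload) is easy to sweep for. The scanner below is an added example for this thread, not code from any poster; the allowlist, the sample page and the file-name filter are constructed assumptions.

```python
import os
import re
from urllib.parse import urlparse

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
SCRIPT_TAG_RE = re.compile(r'<script\b', re.I)
INDEX_NAMES = {"index.html", "index.htm", "index.php"}   # assumed targets


def find_injected_scripts(html, allowed_hosts):
    """Return (kind, detail) findings: external script sources whose host is not in
    allowed_hosts, and any <script> placed after </html>, which is what a blind
    append by an upload script looks like. Relative sources are treated as local."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append(("external-src", src))
    parts = re.split(r'</html>', html, flags=re.I)
    if len(parts) > 1 and SCRIPT_TAG_RE.search(parts[-1]):
        findings.append(("after-html-close", parts[-1].strip()[:80]))
    return findings


def scan_tree(root, allowed_hosts):
    """Walk a document root and report findings per index file (path -> findings)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDEX_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_injected_scripts(fh.read(), allowed_hosts)
                if hits:
                    report[path] = hits
    return report


# Constructed sample page: one local script, one allowed CDN, one injected tail script.
SAMPLE_INDEX = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body>Hello</body></html>
<script src="http://malicious.invalid/in.js"></script>
"""
ALLOWED = {"cdn.example.net"}

if __name__ == "__main__":
    for kind, detail in find_injected_scripts(SAMPLE_INDEX, ALLOWED):
        print(kind, detail)
```

    Run `scan_tree("/home/<cpuser>/public_html", ALLOWED)` per account and compare any hit's mtime with the FTP transfer log to tie the upload to a session.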
     
  17. athomas.yvr (Registered; joined Mar 20, 2014; cPanel Access Level: DataCenter Provider)

    In my case I did not see ANY evidence of account password brute force, snooping, rootkits, etc. This was across multiple servers and domains (~4000) with accounts that had never accessed FTP services. One of the accounts was my own domain and I can be quite certain that there was not any spyware/phishing being done. With this many domains affected I am suspicious of the single common elements, these being the physical network/software versions installed (OS, cPanel, Apache, FTP, PHP, etc.).
     
  18. lorio (Well-Known Member; joined Feb 25, 2004; cPanel Access Level: Root Administrator)

    The easiest, richest attack vector in common seems to be the Apache/PHP combo.

    Wouldn't it be a start to compare the Apache/PHP versions and settings in use?
    How many servers are there when you talk about "multiple servers with ~4000 domains"?

    OS
    VPS/Metal
    Apache version
    Mod Security
    PHP handler
    PHP version
    PHP disabled functions

    CSF/LFD or other tools?

    Last time the root password was changed?
    Who knows the password? (Think about the ticket software of the datacenter or external support.)

    10 years without signs of hacking is fantastic. But we can all become victims of new attack vectors every day.
    We all try to minimize the chances.

    A paper about the bigger attack of the last month:
    Operation Windigo: the vivisection of a large Linux server-side credential-stealing malware campaign
     