websites compromised

[vincentg]

Two Websites were hacked on my server.

A FTP user named root was created in both Cpanel accounts.

They could have named it anything but naming it root I guess was to confuse you.

I have no idea as to how this was done as I see no log entries anywhere on how they were able to login and create a FTP account.

Any ideas on where to look and what to look for?

I checked Cpanel Logs , account Logs , Apache Logs , Secure log and messages log and I don't see how anyone other than the account owner has had a login.

 

[vincentg]

I suspect that PHP version 5.4.25 may have been the problem.
Have updated to 5.4.27

 

[cPanelMichael]

I suspect that PHP version 5.4.25 may have been the problem.
Have updated to 5.4.27

Could you elaborate on what in particular with PHP 5.4.25 may have resulted in this? Do you suspect one of your PHP scripts as the source of the attack?

Thank you.

 

[vincentg]

I suspect PHP because of the security warning for that version.

But I am not sure as I have no log entry that points to anything.

One website is Joomla and the other is WordPress and both were using current versions of software
I doubt it has anything to do with the software used by the clients.

If you have any ideas where to look let me know.
From what I found the hacker only was able to create a FTP account.
Once created he was able to upload files and create folders which were owned by the account user.

The FTP user was named [email protected]
Where hackeddomain = the name of the clients website

 

[nospa]

when those ftp accounts were created? how long ago? I don't think that 5.4.27 is the clue for compromise, it would be the most strange compromise I've ever heard...

 

[vincentg]

The FTP accounts were created on the day the files were uploaded.
So we were alerted to an email problem - I checked and found the files and FTP accounts which were created the day before.

It's not a Joomla or Wordpress problem.
It's not a spyware problem.

If you have an idea let me know.
How can a person create FTP accounts in Cpanel without a login!

 

[nospa]

I don't think this could be possible if you have tokens enabled - you can't do anything without root / reseller or cpanel login. If someone does not have root login - he cannot remove cpanel logs. So maybe those box was root compromised?

 

[vincentg]

Yes and maybe the moon is made of cheese.

 

[vanessa]

I'm not sure why/how PHP was factored into this, as it seems like a pretty clear case where a cPanel account was compromised, likely due to an insecure password. Have you checked the cPanel access logs for the cPanel user in question? /usr/local/cpanel/logs/access_log

 

[vincentg]

People don't seem to read the posts.

Again:
I have no idea as to how this was done as I see no log entries anywhere on how they were able to login and create an FTP account.

The only log entries show the USER's IP address as having access to their site.
I see failed attempts of people trying to login but not one that shows success.

There are no log entries that show this at all other than FTP logs entries showing the files being uploaded.
How did they create the FTP account?

Why create an FTP account if you had the account password?

As to why I suspect PHP - because PHP has a resume that is not very good and that there is CVE-2013-7345 and CVE-2014-2497 and god knows what else.

PHP PHP version 5.4.0 : Security vulnerabilities

Can a hacker be able using API calls create a FTP account via a PHP security hole?
Or is it a Cpanel security issue?

 

[vanessa]

Yo bro, chill out. Your illogical conclusion that this is PHP or inherent cPanel problem when there is no evidence to that serves as the basis for my assumption that you really don't understand the concept of system administration very well. Thus, why we are trying to help you. If you're going to disregard our advice in favor of pushing your own unsubstantiated theories, then don't ask for help.

Before you just assume what this is, or even ask us what this is knowing that none of us have been on your server or have evaluated the situation, you need to start from the most simple explanation. Which is, someone likely hacked the cPanel account itself, which has always been the case among the hundreds of times a month I deal with this exact issue. It's best not to ask questions about why hackers do what they do - as far as creating an FTP account when they have access to cPanel, it's pretty common. It's to secure FTP access to an account in the event that the cPanel password changes, because people rarely change FTP passwords. It's not that hard to comprehend.

I do not see how the vulnerabilities in PHP <=5.4.25 specifically could have resulted in something like this, though it's technically possible for a PHP, perl, or Python script to edit the /etc/proftpd/$user file, since that file is in fact owned by the associated cPanel user. With the right combination of bad scripting and insufficient security on your server, sure, it's possible for such a script to be exploited.

If this was an exploit of the cPanel API, you would see the access attempt in the access_log where the API call was executed, regardless of what it did. But you said you already checked that, so I'd imagine that such an execution would be obvious to an expert like you. So revisit the cPanel access_log and make sure you didn't miss anything. And maybe also take a Xanax.

 

[vincentg]

Having been managing servers for over 10 years I think I know which way is up.

And your not helping by telling me oh it must be this or it must be that.

I asked a question which is simple - can anyone tell me where else to look.

For the Cpanel log there were no IP's other than the owner's IP that showed a successful login.

The files created were owned by the user.

As to what you are stating - must be the passwords were cracked - I say - On two accounts?
My logs would have had one hell of a lot of entries from a single IP to have a bot crack two passwords.

So we rule out cracked passwords - we rule out the user's software - we rule out Spyware on the user's PC - what's left?

 

[vanessa]

I never said the passwords were cracked or brute-forced. It's 2014 - someone doesn't have to crack a password in order to get it. It's statements like this that support my assumption.

I also never affirmatively stated that it was "this or that", but rather gave reasonable suggestions as to what it might be, and why it is unlikely that this is a cPanel or PHP security problem. I'm also curious as to how you are "ruling out" any of the items you listed. If it's the same way you theorized that this was a PHP problem, I suppose you're in trouble.

Also, I suggest that if you want free assistance on these forums, you be less of dick when people try to help you, regardless of whether you feel the provided help was actually helpful. I'm detaching from this conversation at this point, hopefully someone else on these forums can be of assistance in telling you how to do your job.

 

[vincentg]

All I have so far is these IP addresses:
--------------
178.157.81.207
217.118.81.25
88.150.210.218
217.118.81.29
217.118.81.17

They each used the FTP login [email protected] name

The same IP's in both accounts - both accounts had an FTP account created.

No Logs anywhere show how it was done.

Nothing in Domlogs or Apache Logs or Cpanel Logs

Can't tie the IP's found nor can I find IP's other than the website owner's IP that had access.

The server's are secure and have a 10 year history of being secure.
When some hacker from Amsterdam breaks through and leaves no trail - I want to know how they did it.

And as of yet I have not a clue as to how it was done but no problems have taken place since the files, the FTP accounts were removed and PHP was updated.

 

[athomas.yvr]

I had raised an issue with cPanel regarding a similar issue however it affected 4k domains across multiple servers. After reading this post I am curious if the issue is related at all. The method through our compromise was via FTP and php/html/htm files were downloaded via FTP, code injected and then reuploaded.

Suggestions were made about possible snooping of accounts on the wire or through rootkits. This I believe was squashed via the fact that numerous domains were migrated from legacy hosting platforms without any customer access or logins in the previous 2 years.

I cannot help you with your report, however it does seem similar to mine.

 

[vincentg]

Not rootkits at all.

What I have found is the hackers had the password.
I checked the logs very careful and there is no evidence of a bot fishing for passwords.

The IP's found went straight in in one shot.
This means the FTP user was created already.

So the question is how did they do it?

Both these sites did have problems in the past due to Script security issues.
I can't say for sure this was the reason.

The only time the FTP account was used was a few days before the hack was noticed.
They used FTP to upload a file and erased it shortly after.

If I find out the what and where of it I will post it.

Most FTP hack problems are due to Spyware.
The person's PC gets infected with Spyware which reads the saved login info of the installed FTP application on the user's PC.

The spyware sends that info to the hacker who then adds the login to his script.
A hacker doesn't spend time trying to hack servers one by one.
They have scripts do it for them.
His script will login to the sites uploading files and adds a JavaScript line to the index file which is done to infect more PC's with the spyware.

Does it sound like the problem you had?

As for my problem I don't see anything that shows me when this FTP account was created.
One would assume it would have been this month but to be sure I scanned the logs going back to the beginning of the year.

Found nothing.

 

[athomas.yvr]

In my case I did not see ANY evidence of account password bruteforce snooping, rootkits, etc. This was across multiple servers and domains (~4000) with accounts that had never accessed FTP services. One of the accounts was my own domain and I can be quite certain that there was not any Spyware/Phishing being done. With this many domains affected I am suspicious of the single common elements and this being the physical network/software versions installed (OS, cPanel, Apache, FTP, PHP, etc)

 

[lorio]

I am suspicious of the single common elements and this being the physical network/software versions installed (OS, cPanel, Apache, FTP, PHP, etc)

The easiest, richest attack vector in common seems to be the Apache/PHP combo.

Wouldn't it be a start to compare Apache/PHP Versions settings in use.
How many servers are there when you talk about "multiple servers with ~4000 domains"?

OS
VPS/Metal
Apache Version
Mod Secruity
PHP Handler
PHP Version
PHP disabled functions

CSF/LFD or other tools?

Last time root password was changed?
Who knows password? (Think about ticketsoftware of datacenter or external support).

10 years without signs of hacking are fantastic. But we all can get victims to new attack vectors every day.
We all try to minimize the chances.

A paper about the bigger attack of the last month:
Operation Windigo ? the vivisection of a large Linux server-side credential-stealing malware campaign