Operating System & Version
CloudLinux 7
cPanel & WHM Version
v100

ankeshanand

Well-Known Member
Mar 29, 2021
204
61
103
India
cPanel Access Level
Root Administrator
I received a distress call that a server was not booting up. I somehow managed to boot up the server and, after many tries, finally fixed the cPanel services and MariaDB. The nightmare for the user started when he saw no accounts in cPanel, and I confirmed that all accounts had been deleted a day before the server went down. Imunify360 WAF was also installed on the server.
--------
Nov 2, 2021 = Accounts deleted
Nov 3, 2021 03:00 AM = Server went unbootable
Nov 3, 2021 around 05:00 PM = Server is up again
--------
/var/cpanel/accounting.log showed accounts being REMOVED on Nov 2, 2021.
Now, these logs also showed that all accounts were deleted by root. An obvious question: was root hacked? It seems so, but how? It had a 32-character alphanumeric and symbolic password, so there was no chance a brute force was that easy.
/var/log/secure shows:
Code:
Nov  3 02:24:27 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/test -e /etc/passwd
Nov  3 02:24:27 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov  3 02:24:27 server sudo[524926]: pam_unix(sudo:session): session closed for user root
Nov  3 02:24:27 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/cat /etc/passwd
Nov  3 02:24:27 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov  3 02:24:27 server sudo[524929]: pam_unix(sudo:session): session closed for user root
Nov  3 02:24:27 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/cat /root/.wp-toolkit-identifier
Nov  3 02:24:27 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov  3 02:24:27 server sudo[524932]: pam_unix(sudo:session): session closed for user root
Nov  3 02:24:27 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/sh -c whmapi1 listaccts --output=json
Nov  3 02:24:27 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov  3 02:24:27 server sudo[524936]: pam_unix(sudo:session): session closed for user root
Nov  3 02:24:27 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/sh -c whmapi1 get_domain_info --output=json
Nov  3 02:24:27 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov  3 02:24:27 server sudo[524943]: pam_unix(sudo:session): session closed for user root
Nov  3 02:24:31 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/sh -c cat /usr/local/cpanel/3rdparty/wp-toolkit/var/license.xml 2>/dev/null
Nov  3 02:24:31 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov  3 02:24:31 server sudo[525466]: pam_unix(sudo:session): session closed for user root
grep -R -i sudo /var/log/* shows:
Code:
Binary file /var/log/secure matches
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u firs...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u craz...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u wpwo...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(61): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u cohe...')
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u pron...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u eser...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u eser...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u firs...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u firs...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u firs...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(61): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u just...')
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u genp...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u genp...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u gsmn...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u heig...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u heig...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(61): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u just...')
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(61): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u news...')
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u mick...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u pron...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u pron...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u ramn...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(61): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u taja...')
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u taks...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u theg...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u theg...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(61): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u hand...')
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u theu...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u theu...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(61): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u toor...')
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(61): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u toor...')
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(61): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u vamb...')
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(61): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u zeos...')
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(61): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u zobs...')
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u temp...', NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(42): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u esho...', NULL, Array)
/var/log/wp-toolkit/main-2021-11-02.log:#1 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutor.php(94): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeSudoCommand('eshopping', 'cd /home/eshopp...', '/home/eshopping...', NULL, NULL)
/var/log/wp-toolkit/main-2021-11-02.log:#0 /usr/local/cpanel/3rdparty/wp-toolkit/plib/library/RemoteServer/Executor/Implementation/LocalExecutorHelper.php(200): PleskExt\WpToolkit\RemoteServer\Executor\Implementation\LocalExecutorHelper::executeCommand('sudo -E -u best...', NULL)
You might be wondering how this is a nightmare. The provider did not make backups and thought RAID was a backup (kind of). Can anyone confirm whether root was compromised via WP Toolkit? Also, is there any way his data can ever come back (if that is even possible)?
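The /var/log/secure excerpt above answers the question "who became root via sudo?" only if the entries are read field by field: the invoking user sits before the first colon, USER= is the account the command actually ran as, COMMAND= is what ran, and TTY=unknown means sudo was called from a non-interactive process rather than a login shell. The following triage script is an added example written for this thread, not code from the original post, from cPanel or from WordPress Toolkit. It parses the standard sudo syslog line format, skips the pam_unix session lines (they carry no command), builds an invoker-to-target matrix, inventories which binaries each invoker ran as root (so the result can be diffed against a known-good server), and flags sudo-to-root by anyone outside an allowlist or any bare root shell. SAMPLE_LOG is constructed: the wp-toolkit lines follow the ones quoted in the post, while the eshopping and nobody lines are invented to exercise the filters.

```python
"""Triage sudo activity from /var/log/secure: who ran what, as which user.

Added example for this thread; not code from the original post, cPanel or
WordPress Toolkit. It parses the standard sudo syslog line
    <Mon DD HH:MM:SS> <host> sudo: <invoker> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>
and ignores the pam_unix session open/close lines, which carry no command.
"""
import re
from collections import Counter, defaultdict

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?: "
    r"(?P<invoker>\S+) : (?P<fields>.*)$"
)
# sudo separates fields with " ; "; split only where a new KEY= begins so a
# COMMAND that itself contains " ; " stays intact
FIELD_SPLIT = re.compile(r" ; (?=[A-Z_]+=)")
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/bash", "/bin/zsh"}

# Constructed sample: wp-toolkit lines modelled on the post; the 'eshopping'
# and 'nobody' lines are invented so the filters below have something to do.
SAMPLE_LOG = """\
Nov  3 02:24:27 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/cat /etc/passwd
Nov  3 02:24:27 server sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov  3 02:24:27 server sudo[524929]: pam_unix(sudo:session): session closed for user root
Nov  3 02:24:27 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/sh -c whmapi1 listaccts --output=json
Nov  3 02:24:31 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=root ; COMMAND=/bin/sh -c cat /usr/local/cpanel/3rdparty/wp-toolkit/var/license.xml 2>/dev/null
Nov  3 02:25:02 server sudo: wp-toolkit : TTY=unknown ; PWD=/usr/local/cpanel/3rdparty/wp-toolkit/scripts ; USER=eshopping ; COMMAND=/bin/sh -c cd /home/eshopping/public_html && php wp-cli.phar core version
Nov  3 02:31:45 server sudo: nobody : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
"""


def parse_sudo_log(text):
    """Return one record per sudo invocation; pam session lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        fields = dict(part.partition("=")[::2] for part in FIELD_SPLIT.split(m.group("fields")))
        records.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "invoker": m.group("invoker"),
            "tty": fields.get("TTY", ""),
            "pwd": fields.get("PWD", ""),
            "target": fields.get("USER", ""),
            "command": fields.get("COMMAND", ""),
        })
    return records


def escalation_matrix(records):
    """Count (invoker, target) pairs: one glance shows who became root and who only became an account user."""
    return Counter((r["invoker"], r["target"]) for r in records)


def root_command_inventory(records):
    """Map invoker -> set of argv[0] it ran as root; diff this against a known-good host."""
    inventory = defaultdict(set)
    for r in records:
        if r["target"] == "root" and r["command"]:
            inventory[r["invoker"]].add(r["command"].split(" ", 1)[0])
    return dict(inventory)


def suspicious_entries(records, expected_root_invokers=("wp-toolkit",)):
    """Flag sudo-to-root by anyone outside the allowlist, and bare root shells.

    The allowlist is an assumption for this example; on a real server it is
    whatever service accounts the admin has baselined as legitimately using sudo.
    """
    flagged = []
    for r in records:
        if r["target"] != "root":
            continue  # sudo -u <account>, as in the toolkit traces, is not root
        reasons = []
        if r["invoker"] not in expected_root_invokers:
            reasons.append("root via unexpected invoker")
        argv0 = r["command"].split(" ", 1)[0]
        if argv0 in INTERACTIVE_SHELLS and " -c " not in r["command"]:
            reasons.append("interactive root shell")
        if reasons:
            flagged.append((r, reasons))
    return flagged


if __name__ == "__main__":
    recs = parse_sudo_log(SAMPLE_LOG)
    for (inv, tgt), n in sorted(escalation_matrix(recs).items()):
        print(f"{inv:>12} -> {tgt:<10} {n}")
    for inv, cmds in root_command_inventory(recs).items():
        print(f"as root by {inv}: {sorted(cmds)}")
    for r, why in suspicious_entries(recs):
        print(f"FLAG {r['ts']} {r['invoker']} -> {r['target']} {r['command']!r}: {', '.join(why)}")
```

On the server, feed it /var/log/secure and the rotated copies (the removals happened the day before the crash), and use `grep -a` when searching, since the post shows grep treating /var/log/secure as a binary file. Two caveats: a real root compromise does not have to pass through sudo at all, so an empty flag list does not clear the box, and the sudo entries only become meaningful once their timestamps are lined up against the REMOVE entries in /var/cpanel/accounting.log and against WHM requests that reached cpsrvd in /usr/local/cpanel/logs/access_log.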
 

cPanelPeter

Senior Technical Analyst
Staff member
Sep 23, 2013
579
23
143
cPanel Access Level
Root Administrator
Hello ankeshanand,

Thank you for posting this. I've checked a couple of our servers and those logs are perfectly normal and not indicative of any security issue in WordPress Toolkit.
However, it is possible that your server is indeed compromised at the root level.

Please consider opening a ticket with us and one of our L3 analysts (and myself) will be happy to further investigate this for you.
 

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
1,051
106
118
Houston, TX
cPanel Access Level
Root Administrator
Hello, did you find out the cause in the end? We recently had a similar case happen to us.
Hello! It appears the previous user never ended up opening a ticket. Would you be able to do so using the link in my signature or by asking your web hosting provider to help? If you do so, please provide the ticket ID here.

Thanks!
 

ankeshanand

Well-Known Member
Mar 29, 2021
204
61
103
India
cPanel Access Level
Root Administrator
Hello, did you find out the cause in the end? We recently had a similar case happen to us.
I asked the owner, and he had already abandoned the server because it was of no use to him. But I am pretty sure it was because of WP Toolkit, and I do have the logs downloaded. That's because CageFS limits all users, but there was still a sudo elevation just after the wp-toolkit processes. Moreover, Imunify was in totally strict mode with WAF and PHP kill mode, so no process could bypass it. The root password was 32 digits with SSH password authorization disabled, and no brute force was noticed in cPHulk or Imunify360. That leaves only one thing, i.e. sudo user elevation, which gave root access to whoever hacked it.
Also, he recently received a spoofed email asking for money..... 5000 USD in BTC! :-p
No one will give away that kind of money when they find backups....
 

cPanelPeter

Senior Technical Analyst
Staff member
Sep 23, 2013
579
23
143
cPanel Access Level
Root Administrator
Just to be clear here, WordPress Toolkit does use sudo to run certain tasks as the user. It has to do that. It does not mean they are escalated to root, just that it is connected as the user to perform the tasks needed. It has to do with the environment variables within each user as it pulls those variables in. Therefore they must be run as the user and not as root.
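The distinction drawn above, sudo as a means of impersonating an account user versus sudo as a route to root, is decided entirely by the rules in /etc/sudoers and /etc/sudoers.d. After an incident like the one in this thread, the question to answer from those files is: which non-root principals can reach root at all, with or without a password, and are any of the "restricted" rules restricted only on paper. The script below is an added example for this thread, not cPanel's or WordPress Toolkit's code, and SAMPLE_SUDOERS is a constructed file: it does not reproduce the real sudoers of any product. The parser handles the common user-spec form (`who host=(runas) TAGS: cmd, cmd`) with backslash continuations; it does not expand Cmnd_Alias or User_Alias names or follow include directives, which is why the usage note points at `sudo -l -U`.

```python
"""Audit sudoers rules for paths to root.

Added example for this thread; not code from cPanel or WordPress Toolkit.
SAMPLE_SUDOERS is constructed for the example and is not any product's real
sudoers. Aliases and include directives are not expanded.
"""
import re

TAGS = {"NOPASSWD", "PASSWD", "SETENV", "NOSETENV", "NOEXEC", "EXEC", "LOG_INPUT",
        "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/env",
          "/usr/bin/python", "/usr/bin/python3", "/usr/bin/perl"}

# who  hosts=(runas) rest   -- runas is optional; sudo defaults it to root
RULE_RE = re.compile(r"^(?P<who>[^\s=]+)\s+(?P<hosts>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.*)$")

SAMPLE_SUDOERS = """\
# constructed sample for this example; not the real sudoers of any product
Defaults    requiretty
Defaults    !visiblepw
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
appsvc      ALL=(ALL) NOPASSWD: /bin/cat /etc/passwd, \\
                               /bin/sh -c whmapi1 *
backupsvc   ALL=(root) NOPASSWD: /usr/local/bin/backup.sh
nobody      ALL=(ALL) NOPASSWD: ALL
"""


def _logical_lines(text):
    """Join backslash-continued lines the way sudoers does."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""
    if buf:
        yield buf.strip()


def parse_sudoers(text):
    """Return user-spec rules as dicts: who, hosts, runas_user, tags, commands."""
    rules = []
    for line in _logical_lines(text):
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue  # comments, #include/#includedir and Defaults are not rules
        if re.match(r"^(User|Runas|Host|Cmnd)_Alias\b", line):
            continue  # aliases are not expanded by this example
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        tags = []
        while True:  # peel leading TAG: prefixes off the command list
            head, colon, after = rest.partition(":")
            if colon and head.strip() in TAGS:
                tags.append(head.strip())
                rest = after.strip()
            else:
                break
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        runas = m.group("runas")
        runas_user = runas.split(":")[0].strip() if runas else "root"
        rules.append({"who": m.group("who"), "hosts": m.group("hosts"),
                      "runas_user": runas_user or "root", "tags": tags, "commands": commands})
    return rules


def audit_sudoers(rules):
    """One finding per rule that can reach root, with a severity and the reasons."""
    findings = []
    for r in rules:
        if r["who"] == "root" or r["runas_user"] not in ("ALL", "root"):
            continue  # root itself, or a rule that only impersonates a non-root user
        nopass = "NOPASSWD" in r["tags"]
        reasons = []
        if r["commands"] == ["ALL"]:
            severity = "high" if nopass else "medium"
            reasons.append("unrestricted root (ALL)" + (" without password" if nopass else ", password required"))
        else:
            for cmd in r["commands"]:
                if cmd.split()[0] in SHELLS:
                    reasons.append(f"shell/interpreter allowed as root: {cmd}")
                if "*" in cmd or "?" in cmd:
                    reasons.append(f"wildcard in arguments matches more than intended: {cmd}")
            severity = "high" if reasons else "review"
            if not reasons:
                reasons.append("fixed command list; confirm each target is root-owned and not writable by the invoker")
        findings.append({"who": r["who"], "severity": severity, "nopasswd": nopass, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{f['severity']:>6} {f['who']:<10} nopasswd={f['nopasswd']} :: " + "; ".join(f["reasons"]))
```

To run it against a live box, concatenate /etc/sudoers with /etc/sudoers.d/* after `visudo -c` confirms they parse, and compare the output with `sudo -l -U <user>` for each service account, since that command prints the effective rules with aliases expanded. The wildcard check matters here: in sudoers a `*` in a command argument also matches whitespace, so a rule such as the constructed `/bin/sh -c whmapi1 *` is in practice an unrestricted root shell, even though it looks like a single permitted command.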
 

Dhrupodi

Active Member
Sep 8, 2019
29
1
3
root
cPanel Access Level
Root Administrator
I am very skeptical of WP Toolkit taking this route of using sudo. It is just another point of failure in the mix. It didn't need sudo to install WordPress. Seeing the number of major bugs WP Toolkit has, especially the incompatibility with disable_functions in PHP 8, which has existed since the days of Plesk in 2019, I am not sure it is a well-thought-out piece of software.


Just to be clear here, WordPress Toolkit does use sudo to run certain tasks as the user.
 

cPanelPeter

Senior Technical Analyst
Staff member
Sep 23, 2013
579
23
143
cPanel Access Level
Root Administrator
Hello,

Thank you for the update. I think you may have misunderstood part of my reply.

When I said, "WordPress Toolkit does use sudo to run certain tasks as the user...", that's what I meant. It has to impersonate the user to run those commands. It does not impersonate root directly but does use the wp-toolkit user in order to perform file operations and run processes (e.g. wp-cli.phar) on a WordPress instance as the specified user.

Additionally, your statement that WordPress Toolkit doesn't need sudo to install WordPress is incorrect. It does use sudo to change to the user in question and then performs the install using the wp-cli utility which runs under the wp-toolkit user.

You also stated this:

Seeing the number of major bugs WP Toolkit has, especially incompatibility with disable_functions in PHP 8, that exists since the days of Plesk in 2019,...

Can you please be more specific? What bugs exactly? Have you reported these defects? I'm not aware of any defects that specifically mention PHP 8 and disable_functions. WordPress Toolkit v5.3 was the first version to support PHP 8. It came out on 2/15/2021, not in 2019.

The original poster for this thread mentioned that several of his accounts showed REMOVED and he was sure it was related to WordPress Toolkit and provided log files. But what we stated was that the log files were normal and not any kind of indication that this was a root compromise or that it was directly involved in his issue.

However, I offered to check and requested a ticket be opened. To date, that has not occurred. The offer still stands, if you or anyone believes that WordPress Toolkit is to blame for a security issue on your server, feel free to open a ticket and our L3 analysts and myself will be happy to review things for you.