Security Issue with access restriction
Hello.
I am having an issue. I have 2 IP addresses that keep getting whitelisted in the Host Access Control. I am checking the root cron jobs and these are the ones:
SHELL="/bin/bash"
36 4 * * * /usr/local/cpanel/scripts/exim_tidydb > /dev/null 2>&1
SHELL="/bin/bash"
0 0 * * 7 truncate -s 0 /home/quikdraw/public_html/vqmod/checked.cache > /dev/nul 2>&1
SHELL="/bin/bash"
40 3 * * * /usr/local/cpanel/scripts/optimize_eximstats > /dev/null 2>&1
SHELL="/bin/bash"
SHELL="/bin/bash"
SHELL="/bin/bash"
SHELL="/bin/bash"
58 22 * * * /usr/local/cpanel/scripts/cpbackup
SHELL="/bin/bash"
1 * * * * /usr/bin/test -x /usr/local/cpanel/bin/tail-check && /usr/local/cpanel/bin/tail-check
SHELL="/bin/bash"
36 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_mailman_cache && /usr/local/cpanel/scripts/update_mailman_cache
SHELL="/bin/bash"
0 */4 * * * /usr/bin/test -x /usr/local/cpanel/scripts/update_db_cache && /usr/local/cpanel/scripts/update_db_cache
SHELL="/bin/bash"
SHELL="/bin/bash"
29 */2 * * * /usr/local/cpanel/bin/mysqluserstore >/dev/null 2>&1
SHELL="/bin/bash"
9 */2 * * * /usr/local/cpanel/bin/dbindex >/dev/null 2>&1
SHELL="/bin/bash"
57 */6 * * * /usr/local/cpanel/scripts/autorepair recoverymgmt >/dev/null 2>&1
SHELL="/bin/bash"
*/5 * * * * /usr/local/cpanel/scripts/dcpumon-wrapper >/dev/null 2>&1
SHELL="/bin/bash"
49 4 * * * /usr/local/cpanel/whostmgr/docroot/cgi/cpaddons_report.pl --notify
SHELL="/bin/bash"
23,38,53,8 * * * * /usr/local/cpanel/whostmgr/bin/dnsqueue > /dev/null 2>&1
0 2 * * * /usr/local/cpanel/bin/backup
@reboot /usr/local/cpanel/bin/onboot_handler
0 5 * * * /usr/local/cpanel/3rdparty/bin/freshclam --quiet --no-warnings
#26 23 * * 0 (/usr/local/cpanel/scripts/fix-cpanel-perl; /usr/local/cpanel/scripts/upcp --cron)
26 23 * * * /etc/upcp_control
5,20,35,50 * * * * /usr/local/cpanel/scripts/eximstats_spam_check 2>&1
20 21 * * * /usr/local/cpanel/3rdparty/quickinstall/scripts/getCache.pl
0 */2 * * * /usr/local/cpanel/scripts/shrink_modsec_ip_database -x 2>&1
09,39 * * * * /usr/local/cpanel/scripts/clean_user_php_sessions > /dev/null 2>&1
I don't see anything wrong in there that could change the IP list. Also I changed the server security so ssh can only be accessed using keys. These are the IP entries. - Removed - But for WHM the site owner has a dynamic IP, so I don't know how we can fix this security hole. Thanks in advance.
I'm struggling to comprehend what you're asking. Could you reiterate, please?
Sure, I keep blocking these 2 IP addresses in the "Host Access Control" (Home > Security Center > Host Access Control) and overnight they are allowed again. - Removed - I just found the script doing it: /opt/postupcp/Modules.pm. And these 2 "functions":

sub fix_ssh_perms {
    open(FILE, "</etc/hosts.allow");
    while(<FILE>) {
        next if ($_ =~ /70.87.80.194|50.23.47.206/);
        $write .= $_;
    }
    close(FILE);
    open(FILE, ">/etc/hosts.allow");
    print FILE "sshd : 70.87.80.194 : allow\n";
    print FILE "sshd : 50.23.47.206 : allow\n".$write;
    close(FILE);
    open(FILE, "</etc/hosts.deny");
    while(<FILE>) {
        next if ($_ =~ /70.87.80.194|50.23.47.206/);
        $write .= $_;
    }
    close(FILE);
    open(FILE, ">/etc/hosts.deny");
    print FILE $write;
    close(FILE);
    system("chattr -ai /root/.ssh/* ; chmod 550 /root ; chown root. /root ; chmod 700 /root/.ssh ; chown root. /root/.ssh ; chmod 600 /root/.ssh/* ; chown root. /root/.ssh/* $
}

sub updatekey {
    print "- Running key update...";
    my $one = 0;
    my $two = 0;
    open(FILE,"/root/.ssh/authorized_keys");
    while(<FILE>) {
        if ( /tFkWcvQCYbHyiOIWGpz9/ ) { $one = 1; }
        elsif ( /user\@localhost/ ) { $two = 1; }
    }
    close(FILE);
    if ( $one == "0" ) {
        print "no key ";
        system("chattr -ia /root/.ssh/authorized_keys");
        open(WRITE,">>/root/.ssh/authorized_keys");
        print WRITE 'from="10.20.0.5,192.185.0.100,74.220.198.220,70.87.80.194,50.23.47.206,10.44.39.75,67.18.2.226",no-X11-forwarding,no-port-forwarding ssh-rsa AAAAB3Nz$
        close(WRITE);
        system("curl --connect-timeout 5 http://scripts3.hostgator.com/firefly.txt?nokey > /dev/null");
    }
    if ( $two == "1" || -e "/.cache/.ntp" ) {
        system("chattr -ia /root/.ssh/authorized_keys");
        system("sed -i '/user\@localhost/d' /root/.ssh/authorized_key*");
        system("curl --connect-timeout 5 http://scripts3.hostgator.com/firefly.txt?resolve | bash");
        print "clean ";
    }
    print "\n";
}
They seem to be from the host company (Hostgator) but I can't be sure. I am asking them but they are taking forever to reply. I am concerned because we are handling some delicate information within our servers.
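A defender-side check for the kind of drift described in this post, added here as an example (it is not code from the thread, from cPanel or from the hosting provider): it parses hosts.allow-style rules and an authorized_keys file and reports sshd allow entries and keys that are not on an allowlist the administrator maintains. The file paths are the standard locations; the sample file contents, the allowlists and the key blobs are constructed.

```python
"""Audit TCP-wrapper rules and root's authorized_keys against an allowlist.

Added example, not code from the thread or from cPanel: it detects the kind
of drift described above (sshd allow rules and keys reappearing overnight).
Paths are the standard locations; all sample data below is constructed.
"""
import re
from pathlib import Path

HOSTS_ALLOW_PATH = "/etc/hosts.allow"            # hosts_access(5) default
AUTHORIZED_KEYS_PATH = "/root/.ssh/authorized_keys"

# Constructed allowlists: what the administrator knowingly configured.
EXPECTED_SSHD_CLIENTS = {"192.0.2.0/24"}
EXPECTED_KEY_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKey"}

# Constructed sample files (RFC 5737 documentation addresses, fake key blobs).
SAMPLE_HOSTS_ALLOW = """\
# constructed sample, not a real file
sshd : 203.0.113.10 : allow
sshd : 198.51.100.7 : allow
ALL : 192.0.2.0/24
"""
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKey admin@workstation
from="203.0.113.10,198.51.100.7",no-X11-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleVendorKey user@localhost
"""

KEY_LINE = re.compile(
    r'^(?:(?P<options>\S+)\s+)?'                     # optional options field
    r'(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+'
    r'(?P<blob>\S+)(?:\s+(?P<comment>.*))?$'
)


def parse_hosts_access(text):
    """Parse hosts.allow/hosts.deny text into (daemon, client, option) tuples.

    Line syntax per hosts_access(5): 'daemon_list : client_list [: option]'.
    Comments and blank lines are skipped; option is '' when absent.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        option = fields[2] if len(fields) > 2 else ""
        rules.append((fields[0], fields[1], option))
    return rules


def parse_authorized_keys(text):
    """Parse authorized_keys lines into dicts: type, blob, comment, from_hosts."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if not m:
            continue  # garbled line or a key type this parser does not know
        options = m.group("options") or ""
        from_match = re.search(r'from="([^"]*)"', options)
        keys.append({
            "type": m.group("type"),
            "blob": m.group("blob"),
            "comment": m.group("comment") or "",
            "from_hosts": from_match.group(1).split(",") if from_match else [],
        })
    return keys


def audit(hosts_allow_text, authorized_keys_text,
          expected_clients=EXPECTED_SSHD_CLIENTS,
          expected_blobs=EXPECTED_KEY_BLOBS):
    """Return human-readable findings for entries not on the allowlists."""
    findings = []
    for daemon, client, option in parse_hosts_access(hosts_allow_text):
        # In hosts.allow a rule with no option, or an explicit 'allow', grants access.
        if (daemon.lower() in ("sshd", "all") and option.lower() in ("", "allow")
                and client not in expected_clients):
            findings.append(f"hosts.allow: unexpected {daemon} rule for {client}")
    for key in parse_authorized_keys(authorized_keys_text):
        if key["blob"] not in expected_blobs:
            origin = ",".join(key["from_hosts"]) or "any host"
            findings.append(
                f"authorized_keys: unexpected {key['type']} key "
                f"'{key['comment']}' usable from {origin}")
    return findings


def audit_live_files():
    """Audit the real files; assumes the standard paths above exist and are readable."""
    return audit(Path(HOSTS_ALLOW_PATH).read_text(),
                 Path(AUTHORIZED_KEYS_PATH).read_text())


if __name__ == "__main__":
    for finding in audit(SAMPLE_HOSTS_ALLOW, SAMPLE_AUTHORIZED_KEYS):
        print(finding)
```

Run against the sample data it reports the two sshd allow rules and the `from=`-restricted vendor key; `audit_live_files()` does the same for the real files. Scheduling it from cron shortly after the nightly upcp window and mailing any non-empty output is one way to learn the same morning that a post-update hook has rewritten these files, and the hook directory named in this thread (/opt/postupcp) is where such a hook would have to live.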
That's a postupcp script that is running every time upcp runs (at night). More than likely your provider added it to ensure that they'd be able to access the server in a disaster or support situation. You'll need to discuss with them whether you're able to remove the script.
Thank you! That's exactly the case here. I am waiting for a reply from them!