CPanel accounts getting attacked by the same person whom is resetting zone file and adding their own records.
Hi All,
One of our webhosts has come under attack recently by the same person. They have done the following on 6 cpanel accounts in the past week:
- Reset zone file back to defaults
- Add MX record pointing to amazonAWS
- Add CNAME records for amazonSES dkim
- Add TXT record for amazon proof of domain control
- Sends test emails from the cpanel account to themselves: l00ser1@rocketmail.com
At the moment I've been tracking /var/log/exim_mainlog to see emails to rocketmail - that way I know the account has been breached. Then I am restoring from a daily jetbackup and changing the cpanel password.
I've been unable to determine the method of attack that they are doing. My going theory is that they are either exploiting CMS or website form vulnerabilities and using that to somehow gain access to cpanel, but what I have found today is that I haven't received a password change notification for the cpanel account like I normally would - so whatever they're doing it's not involving a password reset. I've attempted to comb through /usr/local/cpanel/logs/access_log to see what pages they were visiting, I can see a lot of email attempts but it's very difficult to work through these logs, even around the time period that exim_mainlog says an email went out. This WHM has been hit previously by AnonymousFox attacks which exploit CMS vulnerabilites to reset cpanel passwords but I have disabled the abilities for users to reset their passwords as of 3 weeks ago, which has ruled out that method of infection. The WHM runs on cloudlinux 7.9, WHM v96.0.9 and has imunify360 and kernelcare running. No threats have been picked up for this particular cpanel account. The part that makes this extra annoying for us is the lack of cpanel auditing features - I'm unable to find a way to audit Zone file changes, or just general auditing of what a user account is doing, like you would be able to view in ausearch. The extra extra annoying part is that our customer's domains are usually authorative on this server so the resetting of the zone file will stop their mail from working until we fix it. This server has DNS bind clustering configured to 2 other WHM server's. I am thinking of moving customers with authorative DNS to another service such as cloudflare to reduce the impact of this attack unless I can definitively work out how we are being attacked. It is nice to have DNS + Website centralized for ease of access though. Any assistance would be appreciated. - Cameron
2021-06-05 07:12:26 1lpHa2-001KlD-Tx <= l00ser1@rocketmail.com H=sonic305-21.consmr.mail.gq1.yahoo.com [98.137.64.84]:40817 P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=6623 id=965018891.2586971.1622842894476@mail.yahoo.com T="test" for sales@-company-we-support-.com.au
I've been unable to determine the method of attack that they are doing. My going theory is that they are either exploiting CMS or website form vulnerabilities and using that to somehow gain access to cpanel, but what I have found today is that I haven't received a password change notification for the cpanel account like I normally would - so whatever they're doing it's not involving a password reset. I've attempted to comb through /usr/local/cpanel/logs/access_log to see what pages they were visiting, I can see a lot of email attempts but it's very difficult to work through these logs, even around the time period that exim_mainlog says an email went out. This WHM has been hit previously by AnonymousFox attacks which exploit CMS vulnerabilites to reset cpanel passwords but I have disabled the abilities for users to reset their passwords as of 3 weeks ago, which has ruled out that method of infection. The WHM runs on cloudlinux 7.9, WHM v96.0.9 and has imunify360 and kernelcare running. No threats have been picked up for this particular cpanel account. The part that makes this extra annoying for us is the lack of cpanel auditing features - I'm unable to find a way to audit Zone file changes, or just general auditing of what a user account is doing, like you would be able to view in ausearch. The extra extra annoying part is that our customer's domains are usually authorative on this server so the resetting of the zone file will stop their mail from working until we fix it. This server has DNS bind clustering configured to 2 other WHM server's. I am thinking of moving customers with authorative DNS to another service such as cloudflare to reduce the impact of this attack unless I can definitively work out how we are being attacked. It is nice to have DNS + Website centralized for ease of access though. Any assistance would be appreciated. - Cameron
-
Hello CameronW! I am sorry to hear about the recent security issues you've been experiencing. We have a utility available that you can use called CSI. The CSI utility is a script that provides various functions to assist with the investigation of both root- and user-level compromises. Please be aware, however, that we cannot provide any support for any information the script may turn up, and it shouldn't be considered the end-all-be-all for determining if a site, or account, has been compromised; It should be used as part of a full suite of security checks. You can find more information on this script as well as other practices you can take when you believe your server has been hacked in the article we've published below: Auditd - The Linux Auditing System I hope that this information helps! If you require further assistance beyond the suggestions in the articles above, please open a support ticket so that we can review the issue more thoroughly. You can submit a support request using the "Submit a ticket" link in my signature below. Thank you for choosing cPanel! 0 -
Hello, Here is a good tutorial about auditd it comes with examples How To Use the Linux Auditing System on CentOS 7 | DigitalOcean 0 -
Thank you for that information rscalover! 0
Please sign in to leave a comment.
Comments
3 comments