.cpanelinfo.php file

caeos

• October 29, 2013 17:03

Some (but not all ) accounts on a shared host i looked at have this file .cpanelinfo.php whcih contains ; if ($filter) { etc
is this a legitimate file or something else?

• 

  quizknows

  • October 29, 2013 23:22

  I don't see those files on the server I'm working on now, and they do not sound familiar. I could be wrong but I don't think it should be there. What's the rest of the content of the file?

  0
• 

  cPanelMichael

  • October 30, 2013 12:39

  Hello :) This is not a file created or handled by the cPanel software. You may want to investigate it further to see if it's part of a third-party plugin that you have installed. Thank you.

  0
• 

  kazar01

  • November 03, 2013 04:33

  Hi, few days ago I've found .cpanelinfo.php files in all acounts public_html folders on the server. These files are malicious and can be used to execute shell commands on the server or modify users files! You can check this yourself using the following command: curl -b "p3=system; p2=cat ///etc///passwd;;" yourdomain.com/.cpanelinfo.php
  I advise you to remove/disable such files ASAP and reset server root password. On my server these files were uploaded via cPanel, so I have reset passwords for all cPanel accounts too. Also I want to detect how attacker got access to 'root' account in cPanel and I have a question for cPanel staff: please check the part of logs below, did attacker use accesshash to log in WHM? Or root password was used ? Please advice. 5.34.177.110 - root [10/26/2013:21:23:25 -0000] "GET /json-api/listaccts HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-" 5.34.177.110 - root [10/26/2013:21:23:29 -0000] "GET /json-api/domainuserdata?domain=example.com.orig HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-" ... 5.34.177.110 - - [10/26/2013:21:27:08 -0000] "POST /login/ HTTP/1.1" 301 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-" 5.34.177.110 - root [10/26/2013:21:27:10 -0000] "GET /cpsess3152952527/xfercpanel/camsuom HTTP/1.1" 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-" 5.34.177.110 - - [10/26/2013:21:27:11 -0000] "GET /cpsess3152952527/login/?session=camsuom:n3xOvIITshqynmjtt69yYzAMG2UmZPbgPbS2bDWO4gmg5DXFBFRPH1vKH0_jYs9b,aab292dba48b85fa3b45f8540eb4938c1661c920a0c8a2aa83d04dbf687cb771^M HTTP/1.1" 301 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-" 5.34.177.110 - camsuom [10/26/2013:21:27:12 -0000] "GET /cpsess3152952527/frontend/x3/index.html?post_login=71314175206959 HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-" 5.34.177.110 - camsuom [10/26/2013:21:27:17 -0000] "POST /cpsess3152952527/json-api/cpanel HTTP/1.1" 200 0 "" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" "-"
  

  0
• 

  caeos

  • November 03, 2013 14:59

  it has appeared on empty accounts. i though it was suspect and renamed it to .txt thanks so far,,. on to investigation

  0

Please sign in to leave a comment.