What is SSHControl.pm?
While working on one of my servers, I noticed that there are a bunch of root shell commands in the history that I never entered:
echo Cpanel::SSHControl::Expect::Reset::miZkeAyqwM2PxU6o
export LANG=C; export TERM=dumb; export PS1="Cpanel::SSHControl - \TcPs# ";export PROMPT_COMMAND=""; stty raw; echo $0; echo; echo
exit
There are several more with account-specific language that resembles some modifications that I actually did a few days ago, but why is this stuff appearing on the root shell history? I'm treating it like an exploit. The file
/usr/local/cpanel/Cpanel/SSHControl.pm
seems to be a legit cPanel Perl module, but it just showed up on July 14th. Anybody have any ideas what's going on here? I see that the file exists on at least one of my other servers (dated July 9th), but the shell commands are not in the history on that machine. I'm wondering if this is a new cPanel feature that is already being exploited by miscreants.
Hello :) Please ensure you open a support ticket if you are concerned about a potential security flaw with cPanel: Submit A Ticket. This will allow us to direct the ticket to our security team if deemed necessary. Feel free to post the ticket number here so we can update this thread with the outcome. Thank you.
Hi, SSHControl is a package used during Transfers with the new Transfer Tool. It will create a lot of text in the bash history files on servers.
Ok, thanks. That fits the circumstances. You guys really should issue a warning when you create new features with that kind of behavior though. Seeing command strings with obfuscated data calling a file that has only existed for a couple of days just screams "exploit", especially when I'm only halfway thru my first cup of coffee. :-)