Phishing subdomains constantly created
Hi there,
We have been noticing this for a long time but can't find where it comes from. Sometimes once a week, sometimes 3 or 4 times the same day, we receive "abuse" emails from companies for hosting phishing websites (our IP has been blocked several times).
At the beginning it touched only a few customers using WordPress and mysterious plugins; we didn't care a lot and suspended the accounts until they reacted. Now it seems to touch anyone. We (in the team) have created a few accounts for our own usage; some are active, some were never used (nothing uploaded since creation). Despite this, every week we see phishing subdomains created (containing a phishing website), or sometimes only one .html file is created with a JS redirection to another account.
We've noticed that sometimes it's the exact same IP in the .lastlogin, so when we grep it in the cPanel logs, here is what we see:
root [~]# grep "197.X.X.X" /usr/local/cpanel/logs/login_log
197.X.X.X - bloodofj [04/18/2015:00:10:07 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user bloodofj (loadcpdata failed)
197.X.X.X - artvinfo [04/18/2015:00:10:36 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user artvinfo (loadcpdata failed)
197.X.X.X - nebuleus [04/18/2015:00:10:52 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user nebuleus (loadcpdata failed)
197.X.X.X - producti [04/18/2015:00:22:05 -0000] "GET / HTTP/1.1" DEFERRED LOGIN cpaneld: security token missing
At first sight, I understand that he is using the login form. It's like he has the passwords (hard to believe because we create users from WHMCS with generated passwords =/ ). Then:
root [~]# grep "197.X.X.X" /usr/local/cpanel/logs/access_log
197.X.X.X - - [04/18/2015:00:09:46 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla /5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0. 2272.118 Safari/537.36" "-" "-"
197.X.X.X - - [04/18/2015:00:09:46 -0000] "GET /cPanel_magic_revision_1396130370/unprotected/cpanel/images/login-whisp.png HTTP/1.1" 200 0 "
acct4 [04/18/2015:00:11:09 -0000] "POST /login/?login_only=1 HTTP/1.1" 301 0 "
acct4 [04/18/2015:00:11:12 -0000] "GET /cpsess3987311672/ HTTP/1.1" 200 0 "
acct4 [04/18/2015:00:11:13 -0000] "GET /cpsess3987311672/frontend/x3/index.html HTTP/1.1" 200 0 "
acct4 [04/18/2015:00:11:31 -0000] "GET /cpsess3987311672/frontend/x3/subdomain/index.html HTTP/1.1" 200 0 "
acct4 [04/18/2015:00:12:17 -0000] "GET /cpsess3987311672/frontend/x3/subdomain/doadddomain.html?domain=ac.update.line.defap4527.lverificatiion.74463986dhuibnostr89.submit.43do.aad54f38655583lddsopa81089.edit7899787734534434556sdn28001&rootdomain=live.v-info.info&dir=public_html%2Fac.update.line.defap4527.lverificatiion.74463986dhuibnostr89.submit.43do.aad54f38655583lddsopa81089.edit7899787734534434556sdn28001&go=create HTTP/1.1" 200 0 "
acct5 [04/18/2015:00:23:17 -0000] "GET /cPanel_magic_revision_1396129212/frontend/x3/filemanager/img/icons/codeEditorB.gif HTTP/1.1" 304 0 "
acct5 [04/18/2015:00:23:20 -0000] "GET /cpsess2073941840/json-api/cpanel?cpanel_jsonapi_module=Encoding&cpanel_jsonapi_func=guess_file&cpanel_jsonapi_apiversion=2&file=%2Fhome%2Facct5%2Fpublic_html%2Finndex.php HTTP/1.1" 200 0 "
acct5 [04/18/2015:00:23:22 -0000] "GET /cpsess2073941840/frontend/x3/filemanager/editit.html?file=inndex.php&fileop=&dir=%2Fhome%2Facct5%2Fpublic_html&dirop=&charset=&file_charset=utf-8&baseurl=&basedir=&codeedit=1 HTTP/1.1" 200 0 "
As you can see, in the first "block" he tries some accounts and fails, but gains access to acct4... After that, in the second block, we see him creating the subdomains using the web panel (or a script using it), and in the third part he's using the file manager to create and modify some files on acct5... Users capable of setting the same password everywhere, why not. But having this attack on multiple accounts, including the team's websites, is hard to believe. Moreover, the account password can be used to access FTP directly... I must say that we've run LMD and chkrootkit (and some other check scripts), but everything is negative. Has anyone encountered such an issue, or does anyone have an idea, please? Thank you for your help.
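A defender-side triage script for the pattern the logs above show: one IP failing logins against several account names in login_log, then holding a cPanel session in access_log that creates a subdomain (doadddomain.html with go=create) or edits a file through the File Manager (editit.html). This is an added example, not code from the original post; the log lines inside it are constructed to match the cPanel login_log and access_log formats quoted above, with made-up IPs, account names, session ids and domains.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample entries modelled on the cPanel login_log and access_log
# excerpts in the post; IPs, account names, session ids and domains are made up.
LOGIN_LOG = """\
197.0.0.1 - bloodofj [04/18/2015:00:10:07 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user bloodofj (loadcpdata failed)
197.0.0.1 - artvinfo [04/18/2015:00:10:36 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: invalid cpanel user artvinfo (loadcpdata failed)
10.9.8.7 - alice [04/18/2015:09:00:00 -0000] "POST /login/?login_only=1 HTTP/1.1" FAILED LOGIN cpaneld: bad password
"""
ACCESS_LOG = """\
197.0.0.1 - acct4 [04/18/2015:00:11:12 -0000] "GET /cpsess3987311672/ HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-"
197.0.0.1 - acct4 [04/18/2015:00:12:17 -0000] "GET /cpsess3987311672/frontend/x3/subdomain/doadddomain.html?domain=ac.update.login.verify&rootdomain=example.test&dir=public_html%2Fac.update.login.verify&go=create HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-"
197.0.0.1 - acct5 [04/18/2015:00:23:22 -0000] "GET /cpsess2073941840/frontend/x3/filemanager/editit.html?file=inndex.php&dir=%2Fhome%2Facct5%2Fpublic_html&codeedit=1 HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-"
10.9.8.7 - alice [04/18/2015:09:01:00 -0000] "GET /cpsess1111111111/frontend/x3/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-"
"""

# Common prefix of both logs: ip - user [timestamp] "METHOD path HTTP/x" rest
LINE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*"(?P<rest>.*)$')

def parse(log):
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()

def suspicious_ips(login_log, access_log, min_failures=2):
    """Map ip -> report for IPs that failed logins against at least min_failures
    account names and later held a cPanel session that created a subdomain or edited a file."""
    failed = {}
    for e in parse(login_log):
        if "FAILED LOGIN" in e["rest"]:
            failed.setdefault(e["ip"], set()).add(e["user"])
    reports = {}
    for e in parse(access_log):
        ip, path = e["ip"], e["path"]
        if len(failed.get(ip, ())) < min_failures or not re.match(r"/cpsess\d+/", path):
            continue
        r = reports.setdefault(ip, {"tried": sorted(failed[ip]), "accounts": set(),
                                    "subdomains": [], "edited": []})
        r["accounts"].add(e["user"])
        q = parse_qs(urlsplit(path).query)  # parse_qs already URL-decodes the values
        if "/subdomain/doadddomain.html" in path and q.get("go") == ["create"]:
            r["subdomains"].append(f'{q["domain"][0]}.{q["rootdomain"][0]}')
        elif "/filemanager/editit.html" in path:
            r["edited"].append(f'{q["dir"][0]}/{q["file"][0]}')
    return reports
```

Feed it the real files with `suspicious_ips(open('/usr/local/cpanel/logs/login_log').read(), open('/usr/local/cpanel/logs/access_log').read())`; every reported account is one whose password should be treated as known to the attacker.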
You might want to consider the possibility that your WHMCS install has been breached. If you don't have the latest 5.3.x version installed and are not adhering to all proper security practices with respect to the billing system, then the billing system ends up getting compromised. Did you add your new "team" accounts through WHMCS? If somebody has control of your WHMCS install it would be trivial for them to go and fetch the login credentials for a particular hosting account.
You might want to consider the possibility that your WHMCS install has been breached. If you don't have the latest 5.3.x version installed and are not adhering to all proper security practices with respect to the billing system, then the billing system ends up getting compromised.
This is indeed a vector. But we've changed our WHMCS passwords and the database password at the same time. Concerning SSH, we receive an email any time someone not whitelisted connects, and we currently only have our IP listed. We often see SQL injection attempts (with AES_ENCRYPT strings), but as we're up to date, they always fail. Strangely, these attempts come from the USA while the successful hacks are done from Tunisia. And of course, the ISP never answered our abuse reports.
Did you add your new "team" accounts through WHMCS? If somebody has control of your WHMCS install it would be trivial for them to go and fetch the login credentials for a particular hosting account.
Yes we do, in order to keep consistency in WHMCS. We also pay for our personal hosting websites, so it's a must to use WHMCS. Any other idea? Thank you for your help.