Brute Force Attacks Against cPanel
I've been running web servers with cPanel for many years, and recently have noticed a number of brute force attacks against cPanel and accounts.
I started noticing this a few months back, when a couple domains I manage on the server started sending out email Password Change Notifications to me to let me know cPanel received a password reset request and has sent out a new password. I thought maybe I had a weak password on those domains, so I changed the password, cleaned up the hacks and moved on.
Today, I was going through a clients domain to clean up a hack, and noticed that the account had a list of all users in /home/* in a folder of hack attempts to common content management and shopping cart programs.
One of the scripts in the users directory was, of course encoded. After decoding the script the title of the exploit was called "CPanel Bruteforce | S4MP4H", and upon examining the file, it looks as though its meant to scan the server for exploits and enact on them.
However, the user in question is jailshelled, so im curious as to how the script was able to find a list of other users on the server?
Has anyone else noticed exploits towards their server, specifically attacking cPanel, its scripts and API's to initiate password resets, create sub domains, and what appears to be a break out of jailshell?
Thanks,
Kevin
-
However, the user in question is jailshelled, so im curious as to how the script was able to find a list of other users on the server?
Hello :) Are you positive it was a list of all user accounts, or is it possible the usernames were associated with cPanel services? I could not reproduce the listing of any other account usernames from the jailshell environment on a test machine. Thank you.0
Please sign in to leave a comment.
Comments
1 comment