Possible mysql root password hacked
Recently I was looking into an issue where a cpanel user could not access his MySQL Databases page. When checking the cpanel error logs I found the following:
Use of uninitialized value in string ne at /usr/local/cpanel/Cpanel/MysqlUtils.pm line 1178, line 1.
Cpanel::Exception::InvalidCharacters/(XID n2p543) This value may not contain a line feed.
at /usr/local/cpanel/Cpanel/Exception/CORE.pm line 77, line 1.
Cpanel::Exception::create("InvalidCharacters", "This value may not contain a line feed.", HASH(0x24f5f28)) called at /usr/local/cpanel/Cpanel/Exception.pm line 30
Cpanel::Exception::__ANON__(__CPANEL_HIDDEN__, __CPANEL_HIDDEN__, HASH(0x24f5f28)) called at /usr/local/cpanel/Cpanel/Validate/LineTerminatorFree.pm line 50
Cpanel::Validate::LineTerminatorFree::validate_or_die("'\x{d}\x{a}\x{d}\x{a}hacked\x{d}\x{a}\x{d}\x{a}\x{d}\x{a}\x{d}\x{a}\x{d}\x{a}\x{d}\x{a}\x{d}\x{a}
hacked
line 1.
Cpanel::Wrap::send_cpwrapd_request("namespace", "Cpanel", "module", "cpmysql", "function", "DBCACHE", "data", "", "action", ...) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 58
Cpanel::AdminBin::adminrun("cpmysql", "DBCACHE", "") called at cpanel.pl line 2791
cpanel::cpanel::domysql("initcache", ARRAY(0x5010c20)) called at cpanel.pl line 2095
eval {...} called at cpanel.pl line 2095
cpanel::cpanel::_api1("Mysql", "mysql", "initcache()", "initcache", ARRAY(0x5010c20), "safe_html_encode") called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
eval {...} called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
Cpanel::Template::Plugin::Api1::_api1_exec(0, "Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 45
Cpanel::Template::Plugin::Api1::_captured_api1_exec("Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 16
Template::Provider::__ANON__(Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 163
eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 161
Template::Document::process(Template::Document=HASH(0x50c62d8), Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 351
eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 321
Template::Context::process(Template::Context=HASH(0x5024278), Template::Document=HASH(0x50c62d8)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 94
eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 91
Template::Service::process(Template::Service=HASH(0x5023ea0), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template.pm line 66
Template::process(Template=HASH(0x5023b88), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798), SCALAR(0x28cde60)) called at /usr/local/cpanel/Cpanel/Template.pm line 427
Cpanel::Template::process_template("cpanel", HASH(0x5023798), HASH(0x5023690)) called at cpanel.pl line 1221
cpanel::cpanel::cptt_exectag("/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", 1) called at cpanel.pl line 5224
cpanel::cpanel::run_standard_mode() called at cpanel.pl line 847
cpanel::cpanel::script("cpanel::cpanel", "./frontend/paper_lantern/sql/index.html.tt") called at cpanel.pl line 306
[2016-11-14 16:53:00 +0100] warn [cpanel] Cpanel::Wrap::send_cpwrapd_request error: namespace=[Cpanel] module=[cpmysql] function=[DBCACHE]: set error in context mysql: statusmsg=[The adminbin "cpmysql" in the "Cpanel" namespace call to function "DBCACHE" ended prematurely: The subprocess reported error number 255 when it ended.] at /usr/local/cpanel/Cpanel/Wrap.pm line 129, <$socket> line 1.
Cpanel::Wrap::send_cpwrapd_request("namespace", "Cpanel", "module", "cpmysql", "function", "DBCACHE", "data", "", "action", ...) called at /usr/local/cpanel/Cpanel/AdminBin.pm line 58
Cpanel::AdminBin::adminrun("cpmysql", "DBCACHE", "") called at cpanel.pl line 2791
cpanel::cpanel::domysql("initcache", ARRAY(0x5010c20)) called at cpanel.pl line 2095
eval {...} called at cpanel.pl line 2095
cpanel::cpanel::_api1("Mysql", "mysql", "initcache()", "initcache", ARRAY(0x5010c20), "safe_html_encode") called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
eval {...} called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 93
Cpanel::Template::Plugin::Api1::_api1_exec(0, "Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/Cpanel/Template/Plugin/Api1.pm line 45
Cpanel::Template::Plugin::Api1::_captured_api1_exec("Mysql", "initcache", ARRAY(0x5010c20)) called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 3
eval {...} called at /usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt line 16
Template::Provider::__ANON__(Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 163
eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Document.pm line 161
Template::Document::process(Template::Document=HASH(0x50c62d8), Template::Context=HASH(0x5024278)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 351
eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Context.pm line 321
Template::Context::process(Template::Context=HASH(0x5024278), Template::Document=HASH(0x50c62d8)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 94
eval {...} called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template/Service.pm line 91
Template::Service::process(Template::Service=HASH(0x5023ea0), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798)) called at /usr/local/cpanel/3rdparty/perl/522/lib64/perl5/cpanel_lib/x86_64-linux-64int/Template.pm line 66
Template::process(Template=HASH(0x5023b88), "/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", HASH(0x5023798), SCALAR(0x28cde60)) called at /usr/local/cpanel/Cpanel/Template.pm line 427
Cpanel::Template::process_template("cpanel", HASH(0x5023798), HASH(0x5023690)) called at cpanel.pl line 1221
cpanel::cpanel::cptt_exectag("/usr/local/cpanel/base/frontend/paper_lantern/sql/index.html.tt", 1) called at cpanel.pl line 5224
cpanel::cpanel::run_standard_mode() called at cpanel.pl line 847
cpanel::cpanel::script("cpanel::cpanel", "./frontend/paper_lantern/sql/index.html.tt") called at cpanel.pl line 306
[2016-11-14 16:53:00 +0100] warn [Mysql::initcache] Encountered error in Mysql::initcache: Mysql::initcache() failed: The adminbin "cpmysql" in the "Cpanel" namespace call to function "DBCACHE" ended prematurely: The subprocess reported error number 255 when it ended.
After I found this I deleted all the cpses_ mysql users. This got me worried so I checked the mysql.user and found more users with the same host:
user host
agrodend_milan \n\nHacked\n\n\n\n\nHacked\n\n\n\n\nHacked\n\n\n\n\nHacked\n\n\n\n\nHacked\n\n\n\n\nHacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n\n\nhacked\n\n\n
Remote mysql and ssh and whm access has been blocked on the network level before the server was even in production. The only way I have been able to recreate this as the user is with the mysql root password. Have any of you had a similar situation? Is there a way to recreate this without mysql root? What should I check for next?
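The check the post is asking for, as an added example that is not part of the original thread and not cPanel's own tooling: it takes the output of `mysql --batch --skip-column-names -e "SELECT user, host FROM mysql.user"` (in batch mode the mysql client escapes an embedded newline as the two characters `\n`, which is consistent with how the host appears in the listing above), decodes each field, flags every host that contains a line terminator or any character that never occurs in a real host value, and prints a correctly escaped DROP USER statement for it. The sample listing and the account names are constructed; the exact hosts on the affected server are not known from the thread.

```python
"""Audit a mysql.user listing for hosts that contain line terminators.

Added example (not from the thread or from cPanel). Assumes the listing was
produced with:
    mysql --batch --skip-column-names -e "SELECT user, host FROM mysql.user"
which prints one TAB-separated row per line and escapes an embedded newline
as the two characters \\n, a tab as \\t, NUL as \\0 and a backslash as \\\\.
SAMPLE_LISTING below is constructed; the names are illustrative.
"""
import re
from typing import List, Optional, Tuple

SAMPLE_LISTING = (
    "root\tlocalhost\n"
    "cpses_a1b2c3\tlocalhost\n"
    "agrodend_milan\tlocalhost\n"
    "agrodend_milan\t\\n\\nHacked\\n\\n\\n\\n\\nhacked\\n\n"
    "cpses_d4e5f6\t\\n\\nhacked\\n\\n\\n\n"
    "report\t10.0.0.%\n"
    "ipv6user\t::1\n"
)

# escapes the mysql client uses in --batch output
_BATCH_ESCAPES = {"n": "\n", "t": "\t", "0": "\0", "\\": "\\"}

# characters seen in legitimate host values: names, IPv4/IPv6, % and _ wildcards, /netmask
_HOST_OK = re.compile(r"^[A-Za-z0-9.:%_/-]+$")


def decode_batch_field(field: str) -> str:
    """Undo the --batch escaping of one field."""
    out: List[str] = []
    i = 0
    while i < len(field):
        if field[i] == "\\" and i + 1 < len(field):
            out.append(_BATCH_ESCAPES.get(field[i + 1], field[i + 1]))
            i += 2
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def classify_host(host: str) -> Optional[str]:
    """Return a reason string if the host value is suspicious, else None."""
    if "\r" in host or "\n" in host:
        # exactly what cPanel's LineTerminatorFree validator rejects in the trace above
        return "line terminator"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in host):
        return "control character"
    if not _HOST_OK.match(host):
        return "unexpected character"
    return None


def audit_listing(listing: str) -> List[Tuple[str, str, str]]:
    """Return (user, decoded host, reason) for every suspicious row."""
    findings = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        raw_user, _, raw_host = line.partition("\t")
        user, host = decode_batch_field(raw_user), decode_batch_field(raw_host)
        reason = classify_host(host)
        if reason is not None:
            findings.append((user, host, reason))
    return findings


def sql_quote(value: str) -> str:
    """Quote a value as a MySQL string literal, escaping what MySQL treats specially."""
    escaped = (value.replace("\\", "\\\\").replace("'", "\\'")
               .replace("\0", "\\0").replace("\n", "\\n").replace("\r", "\\r"))
    return "'" + escaped + "'"


def drop_statement(user: str, host: str) -> str:
    """DROP USER matches the host exactly, so the line terminators must be escaped."""
    return "DROP USER " + sql_quote(user) + "@" + sql_quote(host) + ";"


if __name__ == "__main__":
    for user, host, reason in audit_listing(SAMPLE_LISTING):
        print(f"{reason}: user={user!r} host={host!r}")
        print("  " + drop_statement(user, host))
```

The cpses_ rows are temporary and disappear on their own; the row worth looking at is the permanent account that carries the same host, since DROP USER only removes an account when the host string is given exactly, newlines included.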
Hello, Temporary cpses* MySQL users are created when you access a cPanel account by clicking the cPanel icon next to the account in "WHM >> Account Functions >> List Accounts", or by directly accessing the cPanel account with the account username and root password. Could you verify if that's the behavior you are noticing? Thank you.
I understand the generation of temporary cpses* users. What I want to know is how were they generated with the following hostname "\n\nhacked\n\n\n
Hello, Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here and we will update this thread with the outcome. Thank you.
The ticket id is 7992711.
The issue is resolved. It appears the suspicious hostname was added by the user during the restoration of the mysql database.
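Given the outcome above (the host came in with the database restore), a check to run on a dump before importing it, as an added example that is not code from the thread or from cPanel: it finds every 'user'@'host' account literal in a SQL dump, decodes the MySQL string-literal escapes (inside a single-quoted literal MySQL turns the two characters `\n` into a real newline, so a GRANT or CREATE USER statement in a dump can create a host like the one shown above), and reports the accounts whose host contains a line terminator. The thread does not say the restore was a plain SQL import; that, the single-quoted literal form, and the dump fragment below are assumptions.

```python
"""Pre-import check of a MySQL dump for account literals whose host part
contains line terminators.

Added example, not from the thread or from cPanel. Assumes the dump is plain
SQL with single-quoted 'user'@'host' literals and that the server runs with
backslash escapes enabled (the default; NO_BACKSLASH_ESCAPES would change the
decoding). SAMPLE_DUMP is constructed.
"""
import re
from typing import List, Tuple

SAMPLE_DUMP = r"""
-- constructed dump fragment
CREATE DATABASE IF NOT EXISTS `agrodend_shop`;
USE `agrodend_shop`;
CREATE TABLE `orders` (`id` int NOT NULL);
CREATE USER 'agrodend_milan'@'localhost' IDENTIFIED BY 'x';
GRANT ALL PRIVILEGES ON `agrodend_shop`.* TO 'agrodend_milan'@'\n\nHacked\n\n\n\n\nhacked\n';
GRANT SELECT ON `agrodend_shop`.* TO 'report'@'10.0.0.%';
"""

# backslash escapes MySQL recognises inside a string literal; any other
# escaped character stands for itself
_MYSQL_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "0": "\0", "b": "\b", "Z": "\x1a"}

# body of one single-quoted literal: plain chars, backslash escapes, or a doubled quote
_LITERAL = r"(?:[^'\\]|\\.|'')*"
_ACCOUNT = re.compile(r"'(" + _LITERAL + r")'@'(" + _LITERAL + r")'")


def unescape_mysql_literal(body: str) -> str:
    """Decode the body of a single-quoted MySQL string literal."""
    out: List[str] = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            out.append(_MYSQL_ESCAPES.get(body[i + 1], body[i + 1]))
            i += 2
        elif body.startswith("''", i):
            out.append("'")
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def find_suspicious_accounts(dump_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, user, decoded host) for every host containing CR or LF."""
    findings = []
    for lineno, line in enumerate(dump_text.splitlines(), start=1):
        for m in _ACCOUNT.finditer(line):
            user = unescape_mysql_literal(m.group(1))
            host = unescape_mysql_literal(m.group(2))
            if "\n" in host or "\r" in host:
                findings.append((lineno, user, host))
    return findings


if __name__ == "__main__":
    for lineno, user, host in find_suspicious_accounts(SAMPLE_DUMP):
        print(f"line {lineno}: user={user!r} host={host!r}")
```

Run it against the dump before handing it to `mysql`; a clean dump produces no output. Account literals quoted with backticks or double quotes are not matched here, so a dump that uses those needs the pattern extended.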
I'm happy to see the issue is now resolved. Thank you for updating us with the outcome.