Block 'unprotected' password change
Hello,
Recently we had user accounts being compromised. When we checked the logs we found the hacker calling `/unprotected/passwordstrength.cgi`:
41.251.163.205 - - [04/21/2017:15:19:29 -0000] "POST /unprotected/passwordstrength.cgi HTTP/1.1" 200 0 "http://www.domain.com:2082/resetpass" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" "-" 2082
41.251.163.205 - - [04/21/2017:15:19:30 -0000] "POST /unprotected/passwordstrength.cgi HTTP/1.1" 200 0 "http://www.domain.com:2082/resetpass" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" "-" 2082
41.251.163.205 - - [04/21/2017:15:19:30 -0000] "POST /unprotected/passwordstrength.cgi HTTP/1.1" 200 0 "http://www.domain.com:2082/resetpass" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" "-" 2082
41.251.163.205 - - [04/21/2017:15:19:30 -0000] "POST /unprotected/passwordstrength.cgi HTTP/1.1" 200 0 "http://www.domain.com:2082/resetpass" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" "-" 2082
41.251.163.205 - - [04/21/2017:15:19:30 -0000] "POST /unprotected/passwordstrength.cgi HTTP/1.1" 200 0 "http://www.domain.com:2082/resetpass" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" "-" 2082
41.251.163.205 - - [04/21/2017:15:19:30 -0000] "POST /unprotected/passwordstrength.cgi HTTP/1.1" 200 0 "http://www.domain.com:2082/resetpass" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" "-" "-" 2082
How can we block such calls? Thanks.
I haven't received a response on this. It appears cPanel has a history of 'resetpass' being exploited:
1. cPanel Resetpass Remote Command Execution Vulnerability
2. More agobot/phatbot/polybot variants, cPanel resetpass exploit - SANS Internet Storm Center
3. cpanel hack attempts through resetpass script
4. More agobot/phatbot/polybot variants, cPanel resetpass exploit - Forums
Those are all very old posts. You can disable "Reset Password for cPanel accounts" in WebHost Manager » Server Configuration » Tweak Settings, System tab. When someone wants to reset a password they'll see this: How to Reset a cPanel Account Password - cPanel Knowledge Base - cPanel Documentation

You might also want to visit the Redirection tab and be sure that this option is on: Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs (formerly known as "Always redirect to SSL/TLS").

If you actually visit domain.com:2082/resetpass you'll note that you need to know the user's username first, and then the email address, so you can receive a security code via email, to actually change a password.

Personally, I've never enabled the option for a user to reset a password on any server I've ever managed, probably because of those old posts from 2004. The password reset option should be quite secure now though. Making sure cPHulk is enabled would surely block failed logins to the system.
Hello, we have noticed several attacks on cPanel that look like exploits. The attacker first makes a call to change email, then after that makes a call to change password:
105.158.175.133 - - [04/22/2017:20:13:33 -0000] "GET /unprotected/loader.html?random=Ew1riJmbh_utDf9f&goto_uri= HTTP/1.1" 200 0 "http://domain.com/cpanel" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" "-" "-" 2082
105.158.175.133 - - [04/22/2017:20:13:33 -0000] "GET /unprotected/redirect.html?goto_uri= HTTP/1.1" 200 0 "http://domain.com:2082/unprotected/loader.html?random=Ew1riJmbh_utDf9f&goto_uri=" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" "-" "-" 2082
105.158.175.133 - - [04/22/2017:20:13:36 -0000] "GET /unprotected/redirect.html?goto_uri= HTTP/1.1" 200 0 "http://domain.com:2082/unprotected/loader.html?random=Ew1riJmbh_utDf9f&goto_uri=" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" "-" "-" 2082
105.158.175.133 - - [04/22/2017:20:13:36 -0000] "GET /unprotected/redirect.html?goto_uri= HTTP/1.1" 200 0 "http://domain.com:2082/unprotected/loader.html?random=Ew1riJmbh_utDf9f&goto_uri=" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" "-" "-" 2082
Could this be a vulnerability in cPanel? This is also related to: Block 'unprotected' password change
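As an added example (not code from this thread or from cPanel), here is a parser for the cpsrvd access-log layout shown in both posts above, together with a sliding-window check that flags any client IP hitting `/unprotected/` endpoints repeatedly within a few seconds. It serves both the burst of `passwordstrength.cgi` POSTs in the first post and the `loader.html`/`redirect.html` sequence in the second. The sample lines are constructed copies of the ones posted plus one benign `/resetpass` request from a documentation address; the 5-second window and threshold of 3 are assumptions to tune against your own traffic.

```python
"""Flag bursts of requests to cPanel's /unprotected/ endpoints per client IP.

Parses cpsrvd access-log lines in the layout shown in the thread and reports
any source IP that hits /unprotected/ paths THRESHOLD or more times inside a
WINDOW-second sliding window. The sample lines below are constructed for this
example, modelled on the ones posted in the thread.
"""
import re
from collections import defaultdict
from datetime import datetime

# cpsrvd writes the timestamp as MM/DD/YYYY:HH:MM:SS -0000, not Apache's
# DD/Mon/YYYY, so a stock Apache combined-log parser will reject these lines.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "[^"]*" "[^"]*" (?P<port>\d+))?\s*$'
)
TS_FMT = "%m/%d/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    # drop the query string so loader.html?random=... groups as one endpoint
    rec["endpoint"] = rec["path"].split("?", 1)[0]
    return rec


def find_bursts(lines, window_s=5, threshold=3, prefix="/unprotected/"):
    """One finding per IP whose requests under `prefix` reach `threshold`
    inside any `window_s`-second window; the densest window is reported."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["endpoint"].startswith(prefix):
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start, best = 0, None
        for end, rec in enumerate(recs):
            # advance the window start until the span fits within window_s
            while (rec["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "ip": ip,
                    "count": count,
                    "first": recs[start]["ts"].isoformat(),
                    "endpoints": sorted({r["endpoint"] for r in recs[start:end + 1]}),
                }
        if best:
            findings.append(best)
    return sorted(findings, key=lambda f: f["count"], reverse=True)


def _line(ip, ts, req, referer, ua):
    """Build one constructed log line in the cpsrvd layout seen in the thread."""
    return f'{ip} - - [{ts}] "{req}" 200 0 "{referer}" "{ua}" "-" "-" 2082'


FF = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
CHROME = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
          "Chrome/57.0.2987.133 Safari/537.36")
LOADER = "/unprotected/loader.html?random=Ew1riJmbh_utDf9f&goto_uri="

# Constructed sample: the two bursts from the thread plus one benign request.
SAMPLE_LINES = (
    [_line("41.251.163.205", "04/21/2017:15:19:29 -0000",
           "POST /unprotected/passwordstrength.cgi HTTP/1.1",
           "http://www.domain.com:2082/resetpass", FF)]
    + [_line("41.251.163.205", "04/21/2017:15:19:30 -0000",
             "POST /unprotected/passwordstrength.cgi HTTP/1.1",
             "http://www.domain.com:2082/resetpass", FF) for _ in range(5)]
    + [_line("105.158.175.133", "04/22/2017:20:13:33 -0000",
             f"GET {LOADER} HTTP/1.1", "http://domain.com/cpanel", CHROME)]
    + [_line("105.158.175.133", f"04/22/2017:20:13:{s} -0000",
             "GET /unprotected/redirect.html?goto_uri= HTTP/1.1",
             f"http://domain.com:2082{LOADER}", CHROME) for s in ("33", "36", "36")]
    # 203.0.113.7 is an RFC 5737 documentation address: a single, normal visit
    + [_line("203.0.113.7", "04/22/2017:21:00:00 -0000",
             "GET /resetpass HTTP/1.1", "-", FF)]
)

if __name__ == "__main__":
    for f in find_bursts(SAMPLE_LINES):
        print(f"{f['ip']}: {f['count']} hits from {f['first']} -> {f['endpoints']}")
```

Run it against a real `/usr/local/cpanel/logs/access_log` by replacing `SAMPLE_LINES` with the file's lines. The script only surfaces request bursts; what those endpoints do when called this way is not established anywhere in the thread, so a flagged IP is something to hand to support with the log excerpt, as the staff reply below asks, rather than proof of an exploit.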
Threads merged here.
Hello @Mugoma, could you open a support ticket using the link in my signature so we can take a closer look at the logs on the affected system? Thank you.
> Could you open a support ticket

Support ticket: 84166470