Block 'unprotected' password change

Comments

6 comments

  • Infopro
    Those are all very old posts. You can disable "Reset Password for cPanel accounts" here: WebHost Manager » Server Configuration » Tweak Settings, System tab.

    When someone wants to reset password they'll see this:
    How to Reset a cPanel Account Password - cPanel Knowledge Base - cPanel Documentation

    You might also want to visit the Redirection tab and be sure that this option is on:
    Choose the closest matched domain for which that the system has a valid certificate when redirecting from non-SSL to SSL URLs. Formerly known as "Always redirect to SSL/TLS"

    If you actually visit domain.com:2082/resetpass you'll note that you need to know the user's username first, and then the email address, so you can receive a security code via email, to actually change a password.

    Personally, I've never enabled the option for a user to reset a password on any server I've ever managed. Probably since/due to those old posts from 2004. The password reset option should be quite secure now though. Making sure cPHulk is enabled would surely block failed logins to the system.
    0
  • Mugoma
    Hello, We have noticed several attacks on cPanel that look like exploits. The attacker first makes a call to change email, then after that makes a call to change password:

    105.158.175.133 - - [04/22/2017:20:13:33 -0000] "GET /unprotected/loader.html?random=Ew1riJmbh_utDf9f&goto_uri= HTTP/1.1" 200 0 "http://domain.com/cpanel" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" "-" "-" 2082
    105.158.175.133 - - [04/22/2017:20:13:33 -0000] "GET /unprotected/redirect.html?goto_uri= HTTP/1.1" 200 0 "http://domain.com:2082/unprotected/loader.html?random=Ew1riJmbh_utDf9f&goto_uri=" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" "-" "-" 2082
    105.158.175.133 - - [04/22/2017:20:13:36 -0000] "GET /unprotected/redirect.html?goto_uri= HTTP/1.1" 200 0 "http://domain.com:2082/unprotected/loader.html?random=Ew1riJmbh_utDf9f&goto_uri=" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" "-" "-" 2082
    105.158.175.133 - - [04/22/2017:20:13:36 -0000] "GET /unprotected/redirect.html?goto_uri= HTTP/1.1" 200 0 "http://domain.com:2082/unprotected/loader.html?random=Ew1riJmbh_utDf9f&goto_uri=" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36" "-" "-" 2082

    Could this be a vulnerability in cPanel? This is also related to Block 'unprotected' password change
    0
  • Infopro
    Threads merged here.
    0
  • cPanelMichael
    Hello @Mugoma, Could you open a support ticket using the link in my signature so we can take a closer look at the logs on the affected system? Thank you.
    0
  • Mugoma
    Could you open a support ticket

    Support ticket: 8416647
    0
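
A triage pass over access-log lines in the layout quoted in this thread, as an added example that is not part of any poster's message and not cPanel's own tooling: per client IP, it counts requests to the /unprotected/ and /resetpass paths mentioned above and how many of them arrived on the non-SSL port. The sample lines, the function name triage and the treatment of 2082 as the plaintext port are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout quoted in the thread
# (documentation IP ranges, shortened user agent); not real traffic.
SAMPLE_LOG = '''\
203.0.113.7 - - [04/22/2017:20:13:33 -0000] "GET /unprotected/loader.html?random=abc&goto_uri= HTTP/1.1" 200 0 "http://domain.com/cpanel" "Mozilla/5.0" "-" "-" 2082
203.0.113.7 - - [04/22/2017:20:13:36 -0000] "GET /unprotected/redirect.html?goto_uri= HTTP/1.1" 200 0 "http://domain.com:2082/unprotected/loader.html" "Mozilla/5.0" "-" "-" 2082
203.0.113.7 - - [04/22/2017:20:14:02 -0000] "GET /resetpass HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-" 2082
198.51.100.9 - - [04/22/2017:20:15:10 -0000] "GET /resetpass HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-" 2083
198.51.100.9 - - [04/22/2017:20:16:00 -0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-" "-" 2083
not a log line
'''

# ip, ident, user, [timestamp], "METHOD uri proto", status, size, ..., port
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'.* (?P<port>\d+)$'
)

WATCHED = ("/unprotected/", "/resetpass")  # paths discussed in the thread
PLAINTEXT_PORTS = {"2082"}  # assumption: non-SSL cPanel port, as in the logs

def triage(log_text):
    """Return {ip: {"hits", "plaintext", "paths"}} for watched paths only."""
    report = defaultdict(lambda: {"hits": 0, "plaintext": 0, "paths": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the layout
        path = m["uri"].split("?", 1)[0]  # ignore the query string
        if not path.startswith(WATCHED):
            continue
        entry = report[m["ip"]]
        entry["hits"] += 1
        entry["paths"].add(path)
        if m["port"] in PLAINTEXT_PORTS:
            entry["plaintext"] += 1  # request was not sent over SSL/TLS
    return dict(report)

if __name__ == "__main__":
    for ip, e in sorted(triage(SAMPLE_LOG).items()):
        print(ip, e["hits"], "hits,", e["plaintext"], "plaintext,", sorted(e["paths"]))
```

A high plaintext count for a client is a prompt to check the Redirection setting mentioned earlier in the thread; it does not by itself show that a password was changed.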
