cPanel jailshell being abused and causing downtime
Hello,
This issue was first reported in the thread "cpanel uses jailshell for cron (problem)" but no solution was provided.
We are running cPanel on CentOS 7.2 and since last week we see /usr/local/cpanel/bin/jailshell being abused by spammers.
We see jailshell called many times, pushing CPU and RAM to 100% and making the server unusable.
Example email:
# exim -Mvh 1d2bSf-0008UU-Uy
1d2bSf-0008UU-Uy-H
user 2341 993
1493030597 0
-ident user
-received_protocol local
-aclc _outgoing_spam_scan 1
1
-body_linecount 5
-max_received_linelength 51
-auth_id user
-auth_sender user@server.com
-allow_unqualified_recipient
-allow_unqualified_sender
-deliver_firsttime
-local
-spam_bar /
-spam_score -0.0
-spam_score_int 0
-sender_set_untrusted
XX
1
someusr@gmail.com
202P Received: from user by server.com with local (Exim 4.89)
(envelope-from )
id 1d2bSf-0008UU-Uy
for someusr@gmail.com; Mon, 24 Apr 2017 12:43:20 +0200
033* From: "(Cron Daemon)"
053F From: "(Cron Daemon)"
029T To: someusr@gmail.com
045 Subject: Cron php .php.php
040 Content-Type: text/plain; charset=UTF-8
031 Auto-Submitted: auto-generated
017 Precedence: bulk
036 X-Cron-Env:
045 X-Cron-Env:
031 X-Cron-Env:
046 X-Cron-Env:
052 X-Cron-Env:
034 X-Cron-Env:
033 X-Cron-Env:
031 X-Cron-Env:
028 X-Cron-Env:
052I Message-Id:
038 Date: Mon, 24 Apr 2017 12:43:17 +0200
039 X-OutGoing-Spam-Status: No, score=-0.0
Hello, The output you provided suggests the account set up cron jobs to send out SPAM email. This is similar to what can happen if an account uploads a PHP file and uses it to send out SPAM via the web server. You'd generally need to suspend the account, or remove the cron jobs and change the account password if the account's login credentials were compromised. You could also set up a /etc/cron.deny file and add the account username to the file if you want to block cron jobs for a specific account. Thank you.
account setup cron jobs to send out SPAM email
There are no cron jobs for the user:
# crontab -l -u user
no crontab for user
# cat /var/spool/cron/crontabs/user
cat: /var/spool/cron/crontabs/user: No such file or directory
So, what's happening is something other than cron jobs.
Hello, Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome. Thank you.
open a support ticket
We have since terminated the affected accounts. So, it would be difficult to replicate the issue. But we'll still raise a ticket and see if we can restore scripts that were injected to send spam.
You can post the ticket number here so we can update this thread with the outcome
Support Request ID: 8409211
Hi, On April 25th, 2017, Mugoma opened a support ticket (ID '8409211') concerning a problem with a cron job.
Support Request ID: 8409211
I have the same problem and I would like to know the result of that ticket, i.e. what the final outcome was that resolved the situation. Thank you.
Hello, Here's the response that solved the issue for that user: There isn't an option to disable the SHELL variable cPanel adds when creating a crontab through cPanel but you can add any users who you don't want to allow crons for to "/etc/cron.deny" then create a new feature list for those users and remove the "Cron Jobs" feature through 'WHM -> Packages -> Feature Manager' which would remove the "Cron Jobs" interface from cPanel.
Thank you.
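The exim spool headers posted above already carry what an admin needs to tell cron-generated mail apart from the rest of the queue and to build the /etc/cron.deny list Michael describes. Added example, not code from the thread or from cPanel: a Python triage script that parses constructed `exim -Mvh` dumps, counts "(Cron Daemon)" messages per `-auth_id` account, and lists the accounts still missing from /etc/cron.deny; `SAMPLE_DUMPS`, `cron_senders` and `cron_deny_additions` are names of my own.

```python
import re
from collections import Counter

# Constructed sample: three abridged `exim -Mvh <id>` dumps, blank-line separated.
SAMPLE_DUMPS = """\
1d2bSf-0008UU-Uy-H
-auth_id user
033* From: "(Cron Daemon)" <user@server.com>
045  Subject: Cron <user@server> php .php.php

1d2bSh-0008UW-Aa-H
-auth_id user
033* From: "(Cron Daemon)" <user@server.com>
045  Subject: Cron <user@server> php .php.php

1d2bSg-0008UV-Zz-H
-auth_id bob
042  From: "Bob" <bob@server.com>
"""

OPTION_RE = re.compile(r"^-(\w+)\s*(.*)$")                    # spool option: "-auth_id user"
HEADER_RE = re.compile(r"^\d{3}[A-Z*]?\s+([\w-]+):\s*(.*)$")  # header: '033* From: ...'

def parse_dump(text):
    """Split one spool-header dump into its option lines and its mail headers."""
    options, headers = {}, {}
    for line in text.splitlines():
        if m := OPTION_RE.match(line):
            options[m.group(1)] = m.group(2)
        elif m := HEADER_RE.match(line):
            headers[m.group(1).lower()] = m.group(2)
    return options, headers

def is_cron_mail(headers):
    """Cron output mail carries the '(Cron Daemon)' From: and a 'Cron ' subject."""
    return "(cron daemon)" in headers.get("from", "").lower() and headers.get("subject", "").startswith("Cron ")

def cron_senders(dumps):
    """Count cron-generated queue entries per authenticated cPanel account."""
    counts = Counter()
    for dump in dumps.strip().split("\n\n"):
        options, headers = parse_dump(dump)
        if is_cron_mail(headers):
            counts[options.get("auth_id", "?")] += 1
    return dict(counts)

def cron_deny_additions(existing_deny, counts, threshold=2):
    """Accounts at or above threshold that are not yet listed in /etc/cron.deny."""
    present = {l.strip() for l in existing_deny.splitlines() if l.strip()}
    return sorted(u for u, n in counts.items() if n >= threshold and u not in present)
```

On a live server, feed it the output of `exim -Mvh` for each queue id from `exim -bp` and the current contents of /etc/cron.deny; it only reports, so appending the returned names to the file stays a deliberate step.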