cPanel Account compromised through cPanelID?
Hi,
I recently had unauthorised content added to a site. The compromise was tracked down to an unauthorised user gaining access to upload files via the cpanel API. the login used apears to be via CpanelID.
However:
[LIST]
Although CPanel ID was enabled, no Ids were set up/Authorised to access the site
Only 1 user was set up on the account using a strong password, which I am confident was not compromised
2 Questions:
[LIST]
Has anyone seen anything like this before?
Has anyone any idea how this person may have gained access
Thanks in advance for any input
-
The compromise was tracked down to an unauthorised user gaining access to upload files via the cpanel API. the login used apears to be via CpanelID.
Hello, Could you provide the specific log entry that you are referring to (ensure to replace identifying information with examples)? Thank you.0 -
I am no expert on these but as far as I can see the following lines from the sessions log suggests a successful login (Note I have taken out all IPs and identifying info) [2017-06-11 19:58:55 +0100] info [cpaneld] 0.0.0.0 NEW username:chr_string1 "address=0.0.0.0,app=cpaneld,creator=domain,method=handle_form_login,path=form,possessed=0" [2017-06-11 19:58:56 +0100] info [cpaneld] 1.1.1.1 PURGE username:chr_string1 badpass [cookie ip check: IP address has changed] [2017-06-11 19:59:02 +0100] info [cpaneld] 1.1.1.1 NEW username:chr_string2 "address=1.1.1.1,app=cpaneld,creator=domain,method=handle_form_login,path=form,possessed=0" [2017-06-11 19:59:03 +0100] info [cpaneld] 0.0.0.0 PURGE username:chr_string2 badpass [cookie ip check: IP address has changed] [2017-06-11 19:59:15 +0100] info [cpaneld] 0.0.0.0 NEW username:chr_string3 "address=0.0.0.0,app=cpaneld,creator=domain,method=handle_form_login,path=form,possessed=0" [2017-06-11 20:04:03 +0100] info [cpaneld] 1.1.1.1 PURGE username:chr_string3 badpass [cookie ip check: IP address has changed]
The attached file contains entries from the access log for the same period which seems to show files being uploaded via the json-api. (It would not let me save the message with these entries pasted into it.0 -
Hello, Could you open a support ticket using the link in my signature so we can take a closer look at the affected system? Thank you. 0 -
I have raised a ticket 0 -
First thing to say, it turns out it was not CpanelID that was to blame. It was a compromised password obtained as a result of insecure FTP transactions. 2 takeaways from this: - ]
- Cpanel support is first rate, and the focus they put on getting to the bottom of this gives me confidence in the security of cpanel as a system
- Using FTP is dangerous as it is insecure! Use SFTP instead
0
Please sign in to leave a comment.
Comments
5 comments