Thought I would make a post here regarding this.
Put short, I've inherited a customer environment that, despite using a stock cPanel setup with ALL features not pertaining to email and email management via the web UI disabled, they advise seems to experience compromise-looking behaviour often. I have just recently seen my first evidence of this: new 'customer' accounts popping up under WHM's Users section with the accounts themselves as their own account manager.
Deleting/Disabling/Suspending this is one click, but without any hesitation I've scheduled a full rebuild of their WHM cPanel server and will migrate their single user account, which handles their email, to a fresh WHM cPanel box without troublesome history this week.
The problem for my brain is that I can't seem to figure out how the likely automated remote attacker was able to compromise the system and even create their own customer account with the below known facts:
* The passwords for WHM and the single customer user account are random and long. Uncrackable by today's standards.
* The logs show no recent logins that could have achieved this (leading me to believe the remote attacking host is leveraging some bug/exploit of cPanel to achieve their goals).
* The customer's single user account is not a reseller and thus cannot create new customers.
* Most features of the default customer profile have been disabled as this customer only uses it for Mail and the cPanel UI for managing mail-related tools.
* The cPanel box checks for and applies updates weekly and was upgraded from CentOS 7 to AlmaLinux-8 mid 2023.
* I've combed all files on the customer's single user account (Many email files) and have found nothing that could contribute to the compromise. The root filesystem also shows no obvious entry point.
It's in enumerating all these possibilities that I noticed it isn't running anything like auditd for audit logs, implying evidence could have been wiped. I'm not sure why the cPanel experience wouldn't include that for security's sake, so I installed and enabled it in case we see this again before migration day.
These accounts seem to pop up and create a DNS zone plus an AutoSSL-protected vhost for hosting their spam garbage, effectively hijacking the platform for free hosting. The account doesn't seem to do anything else, going through the system logs and cPanel's own. But the unanswered question is how they are doing that. There aren't enough logs anywhere at the time of the attack to help figure out what they leveraged for access to this machine, and I would like to find the answer to that puzzle.
Really only here asking if anyone else has experienced this on black-box cPanel instances and may have any pointers to look? Everything regarding the single user account is Jailed, even PHP is disabled for the customer avoiding the most obvious php-shell-upload attacks.
As I said, the moment I saw this for myself the other day I scheduled the host for a rebuild and will get to that ASAP. But I'm not going to be happy if this is some undiscovered CVE and a new cPanel instance on a new machine will meet the same fate again despite the highly restricted cPanel user account.
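One way to turn the "accounts appear with no login in the logs" observation into something checkable, as an added example that is not part of the original post and not cPanel's own tooling: correlate each account-creation event with the WHM HTTP requests that preceded it, and flag creations with no matching authenticated request to a creation endpoint. The log formats below are assumptions: cPanel's `/var/cpanel/accounting.log` is colon-separated with the timestamp first and records `CREATE` events, and `/usr/local/cpanel/logs/access_log` is a combined-style line ending in the service port (2086/2087 for WHM). The sample lines are constructed, the field order is approximated, both logs are assumed to share one timezone, and the endpoint names (`wwwacct`, `createacct`) are the ones assumed to perform account creation.

```python
"""Correlate cPanel account creations against WHM access-log requests.

Added example; assumes approximate log formats (see comments), not cPanel's
documented formats. Sample data below is constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the assumed shape of /var/cpanel/accounting.log:
# "<ctime timestamp>:<ACTION>:<caller>:<contact email>:<domain>:<user>"
ACCOUNTING_LOG = """\
Mon Feb 12 10:32:41 2024:CREATE:root:root@localhost:legit-customer.example:legitcus
Wed Feb 14 03:17:09 2024:CREATE:root:root@localhost:cheap-pills.example:pillsacct
"""

# Constructed sample in the assumed shape of /usr/local/cpanel/logs/access_log:
# combined log format with the listening port appended as the final field.
ACCESS_LOG = """\
203.0.113.7 - root [12/Feb/2024:10:32:40 +0000] "POST /scripts5/wwwacct HTTP/1.1" 200 412 "-" "Mozilla/5.0" 2087
203.0.113.7 - root [12/Feb/2024:10:32:55 +0000] "GET /scripts/listaccts HTTP/1.1" 200 9812 "-" "Mozilla/5.0" 2087
198.51.100.20 - legitcus [14/Feb/2024:03:10:01 +0000] "GET /execute/Email/list_pops HTTP/1.1" 200 300 "-" "curl/8.0" 2083
"""

ACCOUNTING_RE = re.compile(r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}):(?P<rest>.*)$")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<port>\d+)\s*$'
)
# Assumed: requests hitting these paths create accounts (WHM UI and API names).
CREATE_ENDPOINTS = re.compile(r"(wwwacct|createacct)", re.I)
WHM_PORTS = {"2086", "2087"}


def parse_accounting(text):
    """Return only CREATE events as dicts with a naive datetime."""
    events = []
    for line in text.splitlines():
        m = ACCOUNTING_RE.match(line)
        if not m:
            continue
        fields = m.group("rest").split(":")
        if fields[0] != "CREATE" or len(fields) < 5:
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "caller": fields[1],
            "domain": fields[3],
            "user": fields[4],
        })
    return events


def parse_access(text):
    """Parse combined-style access_log lines; timezone offset is dropped (assumed shared)."""
    requests = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = m.group("ts").split(" ")[0]
        requests.append({
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"),
            "ip": m.group("ip"),
            "user": m.group("user"),
            "method": m.group("method"),
            "path": m.group("path"),
            "port": m.group("port"),
        })
    return requests


def correlate(creations, requests, window=timedelta(minutes=5)):
    """For each creation, collect WHM requests to a creation endpoint within `window` before it."""
    findings = []
    for c in creations:
        lo = c["time"] - window
        explained_by = [
            r for r in requests
            if lo <= r["time"] <= c["time"]
            and r["port"] in WHM_PORTS
            and CREATE_ENDPOINTS.search(r["path"])
        ]
        findings.append({**c, "explained_by": explained_by})
    return findings


def unexplained(findings):
    """Creations with no recorded WHM request behind them: the case worth investigating."""
    return [f for f in findings if not f["explained_by"]]


if __name__ == "__main__":
    report = correlate(parse_accounting(ACCOUNTING_LOG), parse_access(ACCESS_LOG))
    for f in report:
        if f["explained_by"]:
            r = f["explained_by"][0]
            print(f"{f['time']} CREATE {f['user']}: via {r['user']}@{r['ip']} {r['method']} {r['path']}")
        else:
            print(f"{f['time']} CREATE {f['user']} ({f['domain']}): NO matching WHM request")
```

On real hosts, widen the window if the clocks or log rotation are unreliable, and treat an unexplained creation as a prompt to pull the same minute from `/var/log/secure`, the cPanel `error_log` and, once auditd is in place, the audit trail for whatever wrote to `/var/cpanel/users/`.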