
Can a hacker have access to all the websites in public_html ?

Comments

7 comments

  • ffeingol

    Based on what you posted, it sounds like you are hosting multiple sites via add-on domains.  If that's the case, then they are all owned by the same cPanel user-id and if someone gets access to the account they have access to all the domains in that account.

    If you truly want to isolate them, then they need to be separate accounts.  Even at that level, it depends on how you configure PHP handlers (for example).

    0
  • eventtex

    We agree that to do this he did not need the usernames and password of the Cpanel account but that he went directly through a vulnerability in a plugin which gave him access to the public_html directory?

    0
  • ffeingol

    If you have a vulnerability where they can upload files, then yes, they have full access to basically every file under that users home folder.  They can upload a PHP script that can write/modify any file owned but that user.  They can upload scripts that install their own file manager and then have GUI access to every file in that users account etc. etc.

    0
  • eventtex

    Thank you for your answer. Ok so we have cleaned all the sites and passed the update package.

    On the other hand, I was unable to find out what the purpose of the malicious code that I shared with you was. Do you have an idea ?

    0
  • rbairwell

    I've just decoded it and put simply, the code waits for a GET request to come in looking like: example.com/page.php?u=XXXXX&p=PASSWORD (where password is the reverse of the md5 hash 48FF3BDBAB87B3EE4D19F29C837D0AAC : I haven't been able to reverse that yet) and XXXXX is a base64 encoded URL which is then passed to curl to fetch. Once that page has been fetched, it is then executed/run.

    I would search your Apache access logs for the strings "u=" and "p=" (each prefixed with a question mark, & symbol or ; as a separator) to see if you can find any references.

    If you have SSH access to your account, you can do this via:

    grep "[?&;]u=" ~/access-logs/ -r | grep "[?&;]p="

    which will search the access logs for lines containing those parameters to see if the code has actually been used.

    0
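The grep above answers "were both parameters ever sent?"; the script below goes one step further by decoding the base64 `u` value so you can see which URL the backdoor was told to fetch. It is an added example, not code from the thread or from the malicious file. It assumes Apache combined log format, models the password gate exactly as described above (the reversed MD5 hex of the supplied `p` value compared to 48FF3BDBAB87B3EE4D19F29C837D0AAC, case-insensitively), and runs over constructed sample log lines; the script path `/page.php`, the IPs and the password `letmein` are made up for the demonstration.

```python
"""Scan Apache access-log lines for hits on the u=/p= backdoor described in the thread.

Added example, not the thread's or the backdoor's own code. Assumes Apache combined log
format; the log lines below are constructed for demonstration.
"""
import base64
import binascii
import hashlib
import re
from typing import Optional
from urllib.parse import unquote

# Hash quoted in the thread; the matching password is unknown.
# Assumption: the comparison is case-insensitive.
BACKDOOR_HASH = "48FF3BDBAB87B3EE4D19F29C837D0AAC"

# Pull client IP, timestamp, method and request target out of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Same separators the grep in the thread uses: ?, & or ; before the parameter name.
PARAM_RE = {name: re.compile(r"[?&;]" + name + r"=([^&;\s]*)") for name in ("u", "p")}


def reversed_md5_hex(value: str) -> str:
    """MD5 hex digest of value, reversed and upper-cased (the form the gate compares)."""
    return hashlib.md5(value.encode()).hexdigest()[::-1].upper()


def gate_matches(candidate: str, expected_hash: str = BACKDOOR_HASH) -> bool:
    """True if candidate would pass the backdoor's password check."""
    return reversed_md5_hex(candidate) == expected_hash.upper()


def decode_target_url(u_value: str) -> Optional[str]:
    """Decode the base64 'u' parameter; None if it is not valid base64."""
    padded = u_value + "=" * (-len(u_value) % 4)  # callers often drop the '=' padding
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def scan_log(lines):
    """Return one record per GET carrying both u= and p=, with the decoded fetch URL."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        target = m.group("target")
        u = PARAM_RE["u"].search(target)
        p = PARAM_RE["p"].search(target)
        if not (u and p):
            continue  # the gate needs both parameters; one alone is ordinary traffic
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "path": target.split("?", 1)[0].split(";", 1)[0],
            "fetch_url": decode_target_url(unquote(u.group(1))),
            "password_passes_gate": gate_matches(unquote(p.group(1))),
        })
    return hits


# Constructed sample: two benign requests, then two hits (one with & and one with ; separators).
_B64 = base64.b64encode(b"http://example.com/payload.txt").decode()
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2024:09:14:02 +0000] "GET /index.php?id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2024:09:14:05 +0000] "GET /page.php?u=only HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
    f'203.0.113.42 - - [12/Mar/2024:09:15:11 +0000] "GET /page.php?u={_B64}&p=letmein HTTP/1.1" 200 10 "-" "curl/7.68.0"',
    f'203.0.113.42 - - [12/Mar/2024:09:15:40 +0000] "GET /wp-content/uploads/x.php;u={_B64};p=letmein HTTP/1.1" 200 10 "-" "curl/7.68.0"',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Against a real account, feed it the files under `~/access-logs/` instead of `SAMPLE_LOG`. A decoded `fetch_url` tells you what the attacker tried to pull in; `password_passes_gate` will stay False unless a request carried the real password, since the plaintext behind the hash is unknown.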
  • eventtex

    Thank you for your answer.

    I executed the command you gave me for my Cpanel user but I don't have any results that resemble the example URL you gave me.

    Are there any other checks I can do?

    0
  • ffeingol

    It would not be unusual for the malicious code to be uploaded and then not used/accessed for days or weeks.  The attacker is doing their best to stay under the radar.

    0
