
A single user can view other users' cPanels when logged in via the server's URL

Comments

20 comments

  • cPRex Jurassic Moderator

    Hey there!  Does that user possibly have the same password as root?

    0
  • HeyHost

    Huh, it does. Somehow, it does. 
    So that might be the reason.
    How come, when I change the root password, it changes the password of many users to that new password?

    0
  • cPRex Jurassic Moderator

    It doesn't - changing the root password is not in any way related to the cPanel users.  However, you can likely still log in with the root password for other users.

    0
  • HeyHost

    For some reason, with my WHM that is the case. I have changed the root password in WHM and that changed the passwords for all the other users.

    0
  • cPRex Jurassic Moderator

    There is no mechanism in cPanel that would do that.  It would be worth reviewing the security of your system to ensure it has not been compromised.

    0
  • HeyHost

    Ok, how can I do that? 

    0
  • cPRex Jurassic Moderator

    I'm not sure, as cPanel doesn't provide those types of services.

    You could first confirm this is happening by changing the root password and then seeing if data in /etc/shadow or /etc/passwd changes for all users at the same time, as that seems very unlikely.

    0
  • HeyHost

    I have changed the password again and checked /etc/shadow and it changed all the passwords for all users. I can log in with any user with that new password. Does it look like a WHM bug?

    0
  • cPRex Jurassic Moderator

    Definitely not a WHM bug.  It sounds like the server has been compromised.

    0
  • HeyHost

    Well, any clue what can be wrong as I noticed this from the day I got the server? 
    I run the security software on the server and all accounts come up clean. 
    Could it be that the server was not set up properly? What could cause the WHM to change the passwords for all users by changing the root password?

    0
  • cPRex Jurassic Moderator

    No, there really isn't a good explanation for this behavior.

    How are you confirming the change to /etc/shadow?  Does the password hash change for all users at the same time?

    0
  • HeyHost

    Well, I do not see the time in /etc/shadow but all the accounts are there and they finish with
    ::99999:7:::
    And then when I try to log in I can log into any account with the newly set up root password.
    I tested 10 random accounts and they all have that new password. And I test another 10 accounts every time I change the root password.
    Is it safe for me to post a sample of the /etc/shadow file here?

    0
  • cPRex Jurassic Moderator

    That all sounds like normal behavior to me - all the passwords always end with that string as that isn't actually the password, and you will always be able to access accounts with the root password.

    Everything you've described so far indicates a normally-functioning system since that is the case.

    0
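Added example, not part of the thread and not cPanel tooling: one way to run the /etc/shadow comparison suggested above, listing only the accounts whose hash field actually changed between two snapshots. The function name `shadow_changed`, the snapshot files and the sample hashes are constructed for illustration.

```shell
#!/bin/sh
# List accounts whose password hash (field 2 of /etc/shadow) differs between
# two snapshots, with the last-change date decoded from field 3 (days since
# 1970-01-01). The trailing fields such as ":0:99999:7:::" are password-aging
# settings and are identical for most accounts; they are not the password.

shadow_changed() {   # usage: shadow_changed BEFORE AFTER
    awk -F: '
        function ymd(days,   z, era, doe, yoe, y, doy, mp, d, m) {
            z = days + 719468; era = int(z / 146097); doe = z - era * 146097
            yoe = int((doe - int(doe/1460) + int(doe/36524) - int(doe/146096)) / 365)
            y = yoe + era * 400
            doy = doe - (365 * yoe + int(yoe/4) - int(yoe/100))
            mp = int((5 * doy + 2) / 153); d = doy - int((153 * mp + 2) / 5) + 1
            m = (mp < 10) ? mp + 3 : mp - 9
            if (m <= 2) y++
            return sprintf("%04d-%02d-%02d", y, m, d)
        }
        NR == FNR    { old[$1] = $2; next }          # BEFORE: remember each hash
        !($1 in old) { print $1, "new-account"; next }
        old[$1] != $2 { print $1, "hash-changed", ymd($3) }
    ' "$1" "$2"
}

demo() {   # constructed sample data: only root's password was changed
    dir=$(mktemp -d)
    cat > "$dir/before" <<'EOF'
root:$6$constructed$OLDROOTHASH:19790:0:99999:7:::
alice:$6$constructed$ALICEHASH:19650:0:99999:7:::
bob:$6$constructed$BOBHASH:19700:0:99999:7:::
EOF
    cat > "$dir/after" <<'EOF'
root:$6$constructed$NEWROOTHASH:19800:0:99999:7:::
alice:$6$constructed$ALICEHASH:19650:0:99999:7:::
bob:$6$constructed$BOBHASH:19700:0:99999:7:::
EOF
    shadow_changed "$dir/before" "$dir/after"   # -> root hash-changed 2024-03-18
    rm -rf "$dir"
}

demo
```

On a real server the BEFORE file would be a root-only copy of /etc/shadow taken before the password change and AFTER would be /etc/shadow itself; the copy contains password hashes, so keep it mode 0600 and delete it afterwards.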
  • HeyHost

    But this means that all the users now have new passwords? They have the passwords that I have set up for the root user.

    Does that sound right? 

    0
  • cPRex Jurassic Moderator

    No - it just means that the system is set up to allow you to log in with any user with the root password.

    0
  • HeyHost

    I have just tested one account and I can log in with both their old password and the new one I have set up for the root user.
    So that is normal?

    0
  • cPRex Jurassic Moderator

    Yes, that is normal behavior.

    1
  • HeyHost

    Ok, I see. 

    0
  • HeyHost

    Hi cPRex,
    I am trying to troubleshoot who made some password changes on some accounts and am following this info, but I can't get the Terminal to read anything.

    https://support.cpanel.net/hc/en-us/articles/1500000687862-How-to-determine-if-a-cPanel-user-changed-their-password-using-the-cPanel-interface
    What would be the working command to see when the password has been changed in cPanel?

    OS
    AlmaLinux v8.9.0 STANDARD hyper-v
    cPanel Version
    118.0.6
     
    0
  • cPRex Jurassic Moderator

    When you say you can't get the Terminal to read anything, can you get me more details?  Running this command:

    grep changepass /usr/local/cpanel/logs/access_log|grep cpusername|grep POST

    and adjusting the "cpusername" variable should give you results.

    0
