Hack attempt

wav3front

Hi there,

I had just had a what I believe was targeted hack attempt.
Initially, I received an email from cPfence (what would we do without it?):

`Dear Admin,

An infected cron entry was detected and removed on node1. This is a one-time alert for this user.

Details:

Username: *********
Site UUID: ***************
Infected Cron Command: 0 * * * * { echo L3Vzci9iaW4vcGtpbGwgLTAg.................. Daily system backup

Recommendation:
We strongly recommend that you manually inspect the site's files, plugins, and themes for any hidden or malicious content. Pay close attention to recently modified files and look for any unfamiliar additions.

Inspect the site directory: /var/www/***********
Review recent changes:
find /var/www/************** -type f -mtime -2 -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort
If WordPress, check wp-content/plugins and wp-content/themes for unknown or recently changed items
Update core, plugins, and themes, and rotate passwords for wp-admin, database, and SFTP
Review remaining cron jobs for ********:
su - ********** -c 'crontab -l'

Best regards,
The cPFence Team`

The encoded cron entry did this:

/usr/bin/bash -c "exec -a '[raid5wq]' '/var/www/*************/.ssh/putty/id_rsa'" \

I also noticed extra files on /.ssh directory

This is website running a very old PHP app called OxyClassifieds. It seems that there are numerous vulnerabilities in there.

gmakhs

wav3front would be great if enhance blocked ssh properly instead of just hiding the password , from the user .

Not related to the issue but security issues nevertheless

cPFence

wav3front

Glad to hear cPFence got your back. The next version will include additional security checks to cover the attack pattern you shared with us in tickets. Thanks for the details.

xyzulu

wav3front a very old PHP app called OxyClassifieds. It seems that there are numerous vulnerabilities in there

No offence intended, but it's obvious where the issue came from.. yet you open tickets with Enhance support about finding ways to continue to host insecure scripts. I get it.. customers are dumb sometimes.. but if you care about security.. just don't host things like this.

You should never allow password authentication via SSH these days, disable it serverwide. Most VPS providers have this as default now. If you care about security, manage your firewall in such a way that no ports apart from 443 (and perhaps 80, but we don't even allow that) are open to the wide internet. @Adam suggestion above about using AllowUsers is a little tedious, but also an option.

It's a "feel good" post from you I guess.. about how cPFence helped you locate this vulnerability, but you end up complaining about Enhance instead of focusing on the actual issue. I'd love to continue having constructive conversations about proper server admin instead of watching inexperienced and opinionated users end up making the tool (Ubuntu/Enhance) look bad because they don't know how to use it properly.

wav3front

gmakhs I agree.

I sent an email to Adam suggesting numerous things, like ssh port change, proper web server logs (super important), somehow to harden the cron entries (lock them?), and monitor what files are being created on /.ssh?

Before Enhance I was using aaPanel. It has numerous security features that Enhance is missing:
https://www.aapanel.com/docs/Function/Security.html

I also talked to cPfence and they will make changes to the next version that would prevent this kind of hack.

standtech

Most likely a case of the test user , test123 password. Set strong passwords, and cleanup old stale accounts.

wav3front

standtech it was a vulnerability in "Smarty template" that OxyClassifieds uses.

wav3front

We've found malicious code on.bashrc

https://security.stackexchange.com/questions/224547/how-bashrc-can-be-used-to-attack-a-system

wav3front

cPFence you keep us secure sir.

Adam

As per your support ticket, PHP under Enhance runs as the website user. As far as I know this is common to all major control panels. This means it can write to any file owned by the user, including .bashrc.

I don't recommend changing your SSH port but you can disable password authentication, this will not interfere with Enhance. If you want to restrict the users that can log in, there is the AllowUsers directive in sshd_config.

The cron job, if added via the website container, will not be executed on the host o/s.

The feature to retain access logs will be available in the near future however this will use significant disk space if the retention period is long and the site is busy.

wav3front

Adam thank you for the information and the great support.

Nickske00

Not sure what disabling ssh would do when the hackers enter via a hole in the application... Yes, adding login keys would do nothing, but if they can execute php code that uses exec or one of the other functions php has for running cli stuff from a script, it is the same as logging in through ssh.

As Adam points out, it runs as the user and they are in their container, so normally the rest of the server should be save.

Splunge

Nickske00 I did notice (as i'm new to this and still exploring the nuts and bolts of this) that the php.ini files do not contain any disable_function directives, whereas other panels disable functions by default. Is there any reason why dangerous functions like exec and shell_exec should be allowed by default in user containers?

cPFence

Enhance already does a great job securing containers, you’d need something like cloudlinux to get similar isolation elsewhere. From a security standpoint, Enhance is solid. What’s really needed now are persistent logs and some quality-of-life improvements to emails, ols and backups.

cPFence

Splunge

On a clean cpanel install, disable_functions is typically empty by default.

Go to your main Enhance CP > Settings > Application. Add this

disable_functions:
exec,system,passthru,shell_exec,dl,popen,show_source,posix_kill,posix_mkfifo,posix_getpwuid,posix_setpgid,posix_setsid,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_uname,pcntl_exec,expect_popen

The settings are automatically inherited by all roles on your cluster even if you have 100 servers.

Splunge

cPFence Thank you. That's really helpful.

rdbf

cPFence The settings are automatically inherited by all roles on your cluster even if you have 100 servers.

Do you happen to know how the local overrides of those global settings work? For example, when I disabled mail globally, but removed it (enable) for one website, it would still be disabled.

cPFence

rdbf For example, when I disabled mail globally, but removed it (enable) for one website, it would still be disabled.

Are you trying to disable the mail() function?

rdbf

cPFence Are you trying to disable the mail() function?

Not anymore, but a while back I wanted to disable mail() globally, but enable it for a few websites, rather than enable it globally and disable it separately for a ton of websites.

cPFence

rdbf

Never tried disabling that function, but the override works for every function or directive we’ve tested, and we’ve tested a lot.

JohnB

xyzulu Well said.

Its not the fault of the panel and no security product can truly make an insecure heap of shitcode safe.

Unfortunately a lot of people have sites/dashboards made by a cheap developer on fiverr or upwork for $200. Of course there is NO followup or maintence included. Its essentially tinder for software development but the disease pops up years later. They truly don't know any better. They think its just code and if it was fine 5 years ago why isn't it fine now?

Educate them and offer services to update or migrate to a current framework/plugin. Or they can kick rocks.

If for some reason you need to find a way to host them as is, host them on a seperate VPS just for them on a provider you don't care about. If their site launches attacks and the provider bans you, not a big deal that way.

wav3front

xyzulu but I said it myself, the issue started with this very old PHP app.

I have no idea how you came to the conclusion that password auth is enabled. I have it disabled in my whole cluster.

xyzulu yet you open tickets with Enhance support about finding ways to continue to host insecure scripts

I'm sorry but I really do not like your sayings here. It's not even your business what I do, is it?
FYI, I did not ask Adam how to host an insecure script, that is 100% your conclusion. I asked him several questions about how to get information about the hack, because this information is not available in the documentation.
For example, running "who" as root will not display information about containerised ssh connections. In addition, the http logs of Enhance did not allow me to investigate what php file run in the hack, and Adam confirmed that they are working on an update regarding logs.

xyzulu you end up complaining about Enhance

where did I complain?
Frankly, I only care about making Enhance better. I love it, but when I find opportunity to make it better, I will suggest a feature.

xyzulu instead of watching inexperienced and opinionated users end up making the tool (Ubuntu/Enhance) look bad because they don't know how to use it properly.

Once more, I do not like your sayings sir.

wav3front

xyzulu how cPFence helped you locate this vulnerability,

But they did. So did the -always amazing support- they I get from Adam.

The reason I opened this thread was to inform the community about the hack, and help make Enhance better. And guess what? it did.

gmakhs

xyzulu
You can't Disable password auth when Enhance UI offer's it as an option, that will be super confusing for users (i do agree with you though)