Preventing back connect in Cpanel servers

Posted by Fernando on Server Fault See other posts from Server Fault or by Fernando
Published on 2013-08-02T14:34:33Z Indexed on 2013/08/02 15:41 UTC
Read the original article Hit count: 157

Filed under:

security

|

cpanel

We run a Cpanel server and someone gained access to almost all accounts using the following steps:

1) Gained access to an user account due to weak password. Note: this user didn't had shell access.

2) With this user account, he accessed Cpanel and added a cron task. The cron task was a perl script that connected to his IP and he was able to send back shell commands.

3) Having a non jailed shell, he was able to change content of most websites in server specially for users who set their folders to 777 ( Unfortunately a common recommendation and sometimes a requirement for some PHP softwares ).

Is there a way to prevent this? We started by disabling cron in Cpanel interface, but this is not enough. I see a lot of other options in which an user could run this perl script.

We have a firewall running and blocking uncommon outgoing ports. But he used port 80 and, well, I can't block this port as a lot of processes use them to access things, even Cpanel itself.

© Server Fault or respective owner

Related posts about security

sudo apt-get update errors

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
Here is what I get on my terminal when running sudo apt-get update errors. I dont know if the issue is from my sources.list or my proxy setup(have not made any changes to proxies). Thank you for any help in advanced. Ign http://security.ubuntu.com oneiric-security Release.gpg Ign http://security… >>> More
The Security-Developer Gap: Why IT Security Can't Fix Your Security Problems Alone

as seen on Devx - Search for 'Devx'
Two well-known white hats explain how hackers take advantage of security holes left by enterprise application developers. >>> More
The Security-Developer Gap: Why IT Security Can't Fix Your Security Problems Alone

as seen on Internet.com - Search for 'Internet.com'
Two well-known white hats explain how hackers take advantage of security holes left by enterprise application developers. >>> More
StackOverFlowError while creating Mac object on AS400/Java

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello all, I am a newbie to AS400-Java programming. I am trying to create my first program to test the implementation of Message Authentication Code (MAC). I am trying to use the HMACSHA1 hash function. My (Java 1.4) program runs fine on a dev box (V5R4).But fails terribly on the QA box (V5R3). My… >>> More
Google App Engine - Spring Security Issue (java.security.AccessControlException)

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm currently getting the AccessControlException below when I deploy to app engine (I don't see it when I run in my local environment). I'm using GAE 1.3.1, Spring 3.0.1, and Spring Security 3.0.2. Any ideas how to get around this issue? It appears to be an issue with Spring Security trying to get… >>> More

Related posts about cpanel

I can't find my backup for the cpanel in whm/cpanel

as seen on Pro Webmasters - Search for 'Pro Webmasters'
The Problem: I have made a complete backup from the cpanel for the whole home folder. I have placed this folder in the default home directory. Thereafter, i tried to restore this file from the WHM, but i couldn't find it. Does anyone know what causes such problems? Additional Details: I am the… >>> More
Mailman Error / Cpanel

as seen on Server Fault - Search for 'Server Fault'
Mailman is giving off this error when any changes are made to the list: ======================= Bug in Mailman version 2.1.14 We're sorry, we hit a bug! Please inform the webmaster for this site of this problem. Printing of traceback and other system information has been explicitly… >>> More
fcgi php.ini override

as seen on Server Fault - Search for 'Server Fault'
I'm using cPanel on centos5 64bit installed. PHP handler is : fcgi cat /usr/local/apache/conf/php.conf output is : LoadModule fcgid_module modules/mod_fcgid.so MaxRequestsPerProcess 500 FCGIWrapper /usr/local/cpanel/cgi-sys/php5 .php5 FCGIWrapper /usr/local/cpanel/cgi-sys/php5… >>> More
Problem with Apache webserver and MySQL after installing cPanel

as seen on Server Fault - Search for 'Server Fault'
I have a Fedora machine with Apache webserver and MySQL installed with some data present in both the servers. I installed cPanel on this machine with a test license. After installing cPanel I am not able to start Apache Webserver and login to MySQL. I am getting the following error when I try to… >>> More
Too many apache processes, killing the CPU

as seen on Server Fault - Search for 'Server Fault'
I am noticed that too many apache processes killing the CPU in my dedicated server. 14193 (Trace) (Kill) nobody 0 66.1 0.0 /usr/local/apache/bin/httpd -k start -DSSL 14128 (Trace) (Kill) nobody 0 65.9 0.0 /usr/local/apache/bin/httpd -k start -DSSL 14136 (Trace) (Kill) nobody… >>> More