It looks like I have a hacker getting into my cPanel server. Here is the /var/log/messages section that logs the Pure-FTPd session. Is there a way to stop this?
```
Jun 24 04:01:37 server pure-ftpd: (?@59.93.71.35) [INFO] New connection from 59.93.71.35
Jun 24 04:01:38 server pure-ftpd: (sallenus@59.93.71.35) [INFO] sallenus is now logged in
Jun 24 04:01:41 server pure-ftpd: (sallenus@59.93.71.35) [INFO] Logout.
Jun 24 04:01:44 server pure-ftpd: (?@89.36.138.87) [INFO] New connection from 89.36.138.87
Jun 24 04:01:44 server pure-ftpd: (sallenus@89.36.138.87) [INFO] sallenus is now logged in
Jun 24 04:01:46 server pure-ftpd: (sallenus@89.36.138.87) [NOTICE] /home/sallenus//public_html/index.php downloaded (872 bytes, 50.85KB/sec)
Jun 24 04:01:46 server pure-ftpd: (sallenus@89.36.138.87) [INFO] Logout.
Jun 24 04:01:54 server pure-ftpd: (?@202.150.113.249) [INFO] New connection from 202.150.113.249
Jun 24 04:01:56 server pure-ftpd: (sallenus@202.150.113.249) [INFO] sallenus is now logged in
Jun 24 04:02:04 server named[12119]: lame server resolving '21.229.108.59.in-addr.arpa' (in '229.108.59.in-addr.arpa'?): 219.232.48.62#53
Jun 24 04:02:05 server pure-ftpd: (sallenus@202.150.113.249) [NOTICE] /home/sallenus//public_html/index.php uploaded (950 bytes, 0.28KB/sec)
Jun 24 04:02:06 server pure-ftpd: (sallenus@202.150.113.249) [INFO] Logout.
Jun 24 04:02:09 server pure-ftpd: (?@75.187.192.237) [INFO] New connection from 75.187.192.237
Jun 24 04:02:10 server pure-ftpd: (sallenus@75.187.192.237) [INFO] sallenus is now logged in
Jun 24 04:02:12 server pure-ftpd: (sallenus@75.187.192.237) [NOTICE] /home/sallenus//public_html/html/index.html downloaded (1370 bytes, 30.04KB/sec)
Jun 24 04:02:12 server pure-ftpd: (sallenus@75.187.192.237) [INFO] Logout.
Jun 24 04:02:15 server pure-ftpd: (?@88.109.5.212) [INFO] New connection from 88.109.5.212
Jun 24 04:02:16 server pure-ftpd: (sallenus@88.109.5.212) [INFO] sallenus is now logged in
Jun 24 04:02:18 server pure-ftpd: (sallenus@88.109.5.212) [NOTICE] /home/sallenus//public_html/html/index.html uploaded (1449 bytes, 4.79KB/sec)
Jun 24 04:02:18 server pure-ftpd: (sallenus@88.109.5.212) [INFO] Logout.
Jun 24 04:02:21 server pure-ftpd: (?@75.187.192.237) [INFO] New connection from 75.187.192.237
Jun 24 04:02:21 server pure-ftpd: (sallenus@75.187.192.237) [INFO] sallenus is now logged in
Jun 24 04:02:23 server pure-ftpd: (sallenus@75.187.192.237) [NOTICE] /home/sallenus//public_html/suspended.page/index.html downloaded (3494 bytes, 69.96KB/sec)
Jun 24 04:02:24 server pure-ftpd: (sallenus@75.187.192.237) [INFO] Logout.
Jun 24 04:02:26 server pure-ftpd: (?@91.64.208.10) [INFO] New connection from 91.64.208.10
Jun 24 04:02:27 server pure-ftpd: (sallenus@91.64.208.10) [INFO] sallenus is now logged in
Jun 24 04:02:29 server pure-ftpd: (sallenus@91.64.208.10) [NOTICE] /home/sallenus//public_html/suspended.page/index.html uploaded (3561 bytes, 7.29KB/sec)
Jun 24 04:02:30 server pure-ftpd: (sallenus@91.64.208.10) [INFO] Logout.
Jun 24 04:02:32 server pure-ftpd: (?@86.20.64.110) [INFO] New connection from 86.20.64.110
Jun 24 04:02:33 server pure-ftpd: (sallenus@86.20.64.110) [INFO] sallenus is now logged in
Jun 24 04:02:35 server pure-ftpd: (sallenus@86.20.64.110) [NOTICE] /home/sallenus//public_html/themes/engines/phptemplate/default.tpl.php downloaded (128 bytes, 5.42KB/sec)
Jun 24 04:02:35 server pure-ftpd: (sallenus@86.20.64.110) [INFO] Logout.
Jun 24 04:02:38 server pure-ftpd: (?@92.84.250.31) [INFO] New connection from 92.84.250.31
Jun 24 04:02:38 server pure-ftpd: (sallenus@92.84.250.31) [INFO] sallenus is now logged in
Jun 24 04:02:41 server pure-ftpd: (sallenus@92.84.250.31) [NOTICE] /home/sallenus//public_html/themes/engines/phptemplate/default.tpl.php uploaded (238 bytes, 0.83KB/sec)
Jun 24 04:02:41 server pure-ftpd: (sallenus@92.84.250.31) [INFO] Logout.
```

Pretty interesting how that is done. Multiple different IP addresses accessing the same account within seconds, each accessing/modifying a different page.
I hesitate to say that's from a full fledged botnet, but it's likely from multiple compromised machines being controlled from an IRC channel or some other distributed remote means. Somebody issues a command to log in and change files, and all applicable participants act immediately. It is likely that this isn't actually the first time that account has been breached.
It probably was breached initially, and during that time no directory listing or other activity was likely done. Just a quick login/logout to verify that it can be accessed. Then they sit on it for a while (perhaps weeks or more) without making use of it (so you have no reference left on your server in the log files from the previous access). Then they pounce and have it do a quick change of your various HTML/PHP pages. They probably added additional malicious JavaScript code to each of those pages, or an iframe or something.
Like Infopro said, change your password for that account immediately, to something that is very strong. Set up your cPanel to require strong passwords across the board. Go through all of your FTP logs for the past month (or as long as you have them) and look around for strangeness. If you see a group of accounts being accessed in quick succession by the same IP, then you can assume that somebody got hold of your passwd/shadow files and brute-forced the weak passwords. If this were the case, you'd want to implement that secure password policy within cPanel and then change every current account's password as quickly as possible to something that is secure.
It may be isolated (it most often is), but I have seen it where obviously somebody got hold of the passwd/shadow files on the server, spent a long time cracking as many easy passwords as they could, then many months later pounced on multiple accounts at once. There are a lot of hackers sniffing FTP network traffic lately.
Since FTP transmits usernames and passwords in plain text over the network, hackers are able to sniff (discover/steal) your clients' usernames and passwords and store them in databases. They can then simply FTP into your users' accounts, using mass FTP bots to modify thousands of web pages worldwide. The best and only solution we found was to force SECURE FTP; in our case we chose FTPES (explicit secure FTP).
This then makes all FTP data transmitted over networks encrypted. That way hackers can't sniff your clients' usernames and passwords. Pure-FTPd can be set up in WHM to ONLY ALLOW secure FTP connections.
This is what we have done; now our users can only connect via FTPES (secure FTP). FileZilla and FireFTP are both FREE FTP clients and both support FTPES (FTP over TLS); many more free FTP clients will include support for secure FTPES soon too. I want to get this message out because this is one of the biggest security threats on the internet at the moment. Everyone should make their FTP server accept secure FTP connections only. As soon as we switched all our servers over to ONLY FTPES, all hacking activity completely stopped.
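Two login patterns come up in the thread so far: one account driven from many IPs within seconds (the log in the first post) and one IP walking through many accounts in quick succession (the cracked passwd/shadow case described a few replies up). The script below, added here as an example and not code from any poster, picks both out of pure-ftpd syslog lines. The sample log is constructed: it reuses lines from the post above, adds one unrelated named line to show non-FTP lines are skipped, and invents three accounts (alice, bob, carol) on RFC 5737 test addresses. The year (syslog carries none), the 5-minute window and the thresholds of 3 are assumptions to tune for your own logs.

```python
"""Flag (a) accounts used from several IPs inside a short window and
(b) IPs that log into several accounts inside a short window, from
pure-ftpd syslog lines. Added example, not from the thread."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# pure-ftpd logs "(user@ip) [LEVEL] message"; before authentication user is "?"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pure-ftpd: "
    r"\((?P<user>[^@)]+)@(?P<ip>[^)]+)\) \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)

# Constructed sample: sallenus lines from the first post, a named line that must
# be ignored, and invented alice/bob/carol logins from one address.
SAMPLE_LOG = """\
Jun 24 04:01:37 server pure-ftpd: (?@59.93.71.35) [INFO] New connection from 59.93.71.35
Jun 24 04:01:38 server pure-ftpd: (sallenus@59.93.71.35) [INFO] sallenus is now logged in
Jun 24 04:01:41 server pure-ftpd: (sallenus@59.93.71.35) [INFO] Logout.
Jun 24 04:01:44 server pure-ftpd: (?@89.36.138.87) [INFO] New connection from 89.36.138.87
Jun 24 04:01:44 server pure-ftpd: (sallenus@89.36.138.87) [INFO] sallenus is now logged in
Jun 24 04:01:46 server pure-ftpd: (sallenus@89.36.138.87) [NOTICE] /home/sallenus//public_html/index.php uploaded (950 bytes, 0.28KB/sec)
Jun 24 04:01:46 server pure-ftpd: (sallenus@89.36.138.87) [INFO] Logout.
Jun 24 04:01:54 server pure-ftpd: (?@202.150.113.249) [INFO] New connection from 202.150.113.249
Jun 24 04:01:56 server pure-ftpd: (sallenus@202.150.113.249) [INFO] sallenus is now logged in
Jun 24 04:02:04 server named[12119]: lame server resolving '21.229.108.59.in-addr.arpa' (in '229.108.59.in-addr.arpa'?): 219.232.48.62#53
Jun 24 04:02:06 server pure-ftpd: (sallenus@202.150.113.249) [INFO] Logout.
Jun 24 09:15:03 server pure-ftpd: (alice@198.51.100.7) [INFO] alice is now logged in
Jun 24 09:15:30 server pure-ftpd: (bob@198.51.100.7) [INFO] bob is now logged in
Jun 24 09:15:55 server pure-ftpd: (carol@198.51.100.7) [INFO] carol is now logged in
Jun 24 12:00:01 server pure-ftpd: (bob@192.0.2.10) [INFO] bob is now logged in
"""


def logins(text, year=2008):
    """Sorted (timestamp, user, ip) tuples for successful logins only.
    Syslog lines have no year, so one is supplied (2008 is an assumption)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["msg"].endswith("is now logged in"):
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    events.sort()
    return events


def _max_distinct_in_window(rows, window, threshold):
    """rows: sorted (ts, value). Largest count of distinct values that fall
    inside any window starting at one of the rows; 0 if below threshold."""
    best = 0
    for i, (t0, _) in enumerate(rows):
        seen = {v for ts, v in rows[i:] if ts - t0 <= window}
        best = max(best, len(seen))
    return best if best >= threshold else 0


def shared_accounts(events, window=timedelta(minutes=5), min_ips=3):
    """Accounts logged into from >= min_ips distinct IPs within `window`:
    the one-stolen-credential, many-bots pattern from the first post."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    hits = {}
    for user, rows in by_user.items():
        n = _max_distinct_in_window(rows, window, min_ips)
        if n:
            hits[user] = n
    return hits


def account_walkers(events, window=timedelta(minutes=5), min_users=3):
    """IPs that log into >= min_users distinct accounts within `window`:
    what a cracked passwd/shadow copy being cashed in looks like."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, rows in by_ip.items():
        n = _max_distinct_in_window(rows, window, min_users)
        if n:
            hits[ip] = n
    return hits


if __name__ == "__main__":
    ev = logins(SAMPLE_LOG)
    print("accounts used from many IPs:", shared_accounts(ev))
    print("IPs walking many accounts:  ", account_walkers(ev))
```

Feed it the real file with `logins(open("/var/log/messages").read())`. Both detectors are deliberately blind to the benign case of one user on two addresses (bob here), so the thresholds matter more than the window; lower `min_ips` to 2 if your users never roam.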
This sounds exactly like the IFRAME hacks that have been discussed on this forum. Your computer gets infected with a trojan when viewing a hacked page (and you download something?). The trojan transmits your FTP passwords back to the hacker whenever you use FileZilla or other FTP client. The hacker then uses a network of infected computers to modify the web pages to plant more IFRAME hacks. Sallen812, changing your FTP passwords will solve the problem, but only if you are 100% sure that your computer is virus free.
Thank you, Stefaans! I'm getting tired of the 'oh my $@$@ server hacked' posts everywhere! Yes, as Stefaans summarized, there is a group of hackers operating out of China right now who are getting their passwords via the use of trojans on the users' own computers at home and NOT the servers or data centers where their web hosting accounts are located. It is important to note a few things: 1. Unless you totally clean your home computer of these trojan viruses, any password changes you do at your hosting company will not work, because the hackers will be updated with your new password.
The hacking group is not only collecting web hosting information from your computer at home but also banking login information as well, and if you logged into your bank from an infected home computer, they likely have your bank login as well; there have been reports of unauthorized bank transfers being made in various places already. If you suspect your computer is infected, get the latest updates to one of the top 5 antivirus programs and run full scans on your computer, along with the latest updates from a good trojan detection tool such as Spy Doctor or, if that is out of reach, at least SpyBot Search & Destroy, and try to confirm your computer is completely clean. If it were me, I would go ahead and change all my web hosting and bank passwords yet again after doing all the local computer scans, just to be sure.

Correct!
The current exploit attack heavily in the wild right now involves keylogging, packet capturing, and file analysis from the victim's own home computer. It doesn't really matter what you do, aside from implementing a one-time keypad on the server side, because as long as the user is infected, the hacking group behind this will know how to log in, and it does not matter if you force secure FTP, use only certificates, or anything else. A lot of people erroneously believe right now that FTP is being hacked because they don't know what is really going on, are making bad assumptions, and then through those same bad assumptions are recommending you switch your FTP software, or disable FTP and go to secure FTP, or implement some encryption method, which is already by definition compromised as long as the end user is still able to log in from their home computer. The best action at the moment for anyone found infected is to suspend their accounts or change their passwords to prevent the home user from being able to log in themselves until they can disinfect their home computers!

One step that might help, if your server can support it: a little help will come from banning IPs from the affected countries. I know that it isn't a perfect solution since the abusers can spoof IPs and use proxies, but my server ONLY serves the US, Canada and northern Europe, and I've blocked many of the suspect countries by IP at the firewall. A number of years back (5) the server that I shared at that time was compromised with iframe injection attacks.
That server was behind on kernel updates and had a number of other weaknesses. Do everything and anything you can to protect yourself from these problems: firewall, IP blocks, port scanning detection, LFD detection, etc. One final note: if you are on shared hosting, meaning you are on a VPS or one of thousands of accounts on a server that advertises 'unlimited everything' for $3 a month, you are then subject to the weaknesses that such a monster server has to be configured for. You are getting what you pay for. If any one of your 'roommates' on that server gets exploited, then your site is more likely to be affected by that exploited neighbor.
This is not the iframe method! We had the exact same issues on our customers' web servers. We have investigated this issue and found the following:

1. A PHP shell script (which contains numerous PHP/Apache/Zend vulnerabilities) has been uploaded through an XSS attack.
2. The script has been used to gather usernames from the servers.
3. The script has modified the passwords of the accounts located in /etc/passwd.
4. Hackers connected from different IPs to the FTP accounts and uploaded/deleted files.
Upgrade to Apache 2.2 with the latest PHP versions! And compile with Suhosin, suPHP and suEXEC! Install ModSecurity from the cPanel addons!
Install ModSecurity rules from gotroot.com (they have a free rules download also). Install the ClamAV addon from cPanel. Forbid the following functions in PHP. Replace '/home' with your path. Also find files that are using the PHP command posix_getpwuid, as this is how they list the server's usernames!
There are other vulnerabilities with Zend also! Even if you enable Safe Mode in PHP they can still list /etc/passwd or any other system file, even though the open_basedir restriction is enabled. We are still investigating this and I will update you as soon as we have a solution. Also we found another Perl script that came with the shell code above.
It uses the symlink function to create symlink into vulnerable account to any other account or directory in server. This way they have access to everything.
If someone has more ideas how to secure the server against these vulnerabilities please let us know. I will also keep you updated.

ramzex: I saw your original post a couple of days ago and briefly contacted you, but I have also been very busy this week helping a lot of users deal with the current hacking attacks going around, helping people secure their servers, and have not had much free time available. I would very much like to take a look at your server and sit down and go over with you all that you have done to try to clean it out and update the security, as there is likely a great many areas you missed (based on your comments in each of your posts) that I may be able to help you address. You are already off to a good start in the things you list in your post above, but I also see a great number of critical areas to address where you did not mention doing anything to secure your server. When you are available, try to contact me and if I have a few free moments, I'll try to make room to talk to you and help you with your server.

Hi Everybody.
This is my first post. First of all, please be careful, everyone who uses FileZilla. Very simple: look in your machine for a file called 'sitemanager.xml'. You can open it with Notepad. It holds all the information of your accounts. In plain text. Password (not encrypted!!).
Once you have a trojan/virus (like Malicious.PDF.Gen, etc.), it is a piece of cake for it to get that information. It only has to read the XML and send that information to the attacker.
Now I am using another free FTP client. It encrypts everything.
I will try it now. Good luck (and sorry for my odd English).
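To show how little the stealer described in the post above has to do, here is an added example (not code from the poster, and not FileZilla's own code) that audits a sitemanager.xml and reports which stored passwords can be read straight out of the file. The XML is constructed to mirror the sitemanager.xml layout: one entry in the old verbatim-plaintext form the post describes, one in the later base64 form (which is encoding, not encryption, so it is just as exposed), and one protected by a master password (the `encoding="crypt"` attribute value is an assumption). The numeric-to-name mapping for `<Protocol>` is assumed from FileZilla's ServerProtocol enum; the thread does not list it.

```python
"""Audit a FileZilla sitemanager.xml for credentials readable without any key.
Added example; the sample XML is constructed, not copied from a real profile."""
import base64
import xml.etree.ElementTree as ET

# Assumed mapping of FileZilla's numeric <Protocol> codes (ServerProtocol enum).
PROTOCOLS = {
    0: "FTP (explicit TLS if the server offers it)",
    1: "SFTP",
    3: "FTPS (implicit TLS)",
    4: "FTPES (explicit TLS)",
    6: "plain FTP, no TLS",
}

# Constructed sample: plaintext entry, base64 entry, master-password entry.
SAMPLE_SITEMANAGER = """<FileZilla3 version="3.10.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.com</Host><Port>21</Port><Protocol>6</Protocol>
      <User>sallenus</User><Pass>hunter2</Pass><Logontype>1</Logontype>
      <Name>hosting account</Name>
    </Server>
    <Server>
      <Host>ftp.example.net</Host><Port>21</Port><Protocol>4</Protocol>
      <User>alice</User><Pass encoding="base64">czNjcmV0</Pass><Logontype>1</Logontype>
      <Name>client site</Name>
    </Server>
    <Server>
      <Host>sftp.example.org</Host><Port>22</Port><Protocol>1</Protocol>
      <User>bob</User><Pass encoding="crypt">opaque-ciphertext</Pass><Logontype>1</Logontype>
      <Name>backup box</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def recover_password(pass_el):
    """Return (password, storage). password is None when the file alone
    does not give it away (e.g. master-password encryption)."""
    if pass_el is None or not (pass_el.text or "").strip():
        return None, "none"
    text = pass_el.text.strip()
    enc = pass_el.get("encoding")
    if enc is None:                 # old FileZilla 3 profiles: verbatim plaintext
        return text, "plaintext"
    if enc == "base64":             # later profiles: reversible encoding, no key involved
        return base64.b64decode(text).decode("utf-8"), "base64 (reversible)"
    return None, enc                # anything else needs a key the file does not hold


def audit_sitemanager(xml_text):
    """One dict per <Server> entry: who, where, over what, and whether the
    stored password is readable straight from the file."""
    root = ET.fromstring(xml_text)
    findings = []
    for srv in root.iter("Server"):
        password, storage = recover_password(srv.find("Pass"))
        proto = int((srv.findtext("Protocol") or "0").strip())
        findings.append({
            "name": (srv.findtext("Name") or "").strip(),
            "host": (srv.findtext("Host") or "").strip(),
            "user": (srv.findtext("User") or "").strip(),
            "protocol": PROTOCOLS.get(proto, f"code {proto}"),
            "storage": storage,
            "password": password,
        })
    return findings


def exposed(findings):
    """Entries whose password an attacker gets by simply reading the file."""
    return [f for f in findings if f["password"] is not None]


if __name__ == "__main__":
    for f in audit_sitemanager(SAMPLE_SITEMANAGER):
        state = "EXPOSED" if f["password"] is not None else "protected"
        print(f"{state:9} {f['user']}@{f['host']}  {f['protocol']}  [{f['storage']}]")
```

Run it against the real file (`%APPDATA%\FileZilla\sitemanager.xml` on Windows, `~/.config/filezilla/sitemanager.xml` on Linux) to see what a trojan would harvest from your own machine. Note that forcing FTPES on the server, as proposed earlier in the thread, changes only the `protocol` column here: it stops sniffing on the wire but does nothing for a credential lifted from this file.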