Preventing back connect in cPanel servers
Posted by Fernando on Server Fault
Published on 2013-08-02T14:34:33Z
Indexed on 2013/08/02 15:41 UTC
We run a cPanel server and someone gained access to almost all accounts using the following steps:
1) Gained access to a user account due to a weak password. Note: this user didn't have shell access.
2) With this user account, he accessed cPanel and added a cron task. The cron task was a Perl script that connected to his IP and he was able to send back shell commands.
3) Having a non-jailed shell, he was able to change the content of most websites on the server, especially for users who set their folders to 777 (unfortunately a common recommendation and sometimes a requirement for some PHP software).
Is there a way to prevent this? We started by disabling cron in the cPanel interface, but this is not enough. I see a lot of other ways in which a user could run this Perl script.
We have a firewall running and blocking uncommon outgoing ports. But he used port 80 and, well, I can't block this port as a lot of processes use it to access things, even cPanel itself.
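
The port-80 problem described above can be narrowed by looking at who owns each outbound connection instead of which port it uses. The following is an added example, not part of the original post: it reads a table in `/proc/net/tcp` layout and reports established connections to port 80 that belong to ordinary account UIDs. The `min_uid=500` threshold, the function names and the sample rows are assumptions made for illustration, and the address decoding assumes a little-endian host.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A00000A:C350 0A6433C6:0050 01 00000000:00000000 00:00000000 00000000   512        0 1002
   2: 0A00000A:0050 0B6433C6:D431 01 00000000:00000000 00:00000000 00000000    99        0 1003
   3: 0A00000A:C351 0C6433C6:0050 01 00000000:00000000 00:00000000 00000000     0        0 1004
"""

ESTABLISHED = "01"  # TCP state code used in /proc/net/tcp


def decode_endpoint(field):
    """Turn '0A6433C6:0050' (little-endian hex IPv4, hex port) into (ip, port)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def account_egress(proc_net_tcp, min_uid=500, ports=(80,)):
    """Return established connections to `ports` owned by UIDs >= min_uid."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10 or cols[3] != ESTABLISHED:
            continue
        uid = int(cols[7])  # column 7 is the UID that owns the socket
        remote = decode_endpoint(cols[2])
        if uid >= min_uid and remote[1] in ports:
            hits.append({"uid": uid, "local": decode_endpoint(cols[1]), "remote": remote})
    return hits


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:  # live IPv4 table on Linux
            table = fh.read()
    except OSError:
        table = SAMPLE  # fall back to the constructed rows above
    for hit in account_egress(table):
        print(hit)
```

Sites that legitimately fetch remote content while running as the account user will also show up here, so hits need review against what each account is expected to do. The same UID distinction can be enforced rather than only observed with the iptables owner match (`-m owner --uid-owner`) in the OUTPUT chain.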
© Server Fault or respective owner