I've been seeing a few issues lately on a few of my servers where an account gets hacked via outdated scripts, and the hacker uploads a cPanel / FTP brute-forcing PHP script inside the account.
The PHP file reads /etc/passwd to get the usernames, and then uses a passwd.txt file to try to brute-force its way into 127.0.0.1:2082.
I'm trying to think of a way to block this. It doesn't POST anything, just "GET /path/phpfile.php", so I can't use mod_security to block it.
I've been thinking of maybe changing the permissions on /etc/passwd to 600, but I'm unsure how that would turn out for my users.
I was also thinking of rate-limiting localhost connections to :2082, but I'm worried about mod_proxy being affected.
Any suggestions?
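A quick way to find the uploaded script the question describes (reads /etc/passwd, loads passwd.txt, hammers 127.0.0.1:2082 with Basic-auth GETs) is to sweep the web roots for PHP files where several of those indicators co-occur. The following is an added example, not code from the question, any answer or cPanel; the indicator list, the two-indicator threshold and the sample files are assumptions.

```python
"""Triage scan for the uploaded cPanel/FTP brute-forcer described in the
question: a PHP file that reads /etc/passwd for usernames, loads passwd.txt and
hammers 127.0.0.1:2082. Added example, not code from the page or from cPanel;
the indicator list, threshold and sample files are assumptions."""
import os
import re
import tempfile

# Indicators matched against raw PHP source. Scripts that hide strings behind
# base64_decode() or concatenation will evade this; it is a quick triage sweep
# of a web root, not a malware engine.
INDICATORS = [
    ("reads_etc_passwd", re.compile(r"/etc/passwd")),
    # matches "127.0.0.1:2082", '"127.0.0.1", 2082' and the SSL port 2083
    ("local_cpanel_port", re.compile(r"127\.0\.0\.1\D{0,4}208[23]\b")),
    ("wordlist_file", re.compile(r"passwd\.txt")),
    ("http_basic_auth", re.compile(r"Authorization:\s*Basic", re.I)),
]
# Report a file only when several indicators co-occur, so a legitimate script
# that merely mentions /etc/passwd in a comment is not flagged.
MIN_INDICATORS = 2


def scan_php_source(text):
    """Return the set of indicator names found in one PHP source text."""
    return {name for name, rx in INDICATORS if rx.search(text)}


def scan_tree(root, min_indicators=MIN_INDICATORS):
    """Walk root and return {path: [indicators]} for suspicious PHP files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_php_source(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if len(hits) >= min_indicators:
                findings[path] = sorted(hits)
    return findings


# Constructed sample inputs (not real malware): a stand-in for the uploaded
# brute-forcer and a benign page that happens to mention /etc/passwd.
BRUTE_FORCER = r'''<?php
$users = file("/etc/passwd");
$words = file("passwd.txt");
foreach ($users as $line) {
    $user = explode(":", $line)[0];
    foreach ($words as $pw) {
        $s = fsockopen("127.0.0.1", 2082);
        $cred = base64_encode($user . ":" . trim($pw));
        fwrite($s, "GET / HTTP/1.0\r\nAuthorization: Basic $cred\r\n\r\n");
        fclose($s);
    }
}
'''
BENIGN = "<?php echo 'hello'; // user list lives in /etc/passwd ?>"


def demo():
    """Build a throwaway web root with both samples and scan it."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    uploads = os.path.join(root, "public_html", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(root, "public_html", "index.php"), "w") as fh:
        fh.write(BENIGN)
    with open(os.path.join(uploads, "cp.php"), "w") as fh:
        fh.write(BRUTE_FORCER)
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

On a real box you would call scan_tree("/home") (or each account's public_html) instead of demo(); the threshold keeps the noise down, but treat the output as a lead for manual review, since a packed or encoded variant will not trip the string matches at all.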
Run some form of auth that doesn't look at /etc/passwd for usernames, such as LDAP. Also, I'd suggest activating SELinux so that such hacks break right at step 1 (httpd can't read /etc/passwd with the default rules), but cPanel is hostile to any advanced attempt to lock the system down.
So the first thing is to fix / delete the outdated scripts that gave the hackers the privilege and ability to upload cPanel / PHP scripts in the first place. Everything after that is a bodge (bad fix) dancing around the real problem, and you will continue to have various problems until that is rectified.
The system expects /etc/passwd to be world and group readable (i.e. 644 or 444, but that may still break things), while /etc/shadow, which stores the password hashes, should be limited to 600 (owner read/write, group and everybody no access: o+rw,g-,a-).
Not having experience with cPanel, I don't know if it can be limited via PAM authentication modules, so as to rate-limit password check attempts and make password brute-forcing attempts futile. The PAM module I had in mind is called pam_faildelay, which slows down multiple attempts. I don't know if a tarpit-style solution using Apache and mod_security would be a means of rate-limiting access to cPanel logins.
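To check the /etc/passwd and /etc/shadow expectations from the answer above (and to see what the question's "chmod 600 /etc/passwd" idea would be flagged as), here is an added audit script; it is not from the page or from cPanel. The ALLOWED table is my assumption: 600 is the classic shadow mode, Debian-family systems ship 640 root:shadow and RHEL-family systems ship 000, all of which keep the hashes away from unprivileged users.

```python
"""Audit /etc/passwd and /etc/shadow mode bits against what the system expects:
passwd stays world-readable (644 or 444), shadow is unreadable to everyone but
root. Added example, not from the page; the ALLOWED table is my assumption."""
import os
import stat
import tempfile

ALLOWED = {
    "passwd": {0o644, 0o444},
    "shadow": {0o600, 0o640, 0o400, 0o000},
}


def file_mode(path):
    """Permission bits only (e.g. 0o644); stat() needs no read access to the file."""
    return stat.S_IMODE(os.stat(path).st_mode)


def check_mode(path, allowed):
    """Return (ok, actual_mode)."""
    mode = file_mode(path)
    return mode in allowed, mode


def audit_auth_files(passwd_path="/etc/passwd", shadow_path="/etc/shadow"):
    """Return a list of findings; an empty list means both files look sane."""
    findings = []

    ok, mode = check_mode(passwd_path, ALLOWED["passwd"])
    if not ok:
        if not mode & stat.S_IROTH:
            # This is what chmod 600 /etc/passwd does: getpwnam()/ls -l/cron
            # in unprivileged processes can no longer resolve usernames.
            findings.append(
                f"{passwd_path} mode {mode:04o}: not world-readable, "
                "unprivileged user lookups will fail")
        else:
            findings.append(f"{passwd_path} mode {mode:04o}: unexpected (want 0644)")

    ok, mode = check_mode(shadow_path, ALLOWED["shadow"])
    if not ok:
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append(
                f"{shadow_path} mode {mode:04o}: password hashes exposed to all users")
        else:
            findings.append(f"{shadow_path} mode {mode:04o}: unexpected (want 0600)")
    return findings


def make_fixture(passwd_mode, shadow_mode):
    """Constructed stand-ins so the audit can be exercised without touching /etc."""
    d = tempfile.mkdtemp(prefix="authperm-")
    p = os.path.join(d, "passwd")
    s = os.path.join(d, "shadow")
    with open(p, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n"
                 "alice:x:1001:1001::/home/alice:/bin/bash\n")
    with open(s, "w") as fh:
        fh.write("root:*:19000:0:99999:7:::\n"
                 "alice:$6$constructedfakehash:19000:0:99999:7:::\n")
    os.chmod(p, passwd_mode)
    os.chmod(s, shadow_mode)
    return p, s


if __name__ == "__main__":
    for line in audit_auth_files() or ["/etc/passwd and /etc/shadow look fine"]:
        print(line)
```

Run it as is to audit the live files; make_fixture() exists only so the two failure cases (passwd tightened to 600, shadow loosened to 644) can be reproduced on throwaway copies.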
First and foremost, enable cPHulk; it will help protect cPanel against brute force. NEVER change the permissions of /etc/passwd and /etc/shadow; they are set that way for a reason. SELinux will add an extra layer of security and does stop exploits from obtaining code execution, but it might not stop this attack. Change the port number from 2082 to 2083 or something similar; the script they are using might not be that smart.
mod_security is awesome, but it's not going to do anything to stop this attack.
You could also enforce better password rules. Try brute-forcing yourself with THC-Hydra; if any accounts are broken, disable them and force the user to pick a better password.
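Both the PAM rate-limiting idea in the previous answer and the cPHulk suggestion above come down to the same logic: count failed logins per key inside a sliding window and lock the key for a while once the count crosses a threshold. The block below is an added example of that logic, not cPHulk or pam_faildelay code; the thresholds and the constructed log format "<seconds> <user> <source-ip> <FAIL|OK>" are assumptions. It also shows the caveat that matters for this particular attack: the script runs on the server, so every attempt arrives from 127.0.0.1.

```python
"""Sliding-window lockout for cPanel logins. Added example, not cPHulk or
pam_faildelay code; thresholds and the log line format are assumptions."""
from collections import defaultdict, deque


class BruteForceGuard:
    def __init__(self, max_failures=5, window=300, lock_time=900, per_source=True):
        self.max_failures = max_failures    # failures inside `window` that trigger a lock
        self.window = window                # seconds
        self.lock_time = lock_time          # seconds a lock lasts
        self.per_source = per_source        # also lock by source IP, not just by account
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> unlock time

    def _keys(self, user, source):
        keys = [("user", user)]
        if self.per_source:
            keys.append(("source", source))
        return keys

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:                    # lock expired: start with a clean slate
            del self.locked_until[key]
            self.failures[key].clear()
            return False
        return True

    def allow(self, user, source, now):
        """Should this login attempt even be processed?"""
        return not any(self.is_locked(k, now) for k in self._keys(user, source))

    def record_failure(self, user, source, now):
        """Count one failed attempt; return the keys that just became locked."""
        newly_locked = []
        for key in self._keys(user, source):
            q = self.failures[key]
            while q and now - q[0] > self.window:   # drop failures outside the window
                q.popleft()
            q.append(now)
            if len(q) >= self.max_failures:
                self.locked_until[key] = now + self.lock_time
                newly_locked.append(key)
        return newly_locked

    def record_success(self, user, source, now):
        self.failures[("user", user)].clear()


# Constructed login records: the uploaded script hammering "alice" from
# localhost, a legitimate remote login by bob, then carol logging in locally.
SAMPLE_LOG = """\
0 alice 127.0.0.1 FAIL
10 alice 127.0.0.1 FAIL
20 alice 127.0.0.1 FAIL
30 alice 127.0.0.1 FAIL
40 alice 127.0.0.1 FAIL
50 alice 127.0.0.1 FAIL
60 bob 203.0.113.9 OK
400 carol 127.0.0.1 FAIL
"""


def replay(text, guard):
    """Feed log lines through the guard; return (rejected attempts, locked keys)."""
    rejected = []
    for line in text.splitlines():
        ts, user, source, result = line.split()
        ts = int(ts)
        if not guard.allow(user, source, ts):
            rejected.append((ts, user))
            continue
        if result == "FAIL":
            guard.record_failure(user, source, ts)
        else:
            guard.record_success(user, source, ts)
    return rejected, sorted(guard.locked_until)


if __name__ == "__main__":
    for per_source in (True, False):
        rej, locked = replay(SAMPLE_LOG, BruteForceGuard(per_source=per_source))
        print(f"per_source={per_source}: rejected={rej} locked={locked}")
```

With per_source=True the fifth failure locks both alice and 127.0.0.1, and carol's unrelated local login at t=400 is rejected too: a lockout keyed on source IP treats the whole server as the attacker when the brute-forcer runs locally. With per_source=False only the alice account is locked, which stops the script from guessing her password but lets anyone who can run PHP on the box lock out any account on purpose. Neither setting is a substitute for removing the script, which is why the first answer's "fix the outdated scripts" comes first.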