WARNING - Cpanel3 Demo Account Security Loophole
We set up a demo account on one of our boxes to demonstrate Cpanel3. As we were monitoring the server we found someone trying to take advantage of this to break into the server. Fortunately we monitor the server regularly so they didn't get anywhere, but there is a security threat.

What happened was someone uploaded 2 files to the demo account: a PHP script and a CGI script. The PHP was a simple script to execute commands on the server; the CGI script was some kind of brute force password attacker. The hacker would start the Perl CGI script (named banner.cgi so it would look like a legit script in a top or ps aux) and it would run as nobody.
Below are the steps I recommend anyone with a CPanel3 demo take to prevent the problem:
1) Do not set up CGI script execution on the demo account.
2) Do not set up MySQL, Email, FrontPage or Subdomains with the demo account.
3) Change ownership of the entire demo account file structure to root/root.
4) Modify the quota of the demo account to 5 MB/month.
All of these steps combined should stop an attack like we experienced.
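As an added example (not from the original post), a small POSIX sh audit that checks a demo account's document root against steps 1, 3 and 4 above; the document root path, the expected owner and the size limit are arguments and the example values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: audit a cPanel demo account's
# document root against the steps above. The path /home/demo/public_html
# and the 5120 KB limit are assumptions based on the post's recommendation.

# Usage: audit_demo_docroot <docroot> <expected_owner> <max_kb>
# Prints one line per finding and returns 0 only when the tree is clean.
audit_demo_docroot() {
    docroot=$1
    owner=$2
    max_kb=$3
    findings=0

    [ -d "$docroot" ] || { echo "no such directory: $docroot"; return 2; }

    # Step 3: everything should belong to $owner (root in the post), so a
    # file dropped through the demo login cannot stay owned by the demo user.
    n=$(find "$docroot" ! -user "$owner" | wc -l)
    if [ "$n" -gt 0 ]; then
        echo "ownership: $n path(s) under $docroot not owned by $owner"
        findings=$((findings + n))
    fi

    # Step 1 (no CGI) plus the PHP command runner the post describes: any
    # script source in a demo docroot is a finding, executable bit or not.
    n=$(find "$docroot" -type f \( -name '*.cgi' -o -name '*.pl' \
        -o -name '*.php' \) | wc -l)
    if [ "$n" -gt 0 ]; then
        echo "scripts: $n script file(s) under $docroot"
        findings=$((findings + n))
    fi

    # Step 4: a small quota limits what an intruder can stage on the box.
    used_kb=$(du -sk "$docroot" | cut -f1)
    if [ "$used_kb" -gt "$max_kb" ]; then
        echo "quota: $docroot uses ${used_kb} KB, limit ${max_kb} KB"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Runs only when a docroot is given on the command line, e.g.:
#   sh audit_demo.sh /home/demo/public_html root 5120
[ $# -eq 0 ] || audit_demo_docroot "$@"
```

Run it from cron against the demo account and alert on a non-zero exit; a clean tree prints nothing.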
Take care,
Brian