It has recently been brought to our attention that multiple cPanel servers belonging to clients who provide shared hosting services have been compromised through some form of root privilege escalation and then used as spam sources. Most of the instances we analyzed were sending forged phishing emails pretending to come from intuitt services.
After further analysis it appears the intrusion started with the abuse of a WordPress vulnerability, which was used to inject scripts that then exploited the well-publicized sudo vulnerability; in case you were not aware, this has been covered recently by several news outlets as well as several security firms.
For reference, please see the ZDNet article on this matter.
One symptom that repeated across most of our clients was a hostname change: the server hostname was changed to intuitt-service(com) or similar on a daily basis. After reviewing the systemd journal we noticed that the hostname changes were made by the root user.
For example, see the image below. By running the command:
journalctl | grep hostname
we were able to confirm that a root-level escalation had triggered the hostname change. So how do you fix this?
Step 1: correct the sudo escalation bug. On a YUM-based system such as CentOS or AlmaLinux, which are the preferred flavors for cPanel, the way to correct this is to upgrade the sudo package by running:
yum update 'sudo*'
(the pattern is quoted so the shell does not expand the wildcard against files in the current directory)
Step 2: it is important to reboot your server in case the attackers already have an open root session in place. Also make sure to use a package like Imunify360 for cPanel so you can scan for and clean the likely source of the script that triggered the sudo escalation; please remember you can license Imunify360 directly from Racknation at the following link
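The detection and remediation steps above, as an added example that is not part of the Racknation article: a POSIX shell triage helper that pulls hostname changes out of journal text, counts how many of them set the intuitt lookalike name, warns if the live hostname matches it, and checks whether yum has a pending sudo update. It assumes the "Changed host name to '<name>'" wording that systemd-hostnamed logs when the hostname is changed through hostnamectl, that yum check-update exits 100 when an update is available, and that the journal lines in sample_journal are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added triage helper (not from the Racknation article) for the hostname-change
# symptom described above. Assumptions: systemd-hostnamed logs
# "Changed host name to '<name>'" when the hostname is changed via hostnamectl;
# the sample journal below is constructed, not captured from a real server;
# "yum check-update" exits 100 when a newer package is available.

# Constructed journal excerpt standing in for "journalctl --no-pager" output.
sample_journal() {
    cat <<'EOF'
Mar 03 02:14:07 web1 systemd-hostnamed[2231]: Changed host name to 'intuitt-service.com'
Mar 03 08:29:40 web1 sshd[3090]: Accepted publickey for admin from 203.0.113.5 port 51234 ssh2
Mar 03 08:30:12 web1 systemd-hostnamed[3102]: Changed host name to 'web1.example.net'
Mar 04 02:13:55 web1 systemd-hostnamed[4410]: Changed host name to 'intuitt-service.com'
EOF
}

# Print one "<timestamp> <new hostname>" line per hostname change in the
# journal text read from stdin; every other journal line is dropped.
hostname_changes() {
    sed -n -E "s/^(... .. ..:..:..) .* [Cc]hanged host name to '([^']*)'.*/\1 \2/p"
}

# Succeed (exit 0) when NAME matches the lookalike the article reports.
is_lookalike_hostname() {
    case "$1" in
        *intuitt*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Count the hostname changes on stdin whose new name is a lookalike.
# The braces keep the counter in the same subshell as the loop, so the total
# survives the pipe (a bare "| while" loop would lose it in POSIX sh).
count_lookalike_changes() {
    hostname_changes | {
        n=0
        # The timestamp is three words (month, day, time); the name is the fourth.
        while read -r _mon _day _time name; do
            if is_lookalike_hostname "$name"; then
                n=$((n + 1))
            fi
        done
        echo "$n"
    }
}

# Step 1 check: "yum check-update" exits 100 when a newer sudo package exists.
# Returns 2 when yum is not installed (for example on a non-RHEL-family host).
sudo_update_pending() {
    command -v yum >/dev/null 2>&1 || return 2
    yum -q check-update sudo >/dev/null 2>&1
    [ $? -eq 100 ]
}

# Stand-alone run over the constructed sample and the live hostname.
main() {
    echo "hostname changes found in sample journal:"
    sample_journal | hostname_changes
    echo "changes to a lookalike name: $(sample_journal | count_lookalike_changes)"
    if is_lookalike_hostname "$(uname -n)"; then
        echo "WARNING: current hostname matches the lookalike pattern"
    fi
    if sudo_update_pending; then
        echo "a sudo update is available: run yum update sudo, then reboot"
    fi
}
main
```

On a real host, replace sample_journal with journalctl --no-pager. A hostname set directly with the hostname command or by editing /etc/hostname does not pass through systemd-hostnamed, so an empty result does not rule out tampering; and after yum update sudo, rpm -q sudo shows the version that is actually installed, which is what a reboot then puts into use.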
We hope this article sheds some light on this recent hack. We are very sure there are hundreds, if not thousands, of cPanel servers around the world that have been compromised using this same tactic.
Racknation Support Staff