Breaking News: Admin panels of Over 9.5 Thousand Sites Breached
Over nine and a half thousand sites had a supposed data leakage: 9548 URLs with their admin login/password pairs were leaked. Many of them are cPanel logins; cPanel is a popular web-based hosting control panel.
(Image: example of the leaked data)
According to the source, KevinSecTeam on RaidForums, several of the websites had lost data or been hacked before, which probably explains how they got hacked this time. Most of the 9548 breached sites, however, did not hold much data or were practically empty.
Apparently, the breach was the result of vulnerabilities in multiple servers. According to KevinSecTeam, the hackers used a tool called ‘Priv8 web shell’ to access the vulnerable servers. A web shell such as Priv8 is malicious script code planted on a web server; once it is in place, the attacker can send it operating-system commands through ordinary web requests, bypassing the server's normal login and access controls. The attackers must have used the priv8 web shell to gain complete access to the panels of these websites: full access to the vulnerable servers, their databases, and their filesystems. Using priv8 scripts, cybercriminals can escalate privileges and maintain persistent access to vulnerable servers.
The attackers might have taken advantage of critical vulnerabilities in these servers, such as SQL injection (SQLi), unsecured FTP, unrestricted file uploads, remote file inclusion (RFI), etc., to upload the malicious priv8 scripts. Such vulnerabilities may have been present in the website code or in any themes used.
A priv8 web shell tends to have a remarkably strong set of features:
- Command-line console
- Password protection
- Brute force attacks against data servers or FTP
- PHP code execution
- Hunting for texts in files
- Server information disclosure
- Encoding and decoding text input
- Database administration
- File manager - uploading, viewing, deleting, editing, etc
Who’s/what is to blame and how to fix it?
Imagine buying a router with both the username and password set to ‘admin.’ Who is to blame if the router falls victim to a data breach? Well, the router maker could have shipped stronger credentials, but at the same time the user should have been more cautious about their security and changed the credentials. The number of cPanel logins among the leaked data points to a weak spot in the sites' security. The vulnerabilities that led to this breach may also have been due to failures by server administrators. Among other general ways of ensuring cPanel security, server admins should observe the measures below to prevent a priv8 web shell.
Preventing priv8 web shell
If the server admins of the 9548 breached sites had observed these measures, it is highly likely the breach would never have occurred:
- Disable all potentially dangerous PHP functions (if they are not used)
- Disable PHP execution in sensitive directories such as uploads and images
- Update your website core, themes and plugins regularly
- Never use plugins from unknown developers if you are using a CMS like Magento, Joomla, OpenCart, WordPress, etc.
- When allowing uploads to the server, permit only whitelisted file types (check both the MIME type and the extension)
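The last measure above is the one most often implemented incorrectly, so here is an added example of what a whitelist check should actually do. It is not code from the article or from cPanel; the type table, MIME names, magic bytes and the sample uploads are all constructed for this illustration. The point it demonstrates is that extension, declared MIME type and file content are checked against each other, so a script renamed to `.jpg`, a double-extension name, or a valid image with code appended are all rejected, not just a bare `.php` file.

```python
import re
from pathlib import PurePosixPath

# Hypothetical whitelist of upload types: extension -> (expected MIME, magic byte prefixes).
# Constructed for this example; a real deployment tunes it to what the site actually needs.
ALLOWED_TYPES = {
    "jpg":  ("image/jpeg",      (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg",      (b"\xff\xd8\xff",)),
    "png":  ("image/png",       (b"\x89PNG\r\n\x1a\n",)),
    "gif":  ("image/gif",       (b"GIF87a", b"GIF89a")),
    "pdf":  ("application/pdf", (b"%PDF-",)),
}

# Byte markers that never belong inside an image or document upload; finding one
# means the file is carrying server-side script code behind an innocent extension.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script|<%", re.IGNORECASE)


def check_upload(filename, data, declared_mime):
    """Validate an upload; returns (accepted, reason).

    Rejects on any of: directory components or more than one extension in the
    name, extension not whitelisted, declared MIME not matching the extension,
    leading bytes not matching the type's magic number, embedded script markers.
    """
    name = PurePosixPath(filename).name          # drop any path component ("../x.jpg")
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be <name>.<ext> with exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not whitelisted"
    expected_mime, magics = ALLOWED_TYPES[ext]
    if declared_mime.lower() != expected_mime:
        return False, f"declared MIME {declared_mime!r} does not match .{ext}"
    if not any(data.startswith(m) for m in magics):
        return False, f"content does not start with the magic bytes of a .{ext} file"
    if SCRIPT_MARKERS.search(data):
        return False, "content contains server-side script markers"
    return True, "accepted"


# Constructed sample inputs: a minimal JPEG header and a harmless stand-in for script code.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
FAKE_SHELL = b"<?php /* constructed stand-in for web shell code */ ?>"

SAMPLE_UPLOADS = [
    ("photo.jpg",     JPEG_SAMPLE,               "image/jpeg"),         # legitimate image
    ("shell.php",     FAKE_SHELL,                "image/jpeg"),         # extension not whitelisted
    ("shell.php.jpg", FAKE_SHELL,                "image/jpeg"),         # double extension
    ("shell.jpg",     FAKE_SHELL,                "image/jpeg"),         # script bytes behind a .jpg name
    ("poly.jpg",      JPEG_SAMPLE + FAKE_SHELL,  "image/jpeg"),         # valid header, code appended
    ("paper.jpg",     JPEG_SAMPLE,               "application/x-php"),  # declared MIME mismatch
]


def run_samples():
    """Return [(filename, accepted, reason)] for the constructed samples."""
    return [(name,) + check_upload(name, data, mime) for name, data, mime in SAMPLE_UPLOADS]


if __name__ == "__main__":
    for name, ok, reason in run_samples():
        print(f"{name:15} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Even with this check in place, the directory the files land in should still have PHP execution disabled (the second measure in the list), because a validator is one layer and a polyglot that passes a stricter parser than this one is always possible.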
Improving your cPanel server security from personal data leakage
Server security is a multifaceted and complicated subject that can take a long time to master fully. Even the most experienced web security experts must remain vigilant to prevent attacks from the bad guys. Following this breach, cPanel users will definitely need to look into their security settings, and server admins should observe the following tips to improve cPanel server security:
Secure SSH - use the following steps to secure SSH:
- Change the SSH port
- Disable root login
- Disable SSH v1 (protocol version 1)
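A quick way to check whether the three SSH settings above are in place is to parse `sshd_config` and flag the weak values. The auditor below is an added example, not from the article or from cPanel; the two configuration files are constructed samples, and the defaults it assumes for absent keywords are the usual OpenSSH ones. It also shows two parsing details a practitioner needs to get right: sshd honours the first occurrence of a keyword, not the last, and keywords may be separated from values by spaces or by `=`. `Match` blocks are not handled, which is a deliberate limitation of this example.

```python
import re

# Constructed sample sshd_config files (not taken from any real server).
WEAK_SSHD_CONFIG = """\
# sshd_config as found on many unhardened hosts
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
"""

# Values OpenSSH applies when the keyword is absent (assumed defaults for this example).
DEFAULTS = {"port": "22", "protocol": "2", "permitrootlogin": "prohibit-password"}


def parse_sshd_config(text):
    """Parse sshd_config text into {keyword_lowercase: value}.

    sshd uses the *first* occurrence of a keyword, so later duplicates are ignored.
    Keywords are case-insensitive; 'Key value' and 'Key=value' are both accepted.
    Match blocks are not interpreted here (a limitation of this example).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue                              # keyword with no value: ignore
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)           # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return a list of findings for the three SSH measures listed in the article."""
    cfg = parse_sshd_config(text)

    def setting(key):
        return cfg.get(key, DEFAULTS[key])

    findings = []
    if setting("port") == "22":
        findings.append("SSH listens on the default port 22")
    if setting("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root can log in directly over SSH")
    if "1" in setting("protocol").split(","):
        findings.append("Protocol 1 (SSHv1) is enabled")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{label}: {audit_sshd_config(text) or ['no findings']}")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; an empty result for a config that only sets `Port 2222` still means root login falls back to the `prohibit-password` default, which the article's second step would tighten to `no`.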
Define secure passwords - weak passwords are a major cause of security lapses. You can use the cPanel password generator for suggestions.
Have anti-rootkit, firewall, and anti-virus protection in place. Don't just sit there and hope viruses or hackers won't get into your cPanel installation.
Update cPanel regularly to benefit from all of the security enhancements and bug fixes.
Enable brute force protection
Disable anonymous FTP - leaving anonymous FTP open is risky because it can allow hackers to upload content that will enable them to gain access to the server.
Check hosted websites regularly - a domain name that has been identified as a possible threat by tools such as Google Safe Browsing can affect the security of your server.
As long as there are people using unsecured systems and default passwords, you can be sure crooks will continue exploiting the available vulnerabilities, resulting in the leakage of data.