Best way to whitelist cpdavd?

Post Reply
sneader
Junior Member
Posts: 84
Joined: 22 Mar 2007, 05:38

Best way to whitelist cpdavd?

Post by sneader »

I currently have the default cpdavd whitelist rule in place, but it's not working:
exe:/usr/local/cpanel/cpdavd
Here is the alert I am receiving:
Executable:
/usr/local/cpanel/3rdparty/perl/514/bin/perl

Command Line (often faked in exploits):
cpdavd - authenticated as someuser
Can someone suggest the best way to whitelist this one?

Thanks in advance.

- Scott
GHN
Junior Member
Posts: 3
Joined: 27 Jun 2016, 15:03

Re: Best way to whitelist cpdavd?

Post by GHN »

I am also looking for a solution on this. Anyone have one?

Executable:
/usr/local/cpanel/3rdparty/perl/514/bin/perl

Command Line (often faked in exploits):
cpdavd - authenticated as someuser
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: Best way to whitelist cpdavd?

Post by Sergio »

The "exe" that you have to white list is:
exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl

That is the one that the warning is telling you.

If you can post the next line that talks about the command line, then the one to whitelist will be:
cmd:{the part of what the log says}
GHN
Junior Member
Posts: 3
Joined: 27 Jun 2016, 15:03

Re: Best way to whitelist cpdavd?

Post by GHN »

Adding the line exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl to pignore had no effect.

Here is the message reported...

=============
Time: Wed Jun 29 11:40:31 2016 -0500
PID: 14471 (Parent PID:20720)
Account: myuser
Uptime: 62 seconds


Executable:

/usr/local/cpanel/3rdparty/perl/522/bin/perl


Command Line (often faked in exploits):

cpdavd - authenticated as myuser@myuser.com

Network connections by the process (if any):

tcp: 0.0.0.0:2077 -> 0.0.0.0:0
tcp: 0.0.0.0:2078 -> 0.0.0.0:0
tcp: 0.0.0.0:2079 -> 0.0.0.0:0
tcp: 0.0.0.0:2080 -> 0.0.0.0:0
tcp: 45.33.11.181:2078 -> 12.199.61.82:59701

Files open by the process (if any):

/dev/null
/usr/local/cpanel/logs/cpdavd_error_log
/usr/local/cpanel/logs/cpdavd_error_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/cpdavd_session_log
/usr/local/cpanel/logs/cpdavd_error_log
/usr/local/cpanel/logs/cpdavd_error_log
/usr/local/cpanel/logs/cpdavd_error_log
Sergio
Junior Member
Posts: 1715
Joined: 12 Dec 2006, 14:56

Re: Best way to whitelist cpdavd?

Post by Sergio »

GHN,
if you see the exe that you wrote to the pignore says:
/usr/local/cpanel/3rdparty/perl/514/bin/perl

But if you see the executable that the log has:
/usr/local/cpanel/3rdparty/perl/522/bin/perl

You should add the exact exe file.
GHN
Junior Member
Posts: 3
Joined: 27 Jun 2016, 15:03

Re: Best way to whitelist cpdavd?

Post by GHN »

Ugh, silly me.. Thank you!
Post Reply