Best way to whitelist cpdavd?

Posted: 28 Sep 2015, 13:20
by sneader
I currently have the default cpdavd whitelist rule in place, but it's not working:
exe:/usr/local/cpanel/cpdavd
Here is the alert I am receiving:
Executable:
/usr/local/cpanel/3rdparty/perl/514/bin/perl

Command Line (often faked in exploits):
cpdavd - authenticated as someuser
Can someone suggest the best way to whitelist this one?

Thanks in advance.

- Scott

Re: Best way to whitelist cpdavd?

Posted: 27 Jun 2016, 15:06
by GHN
I am also looking for a solution on this. Anyone have one?

Executable:
/usr/local/cpanel/3rdparty/perl/514/bin/perl

Command Line (often faked in exploits):
cpdavd - authenticated as someuser

Re: Best way to whitelist cpdavd?

Posted: 28 Jun 2016, 04:05
by Sergio
The "exe" that you have to whitelist is:
exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl

That is the one that the warning is telling you.

If you can post the next line that talks about the command line, then the one to whitelist will be:
cmd:{the part of what the log says}

Re: Best way to whitelist cpdavd?

Posted: 29 Jun 2016, 18:38
by GHN
Adding the line exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl to pignore had no effect.

Here is the message reported...

=============
Time: Wed Jun 29 11:40:31 2016 -0500
PID: 14471 (Parent PID:20720)
Account: myuser
Uptime: 62 seconds


Executable:

/usr/local/cpanel/3rdparty/perl/522/bin/perl


Command Line (often faked in exploits):

cpdavd - authenticated as myuser@myuser.com

Network connections by the process (if any):

tcp: 0.0.0.0:2077 -> 0.0.0.0:0
tcp: 0.0.0.0:2078 -> 0.0.0.0:0
tcp: 0.0.0.0:2079 -> 0.0.0.0:0
tcp: 0.0.0.0:2080 -> 0.0.0.0:0
tcp: 45.33.11.181:2078 -> 12.199.61.82:59701

Files open by the process (if any):

/dev/null
/usr/local/cpanel/logs/cpdavd_error_log
/usr/local/cpanel/logs/cpdavd_error_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/cpdavd_session_log
/usr/local/cpanel/logs/cpdavd_error_log
/usr/local/cpanel/logs/cpdavd_error_log
/usr/local/cpanel/logs/cpdavd_error_log

Re: Best way to whitelist cpdavd?

Posted: 29 Jun 2016, 19:20
by Sergio
GHN,
if you look at the exe that you wrote to pignore, it says:
/usr/local/cpanel/3rdparty/perl/514/bin/perl

But if you see the executable that the log has:
/usr/local/cpanel/3rdparty/perl/522/bin/perl

You should add the exact exe file.
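The thread turns on one point: an `exe:` rule in csf.pignore is an exact string match against the path LFD reports as "Executable", so a rule for the `perl/514` interpreter silently fails once the alert shows `perl/522`. The script below is an added example, not csf's code and not from anyone in the thread. It models the rule types as I understand them from the csf.pignore header (literal `exe:`/`cmd:`/`user:` compared exactly, and `pexe:`/`pcmd:`/`puser:` treated as Perl-style regexes); that modelling is an assumption, so check it against the comment block at the top of your own csf.pignore. The alert fields are constructed from the two alerts posted above. It also goes a step beyond the thread: a `pexe:` regex that covers any versioned cPanel perl path, and a `pcmd:` regex on the cpdavd command line, which is narrower than whitelisting the whole perl interpreter but relies on the field the alert itself warns is "often faked in exploits".

```python
import re

# Constructed LFD-style alert fields, copied from the two alerts in the thread.
ALERT_514 = {
    "exe": "/usr/local/cpanel/3rdparty/perl/514/bin/perl",
    "cmd": "cpdavd - authenticated as someuser",
    "user": "someuser",
}
ALERT_522 = {
    "exe": "/usr/local/cpanel/3rdparty/perl/522/bin/perl",
    "cmd": "cpdavd - authenticated as myuser@myuser.com",
    "user": "myuser",
}

LITERAL_KINDS = ("exe", "cmd", "user")     # exact string comparison (assumption)
REGEX_KINDS = ("pexe", "pcmd", "puser")    # Perl-style regex (assumption)


def parse_pignore(text):
    """Parse csf.pignore-style text into a list of (kind, value) rules.

    Blank lines and '#' comments are skipped; an unknown rule type raises,
    which is what you want to notice before LFD quietly ignores the line.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, sep, value = line.partition(":")
        kind = kind.strip().lower()
        if not sep or kind not in LITERAL_KINDS + REGEX_KINDS:
            raise ValueError(f"unrecognised pignore rule: {line!r}")
        rules.append((kind, value.strip()))
    return rules


def rule_matches(rule, alert):
    """True if one rule would suppress the given alert."""
    kind, value = rule
    if kind in REGEX_KINDS:
        field = alert[kind[1:]]               # pexe -> exe, pcmd -> cmd, puser -> user
        return re.search(value, field) is not None
    return alert[kind] == value               # literal rules: whole-string equality


def first_matching_rule(rules, alert):
    """Return the first rule that suppresses the alert, or None if it would still fire."""
    for rule in rules:
        if rule_matches(rule, alert):
            return rule
    return None


def explain(rules, alert):
    """Human-readable verdict, handy when checking a pignore edit before reloading csf."""
    hit = first_matching_rule(rules, alert)
    if hit is None:
        return f"ALERT WOULD FIRE: exe={alert['exe']} cmd={alert['cmd']!r}"
    return f"suppressed by {hit[0]}:{hit[1]}"


if __name__ == "__main__":
    # The rule GHN added: matches the old alert, not the one the box now sends.
    stale = parse_pignore("exe:/usr/local/cpanel/3rdparty/perl/514/bin/perl")
    print(explain(stale, ALERT_514))
    print(explain(stale, ALERT_522))

    # Two broader alternatives, both assumptions about pignore regex semantics:
    # any versioned cPanel perl, or any cpdavd login line regardless of user.
    broad = parse_pignore(
        "# versioned interpreter path\n"
        r"pexe:^/usr/local/cpanel/3rdparty/perl/\d+/bin/perl$" "\n"
        "# cpdavd login line, any user\n"
        "pcmd:^cpdavd - authenticated as "
    )
    print(explain(broad, ALERT_522))
```

Run it after editing csf.pignore to see which alert fields each rule actually covers; the literal `exe:` rule in the thread only ever matches the path byte for byte, which is why a perl upgrade from 514 to 522 reopened the alert.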

Re: Best way to whitelist cpdavd?

Posted: 01 Jul 2016, 14:20
by GHN
Ugh, silly me.. Thank you!