update_cpanelv2 and similar commands in script
I have seen a script (installed on the web server of a web hoster, owned by root) using some of these update commands (update_cpanelv21, update_cloudv2, update_lswsv2, ...), all with --Uninstall, followed by rm -rf of these commands and some related files, killall, and finally the script deletes itself.
Searching for these update commands on Google, I can only find very questionable sites.
What are the chances that this is a 100% legitimate way of doing things (and unrelated to what you find on Google when searching for these commands)?
Comments
They are not, here is an example:
https://infosecwriteups.com/shared-license-or-crack-access-to-1000-servers-2c4d97b9b22b
wWw.AlbaHost.Net .AL domains, Dedicated Servers, VPS/VDS and Hosting Services. Geo located in Albania.
/usr/local/cpanel/scripts/upcp is the real way to update whm/cpanel
If anything, it's a script used by a license "crack" to clean cpane/whm licenses so they can be refreshed.
Here is a raw pastebin of it: https://pastebin.com/raw/KKhqZDGK
Is it possible to capture/share the executables?
youtube.com/watch?v=k1BneeJTDcU
All of my VMs: https://nodecheck.net/s/otusibrc/
I have captured the script (it contains a slightly different version of the "csp" section in VinnyReo's pastebin).
I don't see any of the binaries named in that script, but maybe that's because my account is containerized.
Anyway, just found that most of these components actually have publicly available licence checks where you can check the licence status for a specific IP address. The results I am seeing from these are not consistent with what I am seeing in the web UI (e.g. licence check only shows "free", "trial" or no licence, when clearly the full version is being made available to the end user).