Page 48 of 61 FirstFirst ... 384546474849505158 ... LastLast
Results 1,176 to 1,200 of 1523
  1. #1176
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,262
    Quote Originally Posted by TravisT-[SSS] View Post
    Finally some big guys are noticing this.
    They have server details too.
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.

  2. #1177
    Join Date
    Apr 2012
    Location
    United Kingdom
    Posts
    39
    Edit: nevermind, my bad.

  3. #1178
    Join Date
    Aug 2003
    Posts
    2,067
    I am not sure if I follow this correctly. He mentioned at the beginning of the article that it hooks into md5 init, update and final, but then at the end he suggests the MD5 checksums are important. How can MD5 checksums calculated on the system (to verify against the original installation) be trusted, if the MD5 functions are compromised?
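    The question above is the right one: a checksum produced by the host's own hooked MD5 routines proves nothing. One way to sidestep a hook in the system crypto library is to compute the digest with an implementation that never calls into it. The following pure-Python MD5 is an added example written for this thread, not code from the article or from any poster; it assumes you have a known-good checksum obtained off the host (distro package metadata or a clean install) to compare against, and it only removes the dependency on libcrypto, not on the interpreter, the C library or the kernel, so the authoritative check is still one run from trusted boot media.

```python
import math
import struct

# Round constants K[i] = floor(2^32 * |sin(i + 1)|), as specified in RFC 1321.
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
# Per-round left-rotate amounts.
_S = ([7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 +
      [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4)
_MASK = 0xFFFFFFFF


def _rotl(x, c):
    """32-bit left rotate."""
    return ((x << c) | (x >> (32 - c))) & _MASK


def md5_independent(data: bytes) -> str:
    """MD5 of `data`, computed in pure Python without calling libcrypto or hashlib.

    This is the RFC 1321 algorithm written out in full; it shares no code with the
    md5_init/md5_update/md5_final functions the rootkit is said to hook.
    """
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    # Padding: a single 0x80 byte, zeros up to 56 mod 64, then the bit length as LE u64.
    msg = bytearray(data)
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    for off in range(0, len(msg), 64):
        m = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:
                f, g = (b & c) | (~b & d), i
            elif i < 32:
                f, g = (d & b) | (~d & c), (5 * i + 1) % 16
            elif i < 48:
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:
                f, g = c ^ (b | ~d), (7 * i) % 16
            # Python ints are unbounded, so mask after every addition to stay in 32 bits.
            f = (f + a + _K[i] + m[g]) & _MASK
            a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & _MASK
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)

    return struct.pack("<4I", a0, b0, c0, d0).hex()


def matches_known_good(data: bytes, expected_hex: str) -> bool:
    """Compare file contents against a checksum obtained from a trusted source off-host."""
    return md5_independent(data) == expected_hex.lower()


if __name__ == "__main__":
    # RFC 1321 test vectors: the implementation must agree with these before it is trusted.
    print(md5_independent(b""))     # d41d8cd98f00b204e9800998ecf8427e
    print(md5_independent(b"abc"))  # 900150983cd24fb0d6963f7d28e17f72
```

    Read the binary to be checked with plain file I/O and pass the bytes to matches_known_good together with the vendor's published checksum. Note that the hook the article describes sits in the crypto library used by sshd and ssh; a checksum tool that links the same library (md5sum from a trojaned coreutils, or anything else on the host) inherits the problem, which is exactly why the comparison value must come from somewhere the compromised host never touched.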

  4. #1179
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,262
    Ok.

    We have all been so worried about the sshd aspect of this.
    But we forgot to take a look at 'ssh'.. this little lonely binary used to initiate ssh connections with other servers.

    Well...

    You go and login to another server using an infected machine (which you may not know is infected).

    Guess what happens, our well known friend here:

    5297 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("72.156.139.154")}, 16) = 0
    shows up again, sending your other servers login details out.

    So really all you need is 1 compromised server to have multiple.. if you use your server to log in to other servers.

    They are in memory too.

    ---

    With that said.. change all passwords to your servers even if they are not 'infected' if you may have used an infected machine to login to another server.
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.
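    The strace line quoted in the post above is the whole detection in miniature: an ssh client process opening a connection to port 53 on a host that is not the local resolver. The script below is an added example for this thread, not code from Steven or from any tool mentioned here; it parses strace output for AF_INET connect() calls and flags port-53 peers that are not in the configured resolver list. The 72.156.139.154 address is the one quoted in the post; every other line in the sample trace is constructed, and the resolver set would normally be read from /etc/resolv.conf.

```python
import re
from typing import Iterable, List, Tuple

# Matches an AF_INET connect() line from strace, with the optional pid prefix that
# strace prints when following processes (-f) or attaching to one (-p).
CONNECT_RE = re.compile(
    r'^(?:(?P<pid>\d+)\s+)?connect\(\d+,\s*\{sa_family=AF_INET,\s*'
    r'sin_port=htons\((?P<port>\d+)\),\s*sin_addr=inet_addr\("(?P<ip>[\d.]+)"\)\},'
    r'\s*\d+\)\s*=\s*(?P<ret>-?\d+)'
)

# Constructed sample: an ssh client session traced with `strace -f`. The fourth line
# reproduces the connect() quoted in the post; the other peers are made up (RFC 5737 range).
SAMPLE_TRACE = [
    '5297 socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3',
    '5297 connect(3, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("203.0.113.10")}, 16) = 0',
    '5297 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 16) = 0',
    '5297 connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("72.156.139.154")}, 16) = 0',
    '5297 write(3, "SSH-2.0-OpenSSH_5.3\\r\\n", 21) = 21',
]

# Resolvers the host is configured to use (assumed here; normally parsed from /etc/resolv.conf).
CONFIGURED_RESOLVERS = {'127.0.0.1'}


def parse_connects(lines: Iterable[str]) -> List[Tuple[str, str, int, int]]:
    """Extract (pid, ip, port, return value) from every AF_INET connect() line."""
    found = []
    for line in lines:
        m = CONNECT_RE.match(line.strip())
        if m:
            found.append((m.group('pid') or '-', m.group('ip'),
                          int(m.group('port')), int(m.group('ret'))))
    return found


def unexpected_dns_peers(lines: Iterable[str], resolvers) -> List[Tuple[str, str]]:
    """connect() calls to port 53 whose peer is not a configured resolver.

    An ssh client has no reason to talk DNS to anything but the local resolver,
    so a port-53 connection to an arbitrary host is the exfiltration pattern the
    thread describes and is worth an alert on its own.
    """
    allowed = set(resolvers)
    return [(pid, ip) for pid, ip, port, _ in parse_connects(lines)
            if port == 53 and ip not in allowed]


if __name__ == '__main__':
    for pid, ip in unexpected_dns_peers(SAMPLE_TRACE, CONFIGURED_RESOLVERS):
        print(f'pid {pid}: connect() to {ip}:53 is not a configured resolver')
```

    Because the hook lives in a userland library loaded into the ssh process, the syscalls it makes are still visible to ptrace-based tracing, which is why the post could catch it with strace at all; the same check can be run over a saved trace from a workstation before deciding whether the credentials typed from it need rotating. Pipe the output of strace -f -e trace=connect into parse_connects to run it on a live session.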

  5. #1180
    Join Date
    Aug 2004
    Posts
    136
    That's why I was asking if the ssh binary was found modified, because I saw it being patched as part of the hacker's bash history

  6. #1181
    Join Date
    Nov 2012
    Posts
    77
    Just received this from cPanel:

    You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with "sudo" or "su" for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

    As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel's security team is continuing to investigate the nature of this security issue.

  7. #1182
    Join Date
    Jul 2006
    Location
    Australia
    Posts
    2,730
    I just received this from cPanel
    (the email looked legit)

    Salutations,

    You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with "sudo" or "su" for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

    As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel's security team is continuing to investigate the nature of this security issue.



    --cPanel Security Team
    EDIT: Beaten.
    cPanel, CloudLinux, Softaculous ℵ Off Site Backups, Redundant DNS

  8. #1183
    Join Date
    Nov 2010
    Location
    Saskatchewan yep Canada
    Posts
    36

    So what does this all mean?

    I received it as well.
    Is cPanel going to help us all fix this now??
    Many of us have said it may be them, many times.


    Quote Originally Posted by brianemwd View Post
    Just received this from cPanel:
    Last edited by weredigital; 02-21-2013 at 08:53 PM. Reason: error

  9. #1184
    Join Date
    Nov 2012
    Posts
    77
    Quote Originally Posted by ThreadHo View Post
    Is cPanel going to help us all fix this now??
    Yeah I am pretty pissed off right now.

  10. #1185
    Join Date
    Sep 2004
    Location
    Aveiro - PORTUGAL
    Posts
    68
    And about servers without cpanel being exploited?

    Maybe using the same passwords as the cPanel servers, with the password saved in the cPanel ticket system?
    Alvaro

  11. #1186
    Join Date
    Feb 2013
    Posts
    97
    Quote Originally Posted by brianemwd View Post
    Just received this from cPanel:
    They neglected to tell the recipients that if they are using keys, they should delete the private key from the server straight after they have downloaded it! Ugh!!

  12. #1187
    Join Date
    Nov 2012
    Posts
    77
    Quote Originally Posted by mindnetcombr View Post
    And about servers without cpanel being exploited?

    Maybe using the same passwords as the cPanel servers, with the password saved in the cPanel ticket system?
    This is clearly a workstation exploit which means cPanel are not the only ones affected. No one knows how deep this rabbit hole is yet.

  13. #1188
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,262
    Quote Originally Posted by Zadmin View Post
    That's why I was asking if the ssh binary was found modified, because I saw it being patched as part of the hacker's bash history

    It's being done via the library.
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.

  14. #1189
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,262
    Quote Originally Posted by brianemwd View Post
    This is clearly a workstation exploit which means cPanel are not the only ones affected. No one knows how deep this rabbit hole is yet.
    Likely still a workstation issue.
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.

  15. #1190
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,262
    Want to say again -- if you logged into another server from your INFECTED machine.. You NEED to reset the password again.
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.

  16. #1191
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,873
    Quote Originally Posted by Steven View Post
    Likely still a workstation issue.
    You mean it's not PHP, cURL, lixproxy or HTML5 + CSS that led to the exploit?! Well I'll be damned. For a while there, I was doubting myself based on all the random crap being thrown around in this thread by people who would probably be lost using Linux without a control panel.

  17. #1192
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    827
    OK, so the cPanel servers compromise appears to be one of the possible ways of infection, but not the only one.

    The other methods mentioned in this topic (workstations infection etc.) are still valid, since there are servers infected without running cPanel, but Plesk, DirectAdmin or no control panel at all.
    Network Panda :: Shared Web Hosting SSD Powered - SSD VPS
    Instant activation, SSD disks, cPanel, FFMPEG, Softaculous/Installatron
    Fast servers in USA, Canada, UK, Germany, Netherlands, France

  18. #1193
    Join Date
    Feb 2013
    Posts
    97
    ISC Diary: The main activity of the rootkit consists in collection of credentials of authenticated users. Notice that the rootkit can steal username and password pairs as well as RSA and DSA private keys, so no matter which authentication mechanism you use, if the target host is infected it will successfully steal your information.
    It can't steal private keys that are not there, but perhaps they could be stolen upon creation. Best to create the keys locally using PuTTYgen and upload the public key, perhaps.

  19. #1194
    Join Date
    Nov 2012
    Posts
    77
    Quote Originally Posted by brianemwd View Post
    This is clearly a workstation exploit which means cPanel are not the only ones affected. No one knows how deep this rabbit hole is yet.
    I mean cPanel the company, not cPanel servers.

  20. #1195
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,603
    Quote Originally Posted by Steven View Post
    It existed for ftp passwords, plz explain why ssh is impossible.
    It's occurred to me to wonder whether anyone is saving root WHM passwords in their browsers? Has anyone checked into that?

    The way these things work is they grab the passwords from saved files/registry entries. Of course, keylogging might also yield them fruit, but it's a slower process. We've experienced hackers grabbing saved passwords from customers for years now - at least 3 or 4.

  21. #1196
    As an FYI, I had also opened a cPanel ticket regarding an issue a few days prior to CSF letting me know the box may be exploited - though I've not received a similar notification from cPanel.

    cPanel staff also logged into the server in reference to that ticket.
    Last edited by ttoh; 02-21-2013 at 09:29 PM.

  22. #1197
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,262
    Quote Originally Posted by mindnetcombr View Post
    And about servers without cpanel being exploited?

    Maybe using the same passwords as the cPanel servers, with the password saved in the cPanel ticket system?
    http://www.webhostingtalk.com/showpo...postcount=1185
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.

  23. #1198
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,262
    Quote Originally Posted by NetworkPanda View Post
    OK, so the cPanel servers compromise appears to be one of the possible ways of infection, but not the only one.

    The other methods mentioned in this topic (workstations infection etc.) are still valid, since there are servers infected without running cPanel, but Plesk, DirectAdmin or no control panel at all.
    Eric had Plesk and DirectAdmin servers compromised.. but he likely logged into them from a compromised server.

    'ssh' was sending out the password info.
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.

  24. #1199
    Join Date
    Dec 2004
    Location
    Netherlands
    Posts
    352
    It seems a bit premature and baseless to accuse cPanel of being the root of all problems.
    DedicatedBox Dedicated Servers
    http://www.dedicatedbox.us

    Powered by CoreISP.net Corporation

  25. #1200
    Quote Originally Posted by DedicatedBox View Post
    It seems a bit premature and baseless to accuse cPanel of being the root of all problems.
    I tend to agree - but, all possibilities need to be looked at in trying to determine possible infection vectors.

