  1. #1441
    Quote Originally Posted by luigidelgado View Post
    I see no other choice than to point them... Or why did they change their support system so drastically? It's not a matter of proof, it's a matter of probability.

    I think the true story will never go out.
    Servers not running cpanel were reportedly hacked as well.

    Half of the story is out already, I think the rest will get out eventually.

  2. #1442
    cPanel had access to all the servers of mine which got hit. Every single one had a ticket with cPanel support recently opened for it.

    Is the only way to sort the issue to reinstall the server still?

    Or has anyone been working on something to circumvent the need to do this?

  3. #1443
    Quote Originally Posted by Cryostasis View Post
    cPanel had access to all the servers of mine which got hit. Every single one had a ticket with cPanel support recently opened for it.

    Is the only way to sort the issue to reinstall the server still?

    Or has anyone been working on something to circumvent the need to do this?
    Let me try to answer this in a philosophical way....

    The problem with this hack is that the hacker becomes the root user. As root, you're GOD. And just like GOD, you can remake the world (server) in your image.

    Despite how advanced science is, even as far as we are today we do not know everything in the universe. And it is ever so likely that no matter how long we live, no matter how far we grow, and how much we learn over time... We'll never know everything.

    In other words.... There is no way for you to know everything "God" has done, is doing, or will do to your "world" (server).

    LMAO .... This from an atheist.

    Sorry.... I had to poke fun at this. It's been asked so many times..... The answer is, NO. You must format and restore your sites, because there is no way of knowing what else could be there. We could cure X tomorrow and discover W, Y, Z, 1, 2, 3 ...etc... was also added.


  4. #1444

    Quote Originally Posted by TheVisitors View Post
    Sorry.... I had to poke fun at this. It's been asked so many times..... The answer is, NO. You must format and restore your sites, because there is no way of knowing what else could be there. We could cure X tomorrow and discover W, Y, Z, 1, 2, 3 ...etc... was also added.
    Brilliant answer! Made me laugh! Yeah I suspected as much -- just wanted to double check nothing had changed in the last couple of weeks before going into this.

    Thanks :-)

  5. #1445
    Quote Originally Posted by spendergrsec View Post
    Hi guys,

    I was busy for a bit (dinner, etc). Looking further into the backdoor, it's doing GOT modifications of the sshd it gets loaded into in order to hijack certain functions. For instance, it hooks:
    syslog
    __syslog_chk
    write
    audit_log_user_message
    audit_log_acct_message

    Presumably in response to receiving a specific password/username, for the one backdoor this is "XXXdYZulavB", it will temporarily disable logging via syslog, __syslog_chk, audit_log_user_message, and audit_log_acct_message. The write() hook will also prevent logging via stderr.

    The two I looked at were sending login credentials to UDP port 53 on 78.47.139.110. I need to investigate further to see what exactly that includes, but it's clearly at least sending the login name/UID, and hostname connected to.

    The attacker has three commands available: Xver, Xcat, and Xbnd. Xver displays the backdoor version, Xbnd causes the connect() hook in the backdoor to bind to a specific address before performing the connect. The Xcat command involves the shared memory in some way.

    Of interesting note is that the backdoor would crash as-is with the PAX_MPROTECT feature in grsecurity enabled. If the system wasn't enforcing PaX flags with RBAC, they could just disable the feature on sshd, however. For code hooking in several locations, the region involved has its protections changed to read/write/execute -- something disallowed on a grsecurity kernel and optionally logged. The write following the RWX mprotect would fail, causing a crash of sshd.

    If anyone has a 32bit version of the backdoor they could mail me, it would speed up analysis a bit as I'm doing it all statically.

    -Brad
    Brad, how did you find they were using XOR 81h encoding?
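
The RWX protection change Brad describes gives a defender something concrete to look for. This added example (not from the thread or from any poster) scans /proc/<pid>/maps for rwxp mappings in sshd; the sample maps files it runs on are constructed so it works without a live host:

```shell
# Added example (not from the thread): look for read/write/execute mappings in
# sshd. The backdoor described above flips a region of sshd to RWX with
# mprotect() before patching it; a clean sshd has no rwxp mapping, so any such
# line in /proc/<pid>/maps is worth an analyst's attention. On a grsecurity
# kernel with PAX_MPROTECT the mprotect() itself is refused (and can be logged).

# Count rwxp mappings in a maps file given as $1 (format of /proc/<pid>/maps).
count_rwx_maps() {
    awk '$2 ~ /^rwx/ { n++ } END { print n + 0 }' "$1"
}

# Print the rwxp lines so the affected region and its backing file are visible.
list_rwx_maps() {
    awk '$2 ~ /^rwx/ { print }' "$1"
}

# Scan every running sshd (reading other users' maps files needs root).
scan_live_sshd() {
    for pid in $(pgrep -x sshd 2>/dev/null); do
        n=$(count_rwx_maps "/proc/$pid/maps")
        if [ "$n" -gt 0 ]; then
            echo "sshd pid $pid: $n rwxp mapping(s)"
            list_rwx_maps "/proc/$pid/maps"
        fi
    done
}

# Constructed sample: a maps file for a patched sshd whose data/GOT region has
# been made rwxp. Addresses, inodes and library names are made up for the demo.
SAMPLE_HOOKED=$(mktemp)
cat > "$SAMPLE_HOOKED" <<'EOF'
00400000-004a5000 r-xp 00000000 08:01 131073 /usr/sbin/sshd
006a4000-006a8000 rwxp 000a4000 08:01 131073 /usr/sbin/sshd
7f3c5d000000-7f3c5d1b5000 r-xp 00000000 08:01 262144 /lib64/libc-2.12.so
7f3c5d3b9000-7f3c5d3be000 rw-p 001b4000 08:01 262144 /lib64/libc-2.12.so
EOF

# Constructed sample: the same layout with the normal rw-p protection.
SAMPLE_CLEAN=$(mktemp)
sed 's/ rwxp / rw-p /' "$SAMPLE_HOOKED" > "$SAMPLE_CLEAN"

echo "hooked sample: $(count_rwx_maps "$SAMPLE_HOOKED") rwxp mapping(s)"
echo "clean sample:  $(count_rwx_maps "$SAMPLE_CLEAN") rwxp mapping(s)"
```

Run scan_live_sshd as root on a real host; an empty result is only one data point, since the hook could be placed before protections are restored or the kernel may simply allow RWX.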

  6. #1446
    Hi,

    cPanel, at first, was saying this was not related to their software... ...this was correct.

    ...this was related to the fact that one of their support techs had a trojan on his computer.

    We got 2 servers infected by this trojan, right after we opened a ticket.

    We submitted another ticket to cPanel, wondering what this new libkey file was, and 2 days later they sent an email to all their customers saying that for the last 4 months, everyone who had requested support and been helped by certain specific agents was infected by this trojan.

    See this for more info: http://cpanel.net/cpanel-inc-announc...-enhancements/

    ...all you need (and can) do in regards to this is transfer all your files to a new server, and change all your passwords.

    We did this and no longer have any problem.

  7. #1447
    Just think twice before you provide SSH access to someone else on your server, and you will avoid such problems.

    ...we no longer outsource support since that time, and request email only support.

  8. #1448
    cPanel were working on a ticket and they (and I) were surprised one of the servers was brute forcing the DNS Only server (and locking itself out).

    This was back in October/November!!

    Seems it has been rolling around for a very long time.

    In addition to not giving root passwords to vendors over the internet *doh*, and aside from SSH keys, different SSH ports, CSF+LFD, is there anything else that can reduce attack surface and reduce chances of being rooted again?

  9. #1449
    Quote Originally Posted by o-dog View Post
    In addition to not giving root passwords to vendors over the internet *doh*, and aside from SSH keys, different SSH ports, CSF+LFD, is there anything else that can reduce attack surface and reduce chances of being rooted again?
    Review your firewall rules closely. Only allow incoming traffic on your firewall to ports that you need to have open to the public. Restrict connections to your SSH port to only authorized source IPs.
    Tranquil Hosting
    Managed Hosting | Dallas, TX | Raleigh, NC Co-location

  10. #1450
    So, long story short: there is no real solution whatsoever for this problem? We don't know how it got there, we don't know how to get rid of it *efficiently*, and worst of all, even if we opt for an OS reload, we may get reinfected! That's like the "killed with a spoon" video.

    The funny part is that when you contact cPanel, they say they can't do anything on your server as it's compromised, yet when we follow their "check your server" thing, the server doesn't appear to be compromised whatsoever. Although cPanel may be the ultimate cause for this injection in the first place. It's like getting food poisoning in a restaurant, and when you go back to the same restaurant, they won't serve food to you because you are already *infected*.

    CloudLinux was kind enough to have a closer look themselves at this, and they figured out that the server is not compromised.

    Today the hackers are sending out spam from the servers, what if they decide to do something else with it!

    Hamza
    http://www.Genious.net/ - Beyond Perpections
    1st ICANN Accredited Registrar in North Africa - Shared, Cloud and Dedicated Hosting.
    Email : Sales@Genious.net

  11. #1451
    Hamza, the general consensus among the experts of this forum is that it was most likely a localized PC infection that resulted in the compromises. That's how cPanel was infected. There is no reason to suspect a zero day exploit in any of the services right now.

    If someone has a server that was 100% for sure compromised, the best advice would be to reinstall all workstations that access the server, reinstall the server and make sure Java is disabled, as that is the most likely culprit that was exploited. Some people in this thread initially said that was a stupid theory about localized PC infections, and when they finally did a virus scan of their PC they found some stuff related to backdoors known for stealing credentials and setting up VNC-like backdoors.

    A few other suggestions would be to disable password authentication and restrict SSH to certain IP ranges, if possible.
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Free Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.
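
The SSH advice in this reply and in the earlier firewall reply can be checked mechanically. This added example (not from the thread or from any poster) audits an sshd_config for key-only login and a disabled password fallback; the sample config files and their paths are constructed for the demonstration:

```shell
# Added example (not from the thread): audit an sshd_config for the settings
# recommended above, key-only logins with password authentication off.
# ChallengeResponseAuthentication is checked as well, since keyboard-interactive
# login is a second path a stolen password can use. Sample configs are constructed.

# Effective global value of a keyword: sshd uses the first occurrence, and
# lines after a Match block belong to that block, not to the global scope.
ssh_opt() {   # $1 = config file, $2 = keyword, $3 = default when unset
    val=$(awk -v k="$2" 'tolower($1) == "match" { exit }
                         tolower($1) == tolower(k) { print $2; exit }' "$1")
    echo "${val:-$3}"
}

# Print one line per weak setting found in the config file given as $1.
audit_sshd_config() {
    cfg=$1
    [ "$(ssh_opt "$cfg" PasswordAuthentication yes)" = "no" ] ||
        echo "$cfg: PasswordAuthentication is not 'no' (allow keys only)"
    [ "$(ssh_opt "$cfg" ChallengeResponseAuthentication yes)" = "no" ] ||
        echo "$cfg: ChallengeResponseAuthentication is not 'no' (password fallback)"
    [ "$(ssh_opt "$cfg" PubkeyAuthentication yes)" = "yes" ] ||
        echo "$cfg: PubkeyAuthentication is not 'yes' (keys would not work)"
}

# Number of findings, usable from cron: 0 means the file passes.
count_sshd_findings() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Constructed weak config: the password setting exists only as a comment, so the
# default (yes) applies, and keyboard-interactive stays enabled.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
#PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
EOF

# Constructed hardened config: the Match block re-enables passwords for one
# trusted range only and must not be read as the global value.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 203.0.113.0/24
    PasswordAuthentication yes
EOF

audit_sshd_config "$WEAK_CFG"   # lists the two findings in the weak sample
```

Restricting the SSH port to authorized source addresses, as the earlier reply suggests, is done in the firewall rather than in sshd_config and is not covered by this check.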

  12. #1452
    Right now CentOS 5 and CentOS 6, both 32 and 64 bit, are affected.. I'm under attack from this fujing rootkit..

    Debian 6 is secure from this rootkit..

    Once I install CentOS my password gets hacked within approx. 3 minutes..

  13. #1453
    Quote Originally Posted by simmer14 View Post
    Right now CentOS 5 and CentOS 6, both 32 and 64 bit, are affected.. I'm under attack from this fujing rootkit..

    Debian 6 is secure from this rootkit..

    Once I install CentOS my password gets hacked within approx. 3 minutes..
    Are you using the same password for every install?
    What OS is your workstation?
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.

  14. #1454
    Quote Originally Posted by Steven View Post
    Are you using the same password for every install?
    What os is your workstation?
    I use very complex alphanumeric passwords.. different on every install..

    CentOS 6 and 5, 64-bit

    Debian 6 is absolutely fine.. not even a single attempt at a failed login.. as I mentioned in my other thread, these attacks are automated and are working on a server.. and the attack comes from different machines and hosts... I even saw failed attempts from a Kimsufi.. I guess once your box or slice is rooted it is used to attack others to root them.. right now the way to survive is Debian 6 for me..

  15. #1455
    Quote Originally Posted by simmer14 View Post
    I use very complex alphanumeric passwords.. different on every install..

    CentOS 6 and 5, 64-bit

    Debian 6 is absolutely fine.. not even a single attempt at a failed login.. as I mentioned in my other thread, these attacks are automated and are working on a server.. and the attack comes from different machines and hosts... I even saw failed attempts from a Kimsufi.. I guess once your box or slice is rooted it is used to attack others to root them.. right now the way to survive is Debian 6 for me..
    In theory it's possible for remnants to remain resident in memory.
    Have you tried pulling the power completely to the machine prior to reload?
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.
