  1. #1
    Join Date
    Apr 2006
    Location
    Dallas, Texas USA
    Posts
    71

    cPanel Exploit

    Just a heads up.. looks like there's a root exploit out for cPanel servers. cPanel has been informed. Admin companies + anyone else interested, please contact me for info on how to at least stop it until there's a proper "fix" provided by cPanel.

    I'm worried about posting the specifics on a public forum until there's an official patch/fix out.

    Very serious: Gives attackers full root access, will not show up in rootkit checks. Many of your machines may already be affected.
    - Comprehensive Server Management & End User Support
    - Now 100% U.S. Owned & Operated
    - Now offering instantly ready end-user support. 30secondsupport.com

  2. #2
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051

    Major security issue with Cpanel. Watch for updates.

    This is just a notice to you guys to watch for updates and to ensure your system is updated once Cpanel fixes this.

    We were hit by an issue with viruses being injected into random web pages (html, php, etc.) for any IE browsers. We cleaned the servers, but have located the method used.

    We can't (and won't) release any details or hints about this issue, but it's been confirmed to be a security issue with Cpanel and we're contacting them at this time to inform them of this urgent issue.

    This post is just a notice and warning to be aware that there will surely be an update from Cpanel that anyone running it will need to ensure its applied, so watch out for it soon.

  3. #3
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    Who is this? :-)

  4. #4
    Join Date
    Apr 2006
    Location
    Dallas, Texas USA
    Posts
    71
    Looks like we both posted about the same issue.

  5. #5
    Join Date
    May 2006
    Location
    Florida, USA
    Posts
    362
    And how does one know that a server is infected please? What do we look for? I assume that this is the same thing that hit HostGator.
    Host, YES!
    Reselling? Partner for profit instead!

  6. #6
    Join Date
    Sep 2005
    Location
    In canada
    Posts
    3,213
    And how did you guys come to know of it?

  7. #7
    Join Date
    Sep 2005
    Location
    In canada
    Posts
    3,213
    Quote Originally Posted by ServerSupportGuys
    Looks like we both posted about the same issue.
    Yup, and can a fix be posted as well?

  8. #8
    Join Date
    May 2006
    Location
    Florida, USA
    Posts
    362
    I believe Tim_Greer is from HostGator; that's how he would know about it.

    http://forums.hostgator.com/showthread.php?t=10928

  9. #9
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    I can confirm this finding.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  10. #10
    Join Date
    Apr 2006
    Location
    Dallas, Texas USA
    Posts
    71
    I think that's a little irresponsible. I'm going to hold off until we hear from cPanel.

  11. #11
    Join Date
    Jul 2002
    Posts
    3,729
    What's irresponsible?

    Should we just chown 000 /usr/local/cpanel until the patch is put out? (which I would assume would be today considering the severity)

  12. #12
    Join Date
    Apr 2006
    Location
    Dallas, Texas USA
    Posts
    71
    lol that would work...

  13. #13
    Join Date
    Mar 2002
    Location
    Austin, TX
    Posts
    112
    This has been confirmed and patched. Running /scripts/upcp will fix the vulnerability in all builds. Please note that this is a local exploit which requires access to a cPanel account.

    Please send information such as this to [email protected] to make us aware. The first communication we received was at 2:15pm CST. If you believe you have been exploited through this vulnerability, you are welcome to submit a support request for assistance. (https://tickets.cpanel.net/submit/in...eqtype=tickets)
    -Dave Koston
    Koston Consulting

  14. #14
    Join Date
    Apr 2006
    Location
    Dallas, Texas USA
    Posts
    71
    Nice work. Thanks

  15. #15
    Join Date
    May 2001
    Location
    Anchorage, Alaska
    Posts
    20

    cPanel Auto Heal

    When I ran /scripts/upcp from the SSH CLI, I see a well marked (in green) "cPanel Auto Heal 2.4 Running".

    I'm asking for identification purpose to assure my servers are current: Is this the fix?

    Thanks for the prompt response and updates.
    Dan
    DanTech Services

  16. #16
    Join Date
    Mar 2002
    Location
    Austin, TX
    Posts
    112
    Quote Originally Posted by dafut
    When I ran /scripts/upcp from the SSH CLI, I see a well marked (in green) "cPanel Auto Heal 2.4 Running".

    I'm asking for identification purpose to assure my servers are current: Is this the fix?

    Thanks for the prompt response and updates.
    Upcp will fix the problem on all builds. It is separate from cPanel Auto Heal. The cPanel Auto Heal system was used to distribute the patch though.

  17. #17
    Join Date
    Apr 2006
    Location
    Dallas, Texas USA
    Posts
    71
    I'd encourage everyone to seriously do some auditing on their machines.

    Check for anything that might seem out of place. If you have a file verification system/IDS (integrit, tripwire) in place, I'd definitely suggest comparing to see what, if anything, has been done on your system.

    It will not show up in any tools like rkhunter/chkrootkit etc., but I can confirm that this has been "public" for AT LEAST a month. So even if nothing is happening right now, you might still have been affected by this.

    Thanks again cPanel for the quick resolution.

  18. #18
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    I agree with serversupportguys. Who knows what can be lying dormant in your server.

  19. #19
    Join Date
    Nov 2002
    Location
    WebHostingTalk
    Posts
    8,878
    Thanks to ServerSupportGuys for alerting the WHT Community to this exploit. Hopefully everyone takes heed and ensures their systems are up to date and secured.

    Sirius
    I support the Human Rights Campaign!
    Moving to the Tampa, Florida area? Check out life in the suburbs in Trinity, Florida.

  20. #20
    Join Date
    May 2001
    Location
    Anchorage, Alaska
    Posts
    20
    Thanks DaveDark for the prompt response. And I echo my Customers that may not know how grateful they are to you and ServerSupportGuys plus all the others that have made this issue known.

  21. #21
    Join Date
    Aug 2004
    Location
    Houston, TX
    Posts
    1,396
    Thanks dave! I just got about 100 upcp's running so hopefully this will work.
    Eleven2 Web Hosting - World-Wide Hosting, Done Right!
    Shared Hosting | Reseller Hosting | Dedicated | Virtual Premium Servers
    Server Locations in: Dallas | Los Angeles | Singapore | Amsterdam

  22. #22
    Join Date
    Sep 2005
    Location
    In canada
    Posts
    3,213
    Quote Originally Posted by DaveDark
    Upcp will fix the problem on all builds. It is separate from cPanel Auto Heal. The cPanel Auto Heal system was used to distribute the patch though.
    Thanks, just ran the update and in green I saw succeeded. Hopefully it's safe, but is there anything we should run to make sure that the server is safe and is not exploited?

    Like, for example, clean the tmp folder etc. etc.??

  23. #23
    Just patched 100+ servers. Let's hope it's really patched. It's kind of a mystery what patch is applied, if any, and without information it's kind of hard to tell.
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  24. #24
    Join Date
    Apr 2006
    Location
    Dallas, Texas USA
    Posts
    71
    Have your sysadmin check over everything. I really suggest using an IDS or file verification system. It'll help take out some of the guesswork in the event something like this does happen.

    Also, check to see if any ssh keys have been added to your /root/.ssh/authorized_keys

    The ones I've seen so far have had this in common.

    Quote Originally Posted by paidhosting
    Thanks, just ran the update and in green I saw succeeded. Hopefully it's safe, but is there anything we should run to make sure that the server is safe and is not exploited?

    Like, for example, clean the tmp folder etc. etc.??
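    The two checks recommended in posts #17 and #24 (compare the system against a file-integrity baseline, and look for SSH keys that were added to /root/.ssh/authorized_keys) are written out below as an added example; this is not code from the thread or from cPanel. It assumes sha256sum is available, keeps the baseline as a plain "type blob comment" key list plus a sha256 manifest, and runs its demo on constructed files in a temporary directory with placeholder key blobs.

```shell
#!/bin/sh
# Added example, not code from the thread: two defender-side checks that
# posts #17 and #24 describe in words. (1) compare an authorized_keys file
# against a known-good list and report keys that were added; (2) record a
# sha256 baseline of a file tree and report files that changed or appeared.
# Paths and key blobs below are constructed for the demo, not real data.

# Print keys in authorized_keys file $1 whose key blob is absent from the
# known-good list $2. Comment and blank lines are skipped. Keys written with
# leading options ("from=...,command=... ssh-rsa AAAA...") are not parsed,
# so keep both files in plain "type blob comment" form.
added_keys() {
    current=$1; known=$2
    grep -v '^[[:space:]]*#' "$current" | grep -v '^[[:space:]]*$' |
    while read -r ktype blob rest; do
        if ! grep -q -F -- "$blob" "$known"; then
            printf '%s %s\n' "$ktype" "$blob"
        fi
    done
}

# Write one "sha256  ./path" line per regular file under $1 to manifest $2.
record_baseline() {
    dir=$1; out=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort |
      while read -r f; do sha256sum "$f"; done ) > "$out"
}

# Print the paths under $1 whose current hash is not in baseline $2 (changed
# or newly created files). Returns 0 when nothing changed, 1 otherwise.
# Deleted files are not reported; compare the manifests the other way for that.
check_baseline() {
    dir=$1; base=$2
    now=$(mktemp)
    record_baseline "$dir" "$now"
    changed=$(grep -v -x -F -f "$base" "$now" | awk '{print $2}') || true
    rm -f "$now"
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Demo on constructed data: take a baseline, then introduce an extra key and
# a modified web page, which both checks should flag.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/root/.ssh" "$work/htdocs"
    printf 'ssh-rsa AAAAB3placeholderADMIN admin@console\n' > "$work/root/.ssh/authorized_keys"
    cp "$work/root/.ssh/authorized_keys" "$work/known_keys"
    printf '<html><body>hello</body></html>\n' > "$work/htdocs/index.html"
    record_baseline "$work/htdocs" "$work/htdocs.sha256"

    printf 'ssh-rsa AAAAB3placeholderUNKNOWN nobody@nowhere\n' >> "$work/root/.ssh/authorized_keys"
    printf '<!-- placeholder for content appended after the baseline -->\n' >> "$work/htdocs/index.html"

    echo "keys not in the known-good list:"
    added_keys "$work/root/.ssh/authorized_keys" "$work/known_keys"
    echo "files differing from baseline:"
    check_baseline "$work/htdocs" "$work/htdocs.sha256" || echo "(integrity check FAILED)"
    rm -rf "$work"
}

demo
```

    On a real server the baseline manifest and the known-good key list must be stored off the box (or at least on read-only media), since an attacker with root can rewrite them along with everything else; that is also why the thread's advice to use tripwire or integrit, which keep a signed database, is sounder than an ad hoc manifest kept on the same host.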

  25. #25
    Join Date
    Mar 2002
    Location
    Austin, TX
    Posts
    112
    Quote Originally Posted by paidhosting
    Hopefully it's safe, but is there anything we should run to make sure that the server is safe and is not exploited?

    Like, for example, clean the tmp folder etc. etc.??
    We were able to verify the cause of the exploit and our patches are tested against it and some variations of it. If you're up to date, you'll be ok.

    Of note: This exploit requires the malicious user to already have access to the system. If you've been exploited, please take a look at your security policies and take proper steps to ensure the point of entry hole has been closed.

  26. #26
    Join Date
    Sep 2004
    Location
    [UsA - MiChIgAn]
    Posts
    88
    Dang..
    So I was on IRC and someone posted this link about a '0-day' exploit in cPanel.. and stuff..

    http://it.slashdot.org/it/06/09/23/2218254.shtml so i came here.. .. .
    ~~ Bandit. S.

  27. #27
    Join Date
    Sep 2005
    Location
    In canada
    Posts
    3,213
    Quote Originally Posted by DaveDark
    We were able to verify the cause of the exploit and our patches are tested against it and some variations of it. If you're up to date, you'll be ok.

    Of note: This exploit requires the malicious user to already have access to the system. If you've been exploited, please take a look at your security policies and take proper steps to ensure the point of entry hole has been closed.
    How would I know if I have been exploited? Would my server be dead? If I have not been exploited yet, can someone still have something left on the server that can be used later? I have cleaned my tmp folder already and contacted my server admin to look into the issue.

    Thanks for the update, but since you're here on WHT I just wanted to ask a few things I see in my WHM


    Like " FreeBSD Bind 9 Issue"
    &&
    "Security Notice:
    There are several known Linux kernel exploits which may allow local privilege escalation. These exploits have become commonplace in recent weeks and can be avoided by ensuring that your kernel is updated to the latest available version. While cPanel will help ensure your system services and software are up to date, kernel updates are outside the scope of cPanel. Kernels with known vulnerabilities include, but are not limited to, 2.6.9-22 and 2.6.9-34. Please check your running kernel for updates periodically. This will help ensure the overall integrity of your server and data. "


    Thanks

  28. #28
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    http://layer2.cpanel.net/installer/sec092306.pl

    The actual patch if anyone is interested.

  29. #29
    Join Date
    Oct 2004
    Posts
    294
    Quote Originally Posted by Steven
    http://layer2.cpanel.net/installer/sec092306.pl

    The actual patch if anyone is interested.
    Do we have to apply it by ourselves?

  30. #30
    Join Date
    Oct 2004
    Location
    India
    Posts
    491
    /scripts/upcp automagically runs that script too.
    ESC :wq!

  31. #31
    Join Date
    Mar 2002
    Location
    UK
    Posts
    1,262
    Since upgrading with /scripts/upcp one of my servers has slowed down to a snail's pace and my VPS fails to load www.mydomain.com/cpanel

  32. #32
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,574
    Quote Originally Posted by grandad
    Since upgrading with /scripts/upcp one of my servers has slowed down to a snail's pace and my VPS fails to load www.mydomain.com/cpanel
    You probably had issues beforehand, likely due to not updating cPanel for a while...

    /scripts/upcp --force

    should get you back in line.

    for those who just wanted to run the perl script with the fix:

    Code:
    wget http://layer2.cpanel.net/installer/sec092306.pl
    chmod 700 sec092306.pl
    ./sec092306.pl
    MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business

  33. #33
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,109
    Ok, here's a question.

    It was mentioned somewhere that in order for the Iframe hack to be installed, one needs to first have access to an account hosted on the Server.

    Other than doing a 'find' for all accounts and pages, I'm presuming that in order to get the Iframe code inserted into pages the hacker first has to get their "install file" somewhere on the Server. For those that are aware of how it is done, is the file put into the Server 'tmp' dir. or run somehow directly from within the compromised account? Also, what is the name of this hacker file?
    PotentProducts.com - for all your Hosting needs
    Helping people Host, Create and Maintain their Web Site
    ServerAdmin Services also available

  34. #34
    Join Date
    Mar 2002
    Location
    UK
    Posts
    1,262
    Quote Originally Posted by layer0
    You probably had issues before hand, likely due to not updating cpanel for a while...

    /scripts/upcp --force

    should get you back in line.
    I get email notification of scripts update every 24 hours ... doesn't that include the cpanel update?

  35. #35
    Join Date
    Jun 2003
    Location
    UK
    Posts
    6,601
    Quote Originally Posted by grandad
    I get email notification of scripts update every 24 hours ... doesn't that include the cPanel update?
    That probably is, though some people keep auto-updates turned off. For something like this I would run it manually just to be safe.
    Russ Foster - Industry Curmudgeon

  36. #36
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Quote Originally Posted by firestarter
    /scripts/upcp automagically runs that script too.


    DUH!! No kidding?! Some people do not want to run upcp.

  37. #37
    Join Date
    May 2006
    Location
    Florida, USA
    Posts
    362
    OK, I have a question that's been bothering me since yesterday.

    Yes... congratulations to CPanel for fixing it so fast after they found out.
    Yes... thank you to all who helped spread the word about this major problem.

    Now: A local authenticated CPanel user had to do this right? Are you telling me that someone signed themselves up with HostGator as a customer and somehow got himself/herself placed in most of their servers? If that's true, he must have signed up with them about 80 times and requested a specific server each time in order to get to the boxes.

    I guess the point is: How did they break into the local user account to begin with? Brute force, a legal customer account (they paid to be a client?), or somehow else???

    By the way, without starting a big debate here, and let me tell you that I'm a certified MCSE for whatever that's worth, but it is CRIMINAL that this happened yesterday and that Microsoft has not put out a patch yet.

    thanks for letting me rant but someone please answer the local user account questions because the SOURCE of the problem is just as IMPORTANT as the fix.


  38. #38
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    We have a lot of users and out of them, a lot of users will use weak passwords, insecure scripts, the passwords for their accounts in scripts, configuration files, databases, etc., which can then allow an attacker to obtain the password in plain text from their own files and the attacker can then log in. However, most of them appear to be attributed to insecure scripts, such as Joomla (when isn't that insecure, am I right?), and this exploit allows the attacker to gain access/upload the script and then run it. It can be any one of hundreds of insecure scripts any number of your users run.

    We have pretty strict and involved mod_security rules to prevent most attacks, but it's not possible to catch them all/stop them all, given all of the different scripts users run that are insecure. So, don't assume you'd have to have a malicious user sign up to do this, there's far too many ways into far too many user accounts for an attacker to have to actually physically sign up these days anyway. That said, you should ensure that you or your resellers, if you have any, don't have any WHMAP, Clientexec, MB, etc. programs allow for automatic and instant account creation. Have at least some manual check/verification before activating the account.

  39. #39
    Join Date
    May 2006
    Location
    Florida, USA
    Posts
    362
    Thank you for the answer Tim....
    you should ensure that you or your resellers, if you have any, don't have any WHMAP, Clientexec, MB, etc. programs allow for automatic and instant account creation. Have at least some manual check/verification before activating the account.
    That makes sense and it's at least a starting point as to the cause(s)

  40. #40
    Join Date
    Apr 2006
    Location
    Dallas, Texas USA
    Posts
    71

    re

    Large resellers like hostgator, lunarpages etc will also be the first targets like this.

    Unlimited Reseller models like this are dangerous as you really have no idea (nor do you usually check) who is actually being setup on your servers.

    With hundreds or even thousands of users on one of your servers and only a small % of them being your direct customers you really lose a certain level of control.

    Established webhosting companies know about and fully understand internet fraud. However some of their smaller customers (newly established resellers) might not realize they will get more fraud sales than anything and are probably just happy to get the business. lol

    Ta-da they're in the system as a local user ready to exploit the next hole. lol
