-
09-23-2006, 02:19 PM #1 Junior Guru Wannabe
- Join Date
- Apr 2006
- Location
- Dallas, Texas USA
- Posts
- 71
cPanel Exploit
Just a heads up.. looks like there's a root exploit out for cPanel servers. cPanel has been informed. Admin companies + anyone else interested, please contact me for info on how to at least stop it until there's a proper "fix" provided by cPanel.
I'm worried about posting the specifics on a public forum until there's an official patch/fix out.
Very serious: Gives attackers full root access, will not show up in rootkit checks. Many of your machines may already be affected.
.:: ServerSupportGuys.com ::.
- Comprehensive Server Management & End User Support
- Now 100% U.S. Owned & Operated
- Now offering instantly ready end-user support. 30secondsupport.com
-
09-23-2006, 02:21 PM #2 Web Hosting Master
- Join Date
- Apr 2000
- Location
- California
- Posts
- 3,051
Major security issue with cPanel. Watch for updates.
This is just a notice to you guys to watch for updates and to ensure your system is updated once cPanel fixes this.
We were hit by an issue with viruses being injected into random web pages (html, php, etc.) for any IE browsers. We cleaned the servers, but have located the method used.
We can't (and won't) release any details or hints about this issue, but it's been confirmed to be a security issue with cPanel and we're contacting them at this time to inform them of this urgent issue.
This post is just a notice and warning to be aware that there will surely be an update from cPanel that anyone running it will need to ensure it's applied, so watch out for it soon.
-
09-23-2006, 02:22 PM #3 Web Hosting Master
- Join Date
- Apr 2000
- Location
- California
- Posts
- 3,051
Who is this? :-)
-
09-23-2006, 02:25 PM #4 Junior Guru Wannabe
- Join Date
- Apr 2006
- Location
- Dallas, Texas USA
- Posts
- 71
Looks like we both posted about the same issue.
-
09-23-2006, 02:30 PM #5 Aspiring Evangelist
- Join Date
- May 2006
- Location
- Florida, USA
- Posts
- 364
And how does one know that a server is infected please? What do we look for? I assume that this is the same thing that hit HostGator.
Host, YES! ™
Reselling? Partner for profit instead!
-
09-23-2006, 02:34 PM #6 -=*/E=-
- Join Date
- Sep 2005
- Location
- In canada
- Posts
- 3,374
And how did you guys come to know of it?
12+ years -same website , new server [SSD Inside] providing shared/reseller hosting only !
These things we do not provide/offer : Unlimited Storage ! Unlimited Bandwidth ! But Why? Cause, we were unable to put such a large number on our pages, it just would not fit.
So check out the numbers that actually fit >> << the page as well as your budget too !
-
09-23-2006, 02:35 PM #7 -=*/E=-
- Join Date
- Sep 2005
- Location
- In canada
- Posts
- 3,374
Originally Posted by ServerSupportGuys
-
09-23-2006, 02:39 PM #8 Aspiring Evangelist
- Join Date
- May 2006
- Location
- Florida, USA
- Posts
- 364
I believe Tim_Greer is from HostGator; that's how he would know about it.
http://forums.hostgator.com/showthread.php?t=10928
-
09-23-2006, 02:46 PM #9 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
I can confirm this finding.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
09-23-2006, 02:48 PM #10 Junior Guru Wannabe
- Join Date
- Apr 2006
- Location
- Dallas, Texas USA
- Posts
- 71
I think that's a little irresponsible. I'm going to hold off until we hear from cPanel.
-
09-23-2006, 02:53 PM #11 Web Hosting Master
- Join Date
- Jul 2002
- Posts
- 3,734
What's irresponsible?
Should we just chown 000 /usr/local/cpanel until the patch is put out? (which I would assume would be today considering the severity)
-
09-23-2006, 02:55 PM #12 Junior Guru Wannabe
- Join Date
- Apr 2006
- Location
- Dallas, Texas USA
- Posts
- 71
lol that would work...
-
09-23-2006, 04:20 PM #13 WHT Addict
- Join Date
- Mar 2002
- Location
- Austin, TX
- Posts
- 112
This has been confirmed and patched. Running /scripts/upcp will fix the vulnerability in all builds. Please note that this is a local exploit which requires access to a cPanel account.
Please send information such as this to security@cpanel.net to make us aware. The first communication we received was at 2:15pm CST. If you believe you have been exploited through this vulnerability, you are welcome to submit a support request for assistance. (https://tickets.cpanel.net/submit/in...eqtype=tickets)
-Dave Koston
Koston Consulting
-
09-23-2006, 04:25 PM #14 Junior Guru Wannabe
- Join Date
- Apr 2006
- Location
- Dallas, Texas USA
- Posts
- 71
Nice work. Thanks
-
09-23-2006, 04:39 PM #15 Newbie
- Join Date
- May 2001
- Location
- Anchorage, Alaska
- Posts
- 27
cPanel Auto Heal
When I ran /scripts/upcp from the SSH CLI, I see a well marked (in green) "cPanel Auto Heal 2.4 Running".
I'm asking for identification purpose to assure my servers are current: Is this the fix?
Thanks for the prompt response and updates.
Dan
DanTech Services
-
09-23-2006, 04:43 PM #16 WHT Addict
- Join Date
- Mar 2002
- Location
- Austin, TX
- Posts
- 112
Originally Posted by dafut
-
09-23-2006, 04:45 PM #17 Junior Guru Wannabe
- Join Date
- Apr 2006
- Location
- Dallas, Texas USA
- Posts
- 71
I'd encourage everyone to seriously do some auditing on their machines.
Check for anything that might seem out of place. If you have a file verification system/IDS (integrit, tripwire) in place, I'd definitely suggest comparing to see what/if anything has been done on your system.
It will not show up in any tools like rkhunter/chkrootkit etc., but I can confirm that this has been "public" for AT LEAST a month. So even if nothing is happening right now, you might still have been affected by this.
Thanks again cPanel for the quick resolution.
-
09-23-2006, 04:48 PM #18 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
I agree with serversupportguys. Who knows what can be lying dormant in your server.
-
09-23-2006, 04:59 PM #19 Retired Moderator
- Join Date
- Nov 2002
- Location
- WebHostingTalk
- Posts
- 8,901
Thanks to ServerSupportGuys for alerting the WHT Community to this exploit. Hopefully everyone takes heed and ensures their systems are up to date and secured.
Sirius
I support the Human Rights Campaign!
Moving to the Tampa, Florida area? Check out life in the suburbs in Trinity, Florida.
-
09-23-2006, 05:02 PM #20 Newbie
- Join Date
- May 2001
- Location
- Anchorage, Alaska
- Posts
- 27
Thanks DaveDark for the prompt response. And I echo my Customers that may not know how grateful they are to you and ServerSupportGuys plus all the others that have made this issue known.
Dan
-
09-23-2006, 05:34 PM #21 Web Hosting Master
- Join Date
- Aug 2004
- Location
- Houston, TX
- Posts
- 1,405
Thanks Dave! I just got about 100 upcp's running so hopefully this will work.
Eleven2 Web Hosting - World-Wide Hosting, Done Right!
Shared Hosting | Reseller Hosting | Dedicated | Virtual Premium Servers
Server Locations in: Dallas | Los Angeles | Singapore | Amsterdam
-
09-23-2006, 06:48 PM #22 -=*/E=-
- Join Date
- Sep 2005
- Location
- In canada
- Posts
- 3,374
Originally Posted by DaveDark
Like for example clean tmp folder etc etc. ??
-
09-23-2006, 07:18 PM #23 Retired Moderator
- Join Date
- Jan 2003
- Posts
- 9,049
Just patch 100+ servers. Let's hope it's really patched. It's kind of a mystery what patch is applied if any, and without information it's kind of hard to tell.
••• Like us on Facebook to qualify for discounts! •••
••• http://www.sprintserve.net •••
••• Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting | •••
••• Services: | Managed Multiple Cores 64bit Servers | Server Management | •••
-
09-23-2006, 07:25 PM #24 Junior Guru Wannabe
- Join Date
- Apr 2006
- Location
- Dallas, Texas USA
- Posts
- 71
Have your sysadmin check over everything. I really suggest using an IDS or file verification system. It'll help take out some of the guesswork in the event something like this does happen.
Also, check to see if any ssh keys have been added to your /root/.ssh/authorized_keys
The ones I've seen so far have had this in common.
Originally Posted by paidhosting
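
The authorized_keys check suggested in post #24, in the same compare-against-known-good spirit as the file verification advice in post #17, written as an added example that is not part of the original thread. The baseline file (a copy of the keys you approved, in authorized_keys format), the function names and the sample key blobs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report authorized_keys entries that are
# not in an approved baseline. File names and baseline format are assumptions.

# key_blobs FILE: print "<type> <base64>" per key line, ignoring blank and
# comment lines and stepping over a leading options field if present.
key_blobs() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+)$/) {
                    print $i, $(i + 1)
                    next
                }
            print "UNPARSED", $0    # surface anything we cannot classify
        }
    ' "$1"
}

# unapproved_keys AUTH BASELINE: print entries in AUTH whose key material is
# absent from BASELINE. Returns 0 if clean, 1 if anything was printed.
unapproved_keys() {
    approved=$(mktemp) || return 2
    key_blobs "$2" | sort -u > "$approved"
    extra=$(key_blobs "$1" | sort -u | grep -vxF -f "$approved" || true)
    rm -f "$approved"
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# demo: constructed sample data (key blobs are placeholders, not real keys).
demo() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/baseline" <<'EOF'
ssh-rsa AAAAB3CONSTRUCTEDadminKEY admin@workstation
EOF
    cat > "$dir/authorized_keys" <<'EOF'
# managed by ops
ssh-rsa AAAAB3CONSTRUCTEDadminKEY renamed-comment
from="192.0.2.10" ssh-dss AAAAB3CONSTRUCTEDunknownKEY
EOF
    rc=0
    unapproved_keys "$dir/authorized_keys" "$dir/baseline" || rc=$?
    rm -rf "$dir"
    return $rc
}
```

Matching on the key material rather than the whole line means an approved key is still recognised when its trailing comment is changed, and an unknown key is still reported when it carries an innocuous-looking comment.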
-
09-23-2006, 07:27 PM #25 WHT Addict
- Join Date
- Mar 2002
- Location
- Austin, TX
- Posts
- 112
Originally Posted by paidhosting
Of note: This exploit requires the malicious user to already have access to the system. If you've been exploited, please take a look at your security policies and take proper steps to ensure the point of entry hole has been closed.