  1. #1
    Join Date
    Apr 2006
    Location
    Dallas, Texas USA
    Posts
    71

    cPanel Exploit

    Just a heads up.. looks like there's a root exploit out for cPanel servers. cPanel has been informed. Admin companies + anyone else interested, please contact me for info on how to at least stop it until there's a proper "fix" provided by cPanel.

    I'm worried about posting the specifics on a public forum until there's an official patch/fix out.

    Very serious: Gives attackers full root access, will not show up in rootkit checks. Many of your machines may already be affected.
    - Comprehensive Server Management & End User Support
    - Now 100% U.S. Owned & Operated
    - Now offering instantly ready end-user support. 30secondsupport.com

  2. #2
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051

    Major security issue with Cpanel. Watch for updates.

    This is just a notice to you guys to watch for updates and to ensure your system is updated once Cpanel fixes this.

    We were hit by an issue with viruses being injected into random web pages (html, php, etc.) for any IE browsers. We cleaned the servers, but have located the method used.

    We can't (and won't) release any details or hints about this issue, but it's been confirmed to be a security issue with Cpanel and we're contacting them at this time to inform them of this urgent issue.

    This post is just a notice and warning to be aware that there will surely be an update from Cpanel that anyone running it will need to ensure it's applied, so watch out for it soon.

  3. #3
    Join Date
    Apr 2000
    Location
    California
    Posts
    3,051
    Who is this? :-)

  4. #4
    Join Date
    Apr 2006
    Location
    Dallas, Texas USA
    Posts
    71
    Looks like we both posted about the same issue.
    - Comprehensive Server Management & End User Support
    - Now 100% U.S. Owned & Operated
    - Now offering instantly ready end-user support. 30secondsupport.com

  5. #5
    Join Date
    May 2006
    Location
    Florida, USA
    Posts
    364
    And how does one know that a server is infected please? What do we look for? I assume that this is the same thing that hit HostGator.
    Host, YES!
    Reselling? Partner for profit instead!

  6. #6
    Join Date
    Sep 2005
    Location
    In canada
    Posts
    3,374
    And how did you guys come to know of it ?
    12+ years -same website , new server [SSD Inside] providing shared/reseller hosting only !
    These things we do not provide/offer : Unlimited Storage ! Unlimited Bandwidth ! But Why? Cause, we were unable to put such a large number on our pages, it just would not fit.
    So check out the numbers that actually fit >> << the page as well as your budget too !

  7. #7
    Join Date
    Sep 2005
    Location
    In canada
    Posts
    3,374
    Quote Originally Posted by ServerSupportGuys
    Looks like we both posted about the same issue.
    Yup and can a fix be posted as well ?
    12+ years -same website , new server [SSD Inside] providing shared/reseller hosting only !
    These things we do not provide/offer : Unlimited Storage ! Unlimited Bandwidth ! But Why? Cause, we were unable to put such a large number on our pages, it just would not fit.
    So check out the numbers that actually fit >> << the page as well as your budget too !

  8. #8
    Join Date
    May 2006
    Location
    Florida, USA
    Posts
    364
    I believe Tim_Greer is from HostGator; that's how he would know about it.

    http://forums.hostgator.com/showthread.php?t=10928
    Host, YES!
    Reselling? Partner for profit instead!

  9. #9
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    I can confirm this finding.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  10. #10
    Join Date
    Apr 2006
    Location
    Dallas, Texas USA
    Posts
    71
    I think that's a little irresponsible. I'm going to hold off until we hear from cPanel.
    - Comprehensive Server Management & End User Support
    - Now 100% U.S. Owned & Operated
    - Now offering instantly ready end-user support. 30secondsupport.com

  11. #11
    Join Date
    Jul 2002
    Posts
    3,734
    What's irresponsible?

    Should we just chown 000 /usr/local/cpanel until the patch is put out? (which I would assume would be today considering the severity)

  12. #12
    Join Date
    Apr 2006
    Location
    Dallas, Texas USA
    Posts
    71
    lol that would work...
    - Comprehensive Server Management & End User Support
    - Now 100% U.S. Owned & Operated
    - Now offering instantly ready end-user support. 30secondsupport.com

  13. #13
    Join Date
    Mar 2002
    Location
    Austin, TX
    Posts
    112
    This has been confirmed and patched. Running /scripts/upcp will fix the vulnerability in all builds. Please note that this is a local exploit which requires access to a cPanel account.

    Please send information such as this to security@cpanel.net to make us aware. The first communication we received was at 2:15pm CST. If you believe you have been exploited through this vulnerability, you are welcome to submit a support request for assistance. (https://tickets.cpanel.net/submit/in...eqtype=tickets)
    -Dave Koston
    Koston Consulting

  14. #14
    Join Date
    Apr 2006
    Location
    Dallas, Texas USA
    Posts
    71
    Nice work. Thanks
    - Comprehensive Server Management & End User Support
    - Now 100% U.S. Owned & Operated
    - Now offering instantly ready end-user support. 30secondsupport.com

  15. #15
    Join Date
    May 2001
    Location
    Anchorage, Alaska
    Posts
    27

    cPanel Auto Heal

    When I ran /scripts/upcp from the SSH CLI, I see a well marked (in green) "cPanel Auto Heal 2.4 Running".

    I'm asking for identification purpose to assure my servers are current: Is this the fix?

    Thanks for the prompt response and updates.
    Dan
    DanTech Services

  16. #16
    Join Date
    Mar 2002
    Location
    Austin, TX
    Posts
    112
    Quote Originally Posted by dafut
    When I ran /scripts/upcp from the SSH CLI, I see a well marked (in green) "cPanel Auto Heal 2.4 Running".

    I'm asking for identification purpose to assure my servers are current: Is this the fix?

    Thanks for the prompt response and updates.
    Upcp will fix the problem on all builds. It is separate from cPanel Auto Heal. The cPanel Auto Heal system was used to distribute the patch though.
    -Dave Koston
    Koston Consulting

  17. #17
    Join Date
    Apr 2006
    Location
    Dallas, Texas USA
    Posts
    71
    I'd encourage everyone to seriously do some auditing on their machines.

    Check for anything that might seem out of place. If you have a file verification system/IDS (integrit, tripwire) in place, I'd definitely suggest comparing to see what, if anything, has been done on your system.

    It will not show up in any tools like rkhunter/chkrootkit etc., but I can confirm that this has been "public" for AT LEAST a month. So even if nothing is happening right now, you might still have been affected by this.

    Thanks again cPanel for the quick resolution.
    - Comprehensive Server Management & End User Support
    - Now 100% U.S. Owned & Operated
    - Now offering instantly ready end-user support. 30secondsupport.com

  18. #18
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    I agree with serversupportguys. Who knows what can be lying dormant in your server.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  19. #19
    Join Date
    Nov 2002
    Location
    WebHostingTalk
    Posts
    8,901
    Thanks to ServerSupportGuys for alerting the WHT Community to this exploit. Hopefully everyone takes heed and ensures their systems are up to date and secured.

    Sirius
    I support the Human Rights Campaign!
    Moving to the Tampa, Florida area? Check out life in the suburbs in Trinity, Florida.

  20. #20
    Join Date
    May 2001
    Location
    Anchorage, Alaska
    Posts
    27
    Thanks DaveDark for the prompt response. And I echo my Customers that may not know how grateful they are to you and ServerSupportGuys plus all the others that have made this issue known.
    Dan
    DanTech Services

  21. #21
    Join Date
    Aug 2004
    Location
    Houston, TX
    Posts
    1,405
    Thanks dave! I just got about 100 upcp's running so hopefully this will work.
    Eleven2 Web Hosting - World-Wide Hosting, Done Right!
    Shared Hosting | Reseller Hosting | Dedicated | Virtual Premium Servers
    Server Locations in: Dallas | Los Angeles | Singapore | Amsterdam

  22. #22
    Join Date
    Sep 2005
    Location
    In canada
    Posts
    3,374
    Quote Originally Posted by DaveDark
    Upcp will fix the problem on all builds. It is separate from cPanel Auto Heal. The cPanel Auto Heal system was used to distribute the patch though.
    Thanks, just ran the update and in green I saw succeeded. Hopefully it's safe, but is there anything we should run to make sure that server is safe and is not exploited?

    Like for example clean tmp folder etc. etc.?
    12+ years -same website , new server [SSD Inside] providing shared/reseller hosting only !
    These things we do not provide/offer : Unlimited Storage ! Unlimited Bandwidth ! But Why? Cause, we were unable to put such a large number on our pages, it just would not fit.
    So check out the numbers that actually fit >> << the page as well as your budget too !

  23. #23
    Just patched 100+ servers. Let's hope it's really patched. It's kind of a mystery what patch is applied, if any, and without information it's kind of hard to tell.
    ••• Like us on Facebook to qualify for discounts! •••
    ••• http://www.sprintserve.net •••
    ••• Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting | •••
    ••• Services: | Managed Multiple Cores 64bit Servers | Server Management | •••

  24. #24
    Join Date
    Apr 2006
    Location
    Dallas, Texas USA
    Posts
    71
    Have your sysadmin check over everything. I really suggest using an IDS or file verification system. It'll help take out some of the guesswork in the event something like this does happen.

    Also, check to see if any ssh keys have been added to your /root/.ssh/authorized_keys

    The ones I've seen so far have had this in common.

    Quote Originally Posted by paidhosting
    Thanks, just ran the update and in green I saw succeeded. Hopefully it's safe, but is there anything we should run to make sure that server is safe and is not exploited?

    Like for example clean tmp folder etc. etc.?
    - Comprehensive Server Management & End User Support
    - Now 100% U.S. Owned & Operated
    - Now offering instantly ready end-user support. 30secondsupport.com
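
The `/root/.ssh/authorized_keys` check suggested in post #24, as an added example that is not part of the original thread: it compares each key in the file against a list of approved key blobs and prints anything unapproved. The allowlist file format, the function names and the sample keys (constructed placeholders, not real keys) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag authorized_keys entries whose key
# blob is not on an approved list. File layout and names are assumptions.

# extract_keys FILE: print "lineno keytype blob comment" per key line.
extract_keys() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }           # skip blanks and comments
        {
            for (i = 1; i < NF; i++) {
                # key type may be preceded by an options field (from=, command=)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)/) {
                    c = ""
                    for (j = i + 2; j <= NF; j++) c = (c == "" ? $j : c " " $j)
                    print NR, $i, $(i + 1), (c == "" ? "-" : c)
                    next
                }
            }
            print NR, "UNPARSED", "-", "-"      # never silently drop a line
        }' "$1"
}

# unexpected_keys AUTH_FILE ALLOW_FILE
# ALLOW_FILE: one approved base64 blob per line. Prints unapproved entries
# and returns 1 if there are any, so it can gate a cron alert.
unexpected_keys() {
    extract_keys "$1" | awk -v allow="$2" '
        BEGIN { while ((getline b < allow) > 0) ok[b] = 1 }
        !($3 in ok) { print; bad = 1 }
        END { exit bad + 0 }'
}

# make_sample DIR: write constructed test files (placeholder blobs, not real keys).
make_sample() {
    cat > "$1/authorized_keys" <<'EOF'
# constructed sample
ssh-ed25519 AAAAC3CONSTRUCTEDADMINKEY admin@workstation
from="192.0.2.10",no-pty ssh-rsa AAAAB3CONSTRUCTEDBACKUPKEY backup job
ssh-rsa AAAAB3CONSTRUCTEDUNKNOWNKEY
EOF
    printf '%s\n' AAAAC3CONSTRUCTEDADMINKEY AAAAB3CONSTRUCTEDBACKUPKEY \
        > "$1/approved_blobs"
}

tmp=$(mktemp -d)
make_sample "$tmp"
unexpected_keys "$tmp/authorized_keys" "$tmp/approved_blobs" || echo "review the entries above"
rm -rf "$tmp"
```

A missing allowlist or an unparseable line results in the entry being reported rather than skipped, so the check fails toward review.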

  25. #25
    Join Date
    Mar 2002
    Location
    Austin, TX
    Posts
    112
    Quote Originally Posted by paidhosting
    Hopefully it's safe, but is there anything we should run to make sure that server is safe and is not exploited?

    Like for example clean tmp folder etc. etc.?
    We were able to verify the cause of the exploit and our patches are tested against it and some variations of it. If you're up to date, you'll be ok.

    Of note: This exploit requires the malicious user to already have access to the system. If you've been exploited, please take a look at your security policies and take proper steps to ensure the point of entry hole has been closed.
    -Dave Koston
    Koston Consulting
