Thread: cPanel, Inc. Announces Additional Internal Security Enhancements

  1. #1
    Infopro, cPanel Product Evangelist (Join Date: May 2003; Location: Pennsylvania; Posts: 11,453; cPanel Access Level: Root Administrator)

    cPanel, Inc. Announces Additional Internal Security Enhancements

    This is a follow up on the status of the security compromise that cPanel, Inc. experienced on Thursday, February 21, 2013.


    As mentioned in our email sent to cPanel Server Administrators who’ve opened a ticket with us in the past 6 months, on February 21 we discovered that one of the proxy servers we utilize in the technical support department had been compromised. The cPanel Security Team’s investigation into this matter is ongoing.

    We’d like to relay additional details about the intrusion that we have gathered with you here, and we want to explain what preventative measures we’re putting in place that will introduce additional layers of security to our new and existing systems, already in place.


    Here’s what we know:

    • The proxy machine compromised in this incident was, at the time, utilized to access customer servers by some of our Technical Analysts. Its intent was to provide a layer of security between local & remote workstations and customer servers.
    • This proxy machine was compromised by a malicious third-party by compromising a single workstation used by one of our Technical Analysts.
    • Only a small group of our Technical Analysts uses this particular machine for logins.
    • There is no evidence that any sensitive customer data was exposed and there is no evidence that the actual database was compromised.

    Documentation on how to Determine Your System's Status is available and we encourage System Administrators to use those details to determine the status of their servers.


    Here’s what we’re doing about it:

    We have restructured the process used to access customer servers to significantly reduce the risk of this type of sophisticated attack in the future. We have also been working on implementing multiple changes to our internal support systems and procedures as outlined for your information below.

    • Our system will now generate and provide you with a unique SSH key for each new support ticket submitted.
    • We are providing tools to authorize and de-authorize SSH keys and instructions on how to use them whenever you submit a ticket.
    • Our system will generate a single-use username and password credentials for accessing WebHost Manager that are only valid while our staff is logged into your server.
    • Additional enhancements are also planned behind the scenes that should be transparent to our customers.

    With these new layers of security in place, it is now possible for our Technical Analysts to service your support requests without you providing your server’s password for nearly all requests involving machines running our cPanel & WHM product going forward. However, we will still offer the ability to provide your password for server migrations, or in the event you cannot use SSH keys.

    cPanel’s Internal Development Team has been working on an automated solution with the end goal of eliminating the need for our Technical Analysts to view any passwords you provide during the ticket submission process. We are testing this solution right now, and hope to have it fully implemented in the next few days.

    cPanel, Inc. understands your concerns expressed over the last few days, and we very much appreciate the cooperation and patience you have provided us during this time as we work through all of this.

    Thank you.

  2. #2
    ThinIce, Registered Member (Join Date: Apr 2006; Location: Disillusioned in England; Posts: 327; cPanel Access Level: Root Administrator)

    Re: cPanel, Inc. Announces Additional Internal Security Enhancements

    Regarding your article at Determine Your System's Status

    I believe for CentOS 5.9 libkeyutils-1.2.so is also a permissible file

    ls -l /lib64/libkeyutils.so.1
    lrwxrwxrwx 1 root root 18 Apr 18 2012 /lib64/libkeyutils.so.1 -> libkeyutils-1.2.so*

    rpm -qf /lib64/libkeyutils-1.2.so
    keyutils-libs-1.2-1.el5

    Do correct me if I'm wrong, please.

    You should verify which file is linked to the libkeyutils.so.1 file.

    Run the following command to see which file is linked to:

    [user@host]$ ls -l /lib64/libkeyutils.so.1

    Currently, the only acceptable file is the default file provided by the keyutils-libs package, which is libkeyutils.so.1.3. The following example shows the desired output:

    lrwxrwxrwx 1 root root 18 Feb 20 12:15 /lib64/libkeyutils.so.1 -> libkeyutils.so.1.3*

    If the /lib64/libkeyutils.so.1 file points to a file with one of the following names, then the server may be compromised:

    libkeyutils.so.1.9
    libkeyutils.so.1.3.2
    libkeyutils-1.2.so.2
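The symlink check quoted above, and the strings check from a later post in this thread, as an added example that is not from the cPanel documentation or from any poster: the function classifies the target of /lib64/libkeyutils.so.1 against the names the thread lists (libkeyutils.so.1.3 and, per the CentOS 5.9 correction, libkeyutils-1.2.so as legitimate; the three names above as indicators of compromise). The LIBDIR argument is an assumption added so the check can be run against a copied directory.

```shell
#!/bin/sh
# Added example (not cPanel's code). Classifies the libkeyutils.so.1 symlink
# target using the names given in the thread and reports a verdict.

# Target names the thread lists as indicators of compromise.
BAD_TARGETS="libkeyutils.so.1.9 libkeyutils.so.1.3.2 libkeyutils-1.2.so.2"
# Target names the thread reports as legitimate package files.
OK_TARGETS="libkeyutils.so.1.3 libkeyutils-1.2.so"

# classify_target NAME -> prints ok / suspicious / unknown, returns 0 / 1 / 2
classify_target() {
    for t in $BAD_TARGETS; do
        [ "$1" = "$t" ] && { echo suspicious; return 1; }
    done
    for t in $OK_TARGETS; do
        [ "$1" = "$t" ] && { echo ok; return 0; }
    done
    echo unknown
    return 2
}

# check_libkeyutils [LIBDIR] -> resolves LIBDIR/libkeyutils.so.1 (default
# /lib64) and classifies its target; exit code mirrors classify_target.
check_libkeyutils() {
    libdir=${1:-/lib64}
    link="$libdir/libkeyutils.so.1"
    [ -L "$link" ] || { echo "unknown: $link is not a symlink"; return 2; }
    target=$(readlink "$link")
    verdict=$(classify_target "$(basename "$target")") || true
    case $verdict in
        ok) echo "ok: $link -> $target"; return 0 ;;
        suspicious) echo "SUSPICIOUS: $link -> $target (listed as an indicator)"; return 1 ;;
        *) echo "unknown: $link -> $target (verify with: rpm -qf $libdir/$target)"; return 2 ;;
    esac
}

# network_strings LIB -> the grep a poster in this thread ran on a suspected
# server; needs binutils 'strings'. Prints matching names, if any.
network_strings() {
    strings "$1" | grep -E 'connect|socket|inet_ntoa|gethostbyname'
}

# Usage on a live host: check_libkeyutils && echo "symlink target looks normal"
```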

  3. #3
    Mario-cPanel, cPanel Staff (Join Date: Oct 2007; Location: Houston, Texas, United States; Posts: 72; cPanel Access Level: Website Owner)

    Re: cPanel, Inc. Announces Additional Internal Security Enhancements

    Quote Originally Posted by ThinIce View Post
    Regarding your article at Determine Your System's Status

    I believe for CentOS 5.9 libkeyutils-1.2.so is also a permissible file

    ls -l /lib64/libkeyutils.so.1
    lrwxrwxrwx 1 root root 18 Apr 18 2012 /lib64/libkeyutils.so.1 -> libkeyutils-1.2.so*

    rpm -qf /lib64/libkeyutils-1.2.so
    keyutils-libs-1.2-1.el5

    Do correct me if I'm wrong, please.

    We had updated the documentation shortly after posting that, thanks for noticing that!
    Mario Rodriguez
    cPanel.net
    Strategic Partner Manager
    mario@cPanel.net
    415-894-5882 / aim: cpanelmario

  4. #4
    asmar, Registered Member (Join Date: Jul 2004; Posts: 135)

    Re: cPanel, Inc. Announces Additional Internal Security Enhancements

    Is there a solution instead of re-formatting the server for this security issue? It seems it affects one of our servers too.

    strings /lib64/libkeyutils.so.1 | egrep 'connect|socket|inet_ntoa|gethostbyname'
    gethostbyname
    socket
    inet_ntoa
    connect

    This is on a CloudLinux server.

  5. #5
    Registered Member (Join Date: Mar 2010; Posts: 47; cPanel Access Level: DataCenter Provider)

    Re: cPanel, Inc. Announces Additional Internal Security Enhancements

    Quote Originally Posted by asmar View Post
    Is there a solution instead of re-formatting the server for this security issue? It seems it affects one of our servers too.

    Not recommended. Once a malicious user had access to your machine, you never know what else they did. A host I used before I started doing my own hosting was once hacked and the host claimed they cleaned up everything ... until several customers found links in their MySQL databases (for WordPress or similar) to certain undesirable parts of the internet. It was later traced to the same breach (I don't know how, I just know that they claim it was).

    Once you are compromised, the only safe thing to do is start fresh.
