cPanel Security

[198HOST]

Is this email true?

Salutations,

You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with "sudo" or "su" for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel's security team is continuing to investigate the nature of this security issue.



--cPanel Security Team

[UH-Matt]

We received it as well. Would really like *some* sort of further information around it.

[hicom]

We just got this email from cPanel:

======
Salutations,

You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with "sudo" or "su" for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel's security team is continuing to investigate the nature of this security issue.



--cPanel Security Team
========

The headers appear legit and coming from cPanel servers.

[hicom]

Are ticket logins older than 12 months affected? They don't seem to exist in cPanel support system anymore, so are these deleted? Just wondering what extense is the hack and how far back we need to go.

[prashant_ohol]

Hi Guys,

Any update on this??

I got this email too...

[Extreame]

Guys,

It is a good idea to change your SSH keys every so often anyway.

If in doubt, just change your keys and you should be ok, regardless if any SSH keys have been compromised on the cPanel server.

Good luck!

[Infopro]

Multiple threads merged on this topic.

As far as I know, this is not from cPanel. I've contacted the cPanel Security team concerning this thread.


Thanks for reporting this.

[nospa]

Code:

Return-path: <noreply@cpanel.net>
Envelope-to: xxxxxxx@xxxxxxxxxx
Delivery-date: Fri, 22 Feb 2013 01:48:37 +0100
Received: from mx1.cpanel.net ([208.74.121.68]:46936)
	by xxxxxxxxxxxxxxxxxxxxxx with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.80)
	(envelope-from <noreply@cpanel.net>)
	id 1U8goX-00020r-4G
	for xxxxxxxxxxxxxxxx; Fri, 22 Feb 2013 01:48:37 +0100
Received: from kangaroo.manage2.cpanel.net ([208.74.121.26]:35891)
	by mx1.cpanel.net with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.80)
	(envelope-from <noreply@cpanel.net>)
	id 1U8goV-0001Ht-Ca
	for xxxxxxxxxxxxxxxxxxxx; Thu, 21 Feb 2013 18:48:35 -0600
Received: from manage by kangaroo.manage2.cpanel.net with local (Exim 4.69)
	(envelope-from <noreply@cpanel.net>)
	id 1U8goV-0001hy-6L
	for xxxxxxxxxxxxxxxxxxx; Thu, 21 Feb 2013 18:48:35 -0600
Content-Disposition: inline
Content-Length: 828
Content-Transfer-Encoding: binary
Content-Type: text/plain
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.01 (F2.74; T1.20; A2.08; B3.07; Q3.07)
Date: Fri, 22 Feb 2013 00:48:35 UT
From: no-reply@cpanel.net
To: xxxxxxxxxxxxxxxxxxxx
Subject: Important Security Alert (Action Required)
Message-Id: <E1U8goV-0001hy-6L@kangaroo.manage2.cpanel.net>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mx1.cpanel.net
X-AntiAbuse: Original Domain - xxxxxxxxxxxxxxx
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - cpanel.net
X-Get-Message-Sender-Via: mx1.cpanel.net: acl_c_relayhosts_text_entry: -unknown-@cpanel.net|cpanel.net
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

are you still thinking it is not from cPanel? So how it was send by their mx servers then?

[p123]

As far as I know, this is not from cPanel.

I am quite concerned about this statement as I've received this email as well. It would be greatly appreciated if an official statement would be pubblished. I've used cPanel's support twice over the last 6 months as far as I can recall however I've always changed the password once the operation has been completed. Also I've just seen to change the main root password about 1 week ago. Do I need to be worried now?

[prashant_ohol]

Guys,

Any updates?

[actived]

we got this email too.

[tomfrog]

You missed all the fun:

SSHD Rootkit Rolling around - Web Hosting Talk

@Steven from WHT discovered a rootkit and during the research to find the entry vector cPanel sent that email. A lot of big and small companies were hacked. So, let's not flame cPanel.

Yes. cPanel will learn from this. So should each one of us. Our root password or ssh private key is our business...

The fact that cpanel was an entry point for the installation of the rootkit does not mean that other entry vectors did not exist. We've had quite a few vulnerabilities: Java, flash.

I love cPanel. And I will support cPanel. I registered today to express my support to everyone at cPanel. I owe a lot to cPanel.

It's not perfect. But it's the best control panel.

[Infopro]

Greetings,

Please accept my apologies for responding erroneously to this thread last evening. I was visiting the forums off shift and was not aware of the situation at hand other than the threads posted here, nor had I received the email myself, yet.

The email that you and I have received is now confirmed, legitimate.

As explained in that email, you need to update any of your servers passwords provided to cPanel Technical Support via the ticket system in the past 6 months, right away. This situation is still being investigated, additional information aside from that, is not available at this time.

As soon as there is additional information available, a more formal announcement will be made available to all.


Thank you.

[dxer]

It is weird message and suspicious as i don't see that cPanel posted such warning anywhere on cpanel.net.

[Infopro]

It is weird message and suspicious as i don't see that cPanel posted such warning anywhere on cpanel.net.

There will be, as soon as there is proper information to share about this.