  1. #241
    Member
    Join Date
    Feb 2003
    Posts
    205

    Default

    Quote Originally Posted by budway
    I have received the update and I think cPanel is by far the best CP in the industry.
    That's debatable

    What other CP has their owner on forums communicating with their customers?
    H-Sphere, Plesk, Ensim

    I would like to put all my deep support to cPanel team and thank them for a fast work and a Job Well Done...
    According to the news the issue was already communicated with cpanel previously. They failed to patch it when they were told to.

  2. #242
    cPanel Staff cpanelnick's Avatar
    Join Date
    Feb 2003
    Location
    Houston, TX
    Posts
    4,514

    Default

    Quote Originally Posted by MN-Robert
    That's debatable



    H-Sphere, Plesk, Ensim



    According to the news the issue was already communicated with cpanel previously. They failed to patch it when they were told to.

    We were first informed of the problem on Saturday. I'm not sure where you heard this. Any time we learn of any security issue it is always given #1 priority.

  3. #243
    Member
    Join Date
    Apr 2003
    Posts
    192

    Default

    I don't like debating other CP on cPanel forum because that's not right.

    Let's not start a flame war and keep it realistic.


    Thanks Nick for a Job well done.

  4. #244
    Member FeeL's Avatar
    Join Date
    Apr 2004
    Location
    Rio de janeiro
    Posts
    142
    cPanel/Enkompass Access Level

    Reseller Owner

    Exclamation How is that?

    Hey There,

    A lot of things here are being said, but I'd like to see some documentation that better explains the nature of the exploit.
    Of course we cannot do it as a how-to hack Cpanel, but we need some level of transparency here. "escalating privileges" and "internal access" is not enough for me.
    I guess we all use open source solutions in our servers because we can see everything that's going on (good or bad). This information is useful for us to know what's going on, and, maybe "Patch ourselves".

    Tnx,
    FeeL
    -----------
    FeeL Buarque
    SysAdmin.

  5. #245
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,093
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    For a start, this is a "privilege escalation" exploit. This isn't actually as bad as it could be, as the exploiter must have a cpanel account already in order to exploit the vulnerability. In other words, they have to sign up with your hosting company and gain an account on the server in question in order to gain access through the exploit.

  6. #246
    Member
    Join Date
    Sep 2003
    Location
    UK, Luton
    Posts
    197

    Default

    Quote Originally Posted by brianoz
    For a start, this is a "privilege escalation" exploit. This isn't actually as bad as it could be, as the exploiter must have a cpanel account already in order to exploit the vulnerability. In other words, they have to sign up with your hosting company and gain an account on the server in question in order to gain access through the exploit.
    Everyone has missed the point.

    Host gator's 200 servers were affected - Is anyone suggesting the hackers signed up to host gator and were able to gain a legitimate account on all 200 servers?

    I don’t think so
    Regards,
    James Smith
    UH Hosting Ltd

  7. #247
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,093
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by JamesSmith
    Everyone has missed the point.

    Host gator's 200 servers were affected - Is anyone suggesting the hackers signed up to host gator and were able to gain a legitimate account on all 200 servers?

    I don’t think so
    I do miss the point occasionally, but in this case I hadn't (you're forgiven though as I hadn't made that at all clear, sorry, the phone rang, you know how it is!). The fact that multiple servers were compromised doesn't mean that it couldn't have been a privilege escalation from an existing account. A knowledgeable hacker only had to explore for a while to find out how to propagate to other servers once he/she had a beachhead inside Hostgator. Perhaps someone from Hostgator could confirm/deny this, it's certainly something for the rest of us to be careful about - ie making sure it's not possible to get access to all our servers once they've broken into one.

    If it hadn't been a privilege escalation bug we would have heard from a lot more people saying they'd been hacked, and although I may have missed it I think there's been either few or none?

    My theory is that the urgency for the fix was that once a hack like that is in use by someone with an agenda other large companies will be targeted in similar fashion, not so much because hosts could have been randomly scanned and compromised.
    Last edited by brianoz; 09-29-2006 at 04:57 AM.

  8. #248
    Member
    Join Date
    Sep 2003
    Posts
    165

    Default

    People in Glass houses shouldn't throw stones.

    What is the status of the third party security review that was apparently going to happen?
    search is your friend!
    cPanel Specialist Certification::Technical

  9. #249
    Member
    Join Date
    Jan 2004
    Posts
    123

    Default

    Quote Originally Posted by brianoz
    In other words, they have to sign up with your hosting company and gain an account on the server in question in order to gain access through the exploit.
    No, actually all they need to do is bruteforce some of the comically weak passwords people set on their accounts, or lift their cpanel login details from the trojans that are already installed on their PCs, or simply use the demo account (there are still hosts with this enabled), use a hole in other software running as an unprivileged user that gains unprivileged local shell, or exploit a vulnerable script on a user's site such as phpbb to launch a bindshell or indeed execute arbitrary commands through the shell directly.

    Buying an account unfortunately is far from the only way to get access to a shared hosting box as an unprivileged user, and so a local privilege escalation bug is only a few degrees of separation away from a fully remote exploit as far as importance is concerned.

    You can reduce the risk from some of these vectors of attack on shared hosting boxes through the use of mod_security (cPanel doesn't support this out of the box), appropriate ingress and egress firewall rules (cPanel doesn't supply this as default), etc - bearing in mind this isn't offered by default by cPanel and many cPanel "administrators" never even think to apply extra security to their machines....

    You're never going to be able to cover all the bases without maiming the functionality of the server, so it's important that all parts of the puzzle in a shared hosting server are as secure as they can be, and it's high time cPanel coughed up some cash for a security auditor to vet their existing codebase if they are unwilling to open the source up or unable to do it themselves (be it time or skill constrained).

  10. #250
    Member
    Join Date
    Mar 2004
    Posts
    10

    Default

    Quote Originally Posted by davedark
    This has been confirmed and patched. Running /scripts/upcp will fix the vulnerability in all builds. Please note that this is a local exploit which requires access to a cPanel account.

    Please send information such as this to security@cpanel.net to make us aware. The first communication we received was at 2:15pm CST. If you believe you have been exploited through this vulnerability, you are welcome to submit a support request for assistance. (https://tickets.cpanel.net/submit/in...eqtype=tickets)


    Edit:updated support link

    After the upgrade to the recent cpanel version with the vuln fix,
    it seems that MYSQL (or Apache?) cannot write to the /tmp any more

    Can't create/write to file '/tmp/#sql_5b88_0.MYI

    rendering my machines faulty

    can you please verify/fix that?

  11. #251
    Member myusername's Avatar
    Join Date
    Mar 2003
    Location
    chown -R us.us *yourbase*
    Posts
    699
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default

    ooooh yes please make cPanel open source oh please oh please. That way our control panel can be plagued with script kiddies like all the scripts that it installs.
    GlowHost.com | Professional Managed Web Hosting Since 2002.
    >> Fully Managed Dedicated, Cloud VDS, Reseller & Semi-Dedicated
    >> Cloud Servers for Enterprise

  12. #252
    nat
    nat is offline
    Member
    Join Date
    Jan 2003
    Posts
    210

    Default

    Quote Originally Posted by cemper
    After the upgrade to the recent cpanel version with the vuln fix,
    it seems that MYSQL (or Apache?) cannot write to the /tmp any more

    Can't create/write to file '/tmp/#sql_5b88_0.MYI

    rendering my machines faulty

    can you please verify/fix that?
    Run...
    # dir -ald /tmp

    if it is rwxr-xr-x, set it back to 1777 (drwxrwxrwt)
    # chmod 1777 /tmp

    then restart mysql.
    # /sbin/service mysql restart
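
Added example, not part of nat's post or of cPanel's tooling: a small shell check for the /tmp mode problem described above, which also distinguishes a directory that lost world-write (the MySQL error reported here) from one that is world-writable without the sticky bit. It assumes GNU coreutils `stat`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and repair the mode of a shared temp directory.
# Assumes GNU coreutils (stat -c). Function names are hypothetical.

# Print the octal permission bits of a directory, e.g. 1777 or 755.
dir_mode() {
    stat -L -c '%a' "$1"
}

# Classify the mode of a shared temp directory:
#   ok                  mode is exactly 1777 (drwxrwxrwt)
#   not-world-writable  "other" lacks rwx; daemons such as MySQL
#                       cannot create their temporary files
#   no-sticky           world-writable without the sticky bit; any
#                       local user can delete or replace other
#                       users' temp files
#   unexpected          anything else (for example 1757)
classify_tmp_mode() {
    m=$(dir_mode "$1") || return 2
    bits=$((0$m))                      # leading 0: parse as octal
    if [ "$m" = "1777" ]; then
        echo "ok"
    elif [ $((bits & 0007)) -ne 7 ]; then
        echo "not-world-writable"
    elif [ $((bits & 01000)) -eq 0 ]; then
        echo "no-sticky"
    else
        echo "unexpected"
    fi
}

# Restore mode 1777 only when the directory is not already correct,
# and report what was changed so the fix leaves an audit trail.
fix_tmp_mode() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 2; }
    state=$(classify_tmp_mode "$dir") || return 2
    if [ "$state" = "ok" ]; then
        echo "$dir: mode already 1777, nothing to do"
        return 0
    fi
    old=$(dir_mode "$dir")
    chmod 1777 "$dir" || return 1
    echo "$dir: was $old ($state), now 1777"
}

# Usage (as root): fix_tmp_mode /tmp, then restart MySQL as in the post.
```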

  13. #253
    Member FeeL's Avatar
    Join Date
    Apr 2004
    Location
    Rio de janeiro
    Posts
    142
    cPanel/Enkompass Access Level

    Reseller Owner

    Unhappy open your eyes...

    I make mine, your words, philb.

    It's not that hard to get a Cpanel account on a server.
    We cannot minimize any security issue, especially if it makes somebody root on your server!
    Hackers needed to "signin in" to have a Cpanel account on your server is a complete naivety.
    This is a very serious thing. Of course, if even non-cPanel users could exploit it, this would be not a serious thing, but a complete mess.

    If you are a "kiddie" and want to try dumb scripts.. go ahead. As Spider-Man would say, "great power comes with great responsibility". So if you want to do the Linux path, be a good SysAdmin. If you are a lame one.. hm.. well... try Windows

    I'm still waiting for more details to know the real nature of this bug.

    Cya.
    -----------
    FeeL Buarque
    SysAdmin.

  14. #254
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,093
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by FeeL
    Hackers needed to "signin in" to have a Cpanel account on your server is a complete naivety.
    Naivety? Maybe on your server, but on my servers they either need telepathy, an external hole, or the ability to guess passwords which we ensure are secure. Good to hear some people run servers which are open to the world.

  15. #255
    Member FeeL's Avatar
    Join Date
    Apr 2004
    Location
    Rio de janeiro
    Posts
    142
    cPanel/Enkompass Access Level

    Reseller Owner

    Arrow

    Quote Originally Posted by brianoz
    Naivety? Maybe on your server, but on my servers they either need telepathy, an external hole, or the ability to guess passwords which we ensure are secure. Good to hear some people run servers which are open to the world.
    Well, reading the philb post, you'll understand what I am talking about. External hole and password guessing aren't that uncommon. Even the best sysadmin in the world cannot be 100% sure of all security aspects on a hosting / multi-user server with tons of 3rd party scripts and stuff (this last event proves that). What you CAN do is have a proactive attitude, and keep the possibility of holes smaller.
    We also have to keep in mind that "security holes" aren't only "privilege escalation" but also DDOS, SPAMs, etc..

    Well, this is becoming a "general security" discussion, but this thread is about the specific latest Cpanel Exploit.

    Can we come back to talking about it?

    Any news on this subject???

    I still think we know VERY few things about it, and this is not good!
    -----------
    FeeL Buarque
    SysAdmin.
