Major Exploit

[mchase]

Ack.. I just upgraded to CURRENT_13 earlier today when the exploit was first patched and now we're up to CURRENT_14 already. I hope (assume) the patch is applied on 14?

Edit: Apparently CURRENT_13 (that was released this afternoon after we had been told everything was fixed) didn't have the patch because when I upgraded to CURRENT_14 it said:

cPanel Layer 2 Install Complete

Patching Hooks (1)
Patching Hooks (2)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)

[nyjimbo]

Ack.. I just upgraded to CURRENT_13 earlier today when the exploit was first patched and now we're up to CURRENT_14 already. I hope (assume) the patch is applied on 14?

Edit: Apparently CURRENT_13 (that was released this afternoon after we had been told everything was fixed) didn't have the patch because when I upgraded to CURRENT_14 it said:

cPanel Layer 2 Install Complete

Patching Hooks (1)
Patching Hooks (2)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)

We went to 13 tonight and saw the same patching notes.

[mchase]

We went to 13 tonight and saw the same patching notes.

Are you on the Linux or FreeBSD tree? We're on the FBSD one, maybe that makes the difference.

[EWD]

Does anyone know any tell tales about this exploits?
Anyone know how to identify it?

There could be a lot of sitting zombies out there just waiting for the "master's" command.

[cpanelnick]

Does anyone know any tell tales about this exploits?
Anyone know how to identify it?

There could be a lot of sitting zombies out there just waiting for the "master's" command.

Here is a quick script to check. Its not fancy but should do the trick.

It will print out 'safe' or 'not safe'

[sparek-3]

I ran this on a release build and it reported not safe. Does this mean the security fix is not included in release?

[qwerty]

On latest RELEASE branch here as well and also get "not safe" ??? So has the patch been applied via upcp or not?

[xisn]

I am running WHM 10.8.0 cPanel 10.9.0-C19 and it reported safe Thanks Nick !

I ran this on a release build and it reported not safe. Does this mean the security fix is not included in release?

[dalem]

I did the same and after running upcp again it came back safe

[sparek-3]

I did the same and after running upcp again it came back safe

This does indeed appear to be the case. I'm just going on my own assumptions now, but apparently whatever the script that Nick posted checks, it was not updated in Release until just a few moments ago. Whether or not this means a "not safe" system is unpatched, I don't know. I know I did run upcp on all of our server this afternoon and they all appear to be reporting "not safe" until I rerun upcp. I suspect this is also the case for anyone running the Stable tree.

[cpanelnick]

On latest RELEASE branch here as well and also get "not safe" ??? So has the patch been applied via upcp or not?

Make sure to run upcp first. If you have a webcache on your connection you may need to clear it first.

[michaelfoo]

Hi,
Upgraded mine to C13 but I'm having issues with mailserver.

1. Squirrel mail is fine
2. Horde mail gives me this error message:

Internal Server Error

Unable to open engine binary (php) at cpsrvd-ssl.pl line 4396
main:hpHandler() called at cpsrvd-ssl.pl line 3305
main::dodoc_webmaild() called at cpsrvd-ssl.pl line 637
main::dodoc() called at cpsrvd-ssl.pl line 543

3. POP3 in Outlook Express unable to connect

Tried rebuilding exim but same problem.

Any idea?

Thanks.

[btrieve]

I am very annoyed at this problem and the lack of useful communication from cPanel. All we have is something in WHM telling us to update, no other information. I dont know about everyone else, but if there’s a security problem with the software we use to host 1000's of web sites, run our business and pay cPanel $1000's a month for the privilege, then I would like to know more information.

I would have to completely agree here. The least that could be done is a direct email to all technical contacts that have distributor/partner status with cPanel. We've had to gather a majority of our information from webhostingtalk/hostgator-forums and this thread.

[cpanelnick]

Hi,
Upgraded mine to C13 but I'm having issues with mailserver.

1. Squirrel mail is fine
2. Horde mail gives me this error message:

3. POP3 in Outlook Express unable to connect

Tried rebuilding exim but same problem.

Any idea?

Thanks.

might want to see what

ldd /usr/local/cpanel/3rdparty/bin/php

shows

[michaelfoo]

might want to see what

ldd /usr/local/cpanel/3rdparty/bin/php

shows

Good day,
Here you go:

Code:

root@host [/]# ldd /usr/local/cpanel/3rdparty/bin/php
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40020000)
        libpq.so.3 => /usr/local/cpanel/lib/libpq.so.3 (0x4004f000)
        libmysqlclient.so.14 => /usr/local/cpanel/lib/libmysqlclient.so.14 (0x40061000)
        libpam.so.0 => /lib/libpam.so.0 (0x40168000)
        libintl.so.3 => /usr/local/cpanel/lib/libintl.so.3 (0x40170000)
        libc.so.6 => /lib/tls/libc.so.6 (0x40179000)
        libpng.so.2 => /usr/local/cpanel/lib/libpng.so.2 (0x402a3000)
        libz.so.1 => /usr/local/cpanel/lib/libz.so.1 (0x402c7000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x402d6000)
        libm.so.6 => /lib/tls/libm.so.6 (0x402e9000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4030c000)
        libxml2.so.2 => /usr/local/cpanel/lib/libxml2.so.2 (0x40322000)
        libdl.so.2 => /lib/libdl.so.2 (0x4043b000)
        libaudit.so.0 => /lib/libaudit.so.0 (0x40440000)
        /lib/ld-linux.so.2 (0x40000000)
root@host [/]#

Edit: Just upgraded to C19. No luck with it as well. Anyone encountering the same problem as mine?