Results 1 to 15 of 22
  1. #1
    Member
    Join Date
    Nov 2002
    Location
    Delaware
    Posts
    67

    Default **** Possible Major Cpanel Security Flaw - All Cpanel Servers Open To Be Hacked ****

    Somehow, hackers have defaced every home page for our clients on all of our cpanel servers. Our datacenter secured all of the servers and they have a high rate of success at this so there may possibly be a vulnerability within Cpanel that can allow hackers to change every main web page.

    Here is a client domain which has been hacked.

    http://all-about-pregnancy.com/

    regards,
    Chris

  2. #2
    Member
    Join Date
    Mar 2003
    Posts
    863

    Default

    You running Kernel 2.4.18-14? I can see why you were rooted. You should be up to Kernel 2.4.18-27.7.x and anything less than this is very VULN to root exploits. Not necessarily a cPanel exploit. You should look into upgrading your Kernel first then clean up your box. Hopefully it's fixable but unlikely.
    Last edited by sexy_guy; 05-07-2003 at 02:18 PM.

  3. #3
    Member
    Join Date
    Oct 2002
    Posts
    751

    Default

    How do you know this is a CPanel security issue though?
    Were you running secure kernels on all your servers, was all other software up to date?

    How did the datacenter 'secure' your servers?

  4. #4
    Member
    Join Date
    Mar 2003
    Posts
    863

    Default

    Originally posted by jamesbond
    How do you know this is a CPanel security issue though?
    Were you running secure kernels on all your servers, was all other software up to date?

    How did the datacenter 'secure' your servers?
    If you go to this site you will see the version of the Kernel he's running, Kernel 2.4.18-14. It's displayed very prominently on the site for all to see. HINT HINT! Why do you think they displayed it? Insecure kernel exploit is what this is. And if you have questions how about emailing the guy.

  5. #5
    Member
    Join Date
    Oct 2002
    Posts
    751

    Default

    Originally posted by sexy_guy
    If you go to this site you will see the version of the Kernel he's running, Kernel 2.4.18-14. It's displayed very prominently on the site for all to see. HINT HINT! Why do you think they displayed it? Insecure kernel exploit is what this is. And if you have questions how about emailing the guy.
    Calm down sexy_guy, you get worked up so easily in almost every thread I see you posting.
    I didn't see your post until I submitted mine, if I had then I wouldn't have posted in this thread, since you already looked into it.

    And why would I have to e-mail him if I have questions.
    Is this a new policy on this forum:
    Got any questions? Don't post, e-mail instead!

  6. #6
    Member
    Join Date
    Nov 2002
    Location
    Delaware
    Posts
    67

    Default

    The post was only to make people aware of the issue.

    Spammers were getting email through formmail but the hackers or whomever replaced every home page didn't get into the server to do this.

    This server just did go online so it's just luck I guess that they found a way to get to the server.

    Regards,
    Chris

  7. #7
    Member
    Join Date
    Mar 2003
    Posts
    863

    Default

    Originally posted by jamesbond
    And why would I have to e-mail him if I have questions.
    Is this a new policy on this forum:
    Got any questions? Don't post, e-mail instead!
    I'm not worked up at all, I was stating what I saw. I didn't ask you to email anyone. I said if the site owner, the one who got hacked emailed the hacker at the email listed on the hacked site then usually he will tell you how he got root.

  8. #8
    Member
    Join Date
    Mar 2003
    Posts
    863

    Default

    Originally posted by sitehostz
    The post was only to make people aware of the issue.

    Spammers were getting email through formmail but the hackers or whomever replaced every home page didn't get into the server to do this.

    This server just did go online so it's just luck I guess that they found a way to get to the server.

    Regards,
    Chris
    Why don't you email him? He will tell you exactly how he got in.

    You should probably consider installing tripwire as well, on a clean box that is.
    Last edited by sexy_guy; 05-07-2003 at 02:44 PM.

  9. #9
    Member
    Join Date
    Oct 2002
    Posts
    751

    Default

    Originally posted by sexy_guy
    I'm not worked up at all, I was stating what I saw. I didn't ask you to email anyone. I said if the site owner, the one who got hacked emailed the hacker at the email listed on the hacked site then usually he will tell you how he got root.
    Well since you quoted my post I assumed you were talking to me. My apologies

  10. #10
    Member
    Join Date
    Mar 2003
    Posts
    863

    Default

    Originally posted by jamesbond
    Well since you quoted my post I assumed you were talking to me. My apologies
    I quoted you by accident, I'm sorry too.

  11. #11
    Member
    Join Date
    Sep 2001
    Posts
    189

    Default

    Originally posted by sitehostz
    The post was only to make people aware of the issue.

    Spammers were getting email through formmail but the hackers or whomever replaced every home page didn't get into the server to do this.

    This server just did go online so it's just luck I guess that they found a way to get to the server.

    Regards,
    Chris
    If your kernel is <2.4.20 with ptrace patch, your server can be hacked as 1-2-3. It is easy to do!
    Alex Andreyev,
    http://www.WHost.INFO - NEW web hosting directory.

  12. #12
    Member
    Join Date
    Nov 2002
    Location
    Delaware
    Posts
    67

    Default

    Well, I hope they had fun advertising... I guess the joke was on us this time...

    http://www.zone-h.org/en/defacements/view/id=260770/

    http://www.zone-h.org/en/defacements

    The images used on our defaced clients' web sites came from there.
    http://www.zone-h.org/defaced/2003/0...co.uk/w00t.jpg
    Last edited by sitehostz; 05-08-2003 at 01:10 AM.

  13. #13
    Member
    Join Date
    Sep 2001
    Posts
    189

    Default

    If they defaced you, they have a backdoor to your server under ROOT! Check it out twice!
    Alex Andreyev,
    http://www.WHost.INFO - NEW web hosting directory.

  14. #14
    Member WeMasterz5's Avatar
    Join Date
    Feb 2003
    Location
    Miami
    Posts
    361

    Default

    quick question here

    (sorry for your problems)


    question...is there a way from shell to see the kernel ver running on the server?

  15. #15
    Member
    Join Date
    Oct 2002
    Posts
    751

    Default

    uname -a
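
The kernel check discussed in posts #2 and #15, as an added example that is not part of the original thread: it compares a kernel release string (by default the output of `uname -r`) against a minimum release and reports whether the host is below it. The function names are hypothetical, the default floor is the release named in post #2, and GNU `sort -V` is assumed for the version ordering.

```shell
#!/bin/sh
# Added example: flag a running kernel that is older than a required floor.

# kernel_is_older RELEASE FLOOR
# Returns 0 when RELEASE sorts strictly before FLOOR in version order.
kernel_is_older() {
    _rel=$1
    _floor=$2
    # Identical strings are "at the floor", not older.
    [ "$_rel" = "$_floor" ] && return 1
    # sort -V orders numeric fields numerically, so 2.4.18-14 < 2.4.18-27.
    _lowest=$(printf '%s\n%s\n' "$_rel" "$_floor" | sort -V | head -n 1)
    [ "$_lowest" = "$_rel" ]
}

# check_kernel [RELEASE] [FLOOR]
# RELEASE defaults to the running kernel; FLOOR defaults to the release
# named in post #2 (an assumption; use your vendor's current errata).
check_kernel() {
    rel=${1:-$(uname -r)}
    floor=${2:-2.4.18-27.7.x}
    if kernel_is_older "$rel" "$floor"; then
        echo "OUTDATED: $rel is older than $floor"
        return 1
    fi
    echo "OK: $rel is at or above $floor"
}

# Constructed sample releases, followed by the host this script runs on.
for sample in 2.4.18-14 2.4.18-27.7.x 2.4.20-8; do
    check_kernel "$sample" || true
done
check_kernel || true
```

`uname -r` reports the kernel that is currently booted, so a patched kernel package that has been installed without a reboot still shows the old release here.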
