
cPanel Security

Discussion in 'Security' started by 198HOST, Feb 21, 2013.

  1. 198HOST

    198HOST New Member

    Joined:
    Jan 12, 2013
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Is this email true?

    Salutations,

    You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with "sudo" or "su" for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

    As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel's security team is continuing to investigate the nature of this security issue.



    --cPanel Security Team
     
  2. UH-Matt

    UH-Matt New Member

    Joined:
    Oct 21, 2009
    Messages:
    25
    Likes Received:
    0
    Trophy Points:
    1
    We received it as well. Would really like *some* sort of further information around it.
     
  3. hicom

    hicom Member

    Joined:
    May 23, 2003
    Messages:
    256
    Likes Received:
    0
    Trophy Points:
    16
    cPanel support system hacked?

    We just got this email from cPanel:

    ======
    Salutations,

    You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with "sudo" or "su" for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

    As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel's security team is continuing to investigate the nature of this security issue.



    --cPanel Security Team
    ========

    The headers appear legit and appear to be coming from cPanel servers.
     
  4. hicom

    hicom Member

    Joined:
    May 23, 2003
    Messages:
    256
    Likes Received:
    0
    Trophy Points:
    16
    Re: cPanel support system hacked?

    Are ticket logins older than 12 months affected? They don't seem to exist in the cPanel support system anymore, so are these deleted? Just wondering what the extent of the hack is and how far back we need to go.
     
  5. prashant_ohol

    prashant_ohol Member

    Joined:
    Nov 22, 2004
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    Re: cPanel support system hacked?

    Hi Guys,

    Any update on this??

    I got this email too...
     
  6. Extreame

    Extreame New Member

    Joined:
    Apr 23, 2012
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Re: cPanel support system hacked?

    Guys,

    It is a good idea to change your SSH keys every so often anyway.

    If in doubt, just change your keys and you should be ok, regardless of whether any SSH keys have been compromised on the cPanel server.

    Good luck!

    :)
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    12,122
    Likes Received:
    32
    Trophy Points:
    48
    Location:
    Pennsylvania
    Multiple threads merged on this topic.

    As far as I know, this is not from cPanel. I've contacted the cPanel Security team concerning this thread.


    Thanks for reporting this.
     
  8. nospa

    nospa Member

    Joined:
    Apr 23, 2012
    Messages:
    108
    Likes Received:
    0
    Trophy Points:
    16
    Code:
    Return-path: <noreply@cpanel.net>
    Envelope-to: xxxxxxx@xxxxxxxxxx
    Delivery-date: Fri, 22 Feb 2013 01:48:37 +0100
    Received: from mx1.cpanel.net ([208.74.121.68]:46936)
    	by xxxxxxxxxxxxxxxxxxxxxx with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
    	(Exim 4.80)
    	(envelope-from <noreply@cpanel.net>)
    	id 1U8goX-00020r-4G
    	for xxxxxxxxxxxxxxxx; Fri, 22 Feb 2013 01:48:37 +0100
    Received: from kangaroo.manage2.cpanel.net ([208.74.121.26]:35891)
    	by mx1.cpanel.net with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
    	(Exim 4.80)
    	(envelope-from <noreply@cpanel.net>)
    	id 1U8goV-0001Ht-Ca
    	for xxxxxxxxxxxxxxxxxxxx; Thu, 21 Feb 2013 18:48:35 -0600
    Received: from manage by kangaroo.manage2.cpanel.net with local (Exim 4.69)
    	(envelope-from <noreply@cpanel.net>)
    	id 1U8goV-0001hy-6L
    	for xxxxxxxxxxxxxxxxxxx; Thu, 21 Feb 2013 18:48:35 -0600
    Content-Disposition: inline
    Content-Length: 828
    Content-Transfer-Encoding: binary
    Content-Type: text/plain
    MIME-Version: 1.0
    X-Mailer: MIME::Lite 3.01 (F2.74; T1.20; A2.08; B3.07; Q3.07)
    Date: Fri, 22 Feb 2013 00:48:35 UT
    From: no-reply@cpanel.net
    To: xxxxxxxxxxxxxxxxxxxx
    Subject: Important Security Alert (Action Required)
    Message-Id: <E1U8goV-0001hy-6L@kangaroo.manage2.cpanel.net>
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - mx1.cpanel.net
    X-AntiAbuse: Original Domain - xxxxxxxxxxxxxxx
    X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
    X-AntiAbuse: Sender Address Domain - cpanel.net
    X-Get-Message-Sender-Via: mx1.cpanel.net: acl_c_relayhosts_text_entry: -unknown-@cpanel.net|cpanel.net
    X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
    
    Are you still thinking it is not from cPanel? So how was it sent by their MX servers then?
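
Added example, not part of any post in this thread: the header check the post above argues from, as a script run over that post's Received chain (trimmed). The redacted recipient fields are filled with constructed placeholders, and `parse_hops` and `analyse` are hypothetical helper names.

```python
import re
from email import message_from_string

# Received chain from the post above, trimmed; the redacted recipient fields
# are filled with constructed placeholders (mail.example.org, user@example.org).
RAW = """\
Received: from mx1.cpanel.net ([208.74.121.68]:46936)
\tby mail.example.org with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
\tid 1U8goX-00020r-4G
\tfor user@example.org; Fri, 22 Feb 2013 01:48:37 +0100
Received: from kangaroo.manage2.cpanel.net ([208.74.121.26]:35891)
\tby mx1.cpanel.net with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
\tid 1U8goV-0001Ht-Ca
\tfor user@example.org; Thu, 21 Feb 2013 18:48:35 -0600
Received: from manage by kangaroo.manage2.cpanel.net with local (Exim 4.69)
\tid 1U8goV-0001hy-6L
\tfor user@example.org; Thu, 21 Feb 2013 18:48:35 -0600
"""

HOP = re.compile(r"from (\S+)(?: \(\[([0-9a-fA-F.:]+)\]:\d+\))? by (\S+) with (\S+)")

def parse_hops(raw):
    """Return Received hops, newest first, as dicts: from, ip, by, proto."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(dict(zip(("from", "ip", "by", "proto"), m.groups())))
    return hops

def analyse(raw, my_mta, expected_domain):
    """Return (IP our own MTA recorded, list of findings about the chain)."""
    hops, findings = parse_hops(raw), []
    if not hops:
        return None, ["no Received headers parsed"]
    top = hops[0]
    # Only the newest hop is written by a server we control; older ones are sender-supplied.
    if top["by"] != my_mta:
        findings.append("newest hop was not stamped by our MTA")
    if not (top["from"] == expected_domain or top["from"].endswith("." + expected_domain)):
        findings.append(f"connecting host {top['from']} is outside {expected_domain}")
    # Each older hop should hand off to the host the next-newer hop received from.
    for newer, older in zip(hops, hops[1:]):
        if older["by"] != newer["from"]:
            findings.append(f"gap: {older['by']} -> {newer['from']}")
    return top["ip"], findings
```

The IP returned is the one the receiving server itself logged, so it is the value to compare against the sender domain's published SPF and MX records; the hops below it were written by the sending side.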
     
  9. p123

    p123 New Member

    Joined:
    Aug 20, 2011
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Bangkok
    I am quite concerned about this statement as I've received this email as well. It would be greatly appreciated if an official statement would be published. I've used cPanel's support twice over the last 6 months as far as I can recall; however, I've always changed the password once the operation has been completed. Also I've just seen to change the main root password about 1 week ago. Do I need to be worried now?
     
  10. prashant_ohol

    prashant_ohol Member

    Joined:
    Nov 22, 2004
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    Guys,

    Any updates?
     
  11. actived

    actived Member

    Joined:
    Mar 30, 2012
    Messages:
    46
    Likes Received:
    0
    Trophy Points:
    6
    We got this email too.
     
  12. tomfrog

    tomfrog New Member

    Joined:
    Feb 22, 2013
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    You missed all the fun:

    SSHD Rootkit Rolling around - Web Hosting Talk

    @Steven from WHT discovered a rootkit and during the research to find the entry vector cPanel sent that email. A lot of big and small companies were hacked. So, let's not flame cPanel.

    Yes. cPanel will learn from this. So should each one of us. Our root password or ssh private key is our business...

    The fact that cPanel was an entry point for the installation of the rootkit does not mean that other entry vectors did not exist. We've had quite a few vulnerabilities: Java, Flash.

    I love cPanel. And I will support cPanel. I registered today to express my support to everyone at cPanel. I owe a lot to cPanel.

    It's not perfect. But it's the best control panel.
     
  13. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    12,122
    Likes Received:
    32
    Trophy Points:
    48
    Location:
    Pennsylvania
    Greetings,

    Please accept my apologies for responding erroneously to this thread last evening. I was visiting the forums off shift and was not aware of the situation at hand other than the threads posted here, nor had I received the email myself, yet.

    The email that you and I have received is now confirmed, legitimate.

    As explained in that email, you need to update any of your servers' passwords provided to cPanel Technical Support via the ticket system in the past 6 months, right away. This situation is still being investigated; additional information aside from that is not available at this time.

    As soon as there is additional information available, a more formal announcement will be made available to all.


    Thank you.
     
  14. dxer

    dxer Member

    Joined:
    Sep 9, 2002
    Messages:
    287
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Europe
    It is a weird and suspicious message, as I don't see that cPanel posted such a warning anywhere on cpanel.net.
     
  15. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    12,122
    Likes Received:
    32
    Trophy Points:
    48
    Location:
    Pennsylvania
    There will be, as soon as there is proper information to share about this.
     
  16. prashant_ohol

    prashant_ohol Member

    Joined:
    Nov 22, 2004
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    Guys,

    Any recent update on this?
     
  17. ruzbehraja

    ruzbehraja Member

    Joined:
    May 19, 2011
    Messages:
    333
    Likes Received:
    0
    Trophy Points:
    16
    - link removed -

    That thread should give you the latest information.
     
    #17 ruzbehraja, Feb 26, 2013
    Last edited by a moderator: Feb 26, 2013
  18. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    12,122
    Likes Received:
    32
    Trophy Points:
    48
    Location:
    Pennsylvania
    This is incorrect. The two matters are not related as far as I know.

    News will be posted soon. Thanks.
     
