cPanel Security

We received it as well. Would really like *some* sort of further information around it.

 

cPanel support system hacked?

We just got this email from cPanel:

======
Salutations,

You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with "sudo" or "su" for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel's security team is continuing to investigate the nature of this security issue.



--cPanel Security Team
========

The headers appear legit and coming from cPanel servers.

 

Re: cPanel support system hacked?

Are ticket logins older than 12 months affected? They don't seem to exist in cPanel support system anymore, so are these deleted? Just wondering what extense is the hack and how far back we need to go.

 

Re: cPanel support system hacked?

Hi Guys,

Any update on this??

I got this email too...

 

Re: cPanel support system hacked?

Guys,

It is a good idea to change your SSH keys every so often anyway.

If in doubt, just change your keys and you should be ok, regardless if any SSH keys have been compromised on the cPanel server.

Good luck!

 

Code:

Return-path: <noreply@cpanel.net>
Envelope-to: xxxxxxx@xxxxxxxxxx
Delivery-date: Fri, 22 Feb 2013 01:48:37 +0100
Received: from mx1.cpanel.net ([208.74.121.68]:46936)
	by xxxxxxxxxxxxxxxxxxxxxx with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.80)
	(envelope-from <noreply@cpanel.net>)
	id 1U8goX-00020r-4G
	for xxxxxxxxxxxxxxxx; Fri, 22 Feb 2013 01:48:37 +0100
Received: from kangaroo.manage2.cpanel.net ([208.74.121.26]:35891)
	by mx1.cpanel.net with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.80)
	(envelope-from <noreply@cpanel.net>)
	id 1U8goV-0001Ht-Ca
	for xxxxxxxxxxxxxxxxxxxx; Thu, 21 Feb 2013 18:48:35 -0600
Received: from manage by kangaroo.manage2.cpanel.net with local (Exim 4.69)
	(envelope-from <noreply@cpanel.net>)
	id 1U8goV-0001hy-6L
	for xxxxxxxxxxxxxxxxxxx; Thu, 21 Feb 2013 18:48:35 -0600
Content-Disposition: inline
Content-Length: 828
Content-Transfer-Encoding: binary
Content-Type: text/plain
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.01 (F2.74; T1.20; A2.08; B3.07; Q3.07)
Date: Fri, 22 Feb 2013 00:48:35 UT
From: no-reply@cpanel.net
To: xxxxxxxxxxxxxxxxxxxx
Subject: Important Security Alert (Action Required)
Message-Id: <E1U8goV-0001hy-6L@kangaroo.manage2.cpanel.net>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mx1.cpanel.net
X-AntiAbuse: Original Domain - xxxxxxxxxxxxxxx
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - cpanel.net
X-Get-Message-Sender-Via: mx1.cpanel.net: acl_c_relayhosts_text_entry: -unknown-@cpanel.net|cpanel.net
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus

are you still thinking it is not from cPanel? So how it was send by their mx servers then?

 

I am quite concerned about this statement as I've received this email as well. It would be greatly appreciated if an official statement would be pubblished. I've used cPanel's support twice over the last 6 months as far as I can recall however I've always changed the password once the operation has been completed. Also I've just seen to change the main root password about 1 week ago. Do I need to be worried now?

 

Guys,

Any updates?

 

we got this email too.

 

You missed all the fun:

SSHD Rootkit Rolling around - Web Hosting Talk

@Steven from WHT discovered a rootkit and during the research to find the entry vector cPanel sent that email. A lot of big and small companies were hacked. So, let's not flame cPanel.

Yes. cPanel will learn from this. So should each one of us. Our root password or ssh private key is our business...

The fact that cpanel was an entry point for the installation of the rootkit does not mean that other entry vectors did not exist. We've had quite a few vulnerabilities: Java, flash.

I love cPanel. And I will support cPanel. I registered today to express my support to everyone at cPanel. I owe a lot to cPanel.

It's not perfect. But it's the best control panel.

 

It is weird message and suspicious as i don't see that cPanel posted such warning anywhere on cpanel.net.

 

Guys,

Any recent update on this?

 

- link removed -

That thread should give you the latest information.