198HOST (Registered, Jan 12, 2013; cPanel Access Level: Root Administrator)
Is this email true?

Salutations,

You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with "sudo" or "su" for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel's security team is continuing to investigate the nature of this security issue.



--cPanel Security Team
 

UH-Matt (Active Member, Oct 21, 2009)
We received it as well. Would really like *some* sort of further information around it.
 

hicom (Well-Known Member, May 23, 2003)
cPanel support system hacked?

We just got this email from cPanel:

======
Salutations,

You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with "sudo" or "su" for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel's security team is continuing to investigate the nature of this security issue.



--cPanel Security Team
======

The headers appear legit and to be coming from cPanel servers.
 

hicom (Well-Known Member, May 23, 2003)
Re: cPanel support system hacked?

Are ticket logins older than 12 months affected? They don't seem to exist in the cPanel support system anymore, so were these deleted? Just wondering what the extent of the hack is and how far back we need to go.
 

Extreame (Registered, Apr 23, 2012; cPanel Access Level: Root Administrator)
Re: cPanel support system hacked?

Guys,

It is a good idea to change your SSH keys every so often anyway.

If in doubt, just change your keys and you should be OK, regardless of whether any SSH keys have been compromised on the cPanel server.

Good luck!

:)
 

nospa (Well-Known Member, Apr 23, 2012; cPanel Access Level: Reseller Owner)
Code:
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Fri, 22 Feb 2013 01:48:37 +0100
Received: from mx1.cpanel.net ([208.74.121.68]:46936)
	by xxxxxxxxxxxxxxxxxxxxxx with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.80)
	(envelope-from <[email protected]>)
	id 1U8goX-00020r-4G
	for xxxxxxxxxxxxxxxx; Fri, 22 Feb 2013 01:48:37 +0100
Received: from kangaroo.manage2.cpanel.net ([208.74.121.26]:35891)
	by mx1.cpanel.net with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
	(Exim 4.80)
	(envelope-from <[email protected]>)
	id 1U8goV-0001Ht-Ca
	for xxxxxxxxxxxxxxxxxxxx; Thu, 21 Feb 2013 18:48:35 -0600
Received: from manage by kangaroo.manage2.cpanel.net with local (Exim 4.69)
	(envelope-from <[email protected]>)
	id 1U8goV-0001hy-6L
	for xxxxxxxxxxxxxxxxxxx; Thu, 21 Feb 2013 18:48:35 -0600
Content-Disposition: inline
Content-Length: 828
Content-Transfer-Encoding: binary
Content-Type: text/plain
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.01 (F2.74; T1.20; A2.08; B3.07; Q3.07)
Date: Fri, 22 Feb 2013 00:48:35 UT
From: [email protected]
To: xxxxxxxxxxxxxxxxxxxx
Subject: Important Security Alert (Action Required)
Message-Id: <[email protected]>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - mx1.cpanel.net
X-AntiAbuse: Original Domain - xxxxxxxxxxxxxxx
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - cpanel.net
X-Get-Message-Sender-Via: mx1.cpanel.net: acl_c_relayhosts_text_entry: [email protected]|cpanel.net
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
Are you still thinking it is not from cPanel? So how was it sent by their MX servers then?
 
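As an added illustration of what the Received chain in nospa's post does and does not prove (example code, not from the thread or from cPanel): the snippet below unfolds those headers, checks that each hop hands off to the next, that timestamps run forward, and that every sender-side relay is under cpanel.net. The envelope-from lines are omitted and the recipient fields stay masked as the poster left them; the one hop a reader can actually rely on is the outermost, written by their own MX.

```python
import re
from email.utils import parsedate_to_datetime

# Received chain from the post above, newest hop first as in the raw message; the poster's
# masked recipient fields are kept, the envelope-from lines are omitted for brevity.
RAW_HEADERS = (
    "Received: from mx1.cpanel.net ([208.74.121.68]:46936)\n"
    "\tby xxxxxxxxxxxxxxxxxxxxxx with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)\n"
    "\t(Exim 4.80) id 1U8goX-00020r-4G\n"
    "\tfor xxxxxxxxxxxxxxxx; Fri, 22 Feb 2013 01:48:37 +0100\n"
    "Received: from kangaroo.manage2.cpanel.net ([208.74.121.26]:35891)\n"
    "\tby mx1.cpanel.net with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)\n"
    "\t(Exim 4.80) id 1U8goV-0001Ht-Ca\n"
    "\tfor xxxxxxxxxxxxxxxxxxxx; Thu, 21 Feb 2013 18:48:35 -0600\n"
    "Received: from manage by kangaroo.manage2.cpanel.net with local (Exim 4.69)\n"
    "\tid 1U8goV-0001hy-6L\n"
    "\tfor xxxxxxxxxxxxxxxxxxx; Thu, 21 Feb 2013 18:48:35 -0600\n"
)
# "from <host> ([ip]:port)? by <host> with <proto>"; the ip group is absent on local hops.
HOP_RE = re.compile(r"from (\S+)(?: \(\[([\d.]+)\](?::\d+)?\))? by (\S+) with (\S+)")

def parse_received(raw):
    """Unfold the headers and return the hops oldest-first as dicts."""
    unfolded = re.sub(r"\n[ \t]+", " ", raw)
    hops = []
    for line in unfolded.splitlines():
        if line.startswith("Received:"):
            m = HOP_RE.search(line)
            when = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3),
                         "proto": m.group(4), "time": when})
    return hops[::-1]  # each MTA prepends its line, so reverse for chronological order

def check_chain(hops, sender_domain):
    """Return findings about the self-reported chain; an empty list means it is consistent."""
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        if cur["from"] != prev["by"]:
            findings.append(f"gap: {prev['by']} handed off, but next hop claims from {cur['from']}")
        if cur["time"] < prev["time"]:
            findings.append(f"clock runs backwards between {prev['by']} and {cur['by']}")
    for hop in hops[:-1]:  # the last 'by' is the reader's own MX, not the sender's relay
        if not hop["by"].endswith("." + sender_domain):
            findings.append(f"relay {hop['by']} is outside {sender_domain}")
    return findings

def trusted_ingress(hops):
    """Only the newest hop was written by the reader's own MX; everything older is a claim."""
    return hops[-1]["from"], hops[-1]["ip"]
```

A consistent chain only shows that the headers were not sloppily forged; the fact that carries weight is the connecting host and IP your own MX recorded in the outermost hop.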

p123 (Member, Aug 20, 2011; Bangkok)
As far as I know, this is not from cPanel.
I am quite concerned about this statement, as I've received this email as well. It would be greatly appreciated if an official statement were published. I've used cPanel's support twice over the last 6 months as far as I can recall; however, I've always changed the password once the operation was completed. Also, I've just seen to changing the main root password about 1 week ago. Do I need to be worried now?
 

tomfrog (Registered, Feb 22, 2013; cPanel Access Level: Root Administrator)
You missed all the fun:

SSHD Rootkit Rolling around - Web Hosting Talk

@Steven from WHT discovered a rootkit and, during the research to find the entry vector, cPanel sent that email. A lot of big and small companies were hacked. So, let's not flame cPanel.

Yes. cPanel will learn from this. So should each one of us. Our root password or ssh private key is our business...

The fact that cPanel was an entry point for the installation of the rootkit does not mean that other entry vectors did not exist. We've had quite a few vulnerabilities: Java, Flash.

I love cPanel. And I will support cPanel. I registered today to express my support to everyone at cPanel. I owe a lot to cPanel.

It's not perfect. But it's the best control panel.
 

Infopro (Well-Known Member, May 20, 2003; Pennsylvania; cPanel Access Level: Root Administrator)
Greetings,

Please accept my apologies for responding erroneously to this thread last evening. I was visiting the forums off shift and was not aware of the situation at hand other than the threads posted here, nor had I received the email myself, yet.

The email that you and I have received is now confirmed legitimate.

As explained in that email, you need to update any of your servers' passwords provided to cPanel Technical Support via the ticket system in the past 6 months, right away. This situation is still being investigated; additional information aside from that is not available at this time.

As soon as there is additional information available, a more formal announcement will be made available to all.


Thank you.
 

dxer (Well-Known Member, Sep 9, 2002; Europe)
It is a weird and suspicious message, as I don't see that cPanel posted such a warning anywhere on cpanel.net.