
Cpanel Step57 Exploit

Discussion in 'General Discussion' started by jenlepp, Apr 4, 2006.

  1. jenlepp

    jenlepp Well-Known Member

    I just had a site report that they were hit by the Step57 exploit:

    http://step57.info/exploits/Spaiz_Step57.txt

    And I can find relatively little information on the exploit, or security surrounding it. I am using cPanel's internal backup. Most of the info that I can find seems to suggest that it's injected via PHP files with permissions of 777, but I'm running PHPSuExec and that seems to not have been enough of a security deterrent.

    Has anyone been hit with this, or does anyone have any tips or tricks to keep it from happening, other than dropping the use of cPanel's backup?
     
  2. rs-freddo

    rs-freddo Well-Known Member

    If you're running phpsuexec then php files chmod'ded 777 will give an internal server error.
     
  3. jackie46

    jackie46 BANNED

    Don't even know what this is since your link fails.
     
  4. jamesbond

    jamesbond Well-Known Member

    Just type the website URL in your browser or search for the exploit in Google. It was released on March the 19th. The exploit extracts passwords from backups.
     
  5. chirpy

    chirpy Well-Known Member

    The proper link is here:

    http://www.step57.info/exploits/CPanel_Step57.txt

    However, I fail to see how it's much of an exploit:

    1. The client's site needs to be compromised to get the script uploaded (i.e. have a vulnerable php/CGI app installed)

    2. It'll only reveal the encrypted password of the account compromised since cPanel backup files are chmod 600

    3. The revealed password is still encrypted and so will still need to be cracked using brute-force

    4. It'll only work on servers where phpsuexec is enabled

    5. If php suexec is enabled, there's no need to go through all the trouble with accessing backup files as the encrypted password is easily accessible anyway

    Lessons:

    1. Have hard-to-decrypt passwords

    2. Blame yourself for having vulnerable scripts on your site in the first place

    Feel free to CMIIAW
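
Added example, not part of any post in this thread: a permission audit for one account's home directory covering the two conditions the posts mention, PHP files writable by group or other (such as 777) and backup archives that are not owner-only (600). The function names and the `backup-*.tar.gz` file-name pattern are assumptions made for this sketch; adjust the pattern to match how backups are named on your server.

```shell
# Added example: permission audit for a single account's home directory.
# Uses only POSIX find predicates, so it runs under sh or bash.
# Assumption: backup archives match backup-*.tar.gz (edit BACKUP_GLOB if not).
BACKUP_GLOB='backup-*.tar.gz'

# Prints one finding per line: "<KIND> <path>".
audit_perms() {
    # PHP scripts with the group-write or other-write bit set (777, 775, 666...).
    find "$1" -type f -name '*.php' \
        \( -perm -0020 -o -perm -0002 \) -print | sed 's/^/WRITABLE_PHP /'

    # Backup archives with any group/other permission bit set,
    # i.e. anything looser than owner-only modes such as 600.
    find "$1" -type f -name "$BACKUP_GLOB" \
        \( -perm -0040 -o -perm -0020 -o -perm -0010 \
           -o -perm -0004 -o -perm -0002 -o -perm -0001 \) -print \
        | sed 's/^/LOOSE_BACKUP /'
}

# Echoes the number of findings under the given directory.
count_findings() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# When called with a directory argument, print the findings for it.
if [ -n "${1:-}" ]; then
    audit_perms "$1"
fi
```

Run it per account (for example against one user's home directory) and review every line it prints; an empty result means neither condition was found under that path.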
     