mass defacement

[alex.bogatu]

Hello!
My name is Alex Bogatu and i am an system engineer. I have in my administration a cPanel server with almost 1300 sites hosted. A couple a days ago this server was the target of an mass defacement attack and there were almost 1000 sites affected. The attacker apparently replaced the content of each site with his own index.html. This attacker name is Islamic Ghost Team and zone-h.com is saying that there were 30000 sites affected in just 3 or 4 days.

The big problem is that i detected that the attacker changed the root password on my server. So he, somehow, uploaded a privilege escalation script or something like that. My question is: is there some vulnerability in cPanel not yet made public? Or is there someone who got the same problem. I read on google that this is not the first time those guys crack sites.

I have version 11.36.1 (build 6).

Thanks

 

[cPanelMichael]

Hello

It's always recommended to reinstall the OS if your server was rooted. It's a good idea to consult with a qualified system administrator or security specialist if your system has been exploited and you have little experience with security. Some companies list their services for this in the cPanel application catalog:

cPanel Application Catalog - System Administration Services

There are also several threads on this forum with users asking similar questions that should be helpful to you. If you are concerned that a vulnerability exists in cPanel that allowed this to happen, you should open a support ticket via:

Submit A Ticket

Thank you.

 

[alex.bogatu]

The attack was a mass defacement. There are no rootkits on the system. I wanted to know if there are vulnerabilities known in the last stable version of cpanel. This attack affected 30000 sites from multiple countries. My opinion is that this attack is an exploit based on a vulnerability in cpanel. I wanted to know if someone else had this problem. I know it was a similar attack in 2011

 

[nospa]

Just verify cpanel access_logs to find if someone executed any command using WHM or cPanel user account.

 

[alex.bogatu]

I already done that. I searched every possible log file. There is no trace. But...the fact that he hacked so many sites (almost 1000 just on my server)....is not possible to be a cpanel vulnerability not yet reported?

 

[LDHosting]

The big problem is that i detected that the attacker changed the root password on my server. So he, somehow, uploaded a privilege escalation script or something like that.

You really will need to reinstall that server and restore the accounts from backups, if they have had root, that server cannot be trusted.

There have been a few kernel exploits recently, were you running an up to date kernel? Have you restored any cPanel backups recently?

 

[alex.bogatu]

My kernel version is 2.6.32-220.13.1.el6.x86_64 running on Red Hat Enterprise Linux Server release 6.2 (Santiago).

No restore was made recently. The only exploit i know is this one Linux Kernel CVE-2013-2094 Local Privilege Escalation Vulnerability

Thank you

 

[Infopro]

My kernel version is 2.6.32-220.13.1.el6.x86_64 running on Red Hat Enterprise Linux Server release 6.2 (Santiago).
...

Thank you

Redhat:
kernel-2.6.32-220.13.1.el6.src.rpm
File outdated by: RHSA-2013:0830

The Red Hat Security Response Team has rated this update as having important security impact.

CentOS:
This package is obsolete. Try find newer kernel-devel