
Possible 0-day vulnerability being exploited

Discussion in 'Security' started by andy.dills, Nov 20, 2010.

  1. andy.dills
    I started getting some emails from our cpanel server, indicating syslogd and exim were failing.

    When I logged into the server, I noticed strong indications of a misapplied rootkit. When I ran ps, top, ls, netstat, md5sum, etc., I get "ELF binary type 0 not known". But not for everything, just certain typically rootkitted binaries.

    See, we run cpanel on FreeBSD 8. That message is typical of trying to run a linux binary in that environment. Somebody applied a Linux rootkit to our FreeBSD cpanel box. This makes me suspect that the actual vulnerability is not OS-specific, or they wouldn't have been using the wrong rootkit.

    Investigating further confirmed my suspicions; the files were the wrong size and owned by the wrong UID.

    Unfortunately, I did not have time to do much in the way of forensics; I restored from backup to get our users back online.

    Looking through the system, post "restore over top" (and not to a clean drive), I'm seeing this:

    cpanel# find / -uid 102
    /lib/libsh.so/shhk
    /lib/libsh.so/shhk.pub
    /lib/libsh.so/shrs
    /sbin/ttyload
    /sbin/ttymon
    /usr/lib/libsh/.bashrc
    /usr/lib/libsh/.sniff/shsniff
    /usr/lib/libsh/.sniff/shp
    /usr/lib/libsh/shsb
    /usr/lib/libsh/hide

    We have cPanel update nightly. It was running 11.28.42 at the time of the attack; I ran a manual update afterward and it's now on 11.28.45 (but nothing in the changelog indicates anything noteworthy).

    I'm going to look into it further, but I wanted to get this out there ASAP, because my gut feeling is there is a new 0-day being exploited.
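The two symptoms in the post above are cheap to check mechanically: "ELF binary type 0 not known" is the FreeBSD kernel refusing a binary whose ELF OS/ABI brand is 0 (SYSV, the brand most Linux builds carry), and `find / -uid 102` turned up files owned by a UID that has no business owning anything under /sbin or /lib. The script below is an added example, not code from the thread or from cPanel. It assumes the host is FreeBSD, so native binaries are branded ELFOSABI_FREEBSD (9); it treats the paths from the post's find output as indicators; and it builds its own constructed sample files (an ELF header stub, not a runnable program) so it can run offline. On a live host you would call `scan()` over the real system directories instead.

```python
#!/usr/bin/env python3
"""Triage for a suspected foreign (Linux) rootkit dropped onto a FreeBSD host.

Three signals per file: owner UID differs from the expected one, the path
matches an indicator from the post's find output, or the ELF brand byte is
not native to this host.  Added example; assumptions are noted inline.
"""
import os
import stat
import tempfile
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"
EI_OSABI = 7          # index of the OS/ABI byte inside e_ident
E_IDENT_SIZE = 16

# EI_OSABI values from the ELF specification (gABI, OS/ABI identification).
OSABI_NAMES = {0: "UNIX System V / unbranded", 3: "GNU/Linux", 9: "FreeBSD", 12: "OpenBSD"}
NATIVE_OSABI = frozenset({9})   # assumption: the host is FreeBSD

# Paths copied from the original post's `find / -uid 102` output.
INDICATOR_PATHS = frozenset({
    "/lib/libsh.so/shhk", "/lib/libsh.so/shhk.pub", "/lib/libsh.so/shrs",
    "/sbin/ttyload", "/sbin/ttymon",
    "/usr/lib/libsh/.bashrc", "/usr/lib/libsh/.sniff/shsniff",
    "/usr/lib/libsh/.sniff/shp", "/usr/lib/libsh/shsb", "/usr/lib/libsh/hide",
})


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def elf_osabi(header: bytes):
    """Return the EI_OSABI byte of an ELF file header, or None if it is not ELF."""
    if len(header) < E_IDENT_SIZE or header[:4] != ELF_MAGIC:
        return None
    return header[EI_OSABI]


def is_indicator_path(path: str) -> bool:
    """True when the normalised path is one of the indicator paths above."""
    return os.path.normpath(path) in INDICATOR_PATHS


def owner_uid(path: str) -> int:
    return os.stat(path).st_uid


def triage_file(path: str, expected_uid: int = 0, native=NATIVE_OSABI) -> Finding:
    """Check one file for the three signals and collect the reasons it looks wrong."""
    finding = Finding(path)
    st = os.stat(path)
    if st.st_uid != expected_uid:
        finding.reasons.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if is_indicator_path(path):
        finding.reasons.append("path matches an indicator from the post")
    if stat.S_ISREG(st.st_mode):           # only regular files have an ELF header
        with open(path, "rb") as fh:
            osabi = elf_osabi(fh.read(E_IDENT_SIZE))
        if osabi is not None and osabi not in native:
            name = OSABI_NAMES.get(osabi, "unknown")
            finding.reasons.append(f"ELF brand {osabi} ({name}) is not native to this host")
    return finding


def scan(paths, expected_uid: int = 0):
    """Return only the files that produced at least one reason."""
    return [f for f in (triage_file(p, expected_uid) for p in paths) if f.reasons]


def make_elf_header(osabi: int) -> bytes:
    """Constructed sample: a 64-byte ELF64 header stub with the given brand (not a valid program)."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, osabi, 0]) + b"\x00" * 7   # class 64, LSB, version 1
    return e_ident + b"\x00" * 48


def build_sample(directory: str = None) -> dict:
    """Write constructed files: a native 'ls', an unbranded (Linux-style) 'ps', a shell script."""
    if directory is None:
        directory = tempfile.mkdtemp(prefix="triage-")
    paths = {name: os.path.join(directory, name) for name in ("ls", "ps", "rc.sh")}
    with open(paths["ls"], "wb") as fh:
        fh.write(make_elf_header(9))
    with open(paths["ps"], "wb") as fh:
        fh.write(make_elf_header(0))
    with open(paths["rc.sh"], "wb") as fh:
        fh.write(b"#!/bin/sh\necho ok\n")
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample(tmp)
        for f in scan(sample.values(), expected_uid=owner_uid(sample["ls"])):
            print(f.path, "->", "; ".join(f.reasons))
```

The brand check is the one that maps directly onto the error message: a file that the kernel rejects with "ELF binary type 0 not known" will show brand 0 here, and running it over /bin, /sbin, /usr/bin and /usr/sbin on a restored-over-the-top system will list exactly the replaced tools. It is a triage aid, not proof of a clean system; a rootkit compiled for FreeBSD would pass the brand check, so the UID and path checks, and comparison against a known-good backup, still matter.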
     
  2. syslint
    Someone is using the ssh sniffer. There is a chance to make it harmful, because the OpenSSH protocol is the same for BSD and Linux. And it is not a kernel-related exploit either.
     
  3. andy.dills
    By ssh sniffer, I'm assuming you mean a man-in-the-middle attack? Because I'm not aware of any recent ssh protocol vulnerabilities that we could have somehow been subject to.

    Regarding "MITM attacks", I do not believe that is how they gained access to the server, as we only have a handful of people hosted on the cPanel server, and none access their account via ssh. Plus, that would then require them to get root locally once they compromised a user account, which would in turn require them understanding it was a FreeBSD server (and would require them exploiting a bug which is currently unpublished), all of which is contraindicated by the use of a Linux rootkit.

    I understand there is no evidence at this point as to where the vulnerability is...all I know is I run a datacenter with countless FreeBSD servers, and none of those got hacked. Just the one running cpanel.
     