The Community Forums

Possible 0-day vulnerability being exploited

Discussion in 'Security' started by andy.dills, Nov 20, 2010.

  1. andy.dills

    andy.dills Registered

    Joined:
    Nov 20, 2010
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    I started getting some emails from our cpanel server, indicating syslogd and exim were failing.

    When I logged into the server, I noticed strong indications of a misapplied root kit. When I ran ps, top, ls, netstat, md5sum, etc., I get "ELF binary type 0 not known". But not for everything, just certain typically rootkitted binaries.

    See, we run cpanel on FreeBSD 8. That message is typical of trying to run a linux binary in that environment. Somebody applied a Linux rootkit to our FreeBSD cpanel box. This makes me suspect that the actual vulnerability is not OS-specific, or they wouldn't have been using the wrong rootkit.

    Investigating further confirmed my suspicions; the files were the wrong size and owned by the wrong UID.

    Unfortunately, I did not have time to do much in the way of forensics; I restored from backup to get our users back online.

    Looking through the system, post "restore over top" (and not to a clean drive), I'm seeing this:

    cpanel# find / -uid 102
    /lib/libsh.so/shhk
    /lib/libsh.so/shhk.pub
    /lib/libsh.so/shrs
    /sbin/ttyload
    /sbin/ttymon
    /usr/lib/libsh/.bashrc
    /usr/lib/libsh/.sniff/shsniff
    /usr/lib/libsh/.sniff/shp
    /usr/lib/libsh/shsb
    /usr/lib/libsh/hide

    We have cpanel update nightly. It was running 11.28.42 at the time of the attack; I ran a manual update afterward and it's now on 11.28.45 (but nothing in the changelog indicates anything noteworthy).

    I'm going to look into it further, but I wanted to get this out there ASAP, because my gut feeling is there is a new 0-day being exploited.
     
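    The two indicators the post above relies on (a Linux-branded ELF dropped over a FreeBSD system binary, which the FreeBSD kernel rejects with "ELF binary type 0 not known", and system files owned by an unexpected UID) can both be checked without executing anything. The following script is an added example, not code from the thread or from cPanel. It reads only the ELF identification bytes (EI_OSABI at offset 7) and the owning UID; the sample entries are constructed inline, and the helper names (elf_osabi, audit_binary, audit_all, audit_path) are this example's own. FreeBSD brands its binaries with EI_OSABI 9, so anything else in /bin, /sbin or /usr/bin on a FreeBSD host deserves a look; treat the check as a triage aid, since a rootkit that ships correctly branded FreeBSD binaries would pass it.

```python
import os
from typing import List, NamedTuple, Optional

ELF_MAGIC = b"\x7fELF"
EI_OSABI_OFFSET = 7          # e_ident[EI_OSABI] in the ELF header
OSABI_FREEBSD = 9            # ELFOSABI_FREEBSD, what FreeBSD brands its binaries with
# Common EI_OSABI values from the ELF specification
OSABI_NAMES = {0: "SYSV/none", 3: "GNU/Linux", 9: "FreeBSD"}


class Finding(NamedTuple):
    path: str
    reason: str


def elf_osabi(data: bytes) -> Optional[int]:
    """Return the EI_OSABI byte of an ELF image, or None if data is not ELF."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        return None
    return data[EI_OSABI_OFFSET]


def audit_binary(path: str, ident: bytes, uid: int, expected_uid: int = 0) -> List[Finding]:
    """Flag a system binary whose ELF brand or owner is not what a FreeBSD base install would have."""
    findings = []
    osabi = elf_osabi(ident)
    if osabi is None:
        findings.append(Finding(path, "not an ELF image"))
    elif osabi != OSABI_FREEBSD:
        name = OSABI_NAMES.get(osabi, "unknown")
        findings.append(Finding(path, f"ELF OS/ABI {osabi} ({name}); expected FreeBSD ({OSABI_FREEBSD})"))
    if uid != expected_uid:
        findings.append(Finding(path, f"owned by uid {uid}; expected uid {expected_uid}"))
    return findings


def audit_all(entries) -> List[Finding]:
    """Run audit_binary over (path, ident_bytes, uid) tuples and collect every finding."""
    findings = []
    for path, ident, uid in entries:
        findings.extend(audit_binary(path, ident, uid))
    return findings


def audit_path(path: str) -> List[Finding]:
    """Live variant: read the first 16 bytes and the owner of a real file on disk."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        ident = fh.read(16)
    return audit_binary(path, ident, st.st_uid)


def make_elf_ident(osabi: int) -> bytes:
    """Constructed 16-byte e_ident: magic, 64-bit, little-endian, version 1, given OS/ABI."""
    return ELF_MAGIC + bytes([2, 1, 1, osabi, 0]) + b"\x00" * 7


# Constructed sample inventory modelled on the symptoms in the post: two rootkitted
# binaries branded for Linux and owned by uid 102, two untouched FreeBSD binaries.
SAMPLE_FILES = [
    ("/bin/ps", make_elf_ident(0), 102),       # SYSV brand -> "ELF binary type 0 not known"
    ("/usr/bin/netstat", make_elf_ident(3), 102),
    ("/bin/ls", make_elf_ident(OSABI_FREEBSD), 0),
    ("/bin/sh", make_elf_ident(OSABI_FREEBSD), 0),
]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_FILES):
        print(f"{f.path}: {f.reason}")
```

On a real host, walk /bin, /sbin, /usr/bin and /usr/sbin with audit_path and compare against a known-good package manifest rather than trusting the installed binaries' own checksums, since md5sum itself was among the replaced tools in this incident.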
  2. syslint

    syslint Well-Known Member

    Joined:
    Oct 9, 2006
    Messages:
    249
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Someone is using the SSH sniffer. There is a chance to make it harmful, because the OpenSSH protocol is the same for BSD and Linux. And it is not a kernel-related exploit either.
     
  3. andy.dills

    andy.dills Registered

    Joined:
    Nov 20, 2010
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    By ssh sniffer, I'm assuming you mean a man-in-the-middle attack? Because I'm not aware of any recent ssh protocol vulnerabilities that we could have somehow been subject to.

    Regarding "mitm attacks", I do not believe that is how they gained access to the server, as we only have a handful of people hosted on the cpanel server, and none access their account via ssh. Plus, that would then require them to get root locally once they compromised a user account, which would in turn require them understanding it was a FreeBSD server (and would require them exploiting a bug which is currently unpublished), all of which is contra-indicated by the use of a linux rootkit.

    I understand there is no evidence at this point as to where the vulnerability is... all I know is I run a datacenter with countless FreeBSD servers, and none of those got hacked. Just the one running cpanel.
     