**** Possible Major Cpanel Security Flaw - All Cpanel Servers Open To Be Hacked ****

Discussion in 'Security' started by sitehostz, May 7, 2003.

  1. sitehostz (Well-Known Member, joined Nov 30, 2002, Delaware)

    Somehow, hackers have defaced every home page for our clients on all of our Cpanel servers. Our datacenter secured all of the servers and they have a high rate of success at this, so there may possibly be a vulnerability within Cpanel that can allow hackers to change every main web page.

    Here is a client domain which has been hacked.

    http://all-about-pregnancy.com/

    regards,
    Chris
     
  2. sexy_guy (Well-Known Member, joined Mar 19, 2003)

    You're running kernel 2.4.18-14? I can see why you were rooted. You should be up to kernel 2.4.18-27.7.x, and anything less than this is very VULN to root exploits. Not necessarily a cPanel exploit. You should look into upgrading your kernel first, then clean up your box. Hopefully it's fixable, but unlikely.
     
    #2 sexy_guy, May 7, 2003
    Last edited: May 7, 2003
  3. jamesbond (Well-Known Member, joined Oct 9, 2002)

    How do you know this is a CPanel security issue, though?
    Were you running secure kernels on all your servers, and was all other software up to date?

    How did the datacenter 'secure' your servers?
     
  4. sexy_guy (Well-Known Member, joined Mar 19, 2003)

    If you go to this site you will see the version of the kernel he's running, kernel 2.4.18-14. It's displayed very prominently on the site for all to see. HINT HINT! Why do you think they displayed it? An insecure kernel exploit is what this is. And if you have questions, how about emailing the guy.
     
  5. jamesbond (Well-Known Member, joined Oct 9, 2002)

    Calm down sexy_guy, you get worked up so easily in almost every thread I see you posting in. :rolleyes:
    I didn't see your post until I submitted mine; if I had, I wouldn't have posted in this thread, since you already looked into it.

    And why would I have to e-mail him if I have questions?
    Is this a new policy on this forum:
    Got any questions? Don't post, e-mail instead!
     
  6. sitehostz (Well-Known Member, joined Nov 30, 2002, Delaware)

    The post was only to make people aware of the issue.

    Spammers were getting email through formmail, but the hackers or whoever replaced every home page didn't get into the server to do this.

    This server just went online, so it's just luck, I guess, that they found a way to get to the server.

    Regards,
    Chris
     
  7. sexy_guy (Well-Known Member, joined Mar 19, 2003)

    I'm not worked up at all, I was stating what I saw. I didn't ask you to email anyone. I said if the site owner, the one who got hacked, emailed the hacker at the email listed on the hacked site, then usually he will tell you how he got root. :rolleyes:
     
  8. sexy_guy (Well-Known Member, joined Mar 19, 2003)

    Why don't you email him? He will tell you exactly how he got in.

    You should probably consider installing Tripwire as well, on a clean box that is.
     
    #8 sexy_guy, May 7, 2003
    Last edited: May 7, 2003
  9. jamesbond (Well-Known Member, joined Oct 9, 2002)

    Well, since you quoted my post I assumed you were talking to me. My apologies :)
     
  10. sexy_guy (Well-Known Member, joined Mar 19, 2003)

    I quoted you by accident, I'm sorry too.
     
  11. H2Hosting.com (Well-Known Member, joined Sep 4, 2001)

    If your kernel is <2.4.20 with the ptrace patch, your server can be hacked as easy as 1-2-3 ;) It is easy to do!
     
  12. sitehostz (Well-Known Member, joined Nov 30, 2002, Delaware)

    #12 sitehostz, May 8, 2003
    Last edited: May 8, 2003
  13. H2Hosting.com (Well-Known Member, joined Sep 4, 2001)

    If they defaced you, they have a backdoor to your server under ROOT! Check it out twice!
     
  14. WeMasterz5 (Well-Known Member, joined Feb 24, 2003, Miami)

    Quick question here

    (sorry for your problems)

    Question... is there a way from the shell to see the kernel version running on the server?
     
  15. jamesbond (Well-Known Member, joined Oct 9, 2002)

  16. WeMasterz5 (Well-Known Member, joined Feb 24, 2003, Miami)

    root@bliss [/]# uname -a
    Linux bliss.###.net 2.4.18-27.8.0 #1 Fri Mar 14 07:36:43 EST 2003 i686 athlon i386 GNU/Linux

    thanks
     
  17. Radio_Head (Well-Known Member, joined Feb 15, 2002)

    Cpanel is not secure and that's for sure (still, the users will not be chrooted and everyone will be able to play around on the server;
    Cpanel cannot be considered safe).

    However, why are you talking about a Cpanel exploit?

    Checklist:
    1) Were you providing the Cpanel demo?
    (a lot of hackers start from there...)
    2) Or did you have a kernel which was not updated?
    3) Were you regularly using Red Hat Network to update
    your packages, or did you have some not-updated package?
    4) Were you providing SSH for your clients?
    5) Were you running a firewall to make the hacker's life harder?
    6) Were you providing PHP with safe mode off?

    Did you run chkrootkit? Results?
    How many 0:0 values do you have in your /etc/passwd?
     
    #17 Radio_Head, May 8, 2003
    Last edited: May 9, 2003
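    WeMasterz5's uname question above and the "0:0" count in Radio_Head's checklist, combined into one script as an added example that is not code from any poster. The 2.4.18-27.7 baseline is taken from sexy_guy's post and is an assumption, not a vendor statement; the passwd file is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the thread: the kernel-version and UID-0 checks
# the posters suggest, as shell functions. The baseline 2.4.18-27.7 comes from
# sexy_guy's post above and is an assumption, not a vendor statement.

# Constructed sample passwd file with a second UID-0 account slipped in.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0::/:/bin/bash
chris:x:500:500:Chris:/home/chris:/bin/bash'

# extra_uid0 FILE: print every UID-0 account other than root, one per line
# (the "0:0" entries Radio_Head asks about); prints nothing on a clean box.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# kernel_release "UNAME_A_OUTPUT": the release field, third word of uname -a.
kernel_release() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# release_at_least REL MIN: exit 0 when REL >= MIN, comparing numeric components
# split on '.' and '-' in turn (2.4.18-27.8.0 >= 2.4.18-27.7, 2.4.18-14 is not).
release_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
            if (p != q) exit (p < q)
        }
        exit 0
    }'
}

# audit_box PASSWD_FILE "UNAME_A_OUTPUT" MIN_RELEASE: report both checks and
# return 1 if either fails. Live use: audit_box /etc/passwd "$(uname -a)" 2.4.18-27.7
audit_box() {
    bad=0
    extra=$(extra_uid0 "$1" | tr '\n' ' ')
    [ -n "$extra" ] && { echo "WARNING: extra UID-0 accounts: $extra"; bad=1; }
    rel=$(kernel_release "$2")
    if release_at_least "$rel" "$3"; then
        echo "kernel $rel is at or above $3"
    else
        echo "WARNING: kernel $rel is below $3, upgrade first"; bad=1
    fi
    return $bad
}
```

    To try it on the sample, write SAMPLE_PASSWD to a temporary file and pass that file plus a captured uname -a line to audit_box; it flags the "toor" account and passes the 2.4.18-27.8.0 release.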
  18. H2Hosting.com (Well-Known Member, joined Sep 4, 2001)

    Oops. Upgrade kernel ASAP! Any server user can hack your server and get ROOT access! Also check your /tmp directory, search for the yabb 1.4.1 forum, locate the directory with the name "...", locate backdoor.php, install the chkroot package, etc.

    ......300% that hackers still have control over your server!
     
  19. Angel78 (Well-Known Member, joined May 9, 2002)

    2.4.18-27.8.0 and 2.4.18-27.7.7.x are vulnerable?
     
  20. H2Hosting.com (Well-Known Member, joined Sep 4, 2001)

    I think - YES, you are in trouble. Upgrade your kernel ASAP!
     