**** Possible Major Cpanel Security Flaw - All Cpanel Servers Open To Be Hacked ****

sitehostz

Well-Known Member
Nov 30, 2002
66
0
156
Delaware
Somehow, hackers have defaced every home page for our clients on all of our Cpanel servers. Our datacenter secured all of the servers and they have a high rate of success at this, so there may possibly be a vulnerability within Cpanel that can allow hackers to change every main web page.

Here is a client domain which has been hacked.

http://all-about-pregnancy.com/

regards,
Chris
 

sexy_guy

Well-Known Member
Mar 19, 2003
847
0
166
You running Kernel 2.4.18-14? I can see why you were rooted. You should be up to Kernel 2.4.18-27.7.x and anything less than this is very VULN to root exploits. Not necessarily a cPanel exploit. You should look into upgrading your Kernel first, then clean up your box. Hopefully it's fixable, but unlikely.
 

jamesbond

Well-Known Member
Oct 9, 2002
737
1
168
How do you know this is a CPanel security issue though?
Were you running secure kernels on all your servers, was all other software up to date?

How did the datacenter 'secure' your servers?
 

sexy_guy

Well-Known Member
Mar 19, 2003
847
0
166
Originally posted by jamesbond
How do you know this is a CPanel security issue though?
Were you running secure kernels on all your servers, was all other software up to date?

How did the datacenter 'secure' your servers?
If you go to this site you will see the version of the Kernel he's running, Kernel 2.4.18-14. It's displayed very prominently on the site for all to see. HINT HINT! Why do you think they displayed it? Insecure kernel exploit is what this is. And if you have questions, how about emailing the guy.
 

jamesbond

Well-Known Member
Oct 9, 2002
737
1
168
Originally posted by sexy_guy
If you go to this site you will see the version of the Kernel he's running, Kernel 2.4.18-14. It's displayed very prominently on the site for all to see. HINT HINT! Why do you think they displayed it? Insecure kernel exploit is what this is. And if you have questions, how about emailing the guy.
Calm down sexy_guy, you get worked up so easily in almost every thread I see you posting. :rolleyes:
I didn't see your post until I submitted mine, if I had then I wouldn't have posted in this thread, since you already looked into it.

And why would I have to e-mail him if I have questions?
Is this a new policy on this forum:
Got any questions? Don't post, e-mail instead!
 

sitehostz

Well-Known Member
Nov 30, 2002
66
0
156
Delaware
The post was only to make people aware of the issue.

Spammers were getting email through formmail but the hackers or whomever replaced every home page didn't get into the server to do this.

This server just went online, so it's just luck I guess that they found a way to get to the server.

Regards,
Chris
 

sexy_guy

Well-Known Member
Mar 19, 2003
847
0
166
Originally posted by jamesbond
And why would I have to e-mail him if I have questions?
Is this a new policy on this forum:
Got any questions? Don't post, e-mail instead!
I'm not worked up at all, I was stating what I saw. I didn't ask you to email anyone. I said if the site owner, the one who got hacked, emailed the hacker at the email listed on the hacked site, then usually he will tell you how he got root. :rolleyes:
 

sexy_guy

Well-Known Member
Mar 19, 2003
847
0
166
Originally posted by sitehostz
The post was only to make people aware of the issue.

Spammers were getting email through formmail but the hackers or whomever replaced every home page didn't get into the server to do this.

This server just went online, so it's just luck I guess that they found a way to get to the server.

Regards,
Chris
Why don't you email him? He will tell you exactly how he got in.

You should probably consider installing tripwire as well, on a clean box that is.
 

jamesbond

Well-Known Member
Oct 9, 2002
737
1
168
Originally posted by sexy_guy
I'm not worked up at all, I was stating what I saw. I didn't ask you to email anyone. I said if the site owner, the one who got hacked, emailed the hacker at the email listed on the hacked site, then usually he will tell you how he got root. :rolleyes:
Well since you quoted my post I assumed you were talking to me. My apologies :)
 

H2Hosting.com

Well-Known Member
Sep 4, 2001
192
0
316
Originally posted by sitehostz
The post was only to make people aware of the issue.

Spammers were getting email through formmail but the hackers or whomever replaced every home page didn't get into the server to do this.

This server just went online, so it's just luck I guess that they found a way to get to the server.

Regards,
Chris
If your kernel is <2.4.20 with ptrace patch, your server can be hacked as easy as 1-2-3 ;) It is easy to do!
 

WeMasterz5

Well-Known Member
Feb 24, 2003
360
0
166
Miami
Quick question here.

(Sorry for your problems.)

Question: is there a way from shell to see the kernel version running on the server?
 

Radio_Head

Well-Known Member
Verified Vendor
Feb 15, 2002
2,048
1
343
Cpanel is not secure and that's for sure (the users will still not be chrooted and everyone will be able to play around on the server;
Cpanel cannot be considered safe),

however why are you talking about a Cpanel exploit?

checklist
1) Were you providing a Cpanel demo?
(a lot of hackers start from there...)
2) Or did you have a kernel which was not updated?
3) Were you regularly using Red Hat Network to update
your packages, or did you have some not-updated package?
4) Were you providing SSH for your clients?
5) Were you running a firewall to make the hacker's life harder?
6) Were you providing PHP with safe mode off?


Did you run chkrootkit? Results?
How many 0:0 values do you have in your /etc/passwd?
 

H2Hosting.com

Well-Known Member
Sep 4, 2001
192
0
316
Originally posted by WeMasterz5
[email protected] [/]# uname -a
Linux bliss.###.net 2.4.18-27.8.0 #1 Fri Mar 14 07:36:43 EST 2003 i686 athlon i386 GNU/Linux



thanks
Oops. Upgrade kernel ASAP! Any server user can hack your server and get ROOT access! Also check your /tmp directory, search for the yabb 1.4.1 forum, locate the directory with name "...", locate backdoor.php, install the chkrootkit package etc.

300% that hackers still have control over your server!
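The checks suggested across the thread (WeMasterz5's question about seeing the kernel version from a shell, Radio_Head's "how many 0:0 values do you have in your /etc/passwd", and H2Hosting.com's advice to look for a "..." directory and backdoor.php under /tmp) can be scripted into one quick triage pass. The script below is an added example and is not code from any poster or from cPanel; the sample passwd entries, the sample /tmp tree and the mktemp working directory are constructed so it runs offline, and the function names (kernel_release, uid0_accounts, dot_named_entries, named_webshells, finding_count, triage_report, demo_setup) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: a small post-compromise triage
# script performing the checks the posts above suggest (kernel version,
# extra UID-0 accounts in a passwd file, dot-named hiding directories and a
# backdoor.php under a tmp tree). With no arguments it runs against
# constructed sample data; pass real paths (e.g. /etc/passwd /tmp) to sweep
# a live box. Running it on a box you suspect only tells you what is there;
# reinstalling, as the thread says, is the actual fix.

# Kernel release string, the part of `uname -a` that shows the patch level.
kernel_release() {
    uname -r
}

# Every account name in a passwd-format file whose UID field is 0.
# $1 = path to the passwd file. Anything besides root is a finding.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Entries under $1 whose basename is three or more dots (e.g. "..."),
# the hiding-place name mentioned in the thread.
dot_named_entries() {
    find "$1" -mindepth 1 -name '.*' 2>/dev/null | awk -F/ '$NF ~ /^\.\.\.+$/'
}

# Files under $1 named backdoor.php (case-insensitive), as mentioned above.
named_webshells() {
    find "$1" -type f -iname 'backdoor.php' 2>/dev/null
}

# Total number of findings for a passwd file ($1) and a directory tree ($2).
finding_count() {
    extra_root=$(uid0_accounts "$1" | grep -vc '^root$' || true)
    dots=$(dot_named_entries "$2" | wc -l | tr -d ' ')
    shells=$(named_webshells "$2" | wc -l | tr -d ' ')
    echo $((extra_root + dots + shells))
}

# Human-readable report; always exits 0 so it can be piped or logged.
triage_report() {
    echo "kernel release: $(kernel_release)"
    echo "UID 0 accounts: $(uid0_accounts "$1" | tr '\n' ' ')"
    dot_named_entries "$2" | sed 's/^/dot-named entry: /'
    named_webshells "$2" | sed 's/^/webshell name: /'
    echo "findings: $(finding_count "$1" "$2")"
}

# Constructed sample data so the script runs offline: a passwd file with a
# planted second UID-0 account ("toor") and a tmp tree with a "..." directory
# holding backdoor.php. Prints the sample directory path.
demo_setup() {
    d=$(mktemp -d)
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'bin:x:1:1:bin:/bin:/sbin/nologin' \
        'user1:x:500:500::/home/user1:/bin/bash' \
        'toor:x:0:0::/root:/bin/bash' > "$d/passwd"
    mkdir -p "$d/tmp/.../x" "$d/tmp/legit"
    : > "$d/tmp/.../backdoor.php"
    echo "$d"
}

# No arguments: run against the constructed sample and clean it up.
# Otherwise $1 is the passwd file and $2 the directory to sweep.
if [ $# -eq 0 ]; then
    sample=$(demo_setup)
    triage_report "$sample/passwd" "$sample/tmp"
    rm -rf "$sample"
else
    triage_report "$1" "${2:-/tmp}"
fi
```

On the constructed sample the report lists two UID 0 accounts (root and toor), one dot-named entry and one backdoor.php, for three findings. A clean box should show exactly one UID 0 account and nothing else; a name-based sweep like this only catches what the thread describes, so an empty report is not proof the box is clean.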