**** Possible Major Cpanel Security Flaw - All Cpanel Servers Open To Be Hacked ****

sitehostz

Well-Known Member
Nov 30, 2002
66
0
156
Delaware
Somehow, Hackers have defaced every home pge for our clients on all of our cpanel servers. Our dataceter secured all of the servers and they have a high rate of success at this so there may possibly be a vulnerability within Cpanel that can allow hackers to change every main web page..

Here is a client domain which has been hacked.

http://all-about-pregnancy.com/

regards,
Chris
 

sexy_guy

Well-Known Member
Mar 19, 2003
848
0
166
You running Kernel 2.4.18-14? I can see why you were rooted. You should be up to Kernel 2.4.18-27.7.x and anything less then this is very VULN to root exploits. Not necessarily a cPanel exploit. You should look into upgrading your Kernel first then clean up your box. Hopefully its fixable but unlikely.
 
Last edited:

jamesbond

Well-Known Member
Oct 9, 2002
738
1
168
How do you know this is a CPanel security issue though?
Were you running secure kernels on all your servers, was all other software up to date?

How did the datacenter 'secure' your servers?
 

sexy_guy

Well-Known Member
Mar 19, 2003
848
0
166
Originally posted by jamesbond
How do you know this is a CPanel security issue though?
Were you running secure kernels on all your servers, was all other software up to date?

How did the datacenter 'secure' your servers?
If you go to this site you will see the version of the Kernel his running, Kernel 2.4.18-14. Its displayed very prominently on the site for all to see. HINT HINT! Why do you think they displayed it? Insecure kernel exploit is what this is. And if you have questions howabout emailing the guy.
 

jamesbond

Well-Known Member
Oct 9, 2002
738
1
168
Originally posted by sexy_guy
If you go to this site you will see the version of the Kernel his running, Kernel 2.4.18-14. Its displayed very prominently on the site for all to see. HINT HINT! Why do you think they displayed it? Insecure kernel exploit is what this is. And if you have questions howabout emailing the guy.
Calm down sexy_guy, you get worked up so easily in almost every thread I see you posting. :rolleyes:
I didn't see your post until I submitted mine, if I had then I wouldn't have posted in this thread, since you already looked into it.

And why would I have to e-mail him if I have questions.
Is this a new policy on this forum :
Got any questions? Don't post , e-mail instead!
 

sitehostz

Well-Known Member
Nov 30, 2002
66
0
156
Delaware
The post was only to make people aware of the issue.

Spammers were getting email through formmail but the hackers or whomever replaced every home page didn't get into the server to do this.

This server just did go online so it's just luck I guess that they found a way get to the server.

Regards,
Chris
 

sexy_guy

Well-Known Member
Mar 19, 2003
848
0
166
Originally posted by jamesbond
And why would I have to e-mail him if I have questions.
Is this a new policy on this forum :
Got any questions? Don't post , e-mail instead!
Im not worked up at all, i was stating what i saw. I didnt ask you to email anyone. I said if the site owner, the one who got hacked emailed the hacker at the email listed on the hacked site then usually he will tell you how he got root. :rolleyes:
 

sexy_guy

Well-Known Member
Mar 19, 2003
848
0
166
Originally posted by sitehostz
The post was only to make people aware of the issue.

Spammers were getting email through formmail but the hackers or whomever replaced every home page didn't get into the server to do this.

This server just did go online so it's just luck I guess that they found a way get to the server.

Regards,
Chris
What dont you email him? He will tell you exactly how he got in.

You should probably consider installing tripwire as well, on a clean box that is.
 
Last edited:

jamesbond

Well-Known Member
Oct 9, 2002
738
1
168
Originally posted by sexy_guy
Im not worked up at all, i was stating what i saw. I didnt ask you to email anyone. I said if the site owner, the one who got hacked emailed the hacker at the email listed on the hacked site then usually he will tell you how he got root. :rolleyes:
Well since you quoted my post I assumed you were talking to me. My apologies :)
 

H2Hosting.com

Well-Known Member
Sep 4, 2001
192
0
316
Originally posted by sitehostz
The post was only to make people aware of the issue.

Spammers were getting email through formmail but the hackers or whomever replaced every home page didn't get into the server to do this.

This server just did go online so it's just luck I guess that they found a way get to the server.

Regards,
Chris
If your kernel <2.4.20 with ptrace patch, your server can be hacked as 1-2-3 ;) It is easy to do!
 

WeMasterz5

Well-Known Member
Feb 24, 2003
361
0
166
Miami
quick question here

(sorry for your problems)


question...is there a way from shell to see the kernal ver running on the server?
 

Radio_Head

Well-Known Member
Verifed Vendor
Feb 15, 2002
2,051
1
343
Cpanel is not secure and it's sure (still the users will not be chrooted and everyone will be able to play around the server
Cpanel cannot be considered safe),

however why are you talking about a Cpanel exploit ?

checklist
1) did you was providing Cpanel Demo ?
(a lot of hackers start from there...)
2) Or you did you have a kernel which was not updated ?
3) Was you regularly using red hat network to update
your packages , or you had some notupdated package?
4) Was you providing SSH for your clients ?
5) Was you running a firewall to make the hacker life harder ?
6) Was you providing php with php safe mode off ?


Did you run chkrootkit ? Results ?
how many 0:0 values do you have on your /etc/passwd ?
 
Last edited:

H2Hosting.com

Well-Known Member
Sep 4, 2001
192
0
316
Originally posted by WeMasterz5
[email protected] [/]# uname -a
Linux bliss.###.net 2.4.18-27.8.0 #1 Fri Mar 14 07:36:43 EST 2003 i686 athlon i386 GNU/Linux



thanks
oops. Uprade kernel ASAP! Any server user can hack your server and get ROOT access! Also check your /tmp directory, search yabb 1.4.1 forum, locate directory with name "...", locate backdoor.php, install chkroot package etc

......300% that hackers still have control over your server!