Security Issue of unknown cause

rodxxx

Registered
Jul 4, 2010
Hi there,
I just wanted to inform you of, or get some information on, how this can be possible:

Recently my own server has been 'attacked' by some bots from various domains:

/http://l1.fancytech.com/cgi-sys/defaultwebpage.cgi
/http://ve01.venezuelahosting.com/cgi-sys/defaultwebpage.cgi
/http://root.thecpanel.com/cgi-sys/defaultwebpage.cgi
/http://174.123.155.226/cgi-sys/defaultwebpage.cgi

All these domains have one thing in common: they are all running cPanel.

It is very likely that those systems have been hacked and are used as relays to attack other systems.

As I don't know anything about cPanel and its flaws or possible user-based flaws, I just want to state that there is a possible security risk within the cPanel software allowing attackers to gain unwanted access.

thank you
 

WiredTree Joe

Well-Known Member
Dec 13, 2006
Chicago, IL
There is no security risk with cPanel... at least not right now!

cPanel isn't itself insecure. The issue is that there are most likely websites on those servers, which just happen to be running cPanel, that have insecure software installs inside the accounts' document roots (WordPress, Joomla, Drupal, etc.), or the account has been compromised in some other way (malware installed on the cPanel account owner's computer which steals the cPanel username/password).

This gives the people that gained access to the servers the ability to launch attacks, scans and other exploits. The issue lies with the hosting accounts that are created and sold to end users. If people do not keep their website code up to date, and security flaws come out down the road, there is nothing that cPanel can do to prevent the attackers from attacking your servers. This also goes for end user account security. I have seen in our Abuse department, over the past few years, that it is very common for end users to catch a virus/malware on their PC which then keylogs the FTP/cPanel username and password and sends it to the "bad guys".

From there they log right into the user's account, upload their scripts and start scanning for other targets, or they email your father about some nice blue pills that they have for sale (at a great price, mind you), or even worse, they launch a DoS attack (udp.pl is so fun!) at some other website that made them angry... until they are caught and shut down. Again, there is nothing that cPanel can do to prevent this, and it certainly doesn't mean cPanel is insecure. The problem lies with the owners and end users of said servers.

cPanel out of the box is pretty darn secure. It has been for years... for the most part... :p If it wasn't, it wouldn't be one of the leading pieces of hosting control panel software on the market today.

If you want to report these attacks/scans on your servers/network, contact the server owners. Below is a quick breakdown of how to do it:

Get the IP of the offending server:
[[email protected]:~]$ dig l1.fancytech.com +short
74.200.215.226

Do a whois on said IP:
[[email protected]:~]$ whois 74.200.215.226

OrgName: Layered Technologies, Inc.
OrgID: LAYER-3
Address: 5085 W Park Blvd
Address: Suite 700
City: Plano
StateProv: TX
PostalCode: 75093
Country: US

ReferralServer: rwhois://rwhois.layeredtech.com:4321

NetRange: 74.200.192.0 - 74.200.255.255
CIDR: 74.200.192.0/18
OriginAS: AS16805, AS22576
NetName: LAYERED-TECH-CHI
NetHandle: NET-74-200-192-0-1
Parent: NET-74-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.FASTSERVERS.NET
NameServer: NS2.FASTSERVERS.NET
Comment:
RegDate: 2006-11-14
Updated: 2009-09-01

OrgAbuseHandle: LAT-ARIN
OrgAbuseName: LT Abuse Team
OrgAbusePhone: +1-972-398-7998
OrgAbuseEmail: [email protected]

Get the [email protected] address for the IP address owner. (In this case it is our pals at Layered Tech.)

Email their abuse department stating the time of the attacks, with any logs that show the activity in question and let them contact their customer to get the issue solved.

I hope this helps clear things up for you.
 
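The reporting steps above (find the requests in your logs, look up the abuse contact for the source, send them the evidence) as one script. This is an added example, not code from the original post or from cPanel. Everything in it is constructed for the example: the access-log lines use documentation-range source IPs (192.0.2.x, 198.51.100.x) with the request targets seen in the thread, and the whois text uses a made-up organisation with abuse@example.net; the dig/whois lookups themselves are done on the command line as in the post, and their output is what you would feed to these functions.

```python
"""Pick the /cgi-sys/defaultwebpage.cgi requests out of an access log, group
them by source IP, pull the abuse contact from whois output, and render an
abuse report. All sample data below is constructed, not taken from the thread."""
import re
from collections import defaultdict

# Constructed Apache/nginx "combined" log lines. Source IPs are from the
# documentation ranges; the request targets are the ones quoted in the post.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jul/2010:03:12:41 +0000] "GET /http://l1.fancytech.com/cgi-sys/defaultwebpage.cgi HTTP/1.1" 404 512 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Jul/2010:03:12:42 +0000] "GET /http://root.thecpanel.com/cgi-sys/defaultwebpage.cgi HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jul/2010:03:15:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jul/2010:03:20:00 +0000] "GET /http://174.123.155.226/cgi-sys/defaultwebpage.cgi HTTP/1.1" 404 512 "-" "Mozilla/4.0"
"""

# Constructed ARIN-style whois output for 192.0.2.0/24 (hypothetical org).
SAMPLE_WHOIS = """\
OrgName: Example Hosting, Inc.
OrgID: EXAMP-1
NetRange: 192.0.2.0 - 192.0.2.255
CIDR: 192.0.2.0/24
OrgAbuseHandle: EXAMP-ARIN
OrgAbuseName: Example Abuse Team
OrgAbuseEmail: abuse@example.net
"""

# Combined log format: client IP, ident, user, [timestamp], "request line", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The request shape from the thread: an absolute URL (optionally with a
# leading "/") whose path is cPanel's default-page script.
PROBE_RE = re.compile(
    r'^/?https?://(?P<host>[^/]+)/cgi-sys/defaultwebpage\.cgi$', re.IGNORECASE
)


def find_probes(log_text):
    """Return {source_ip: [(timestamp, method, target, probed_host), ...]}
    for every line whose request target matches PROBE_RE.
    Lines that are not combined-format, or are ordinary requests, are skipped."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole run
        p = PROBE_RE.match(m.group('target'))
        if not p:
            continue
        hits[m.group('ip')].append(
            (m.group('ts'), m.group('method'), m.group('target'), p.group('host'))
        )
    return dict(hits)


def abuse_contact(whois_text):
    """Extract the abuse address from whois output.
    ARIN records carry 'OrgAbuseEmail:'; RIPE/APNIC-style records use
    'abuse-mailbox:'. Returns None when neither field is present, so the
    caller can fall back to the rwhois referral or the org's phone number."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(':')
        if sep and key.strip().lower() in ('orgabuseemail', 'abuse-mailbox'):
            return value.strip()
    return None


def build_report(source_ip, events, contact):
    """Render the abuse e-mail body: who to send it to, the source IP, and
    the offending requests with the timestamps exactly as logged."""
    lines = [
        f"To: {contact}",
        f"Subject: Scanning activity from {source_ip}",
        "",
        f"The host {source_ip} in your network sent the requests below to our server.",
        "Timestamps and request lines are copied from our web server access log.",
        "Please investigate the host and contact us if you need more detail.",
        "",
    ]
    for ts, method, target, _host in events:
        lines.append(f"[{ts}] {method} {target}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    contact = abuse_contact(SAMPLE_WHOIS)
    # In real use, run `whois <ip>` for each source and feed its output to
    # abuse_contact(); here the constructed record stands in for 192.0.2.10.
    print(build_report("192.0.2.10", probes["192.0.2.10"], contact))
```

In practice you would pipe `grep defaultwebpage.cgi /var/log/apache2/access.log` (or the per-domain log under /usr/local/apache/domlogs on a cPanel box) into find_probes and the output of `whois <ip>` into abuse_contact, one source IP at a time, since each source may belong to a different network with its own abuse contact.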