The Community Forums

Interact with an entire community of cPanel & WHM users!

Security Issue of unknown cause

Discussion in 'Security' started by rodxxx, Jul 4, 2010.

  1. rodxxx

    rodxxx Registered

    Joined:
    Jul 4, 2010
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Hi there,
    I just wanted to inform you, or get some information, on how this can be possible:

    Recently my own server has been 'attacked' by some bots from various domains:

    http://l1.fancytech.com/cgi-sys/defaultwebpage.cgi
    http://ve01.venezuelahosting.com/cgi-sys/defaultwebpage.cgi
    http://root.thecpanel.com/cgi-sys/defaultwebpage.cgi
    http://174.123.155.226/cgi-sys/defaultwebpage.cgi

    All these domains have one thing in common: they are all running cPanel.

    It is very likely that those systems have been hacked and are being used as relays to attack other systems.

    As I don't know anything about cPanel and its flaws or possible user-based flaws, I just want to state that there is a possible security risk within the cPanel software allowing attackers to gain unwanted access.

    Thank you
     
    #1 rodxxx, Jul 4, 2010
    Last edited by a moderator: Jul 4, 2010
  2. WiredTree Joe

    WiredTree Joe Well-Known Member
    PartnerNOC

    Joined:
    Dec 13, 2006
    Messages:
    68
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Chicago, IL
    There is no security risk with cPanel... at least not right now!

    cPanel isn't itself insecure. The issue is that there are most likely websites on those servers, which just happen to be running cPanel, that have insecure software installs inside the accounts' document roots (WordPress, Joomla, Drupal, etc.), or the account has been compromised in some other way (malware installed on the cPanel account owner's computer which steals the cPanel username/password).

    This gives the people that gained access to the servers the ability to launch attacks, scans and other exploits. The issue lies with the hosting accounts that are created and sold to end users. If people do not keep their website code up to date, and security flaws come out down the road, there is nothing that cPanel can do to prevent the attackers from attacking your servers. This also goes for end user account security. I have seen in our Abuse department, over the past few years, that it is very common for end users to catch a virus/malware on their PC which then keylogs the FTP/cPanel username and password and sends it to the "Bad Guys".

    From there they log right into the user's account, upload their scripts and start scanning for other targets, or they email your father about some nice blue pills that they have for sale (at a great price, mind you), or, even worse, they launch a DoS attack (udp.pl is so fun!) at some other website that made them angry... until they are caught and shut down. Again, there is nothing that cPanel can do to prevent this and it certainly doesn't mean cPanel is insecure. The problem lies with the owners and end users of said servers.

    cPanel out of the box is pretty darn secure. It has been for years... for the most part... :p If it wasn't, it wouldn't be one of the leading pieces of hosting control panel software on the market today.

    If you want to report these attacks/scans on your servers/network, contact the server owners. Below is a quick breakdown of how to do it:

    Get the IP of the offending server:
    [jdoss@bfx:~]$ dig l1.fancytech.com +short
    74.200.215.226

    Do a whois on said IP:
    [jdoss@bfx:~]$ whois 74.200.215.226

    OrgName: Layered Technologies, Inc.
    OrgID: LAYER-3
    Address: 5085 W Park Blvd
    Address: Suite 700
    City: Plano
    StateProv: TX
    PostalCode: 75093
    Country: US

    ReferralServer: rwhois://rwhois.layeredtech.com:4321

    NetRange: 74.200.192.0 - 74.200.255.255
    CIDR: 74.200.192.0/18
    OriginAS: AS16805, AS22576
    NetName: LAYERED-TECH-CHI
    NetHandle: NET-74-200-192-0-1
    Parent: NET-74-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.FASTSERVERS.NET
    NameServer: NS2.FASTSERVERS.NET
    Comment:
    RegDate: 2006-11-14
    Updated: 2009-09-01

    OrgAbuseHandle: LAT-ARIN
    OrgAbuseName: LT Abuse Team
    OrgAbusePhone: +1-972-398-7998
    OrgAbuseEmail: abuse@layeredtech.com

    Get the abuse@ address for the IP address owner. (In this case it is our pals at Layered Tech.)

    Email their abuse department stating the time of the attacks, with any logs that show the activity in question and let them contact their customer to get the issue solved.

    I hope this helps clear things up for you.
     
    #2 WiredTree Joe, Jul 11, 2010
    Last edited: Jul 11, 2010
    Infopro likes this.
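The dig -> whois -> abuse@ procedure from the post above, scripted as an added example here (not the poster's code). The whois parsing runs offline against a constructed sample that mirrors the field layout shown in the post; the `lookup_abuse` helper is the live path and needs network access for `dig` and `whois`.

```shell
#!/bin/sh
# Added example (not the poster's code): the post's dig -> whois -> abuse@
# procedure, with the whois field parsing testable offline.

# Print the value of one ARIN-style "Key: value" field from whois text on
# stdin (first match only); prints nothing if the field is absent.
whois_field() {
    awk -v key="$1" '
        index($0, key ":") == 1 { v = $0; sub(/^[A-Za-z]+: */, "", v); print v; exit }'
}

# Decide whom to contact from whois text on stdin: the abuse mailbox if the
# record carries one, otherwise the rwhois server the allocation refers to
# (a reseller's sub-allocation often only appears there).
abuse_contact() {
    text=$(cat)
    mail=$(printf '%s\n' "$text" | whois_field OrgAbuseEmail)
    if [ -n "$mail" ]; then
        printf '%s\n' "$mail"
    else
        ref=$(printf '%s\n' "$text" | whois_field ReferralServer)
        if [ -n "$ref" ]; then printf 'no abuse mailbox; query %s\n' "$ref"; fi
    fi
}

# Draft the report body the post describes: which host/IP, and the log lines
# (read from stdin, with their timestamps) that show the activity.
draft_report() {
    printf 'Subject: abuse report for %s (netblock %s)\n\n' "$1" "$2"
    printf 'The host %s made the following requests to our server; times are as logged:\n\n' "$1"
    cat
    printf '\nPlease forward to the customer responsible for this address.\n'
}

# Live path (needs network): resolve the hostname, then whois the first A record.
lookup_abuse() {
    ip=$(dig "$1" +short | head -n 1)
    [ -n "$ip" ] || { echo "no A record for $1" >&2; return 1; }
    whois "$ip" | abuse_contact
}

# Constructed sample, mirroring the field layout of the whois output in the post.
SAMPLE_WHOIS='OrgName: Layered Technologies, Inc.
ReferralServer: rwhois://rwhois.layeredtech.com:4321
NetRange: 74.200.192.0 - 74.200.255.255
CIDR: 74.200.192.0/18
OrgAbuseEmail: abuse@layeredtech.com'

# Usage: sh report.sh l1.fancytech.com  (prints the abuse contact for that host)
if [ $# -gt 0 ]; then lookup_abuse "$1"; fi
```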