Status
Not open for further replies.

lbeachmike

Well-Known Member
Dec 27, 2001
306
1
316
Long Beach, NY
cPanel Access Level
Root Administrator
Jesse / Jeff - You are recommending a reformat/rebuild - however, with such a large volume of servers breached and the specific vulnerability unknown, how are you protecting yourself with a rebuild? We'd first have to know how to avoid the breach in order for a rebuild to not suffer from the very same vulnerability.
 

BianchiDude

Well-Known Member
PartnerNOC
Jul 2, 2005
619
0
166
Is there currently any benefit to reinstalling ssh or to turning off ssh in WHM's service manager until the source of the vulnerability and resolution is found?
Maybe a good idea; however, there is no evidence at this point that it's an SSH vulnerability.
 

lbeachmike

Well-Known Member
Dec 27, 2001
306
1
316
Long Beach, NY
cPanel Access Level
Root Administrator
If you follow the thread at SSHD Rootkit Rolling around - Page 21 - Web Hosting Talk you will find there is nothing solid on anything yet; it is still under investigation by many.
I've been following the thread. I did not want to post there because I don't want to disrupt the investigation efforts. However, my question here was whether or not turning off ssh entirely (on an already-infected box) would seem to serve any useful purpose? From the WHT point, I'm not perfectly clear on the point re: whether or not ssh must actually be active in order for the attacker behavior to be occurring. A few of the details are beyond my level of expertise.

Thanks.
 

biodocs

Member
Jun 27, 2008
7
0
51
Regina
There are conflicting opinions on that subject; some say it's only part of the issue. It's getting way above my head, I must say.
 

TheVisitors

Active Member
Mar 19, 2012
30
0
56
cPanel Access Level
Root Administrator
I had a fresh copy of CentOS 6.3 updated with a fresh copy of cPanel current (updated), just installed yesterday.

Surprise!

Guess I'll need to wait for a fix on this.
 

lbeachmike

Well-Known Member
Dec 27, 2001
306
1
316
Long Beach, NY
cPanel Access Level
Root Administrator
I had a fresh copy of CentOS 6.3 updated with a fresh copy of cPanel current (updated), just installed yesterday.

Surprise!

Guess I'll need to wait for a fix on this.
Saw your post there. Wondering if any boxes with SSH entirely disabled were vulnerable. Though it wouldn't prove anything, because they simply may not have been targeted. Though it's noteworthy that non-standard port SSH boxes were hit, which somewhat argues against the password authentication theory (which I believe was disproven either way).
 

biodocs

Member
Jun 27, 2008
7
0
51
Regina
It seems this is not fixed with a new install either; glad I didn't take that option earlier.

See the WHM thread I quote:

Originally Posted by TheVisitors
Well doesn't it figure....

I install a fresh copy of CentOS 6.3 with cPanel current and in less than 2 hours.... BAM

I had changed SSH ports and made a pass code over 400 letters, numbers, and symbols long.... Still got hit despite all this.

Little "tool" keeps changing my ssh log-in now. Can't turn it off, we need ssh.
 

BianchiDude

Well-Known Member
PartnerNOC
Jul 2, 2005
619
0
166
I've been following the thread. I did not want to post there because I don't want to disrupt the investigation efforts. However, my question here was whether or not turning off ssh entirely (on an already-infected box) would seem to serve any useful purpose? From the WHT point, I'm not perfectly clear on the point re: whether or not ssh must actually be active in order for the attacker behavior to be occurring. A few of the details are beyond my level of expertise.

Thanks.
It seems no, as they seem to be getting in, at least initially, without SSH, but it hasn't been conclusively disproven that this is not an SSH exploit.
 

Tam

Well-Known Member
Jul 31, 2004
109
2
168
We haven't had any of our boxes compromised as detailed, but we lock down SSH...

disable password authorisation
use SSH keys
close port 22 allowing certain IP addresses only
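A check for the sshd side of the lockdown Tam lists, written as an added example (not code from the thread or from cPanel): it reads an sshd_config the way sshd does (first occurrence of a keyword wins, the global section ends at the first Match block) and reports every setting that still allows password logins. The two sample configs are constructed; the firewall rule restricting port 22 to specific IPs lives outside sshd_config and is not checked here.

```shell
#!/bin/sh
# Added example: audit an sshd_config for "keys only, no passwords".
# Assumes the common "Keyword value" syntax (not "Keyword=value").

# Print the effective, lower-cased value of keyword $2 in config $1 (empty if unset).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match"               { exit }   # global section ends here
        tolower($1) == key                   { print tolower($2); exit }  # first wins
    ' "$1"
}

# Report each weak setting on stdout; return value = number of findings (0 = locked down).
audit_sshd_config() {
    n=0
    pw=$(sshd_effective "$1" PasswordAuthentication)           # sshd default: yes
    [ "${pw:-yes}" = no ] || { echo "WEAK: PasswordAuthentication=${pw:-yes (default)}"; n=$((n+1)); }
    cr=$(sshd_effective "$1" ChallengeResponseAuthentication)  # default: yes; PAM can still ask for a password
    [ "${cr:-yes}" = no ] || { echo "WEAK: ChallengeResponseAuthentication=${cr:-yes (default)}"; n=$((n+1)); }
    pk=$(sshd_effective "$1" PubkeyAuthentication)             # default: yes
    [ "${pk:-yes}" = yes ] || { echo "WEAK: PubkeyAuthentication=$pk"; n=$((n+1)); }
    rl=$(sshd_effective "$1" PermitRootLogin)                  # default at the time: yes
    case "${rl:-yes}" in
        no|without-password|prohibit-password|forced-commands-only) ;;
        *) echo "WEAK: PermitRootLogin=${rl:-yes (default)}"; n=$((n+1)) ;;
    esac
    return $n
}

# Constructed sample configs: a stock-looking one and a locked-down one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# stock-looking config: the key lines are commented out, so defaults apply
#PasswordAuthentication no
Port 2222
EOF
cat > "$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes      # ignored: the first occurrence above wins
Match User backup
    PasswordAuthentication yes  # inside Match: not part of the global policy
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    audit_sshd_config "$f" && echo "$f: locked down" || echo "$f: $? weak setting(s)"
done
```

Changing the port, as TheVisitors did, is not one of the checks: it hides nothing from a scanner and the audit treats it as neutral.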
 

lbeachmike

Well-Known Member
Dec 27, 2001
306
1
316
Long Beach, NY
cPanel Access Level
Root Administrator
Although I realize this has been seen on non-cPanel boxes, I'm wondering if cPanel is using internal resources to investigate this as well, given the suggestion that cPanel has access to a lot of data points and resources which could prove extremely productive for this investigation.

Given the current line of thinking on the WHT thread, looking for correlation to a possible tainted RPM, I can't help but think about the fact that cPanel had recently converted to an RPM-based install.

My system had complained about Munin's RPM on Jan 31, I did a yum update late Feb 1, and the changed-file date on the hacked file is Feb 2, just about four hours thereafter.

I've posted more extensive details on the WHT thread.

SSHD Rootkit Rolling around - Page 28 - Web Hosting Talk
 

lbeachmike

Well-Known Member
Dec 27, 2001
306
1
316
Long Beach, NY
cPanel Access Level
Root Administrator
No, I have a few different versions.
My version shows as follows:

[email protected] [~]# curl --version
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Looks like I need to upgrade via EasyApache? Does anybody know what the current EasyApache version being installed is? This is odd, because I just did an EasyApache rebuild a couple days ago ...
 

BianchiDude

Well-Known Member
PartnerNOC
Jul 2, 2005
619
0
166
That exploit seems to be for the curl binary and not the curl module for PHP installed via EasyApache.

There's not a PoC for it that I've found, so it's not likely that is the MoE.
 

Tam

Well-Known Member
Jul 31, 2004
109
2
168
Doubtful; on a compromised machine, curl-7.19.7 was installed.
 