Status
Not open for further replies.

nibb

Well-Known Member
Mar 22, 2008
319
5
68
I'm not infected. I just posted the above info to see if this security hole is related to it.

And if yes, then we can find a patch for it. I don't know if this is related, but some of the libraries mentioned here as affected are used with curl at compilation.
 

oshs

Well-Known Member
PartnerNOC
Sep 5, 2004
146
0
166
Hi,

So has anyone had a server hacked which had SSH password authentication disabled?

Does anyone have any idea of how the privileges are escalated?

What script is being used to do this?
 

LeadDogGraphics

Well-Known Member
Feb 25, 2012
97
1
58
West Palm Beach, FL
cPanel Access Level
Root Administrator
No one knows anything yet with any level of certainty. Steven @ Rack911 is thinking it very well could be a workstation key logger on the admin's workstation; however, that idea is under debate, seeing that there were some servers that had key auth only set.

There are a lot of very knowledgeable people looking at this, I would imagine in the next day or two something should come to light.
 

mcongosto

Active Member
Aug 1, 2011
26
3
53
Action required:
------------------------------
Our managed cPanel customers need not do anything unless contacted directly
by us. Self managed customers will need to do the following to detect the
file in question and correct the exploit:

1. SSH to server
2. Run 'updatedb'
3. Run 'locate libkeyutils.so.1.9'

Please follow the steps below to clear the exploit.

1. SSH to the server
2. cd /lib64/
3. rm libkeyutils.so.1.9
4. rm libkeyutils.so.1
5. ln -s libkeyutils.so.1.3 libkeyutils.so.1
6. Restart ssh
7. yum update kernel and Reboot to close any active connections
In my case, CentOS 5.9, I had to do

5. ln -s libkeyutils-1.2.so libkeyutils.so.1
 

Tam

Well-Known Member
Jul 31, 2004
109
2
168
In my case, CentOS 5.9, I had to do

5. ln -s libkeyutils-1.2.so libkeyutils.so.1
Sound advice! A number of boxes have been taken out of action thanks to some silly script that someone keeps posting on WHT because it doesn't even check which version is in use. Also if your box has been rooted like this, a reinstall is the wisest thing to do.
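An added example, not code from any poster in this thread, that performs the detection step from the announcement above and honours Tam's point that the correct symlink target differs between hosts: it reads what is actually installed instead of hardcoding libkeyutils.so.1.3. The directory argument and the optional rpm ownership check are assumptions; the two malicious file names are the ones reported in this thread.

```shell
#!/bin/sh
# Inspect a library directory for the rootkit file names reported in this
# thread, and report (not blindly rewrite) the libkeyutils.so.1 symlink.
# Usage: check_libkeyutils /lib64     (use /lib on 32-bit hosts)
# Exit status: 0 = nothing suspicious, 1 = suspicious file or symlink.

# File names reported as malicious in this thread (list constructed from the posts).
BAD_NAMES="libkeyutils.so.1.9 libkeyutils-1.2.so.2"

is_bad_name() {
    for b in $BAD_NAMES; do
        [ "$1" = "$b" ] && return 0
    done
    return 1
}

check_libkeyutils() {
    dir=$1; status=0; legit=""
    for f in "$dir"/libkeyutils*; do
        [ -e "$f" ] || continue          # glob matched nothing
        [ -L "$f" ] && continue          # symlinks are examined below
        name=${f##*/}
        if is_bad_name "$name"; then
            echo "SUSPICIOUS: $f matches a reported rootkit file name"
            status=1
            continue
        fi
        # On RPM hosts a genuine keyutils library is package-owned; an orphan
        # file is worth a look but is only warned about, never acted on.
        if command -v rpm >/dev/null 2>&1 && ! rpm -qf "$f" >/dev/null 2>&1; then
            echo "WARNING: $f is not owned by any RPM"
        fi
        legit=$name                      # candidate legitimate target
    done
    link="$dir/libkeyutils.so.1"
    if [ -L "$link" ]; then
        target=$(readlink "$link")
        if is_bad_name "${target##*/}"; then
            echo "SUSPICIOUS: $link -> $target (points at a reported rootkit file)"
            [ -n "$legit" ] && echo "Symlink target present on this host: $legit"
            status=1
        else
            echo "OK: $link -> $target"
        fi
    fi
    return $status
}

if [ $# -gt 0 ]; then check_libkeyutils "$1"; fi
```

A non-zero exit only tells you the symlink or a file name matches what was reported here; as Tam says, a box rooted this way should be reinstalled rather than patched in place.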
 

Greenhost

Well-Known Member
Jan 22, 2013
92
0
6
cPanel Access Level
Root Administrator

Tam

Well-Known Member
Jul 31, 2004
109
2
168
A new exploit file has been discovered named strings libkeyutils-1.2.so.2

Note that CSF (ConfigServer Firewall) checks for both exploit files from version 5.79
 

Tam

Well-Known Member
Jul 31, 2004
109
2
168
AVG Free Edition For Linux also detects the exploited files - http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=171255
 

lbeachmike

Well-Known Member
Dec 27, 2001
306
1
316
Long Beach, NY
cPanel Access Level
Root Administrator
I'm currently not fully caught up on the WHT thread (at page 74 of 77) - seems there is evidence of a keylogger being at the root (no pun!) of all this and mention of MalwareBytes detecting it.

Does anybody have additional details?

Also - if this is the root cause, my servers appear to have been infected shortly after opening a ticket with cpanel support on an alert for the new RPM detection finding something wrong with the Munin RPM and suggesting to fix.

I'm wondering if -

1. Anybody had a similar scenario
2. Has cPanel scanned all office and personal machines to ensure there is no malware present? I have not found malware on any of my machines with updated MalwareBytes - but it is also important for me to emphasize that cPanel was not the only company who had access to my root login credentials

Thanks.

Mike
 

patchwork

Well-Known Member
Nov 2, 2001
95
0
316
I'm currently not fully caught up on the WHT thread (at page 74 of 77) - seems there is evidence of a keylogger being at the root (no pun!) of all this and mention of MalwareBytes detecting it.

Does anybody have additional details?

Also - if this is the root cause, my servers appear to have been infected shortly after opening a ticket with cpanel support on an alert for the new RPM detection finding something wrong with the Munin RPM and suggesting to fix.

I'm wondering if -

1. Anybody had a similar scenario
2. Has cPanel scanned all office and personal machines to ensure there is no malware present? I have not found malware on any of my machines with updated MalwareBytes - but it is also important for me to emphasize that cPanel was not the only company who had access to my root login credentials

Thanks.

Mike
I'm in the same position as you. I'm also malware free (scanned with MalwareBytes Pro and the latest NOD32), and I have 2 servers hacked; cPanel, ConfigServer and the datacenter had copies of the passwords.
 

southbay

Member
Aug 17, 2011
7
0
51
This is off-subject, but OpenDNS is blocking the WHT site!? I'm not a member on WHT so I couldn't post over there, but I wonder why?
 

Tam

Well-Known Member
Jul 31, 2004
109
2
168
I'm currently not fully caught up on the WHT thread (at page 74 of 77) - seems there is evidence of a keylogger being at the root (no pun!) of all this and mention of MalwareBytes detecting it.

Does anybody have additional details?

Also - if this is the root cause, my servers appear to have been infected shortly after opening a ticket with cpanel support on an alert for the new RPM detection finding something wrong with the Munin RPM and suggesting to fix.

I'm wondering if -

1. Anybody had a similar scenario
2. Has cPanel scanned all office and personal machines to ensure there is no malware present? I have not found malware on any of my machines with updated MalwareBytes - but it is also important for me to emphasize that cPanel was not the only company who had access to my root login credentials

Thanks.

Mike

I'm in the same position as you. I'm also malware free (scanned with MalwareBytes Pro and the latest NOD32), and I have 2 servers hacked; cPanel, ConfigServer and the datacenter had copies of the passwords.
You are not alone with this. I very much doubt that cPanel have an office full of support personnel; they are probably mostly remote.
Check the source in the headers of any email you received about the issue that led to them asking for access to your box.
 

chrismfz

Well-Known Member
Jul 4, 2007
125
1
68
Greece
cPanel Access Level
DataCenter Provider
Any updates on this?

I've heard lots of scenarios.
a) remote root exploit? If yes, exploit of what?
a.1) ssh?
a.2) something else?

b) infected workstations? If yes, from what?
b.1) flash?
b.2) acrobat?
b.3) something else?
 

WhiteDog

Well-Known Member
Feb 19, 2008
142
6
68
Some open questions on my mind...

- People also reported boxes being hacked which had password logons disabled. Has this been debunked?
- Since DirectAdmin boxes were also compromised, I doubt the source is (partly) cPanel staff. I doubt cPanel staff also works for other admin panels and I also doubt this is a coordinated attack.

And last but not least: you're probably already using random passwords. Change them from time to time and especially after you have handed them out for support reasons.
 

WhiteDog

Well-Known Member
Feb 19, 2008
142
6
68
Just received this:

Salutations,

You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with "sudo" or "su" for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel's security team is continuing to investigate the nature of this security issue.

--cPanel Security Team
 