Best-Selling Hosting
- Colocation Hosting
- Shared Hosting
- VPS Hosting
- Reseller Hosting
- Windows Hosting
- PHP Hosting
- Multiple Domain Hosting
- ASP Hosting
- Best Web Hosting Companies
- Dedicated Servers
- Java Hosting
- Managed Servers
- Coldfusion Hosting
- Linux Hosting
- Database Hosting
- > All Hosting Services
Top Rated Providers
Editors Pick
0 Day cPanel Exploit in Wild
Published: Sep 24, 2006
-
Rating
1/5
Rating
1/5A new 0 Day cPanel Exploit in the wild that allows the attacker to gain root access has been spotted in multiple hosting providers and continues to be found.
0 Day cPanel Exploit in Wild
UGRENT THE /scripts/upcp fix that cPanel has claimed to fix your server DOES NOT. Read below!
A new 0 day cPanel exploit for root access is in the wild affecting hosts. News of this is spreading very quickly around the web and cPanel has released a band aid patch fix. You can patch your server by simply running /scripts/upcp from shell. The update will not change your release or build number either.
Notes on the cPanel Exploit:
- This is a 0 day issue, and a patch from cPanel for it was just relased on Sept. 23, 2006
- This exploit gives the attacker root access
- You will not detect this with rkhunter/chkrootkit
- You will not know you have been rooted
- It has been confirmed to be affecting more than just one hosting provider in different datacenters.
This was first seen targeting HostGator.com one of the largest shared and reseller cPanel hosts out there.
NetCraft Reports of cPanel exploit
Slashdot picks up the story
Post 1 on WHT about the alert
Post 2 on WHT about the issue
How to Fix:
From Dave of cPanel, Inc.
"Upcp will fix the problem on all builds. It is seperate from cPanel Auto Heal. The cPanel Auto Heal system was used to distribute the patch though."
Login as root and run /scripts/upcp this will patch your server. cPanel has NOT increased the build # after you've been patched, I have no idea why since this is a major hole.
UPDATE: This is NOT true. See my testing results of how to REALLY fix your server
Nice work cpanel, you tell us we're patched when your patch isn't working.
I HOPE this is a bug in your cpanel checker only but somehow I really really doubt it.
Guys /scripts/upcp doesn't fix your server, you HAVE to force it.
See http://forums.cpanel.net/showthread....d=1#post272856
Here's the post if you don't have access:
You MUST run /scripts/upcp --force
I just confirmed this on about 3 servers. Here are the findings.
I did a /scripts/upcp on this box last night right after the fix was announced and to DO a /scripts/upcp
So let me test their patcher... I should be safe right, WRONG.
root@ocean [~]# wget http://layer2.cpanel.net/installer/sec092306.pl
--13:57:23-- http://layer2.cpanel.net/installer/sec092306.pl
=> `sec092306.pl'
Resolving layer2.cpanel.net... 69.90.250.34, 69.90.250.35, 69.90.250.36, ...
Connecting to layer2.cpanel.net[69.90.250.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5,479 [text/plain]
100%[====================================>] 5,479 --.--K/s
13:57:23 (75.73 MB/s) - `sec092306.pl' saved [5,479/5,479]
root@ocean [~]# perl sec092306.pl
cPanel Security Patch (sec092306) v2
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patch Complete
Checking for safety...
not safe
Done
root@ocean [~]# /usr/local/cpanel/cpanel -V
10.8.2-RELEASE_119
/scripts/upcp
All packages are currently up to date
Done
BIND 9.2.4
Succeeded
Fetching http://httpupdate.cpanel.net/cpanels...cpanel/version (0)[email protected] ...100%......Done
Using mail permissions style: NEW
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Versions Match! (10.8.2-RELEASE_119). You are running the latest RELEASE.
Updating addon type
cripts addonhpBB version:2.0.19-1.0.......Done
Updating addon typecripts addon:AdvancedGuestBook version:latest.......Done
Updating addon type:modules addon:clamavconnector version:0.88.4-1.8.......Done
Updating addon type:modules addonro version:1.0rc36.......Done
Updating addon type:modules addonpamdconf version:0.5.......Done
Rebuilding Process List...Done
Scanning for new mail senders.....Done
Scanning suexec_log.Done
root@ocean [~]# perl sec092306.pl
cPanel Security Patch (sec092306) v2
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patch Complete
Checking for safety...
not safe
Done
root@ocean [~]#
WTF
/scripts/upcp --force
All packages are currently up to date
Done
BIND 9.2.4
Succeeded
Fetching http://httpupdate.cpanel.net/cpanels...cpanel/version (0)....@ 100%......Done
Using mail permissions style: NEW
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Installed Version: forced install
Newest Version: 10.8.2-RELEASE_119
....lots of lines later....
aiting for cppop to shutdown......Done
Waiting for cppop-ssl to shutdown......Done
==> Starting SSL tunnel...
Waiting for cpsrvd to shutdown......Done
Waiting for cpsrvd-ssl to shutdown......Done
==> Start Melange Chat Services...
==> Post Install Complete
Broadcast message from root (Sun Sep 24 14:08:17 2006):
cPanel Layer 2 Install Complete
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Updating addon typecripts addonhpBB version:2.0.19-1.0.......Done
Updating addon typecripts addon:AdvancedGuestBook version:latest......Done
Updating addon type:modules addon:clamavconnector version:0.88.4-1.8.......Done
Updating addon type:modules addonro version:1.0rc36.......Done
Updating addon type:modules addonpamdconf version:0.5.......Done
Rebuilding Process List...Done
Rebuilding Process List...Done
Scanning for new mail senders.....Done
Scanning suexec_log.Done
Lets check now
root@ocean [~]# perl sec092306.pl
cPanel Security Patch (sec092306) v2
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patch Complete
Checking for safety...
safe
Done
root@ocean [
Nice work guys... lol
How to tell if you're already infected?
We can review your server and provide a detailed report and see if the exploit has infected your servers.
But I have a Firewall and run things like Mod_security, would I still be infected?
Yes! You were still 100% open to the exploit and may be infected.
Related Articles
- ResellersPanel.com Launches Private DNS Cluster Packages
- Hostingcon Announces Three Keynote Speakers
- Web Hosting Company Voxtreme acquires rival - HTTPme
- Updated kernel packages resolve security vulnerabilities
- HostVoice.net Launches '$20 CashBack' Promotion
- Hosting company reveals hacks, citing disclosure law
- Advisory: cPanel can list all users accounts
- Server Matrix/The Planet experience network downtime
- PRIMUS Telecommunications Named to the Fortune 1000
- HostingCon 2004 pre-registration now available
- Stop using sub-domains, or cough up
Comments (3)
-
Rudi 21:24, September 24, 2006Funny, the fix fixed my cPanel without a problem. Your problem might be related to certtain configuration settings.
-
anonymous 23:47, September 24, 2006# patch link updated:<br />
wget http://layer1.cpanel.net/installer/sec092406.pl; perl sec092406.pl; rm -f sec092406.pl -
None 04:50, October 1, 2006cpanel support (techs) are the dumbest flock of fools that ever was known to this industry
Add Your Thoughts
WebHostGear.com is a hosting directory, not a web host.
Copyright © 1998-2024 WebHostGear.com