WebHostGear.com - the hosting resource for professionals
February 09, 2010

0 Day cPanel Exploit in Wild

By: ramprage

URGENT: The /scripts/upcp fix that cPanel claims patches your server DOES NOT. Read below!

A new 0 day cPanel exploit giving root access is in the wild and is affecting hosts. News of it is spreading quickly around the web, and cPanel has released a band-aid patch. cPanel's advice is to patch by running /scripts/upcp from a shell (see the update below: a plain run is not enough). The update does not change your release or build number, so the version string tells you nothing about whether you are patched.

Notes on the cPanel exploit:

- This is a 0 day issue; cPanel's patch for it was only released on Sept. 23, 2006
- The exploit gives the attacker root access
- rkhunter and chkrootkit will not detect it
- A rooted server shows no obvious sign of compromise
- It has been confirmed to affect more than one hosting provider, in different datacenters

This was first seen targeting HostGator.com, one of the largest shared and reseller cPanel hosts. Coverage and discussion:

- NetCraft report on the cPanel exploit
- Slashdot picks up the story
- Post 1 on WHT about the alert
- Post 2 on WHT about the issue

Article provided by WebHostGear.com

How to Fix:

From Dave of cPanel, Inc.
"Upcp will fix the problem on all builds. It is separate from cPanel Auto Heal. The cPanel Auto Heal system was used to distribute the patch though."
Log in as root and run /scripts/upcp; this is supposed to patch your server. cPanel has NOT increased the build number after patching, which makes no sense for a hole this serious: there is no version string you can check to prove a box is fixed.

UPDATE: This is NOT true. See my test results below for how to REALLY fix your server.

Nice work, cPanel: you tell us we're patched when your patch isn't working.
I HOPE this is a bug in your checker only, but somehow I really doubt it.

Guys, /scripts/upcp does not fix your server; you HAVE to force it.

See http://forums.cpanel.net/showthread....d=1#post272856


Here's the post if you don't have access:

You MUST run /scripts/upcp --force

I just confirmed this on about 3 servers. Here are the findings.

I did a /scripts/upcp on this box last night, right after the fix was announced, as cPanel told us to do.

So let me test their patcher... I should be safe, right? WRONG.


root@ocean [~]# wget http://layer2.cpanel.net/installer/sec092306.pl
--13:57:23-- http://layer2.cpanel.net/installer/sec092306.pl
=> `sec092306.pl'
Resolving layer2.cpanel.net... 69.90.250.34, 69.90.250.35, 69.90.250.36, ...
Connecting to layer2.cpanel.net[69.90.250.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5,479 [text/plain]

100%[====================================>] 5,479 --.--K/s

13:57:23 (75.73 MB/s) - `sec092306.pl' saved [5,479/5,479]

root@ocean [~]# perl sec092306.pl
cPanel Security Patch (sec092306) v2
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patch Complete
Checking for safety...

not safe

Done

root@ocean [~]# /usr/local/cpanel/cpanel -V
10.8.2-RELEASE_119


root@ocean [~]# /scripts/upcp


All packages are currently up to date
Done
BIND 9.2.4
Succeeded
Fetching http://httpupdate.cpanel.net/cpanels...cpanel/version (0)....@198.66.78.12......connected......receiving ...100%......Done
Using mail permissions style: NEW
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Versions Match! (10.8.2-RELEASE_119). You are running the latest RELEASE.
Updating addon type:scripts addon:phpBB version:2.0.19-1.0.......Done
Updating addon type:scripts addon:AdvancedGuestBook version:latest.......Done
Updating addon type:modules addon:clamavconnector version:0.88.4-1.8.......Done
Updating addon type:modules addon:pro version:1.0rc36.......Done
Updating addon type:modules addon:spamdconf version:0.5.......Done
Rebuilding Process List...Done
Scanning for new mail senders.....Done
Scanning suexec_log.Done


root@ocean [~]# perl sec092306.pl
cPanel Security Patch (sec092306) v2
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patch Complete
Checking for safety...

not safe

Done
root@ocean [~]#




Still "not safe" after a plain /scripts/upcp, even though it reported "Versions Match!". Now with --force:

root@ocean [~]# /scripts/upcp --force

All packages are currently up to date
Done
BIND 9.2.4
Succeeded
Fetching http://httpupdate.cpanel.net/cpanels...cpanel/version (0)....@ 100%......Done
Using mail permissions style: NEW
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Installed Version: forced install
Newest Version: 10.8.2-RELEASE_119

....lots of lines later....


Waiting for cppop to shutdown......Done
Waiting for cppop-ssl to shutdown......Done
==> Starting SSL tunnel...
Waiting for cpsrvd to shutdown......Done
Waiting for cpsrvd-ssl to shutdown......Done
==> Start Melange Chat Services...
==> Post Install Complete

Broadcast message from root (Sun Sep 24 14:08:17 2006):

cPanel Layer 2 Install Complete
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Updating addon type:scripts addon:phpBB version:2.0.19-1.0.......Done
Updating addon type:scripts addon:AdvancedGuestBook version:latest......Done
Updating addon type:modules addon:clamavconnector version:0.88.4-1.8.......Done
Updating addon type:modules addon:pro version:1.0rc36.......Done
Updating addon type:modules addon:spamdconf version:0.5.......Done
Rebuilding Process List...Done
Rebuilding Process List...Done
Scanning for new mail senders.....Done
Scanning suexec_log.Done


Let's check now:
root@ocean [~]# perl sec092306.pl
cPanel Security Patch (sec092306) v2
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patch Complete
Checking for safety...

safe

Done
root@ocean [~]#


Nice work guys... lol
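The whole cycle the post walks through (check, plain upcp, check again, force, check again), as an added example that is not from the original post and not cPanel's own code. It keys every decision on the checker's "safe" / "not safe" line rather than on the build number, which stays at 10.8.2-RELEASE_119 whether or not the fix is in. It assumes sec092306.pl was downloaded to /root as shown above and that /scripts/upcp is the real updater; the sim_* functions and the transcript lines they print are constructed stand-ins for the behaviour seen above, so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post and not cPanel's own code. It turns
# the post's lesson into a procedure: trust only the checker's "safe"/"not safe"
# verdict, never the build number (which stays 10.8.2-RELEASE_119 patched or not),
# and escalate from a plain /scripts/upcp to /scripts/upcp --force when the
# verdict does not change.

# parse_checker_verdict: reads a sec092306.pl transcript on stdin and prints
# exactly one of "safe", "not-safe" or "unknown". Only the first non-blank line
# after the "Checking for safety..." banner is trusted, so a truncated or
# unexpected transcript is never mistaken for a patched box.
parse_checker_verdict() {
    awk '
        /^Checking for safety/ { armed = 1; next }
        armed && NF {
            if ($0 == "safe")          verdict = "safe"
            else if ($0 == "not safe") verdict = "not-safe"
            else                       verdict = "unknown"
            seen = 1
            exit
        }
        END { print (seen ? verdict : "unknown") }
    '
}

# ensure_patched CHECK_CMD UPDATE_CMD
#   CHECK_CMD  prints the checker transcript on stdout
#   UPDATE_CMD is run once with no argument (plain upcp) and, if the box is
#              still not safe, once more with --force
# Prints the trail of actions taken and returns 0 only if the final verdict is
# "safe". The commands are parameters so the logic can be exercised without a
# cPanel server.
ensure_patched() {
    check=$1; update=$2; trail=""
    for step in "" "--force"; do
        v=$("$check" | parse_checker_verdict)
        trail="${trail}check=$v;"
        if [ "$v" = "safe" ]; then printf '%s\n' "$trail"; return 0; fi
        "$update" $step >/dev/null 2>&1
        trail="${trail}upcp${step:+ $step};"
    done
    v=$("$check" | parse_checker_verdict)
    trail="${trail}check=$v;"
    printf '%s\n' "$trail"
    [ "$v" = "safe" ]
}

# Real commands for a cPanel box (paths from the post; sec092306.pl is assumed
# to have been downloaded to /root as shown there). Not invoked in this file.
real_checker() { perl /root/sec092306.pl; }
real_upcp()    { /scripts/upcp "$@"; }

# Constructed stand-in for what the post observed: a plain upcp reports
# "Versions Match!" and leaves the box "not safe"; only --force really installs
# the fix. The transcript text below is made up for this example.
SIM_PATCHED=0
sim_upcp() { [ "${1:-}" = "--force" ] && SIM_PATCHED=1; return 0; }
sim_checker() {
    printf 'cPanel Security Patch (sec092306) v2\nPatch Complete\n'
    printf 'Checking for safety...\n\n'
    if [ "$SIM_PATCHED" = 1 ]; then printf 'safe\n'; else printf 'not safe\n'; fi
    printf '\nDone\n'
}

# Walk the constructed scenario; on a real box use: ensure_patched real_checker real_upcp
ensure_patched sim_checker sim_upcp
```

Run stand-alone it prints check=not-safe;upcp;check=not-safe;upcp --force;check=safe; which is exactly the sequence of the transcripts above. Anything other than a literal "safe" after the banner, including a missing banner, counts as unknown, so an interrupted run can never be mistaken for a patched box.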

How do you tell if you're already infected?
rkhunter and chkrootkit will not flag this. We can review your server, check whether the exploit has been used against it, and provide a detailed report.

But I have a firewall and run things like mod_security; would I still be infected?
Yes. Neither a network firewall nor mod_security covers this hole; a server running both was still fully exposed and may already be compromised.




Comments / Feedback

Rudi:
Funny, the fix fixed my cPanel without a problem. Your problem might be related to certain configuration settings.

anonymous:
# patch link updated:
wget http://layer1.cpanel.net/installer/sec092406.pl; perl sec092406.pl; rm -f sec092406.pl

None:
cpanel support (techs) are the dumbest flock of fools that ever was known to this industry
