0 Day cPanel Exploit in Wild Published: Sep 24, 2006
  • Rating

    1/5

A new 0 Day cPanel Exploit in the wild that allows the attacker to gain root access has been spotted in multiple hosting providers and continues to be found.

0 Day cPanel Exploit in Wild

UGRENT THE /scripts/upcp fix that cPanel has claimed to fix your server DOES NOT. Read below!

A new 0 day cPanel exploit for root access is in the wild affecting hosts. News of this is spreading very quickly around the web and cPanel has released a band aid patch fix. You can patch your server by simply running /scripts/upcp from shell. The update will not change your release or build number either.

Notes on the cPanel Exploit:

- This is a 0 day issue, and a patch from cPanel for it was just relased on Sept. 23, 2006
- This exploit gives the attacker root access
- You will not detect this with rkhunter/chkrootkit
- You will not know you have been rooted
- It has been confirmed to be affecting more than just one hosting provider in different datacenters.

This was first seen targeting HostGator.com one of the largest shared and reseller cPanel hosts out there.
NetCraft Reports of cPanel exploit
Slashdot picks up the story
Post 1 on WHT about the alert
Post 2 on WHT about the issue

How to Fix:

From Dave of cPanel, Inc.
"Upcp will fix the problem on all builds. It is seperate from cPanel Auto Heal. The cPanel Auto Heal system was used to distribute the patch though."
Login as root and run /scripts/upcp this will patch your server. cPanel has NOT increased the build # after you've been patched, I have no idea why since this is a major hole.

UPDATE: This is NOT true. See my testing results of how to REALLY fix your server

Nice work cpanel, you tell us we're patched when your patch isn't working.
I HOPE this is a bug in your cpanel checker only but somehow I really really doubt it.

Guys /scripts/upcp doesn't fix your server, you HAVE to force it.

See http://forums.cpanel.net/showthread....d=1#post272856


Here's the post if you don't have access:

You MUST run /scripts/upcp --force

I just confirmed this on about 3 servers. Here are the findings.


I did a /scripts/upcp on this box last night right after the fix was announced and to DO a /scripts/upcp

So let me test their patcher... I should be safe right, WRONG.


root@ocean [~]# wget http://layer2.cpanel.net/installer/sec092306.pl
--13:57:23-- http://layer2.cpanel.net/installer/sec092306.pl
=> `sec092306.pl'
Resolving layer2.cpanel.net... 69.90.250.34, 69.90.250.35, 69.90.250.36, ...
Connecting to layer2.cpanel.net[69.90.250.34]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5,479 [text/plain]

100%[====================================>] 5,479 --.--K/s

13:57:23 (75.73 MB/s) - `sec092306.pl' saved [5,479/5,479]

root@ocean [~]# perl sec092306.pl
cPanel Security Patch (sec092306) v2
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patch Complete
Checking for safety...

not safe

Done

root@ocean [~]# /usr/local/cpanel/cpanel -V
10.8.2-RELEASE_119


/scripts/upcp


All packages are currently up to date
Done
BIND 9.2.4
Succeeded
Fetching http://httpupdate.cpanel.net/cpanels...cpanel/version (0)....@198.66.78.12......connected......receiving ...100%......Done
Using mail permissions style: NEW
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Versions Match! (10.8.2-RELEASE_119). You are running the latest RELEASE.
Updating addon typecripts addonhpBB version:2.0.19-1.0.......Done
Updating addon typecripts addon:AdvancedGuestBook version:latest.......Done
Updating addon type:modules addon:clamavconnector version:0.88.4-1.8.......Done
Updating addon type:modules addonro version:1.0rc36.......Done
Updating addon type:modules addonpamdconf version:0.5.......Done
Rebuilding Process List...Done
Scanning for new mail senders.....Done
Scanning suexec_log.Done


root@ocean [~]# perl sec092306.pl
cPanel Security Patch (sec092306) v2
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patch Complete
Checking for safety...

not safe

Done
root@ocean [~]#




WTF

/scripts/upcp --force

All packages are currently up to date
Done
BIND 9.2.4
Succeeded
Fetching http://httpupdate.cpanel.net/cpanels...cpanel/version (0)....@ 100%......Done
Using mail permissions style: NEW
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Installed Version: forced install
Newest Version: 10.8.2-RELEASE_119

....lots of lines later....


aiting for cppop to shutdown......Done
Waiting for cppop-ssl to shutdown......Done
==> Starting SSL tunnel...
Waiting for cpsrvd to shutdown......Done
Waiting for cpsrvd-ssl to shutdown......Done
==> Start Melange Chat Services...
==> Post Install Complete

Broadcast message from root (Sun Sep 24 14:08:17 2006):

cPanel Layer 2 Install Complete
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Updating addon typecripts addonhpBB version:2.0.19-1.0.......Done
Updating addon typecripts addon:AdvancedGuestBook version:latest......Done
Updating addon type:modules addon:clamavconnector version:0.88.4-1.8.......Done
Updating addon type:modules addonro version:1.0rc36.......Done
Updating addon type:modules addonpamdconf version:0.5.......Done
Rebuilding Process List...Done
Rebuilding Process List...Done
Scanning for new mail senders.....Done
Scanning suexec_log.Done


Lets check now
root@ocean [~]# perl sec092306.pl
cPanel Security Patch (sec092306) v2
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patch Complete
Checking for safety...

safe

Done
root@ocean [


Nice work guys... lol

How to tell if you're already infected?
We can review your server and provide a detailed report and see if the exploit has infected your servers.

But I have a Firewall and run things like Mod_security, would I still be infected?
Yes! You were still 100% open to the exploit and may be infected.

  • Rating

    1/5

Related Articles

Comments (3)

  • Gravatar - Rudi
    Rudi 21:24, September 24, 2006
    Funny, the fix fixed my cPanel without a problem. Your problem might be related to certtain configuration settings.
  • Gravatar - anonymous
    anonymous 23:47, September 24, 2006
    # patch link updated:<br />
    wget http://layer1.cpanel.net/installer/sec092406.pl; perl sec092406.pl; rm -f sec092406.pl
  • Gravatar - None
    None 04:50, October 1, 2006
    cpanel support (techs) are the dumbest flock of fools that ever was known to this industry

Add Your Thoughts

WebHostGear.com is a hosting directory, not a web host.

Copyright © 1998-2014 WebHostGear.com