Warning for all people who have websites

Ask the few things google does not know

Moderator: Dictators in Training

Warning for all people who have websites

Postby Gidan » Sat Sep 23, 2006 1:43 pm

If you either own or admin a server, or you have an account with a webhost this is for you.

If the server your website is on, or you admin is running cPanel. Get off that box. I can’t give any details, just trust me when I tell you, do not do anything on any server that is running cPanel.

That is all.
For to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.
User avatar
Gidan
Admin Abuse Squad
Admin Abuse Squad
 
Posts: 2892
Joined: Tue Jan 04, 2005 11:01 am

Postby Tikker » Sat Sep 23, 2006 1:45 pm

erm, no need infoz

i'm assuming cPanel has been compromised
Tikker
NT Legend
NT Legend
 
Posts: 14294
Joined: Tue Mar 09, 2004 5:22 pm

Postby Gidan » Sat Sep 23, 2006 2:39 pm

Oh and add this

http://news.netcraft.com/archives/2006/ ... ploit.html

USE FIREFOX atleast until MS patches IE for this.
For to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.
User avatar
Gidan
Admin Abuse Squad
Admin Abuse Squad
 
Posts: 2892
Joined: Tue Jan 04, 2005 11:01 am

Postby Gidan » Sat Sep 23, 2006 9:30 pm

ger
For to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.
User avatar
Gidan
Admin Abuse Squad
Admin Abuse Squad
 
Posts: 2892
Joined: Tue Jan 04, 2005 11:01 am

Re: Warning for all people who have websites

Postby Diekan » Sat Sep 23, 2006 9:51 pm

Gidan wrote:If you either own or admin a server, or you have an account with a webhost this is for you.

If the server your website is on, or you admin is running cPanel. Get off that box. I can’t give any details, just trust me when I tell you, do not do anything on any server that is running cPanel.

That is all.


Dude... it's the Internet... not the CIA.
User avatar
Diekan
NT Deity
NT Deity
 
Posts: 5736
Joined: Fri Mar 12, 2004 10:14 am

Postby Gidan » Sat Sep 23, 2006 10:03 pm

I could get fired if I give details, would prefer not to.
For to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.
User avatar
Gidan
Admin Abuse Squad
Admin Abuse Squad
 
Posts: 2892
Joined: Tue Jan 04, 2005 11:01 am

Postby Tikker » Sun Sep 24, 2006 1:00 am

In other words, Gidan was supposed to patch something, forgot, and they got jabowned!


ps, i'm kidding
Tikker
NT Legend
NT Legend
 
Posts: 14294
Joined: Tue Mar 09, 2004 5:22 pm

Postby Gidan » Sun Sep 24, 2006 7:42 am

Now that cPanel has made a public statement of sorts.


One of our hosts had a large chunk of their boxes rooted all at once. We are not talking 10 or 20, we are talking 3 0's on the number of servers for this customer that were rooted. It was done through a backdoor in cPanel that effected any and all versions of cPanel. This vulnerability was so bad that there was no way to secure your server against it. The only thing you needed to root the server was ftp and http access to the server, meaning any person paying $5 a month for a website could have rooted the server at will.

cPanel says they have fixed it, and they do seem to have closed it for now (I spent a good 30 mins trying to crack it and it does appear to be a good fix). On Monday, cPanel should be releasing a full statement, they just want to wait until they are reasonably sure all servers running cPanel have run their auto update before doing so.

I have seen and played with the script that was used, all I can say is cPanel and many of the hosts out there are VERY lucky that it was written by an idiot who wasn't concerned with being found out. Had they taken 10 seconds to clean up a bit in the script, no one would have had any clue.

What made this whole thing worse was the true result of this attack. The guy went into the servers he rooted and changed mod_layout in such a way that every single site on every single server had iframs that loaded sites that had viruses that exploited a security hole in IE. Thousands of users found that they had been infected immediatly after having gone to these websites. Those who used firefox were not effected.
For to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.
User avatar
Gidan
Admin Abuse Squad
Admin Abuse Squad
 
Posts: 2892
Joined: Tue Jan 04, 2005 11:01 am


Return to Tech Support

Who is online

Users browsing this forum: No registered users and 33 guests

cron