by Gidan » Sun Sep 24, 2006 7:42 am
Now that cPanel has made a public statement of sorts.
One of our hosts had a large chunk of their boxes rooted all at once. We are not talking 10 or 20, we are talking 3 0's on the number of servers for this customer that were rooted. It was done through a backdoor in cPanel that affected any and all versions of cPanel. This vulnerability was so bad that there was no way to secure your server against it. The only thing you needed to root the server was ftp and http access to the server, meaning any person paying $5 a month for a website could have rooted the server at will.
cPanel says they have fixed it, and they do seem to have closed it for now (I spent a good 30 mins trying to crack it and it does appear to be a good fix). On Monday, cPanel should be releasing a full statement, they just want to wait until they are reasonably sure all servers running cPanel have run their auto update before doing so.
I have seen and played with the script that was used, all I can say is cPanel and many of the hosts out there are VERY lucky that it was written by an idiot who wasn't concerned with being found out. Had they taken 10 seconds to clean up a bit in the script, no one would have had any clue.
What made this whole thing worse was the true result of this attack. The guy went into the servers he rooted and changed mod_layout in such a way that every single site on every single server had iframes that loaded sites that had viruses that exploited a security hole in IE. Thousands of users found that they had been infected immediately after having gone to these websites. Those who used firefox were not affected.
For to win one hundred victories in one hundred battles is not the acme of skill. To subdue the enemy without fighting is the acme of skill.