cPanel Exploit Used to Circulate IE Exploit

Posted by Zonk on Sat Sep 23, 2006 06:27 PM
from the ouroboros dept.
miller60 writes "In a dangerous combination of unpatched exploits, hackers have used a previously undiscovered security hole in cPanel to hack the servers of a hosting company and use hundreds of hijacked sites to infect Internet Explorer users with malware using the unpatched VML exploit. cPanel, whose hosting automation software is used by many large hosting companies, has issued a fix. It's a local exploit, meaning the attacker must control a cPanel account on the target hosting provider."
  • I feel so much safer. I know that only part of this is due to IE and the larger lesson is that you can't even trust websites you know and trust because they could be compromised.

    Sure there are places where you'll get attacked often and there are others which are unlikely to be compromised but it's not enough in itself to just avoid places that look suspicious.

    • Re:firefox (Score:5, Interesting)

      by Marcion (876801) on Saturday September 23 2006, @07:50PM (#16171453)
      I use webmin/usermin (BSD licence) instead of Cpanel (proprietary).

      It seems a bit odd to stick a proprietary web control panel to control a load of open-source software on an open-source web-server running on an open-source operating system.

      But that's just me....
      • Re: (Score:3, Informative)

        > I use webmin/usermin (BSD licence) instead of Cpanel (proprietary).

        Cpanel is so common because it's provided by the hosting places on a lot of dedicated servers and used for almost all web hosting packages that I have seen. While the choice of licensing may seem silly, this is businesses using it, they aren't going with it for any idealistic reasons. They are choosing it because it is more user friendly for the non-technical types who still insist on having a website and running phpbb. It's been quite a

        • Re: (Score:3, Informative)

          Also cPanel has an Admin module for the server owner and that installs user cPanels as they create the user accounts. It IS simple, that's why it's so widely used.
        • > Cpanel is so common because it's provided by the hosting places on a lot of dedicated servers and used for almost all web hosting packages that I have seen.

          Also, Cpanel is popular because it is popular. Customers are accustomed to it and expect panels to be Cpanel, but there's more to it than that; many hosting providers will offer to restore your cpanel hosted site from your old hosting provider when you switch to them. That way you'll retain niceties like your userdatabase etc. This commonality is very us
      • Re:firefox (Score:4, Informative)

        by oneski (812190) on Sunday September 24 2006, @12:30AM (#16172607)
        > I use webmin/usermin (BSD licence) instead of Cpanel (proprietary).

        I hope you're patched up. Script kids have been doing the rounds with a file disclosure exploit in Webmin/Usermin for a while now. Thousands of machines have been compromised by it.

        Check the miniserv.log for "..%01/..%01/..%01" or similar strings.
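The log check oneski suggests, written out as an added example that is not part of the thread: a Python scanner over constructed miniserv.log lines (the format is assumed to be common-log style; the IPs and paths are made up) that flags the literal "..%01" marker and, after percent-decoding, any other encoding of the same traversal, so variants a literal grep would miss are still caught.

```python
import re
from urllib.parse import unquote

# Constructed sample of miniserv.log lines (not real data): two benign
# requests and two directory-traversal attempts, one using the "..%01/"
# marker quoted in the thread and one using plain "%2F" encoding.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Sep/2006:19:02:11 +0000] "GET /index.cgi HTTP/1.1" 200 1532
203.0.113.9 - - [23/Sep/2006:19:05:40 +0000] "GET /..%01/..%01/..%01/etc/passwd HTTP/1.0" 200 2203
198.51.100.4 - - [23/Sep/2006:19:07:02 +0000] "GET /..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0" 404 0
203.0.113.7 - - [23/Sep/2006:19:08:13 +0000] "GET /help.cgi?x=%01 HTTP/1.1" 200 890
"""

# Common-log-format prefix: client IP, identd, user, timestamp, request, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# The literal indicator quoted in the thread.
RAW_MARKER = re.compile(r"\.\.%01", re.IGNORECASE)
# After percent-decoding, ".." followed by a separator or a control byte is a
# traversal segment regardless of how it was encoded on the wire.
DECODED_SEGMENT = re.compile(r"\.\.(?=[\x00-\x1f/\\])")


def decode_path(path: str) -> str:
    """Percent-decode twice so double-encoded %252e%252e also unfolds."""
    return unquote(unquote(path))


def find_traversal(log_text: str) -> list[dict]:
    """Return one record per log line that looks like a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as hits
        path = m.group("path")
        segments = len(DECODED_SEGMENT.findall(decode_path(path)))
        if segments == 0:
            continue
        hits.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "path": path,
            "segments": segments,
            "raw_marker": bool(RAW_MARKER.search(path)),
            # A 200 on a traversal path is the case to escalate first: the
            # server answered the request instead of rejecting it.
            "served": m.group("status") == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(f'{hit["ip"]} segments={hit["segments"]} '
              f'served={hit["served"]} path={hit["path"]}')
```

Point it at a real miniserv.log by replacing SAMPLE_LOG with the file contents; the "served" flag separates attempts that were refused from ones that got a response.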

  • Temporary Fix (Score:5, Informative)

    by gooman (709147) on Saturday September 23 2006, @06:52PM (#16171077)
    This Windows exploit is similar to the WMF exploit, and just like it, Microsoft is going to take their time fixing it. If you must use Windows avoid IE and Outlook but that's not always possible.

    And to be completely safe you can unregister the .dll as follows...

    Copy the following command to clipboard and Paste into Run:

    regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

    Then when Microsoft gets around to fixing this (Probably on the next patch Tuesday) you can restore it:

    regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

    Want to bet this code is in Vista somewhere?

    • Re:Temporary Fix (Score:4, Informative)

      by The MAZZTer (911996) on Saturday September 23 2006, @07:41PM (#16171403)
      Best part is, regsvr32 only deals with Windows Explorer and Internet Explorer extensions, so this won't affect any Office functionality.
      • Re: (Score:3, Informative)

        What would give you that idea? I'm sure I could fire up regsvr32 and break Office quite easily. regsvr32 is just for registering and unregistering any COM stuff.
        • And I'm pretty sure Office does have publicly registered COM components (.NET at least, those I have used). Whether or not unregistering them would break Office itself I don't know, but it would certainly break anything that tried to use it.
    • Just be aware that this workaround may not work depending on your security level on the system. On my school-provided laptop, where I have admin rights, I'm unable to patch this, probably due to the Symantec installation on the system. Mind you I use neither IE nor Outlook, but I never know when a fool will borrow my laptop. So actually make sure the confirmation box that pops up actually says it worked, or you might end up surfing unsafely when you'd assume otherwise.
    • by walstib (620771) on Saturday September 23 2006, @09:38PM (#16171921)
      > This Windows exploit is similar to the WMF exploit
      which is similar to the WTF exploit...
  • As always it should be pretty well known that a number of large shared hosting providers have little or no security to prevent this kind of stuff. Using a cPanel local exploit to start putting the IE exploit code in other users' www folders is an interesting use for the 0-day find. A number of larger hosting providers house dozens, hundreds, and sometimes more websites on boxes that allow FTP and in some cases telnet. These boxes generally aren't patched very well either and can easily be rooted to all
    • Re:As always.. (Score:5, Informative)

      by Anonymous Coward on Saturday September 23 2006, @07:07PM (#16171187)
      In hostgator's defense, they do have a good security team and this had nothing to do with ftp. It's interesting to read through the following thread to see how they were handling the problem:
      http://forums.hostgator.com/showthread.php?t=10928 [hostgator.com]

      I'm a customer whose site didn't have problems, but I am satisfied with how they got on this problem. Not perfect, but definitely good. Of course when I read this headline I was shitting bricks for a moment or two.
      • Re: (Score:2, Informative)

        First I am not sure how my post got classified as flamebait exactly, considering I am not flaming anyone or anything. Other than that -- I wasn't specifically calling out HostGator in any way. However, they have a number of problems as I have seen alerts from various CERT reports that show HostGator shared hosting boxes as being used in a number of various attacks. My comment regarding FTP and others was more aimed at shared hosting providers that do use it. DreamHost for example, has boxes with 100's o
  • cPanel fix (Score:5, Informative)

    by maggeth (793549) on Saturday September 23 2006, @07:05PM (#16171159)
    If you admin a server with cPanel, run /scripts/upcp to apply the patch. Otherwise, so long as you have not turned off the nightly UPCP update, then your server will be patched overnight tonight automatically.
  • by hostgator (1004865) on Saturday September 23 2006, @07:17PM (#16171261)
    We know they discovered the cpanel root exploit about a month earlier before launching this. They were waiting for the perfect timing before having sites load an iframe distributing the viruses. The perfect timing became the new vml exploit. It wasn't easy to figure out how they were doing it but we did. Shortly after we discovered how which was the 0 day cpanel root exploit. Upon investigating it further we found any hosting company in the world running cpanel could be exploited. In fact we spoke with some other very large hosting companies that were. One that's even much larger than us, and has been around much longer. I'd like to thank everyone that was helping us track down the root cause. Special thanks to David Collins, Tim Greer, Brad, Idefense.com, and the other hosting companies who cooperated with us once we alerted them.
  • by jofny (540291) on Saturday September 23 2006, @07:20PM (#16171285)
    People have been exploiting CPanel bugs to compromise shared hosting for the purposes of hosting clientside (IE) exploit code for ages - this isn't new. The first time I know of for a fact was 2 or more years ago. For as many large providers as use CPanel, the code really needs to be more closely audited...
    • Re: (Score:1, Informative)

      by Anonymous Coward
      > For as many large providers as use CPanel, the code really needs to be more closely audited...

      Unfortunately cPanel consists of several million lines of uncommented perl code. Integral parts of almost every operation go through a large closed-source binary generated from perl code which makes it impossible to audit.

      You may be also interested in knowing that cPanel was started by someone when they were around 12 years old, and much of that code still is still in use. None of the cPanel developers have
  • by Anonymous Coward on Saturday September 23 2006, @07:39PM (#16171395)
    Discussion on the hosting company's (HostGator) support forum: http://forums.hostgator.com/showthread.php?t=10928 [hostgator.com]
  • by Aceheaton (986774) on Saturday September 23 2006, @10:18PM (#16172079)
    This is Matt Heaton, President of Bluehost.com. We were working with Brent at Hostgator and had issued a fix before Cpanel finally got around to doing so. There are STILL multiple root exploits that we know FOR SURE work on Cpanel that have yet to be fixed. In one case it is a simple one liner that will pop root on any Cpanel install. This still works even after their "patch". Security is always an afterthought for the Cpanel guys and never designed in as it should be from the start. We were happy that Hostgator asked us for help as we were happy to help and would hope that they would do the same for us if need be. Don't blame the hosting companies in this case, blame Cpanel for knowing about their multitude of scripts that run with root privileges without properly parsing all data passed to and from their suid c programs!! We have been complaining about this for at least 2 years with little or no help for the issue. We have at least 20 bandaids for Cpanels scripts to fix problems that they refuse to deal with in their "stable" and "current" versions. Hopefully this incident will help them to move in the right direction, but given past exploits and their "resolutions" I HIGHLY doubt it!
    • by KmArT (1109) on Saturday September 23 2006, @10:32PM (#16172159)
      Er, so you run a hosting company and cPanel is confirmed buggy, by you, and yet you continue to run it? And why should I ever consider hosting with you? Rather than moan and complain about the bugs, find another software package that is more secure. Or write your own... Tolerance of poor software is why it still exists..
      • by Aceheaton (986774) on Saturday September 23 2006, @10:58PM (#16172259)
        We supply what the users want and from a users perspective Cpanel is pretty good, but from an administrative viewpoint it is a nightmare. We host more than 200,000 domains on our two brands. It would be virtually impossible for us to switch now. Believe me, I often wish I could :)
          • No. cPanel in particular gets its tentacles into many aspects of the system, and each major control panel (cPanel, Plesk, Ensim, Interworx, DirectAdmin, ...) has its own different way of running the show. They will *not* play nice together on the same system. cPanel is certainly one of the poorer ones from a perspective of security and administration; sadly, customers synonymize control panels with cPanel, so unfortunately any of them *expect* it, regardless of its (lack of) quality. (Oh, and it's more expe
            • Business solution to a business problem:

              For the extra cost it takes you to manage, deal with bugs, fix with wrappers, and pay for licensing for cPanel, pass that cost on to customers via monthly fee.

              For the customers who choose the more robust packages which have cheaper, or no licensing fees, which cost your admin staff less money to operate and keep patched, charge those customers a cheaper rate. It's not that you would lose revenue by discounting the service, you would keep the alternate controller at yo
    • > Don't blame the hosting companies in this case, blame Cpanel for knowing about their multitude of scripts that run with root privileges without properly parsing all data passed to and from their suid c programs!!
      What about Plesk and other options?
      • Plesk is an ok option, but is known primarily for their windows hosting though they do offer a linux option. They are far more common in the VPS market as their VPS offering (Virtuozzo) is often sold along with Plesk. It is good from the end users perspective, but not nearly as good as Cpanel. I just wish Cpanel would get it together for the admins then it would be the best of both worlds.... Ahhh... Wishful thinking!
        • Maybe a few of the big hosting company CEOs should get together and talk about contributing to jointly develop a CPanel replacement? Maybe see if there's anything even roughly equivalent out there in FLOSS land and if so, pay some developers to bring it up to CPanel level of functionality... If not, hell, start a project from scratch.
    • > Don't blame the hosting companies in this case, blame Cpanel

      So in other words, the people at Cpanel held a gun to your head and forced you to install their software for your customers?
    • Try ISPConfig. It is easy to use from a user's standpoint. It's secure and it is open source. The BIG plus is that it uses the OS's commands and scripts. It doesn't depend on its own proprietary scripts to perform operations. It's also fairly easy to convert over to.
      • Sorry, BULLSHIT. I like ISPConfig because it interfaces with PostFix, the MTA of choice around my shop. CPanel uses EXIM, Plesk uses QMail (hi, Dr. Ex-Lax!), with its many unaudited patches and workarounds to modern mail problems. (I have front-ended QMail with PostFix edge servers so that I don't have to deal with the many holes in QMail.) But it's an immature interface, and lacking some features that customers want.

        As you might guess, I work for a web house that uses Ensim, Plesk for Windows, Plesk
      • Re: (Score:2, Informative)

        It's not really our fault. It doesn't mean that we aren't responsible to our customers, it just means often our hands are tied. It's been two years and at least 7 root exploits. In each case we contacted Cpanel directly. If we made it public it was fixed in hours, if we didn't it would sit on the shelf and often not addressed at all. As the customer is paying us we certainly are responsible to the customer, but it is out of our hands to fix. If we can we will strace the software and write wrappers to fi
  • So well first we have a web browser with well established history of being crappy and insecure. Thousands of exploits, hundreds of successful global scale exploits attacking Microsoft Internet Explorer. Product well known to be one of least secure of probably all of software products. The king of insecurity - MSIE (with Windows underneath - but you can't have it otherwise, consider MSIE for Mac dead).

    Secondly we have some closed source software called cPanel. An ugly hack on system administration, you know
  • How do I check if my host's cPanel is fixed without logging in & handing them my password?

    I mean, I could contact my hosting provider, but I would prefer to check before harassing them.

    Also, as good as they've been, I haven't really tested their professionalism before. I'd like to check w/o logging in, whether or not they say they've installed the patch. Is this remotely feasible?
    • > I mean, I could contact my hosting provider, but I would prefer to check before harassing them.

      Customer service is not harassment.
  • Odd occurrence today (Score:3, Interesting)

    by robogun (466062) on Sunday September 24 2006, @01:09AM (#16172723)
    I don't know if this is related, but I hit a webpage today that tried to access my router at 192.168.1.1.

    My router's password dialog appears when hitting the page.

    I don't think I've seen that one before.
  • Brent with hostgator.com here again. We have just discovered cPanel's patch /scripts/upcp doesn't do anything. If you think you were autopatched last night or ran upcp, you're still very hackable. What you need to do is run /scripts/upcp --force. A way to confirm our findings is to run http://layer2.cpanel.net/installer/sec092306.pl [cpanel.net] which is their patch checker. If you're not safe it will say "not safe"; if you're safe it will say "safe". After all this, even after running and being told "safe", I don't believe it
    • by WilliamSChips (793741) on Saturday September 23 2006, @06:46PM (#16171029)
      Actually, cPanel does run in Linux. But it's Perl, so it doesn't count.
      • I don't know anything about cPanel- I'll gladly take your word on it, but I was more focused on the IE vector of attack, yet again.
        An exploit using cPanel to attack IE on my *nix boxes is gonna be one confused, helpless puppy!
      • > cPanel does run in Linux. But it's Perl, so it doesn't count.

        As usual, the problem is all M$. The fact that the attacker must have an account to break cPanel is more a mitigating factor than what language cPanel was written in. Now, if you are dumb enough to be administering your site through Windoze, you might have already given away that access by keylogger. There's an endless supply of drive by hijackings for that OS. A malicious interested party in Redmond might hire someone to conduct just such an

        • Re: (Score:1, Insightful)

          by Anonymous Coward
          twitter, please read this carefully. Following this advice will make Slashdot a better place for everyone, including yourself.
          • As a representative of the Linux community, participate in mailing list and newsgroup discussions in a professional manner. Refrain from name-calling and use of vulgar language. Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer. Your words will either enhance or degrade the image the reader has of the Linux community.
          • Avoid hyper
        • You'll like this, twitter--cPanel is proprietary.
        • Twit logic at its bitter, twisted finest. cPanel is mostly perl scripts running on Linux. But perl is Free, so it is perfect and must be absolved of all wrongdoing. And Linux is Free, so it too is perfect and must be absolved of all wrongdoing. But wait! The HTML injected through the cPanel exploit is itself an IE exploit!

          It all makes sense now! If Microsoft didn't build such shitty software, nobody would have ever been LOOKING for an exploit in cPanel in the first place. So it's all Microsoft's fault, an

      • cPanel does run in Linux, but the Perl comment was a mistake(something I thought I had heard). It's still proprietary, though, and running important things on proprietary software is by default a liability.