
cPanel Exploit Used to Circulate IE Exploit

Posted by Zonk on Sat Sep 23, 2006 06:27 PM
from the ouroboros dept.
miller60 writes "In a dangerous combination of unpatched exploits, hackers have used a previously undiscovered security hole in cPanel to hack the servers of a hosting company and use hundreds of hijacked sites to infect Internet Explorer users with malware using the unpatched VML exploit. cPanel, whose hosting automation software is used by many large hosting companies, has issued a fix. It's a local exploit, meaning the attacker must control a cPanel account on the target hosting provider."
  • firefox (Score:1, Insightful)

    by ronanbear (924575) on Saturday September 23 2006, @06:34PM (#16170951)
    I feel so much safer. I know that only part of this is due to IE and the larger lesson is that you can't even trust websites you know and trust because they could be compromised.

    Sure there are places where you'll get attacked often and there are others which are unlikely to be compromised but it's not enough in itself to just avoid places that look suspicious.

    • Re:firefox (Score:5, Interesting)

      by Marcion (876801) on Saturday September 23 2006, @07:50PM (#16171453)
      (http://commandline.org.uk/ | Last Journal: Wednesday May 30, @05:49AM)
      I use webmin/usermin (BSD licence) instead of Cpanel (proprietary).

      It seems a bit odd to stick a proprietary web control panel to control a load of open-source software on an open-source web-server running on an open-source operating system.

      But that's just me....
      • Re:firefox by Jimmy King (Score:3) Saturday September 23 2006, @08:12PM
        • Re:firefox by Kangburra (Score:3) Saturday September 23 2006, @08:59PM
        • Re:firefox by wfberg (Score:2) Sunday September 24 2006, @01:14PM
      • Re:firefox (Score:4, Informative)

        by oneski (812190) on Sunday September 24 2006, @12:30AM (#16172607)
        I use webmin/usermin (BSD licence) instead of Cpanel (proprietary).

        I hope you're patched up. Script kids have been doing the rounds with a file disclosure exploit in Webmin/Usermin for a while now. Thousands of machines have been compromised by it.

        Check the miniserv.log for "..%01/..%01/..%01" or similar strings.

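        oneski's advice above is to grep miniserv.log for "..%01/..%01/..%01". The following is an added detection example, written for this page rather than taken from the thread or from the Webmin project: it runs that literal check over a few constructed sample log lines and also applies checks on the percent-decoded path, which catch variants (such as "%2e%2e%01") that the literal grep would miss. The common-log line layout, the field names and the sample addresses are assumptions; a real miniserv.log may differ, so adjust LOG_RE to match.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the common-log style; addresses are from the
# RFC 5737 documentation ranges. Nothing here is real log data.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Sep/2006:02:11:07 +0000] "GET /unauthenticated/..%01/..%01/..%01/..%01/etc/passwd HTTP/1.0" 200 1843
198.51.100.7 - admin [24/Sep/2006:02:12:41 +0000] "GET /sysinfo.cgi HTTP/1.1" 200 5120
203.0.113.10 - - [24/Sep/2006:02:13:02 +0000] "GET /unauthenticated/..%2F..%2F..%2Fetc/shadow HTTP/1.0" 403 0
192.0.2.55 - - [24/Sep/2006:02:14:19 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048
203.0.113.10 - - [24/Sep/2006:02:15:33 +0000] "GET /unauthenticated/%2e%2e%01/%2e%2e%01/etc/webmin/miniserv.conf HTTP/1.0" 200 944
"""

# Assumed log layout: host ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The literal shape the poster says to grep for: ".." followed by a
# percent-encoded control byte (%00-%1F).
CTRL_TRAVERSAL_RE = re.compile(r'\.\.%[01][0-9a-fA-F]')


def classify_path(raw_path):
    """Return the reasons a request path looks like a traversal attempt.

    The raw-string check mirrors the grep; the decoded checks catch variants
    that hide the dots or the control byte behind another layer of encoding.
    """
    reasons = []
    if CTRL_TRAVERSAL_RE.search(raw_path):
        reasons.append("literal ..%XX control-byte traversal")
    # Decode twice so double-encoded sequences (e.g. %252e) do not slip past.
    decoded = unquote(unquote(raw_path))
    if any(ord(ch) < 0x20 for ch in decoded):
        reasons.append("control character in decoded path")
    segments = re.split(r"[/\\]", decoded)
    if any(seg.startswith("..") for seg in segments):
        reasons.append("parent-directory segment in decoded path")
    return reasons


def scan_miniserv_log(text):
    """Return one finding per suspicious request line in miniserv.log text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line; skip rather than guess
        reasons = classify_path(m["path"])
        if reasons:
            findings.append({
                "line": lineno,
                "host": m["host"],
                "status": int(m["status"]),
                "path": m["path"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan_miniserv_log(SAMPLE_LOG):
        # A 200 on a traversal path means the file was most likely served.
        flag = "DISCLOSED?" if f["status"] == 200 else "blocked"
        print(f"line {f['line']} {f['host']} {f['status']} {flag}: {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

        Run it against a real file with `scan_miniserv_log(open("/var/webmin/miniserv.log").read())` (path assumed). The status code matters for triage: a 200 on a traversal path is the line to treat as a probable disclosure, while a 403 shows the attempt was refused.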
        • Re:firefox by Zulkarnain TT075910 (Score:1) Sunday September 24 2006, @05:06AM
  • Temporary Fix (Score:5, Informative)

    by gooman (709147) on Saturday September 23 2006, @06:52PM (#16171077)
    (Last Journal: Monday November 05, @02:21AM)
    This Windows exploit is similar to the WMF exploit, and just like it, Microsoft is going to take their time fixing it. If you must use Windows avoid IE and Outlook but that's not always possible.

    And to be completely safe you can unregister the .dll as follows...

    Copy the following command to clipboard and Paste into Run:

    regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

    Then when Microsoft gets around to fixing this (Probably on the next patch Tuesday) you can restore it:

    regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

    Want to bet this code is in Vista somewhere?

  • As always.. (Score:2, Interesting)

    by madsheep (984404) on Saturday September 23 2006, @06:54PM (#16171085)
    (http://www.securityzone.org/)
    As always, it should be pretty well known that a number of large shared hosting providers have little or no security to prevent this kind of stuff. Using a cPanel local exploit to start putting the IE exploit code in other users' www folders is an interesting use for the 0-day find. A number of larger hosting providers house dozens, hundreds, and sometimes more websites on boxes that allow FTP and in some cases telnet. These boxes generally aren't patched very well either and can easily be rooted to allow someone to drop their bad code into * the hosted sites' webpages. It's been said 1000 times before, but even if you choose to run IE -- if you're not running as an Administrator (or you even use something like DropMyRights to run IE) there's probably a 99% chance the IE exploit won't do anything. The same goes for Mozilla/Firefox and any other program on Windows.
    • Re:As always.. (Score:5, Informative)

      by Anonymous Coward on Saturday September 23 2006, @07:07PM (#16171187)
      In hostgator's defense, they do have a good security team and this had nothing to do with ftp. It's interesting to read through the following thread to see how they were handling the problem:
      http://forums.hostgator.com/showthread.php?t=10928 [hostgator.com]

      I'm a customer whose site didn't have problems, but I am satisfied with how they got on this problem. Not perfect, but definitely good. Of course when I read this headline I was shitting bricks for a moment or two.
      • Re:As always.. by madsheep (Score:2) Sunday September 24 2006, @12:46AM
  • cPanel fix (Score:5, Informative)

    by maggeth (793549) on Saturday September 23 2006, @07:05PM (#16171159)
    If you admin a server with cPanel, run /scripts/upcp to apply the patch. Otherwise, so long as you have not turned off the nightly UPCP update, then your server will be patched overnight tonight automatically.
  • Owner of hostgator here (Score:4, Informative)

    by hostgator (1004865) on Saturday September 23 2006, @07:17PM (#16171261)
    We know they discovered the cPanel root exploit about a month before launching this. They were waiting for the perfect timing before having sites load an iframe distributing the viruses. The perfect timing became the new VML exploit. It wasn't easy to figure out how they were doing it, but we did. Shortly after, we discovered how, which was the 0-day cPanel root exploit. Upon investigating it further we found any hosting company in the world running cPanel could be exploited. In fact we spoke with some other very large hosting companies that were. One that's even much larger than us, and has been around much longer. I'd like to thank everyone that was helping us track down the root cause. Special thanks to David Collins, Tim Greer, Brad, Idefense.com, and the other hosting companies who cooperated with us once we alerted them.
  • by jofny (540291) on Saturday September 23 2006, @07:20PM (#16171285)
    (http://sintixerr.wordpress.com/)
    People have been exploiting CPanel bugs to compromise shared hosting for the purposes of hosting clientside (IE) exploit code for ages - this isn't new. The first time I know of for a fact was 2 or more years ago. For as many large providers as use CPanel, the code really needs to be more closely audited...
  • by Anonymous Coward on Saturday September 23 2006, @07:39PM (#16171395)
    Discussion on the hosting company's (HostGator) support forum: http://forums.hostgator.com/showthread.php?t=10928 [hostgator.com]
  • by lapaille (724747) on Saturday September 23 2006, @10:08PM (#16172047)
    Web hosting companies should use everything custom-coded and not rely on third-party scripts anyway. I host at Yellowpipe Hosting [yellowpipe.com].
    It does not really minimize the risk for errors, but at least it prevents exploits from spreading on the Internet.
  • Bluehost issued a fix. (Score:4, Interesting)

    by Aceheaton (986774) on Saturday September 23 2006, @10:18PM (#16172079)
    This is Matt Heaton, President of Bluehost.com. We were working with Brent at Hostgator and had issued a fix before cPanel finally got around to doing so. There are STILL multiple root exploits that we know FOR SURE work on cPanel that have yet to be fixed. In one case it is a simple one-liner that will pop root on any cPanel install. This still works even after their "patch". Security is always an afterthought for the cPanel guys and never designed in as it should be from the start. We were happy that Hostgator asked us for help, as we were happy to help and would hope that they would do the same for us if need be. Don't blame the hosting companies in this case, blame cPanel for knowing about their multitude of scripts that run with root privileges without properly parsing all data passed to and from their suid C programs!! We have been complaining about this for at least 2 years with little or no help for the issue. We have at least 20 bandaids for cPanel's scripts to fix problems that they refuse to deal with in their "stable" and "current" versions. Hopefully this incident will help them to move in the right direction, but given past exploits and their "resolutions" I HIGHLY doubt it!
  • So, well, first we have a web browser with a well-established history of being crappy and insecure. Thousands of exploits, hundreds of successful global-scale exploits attacking Microsoft Internet Explorer. A product well known to be one of the least secure of probably all software products. The king of insecurity - MSIE (with Windows underneath - but you can't have it otherwise, consider MSIE for Mac dead).

    Secondly, we have some closed-source software called cPanel. An ugly hack on system administration, you know, the one that gives you root-like privileges over WWW. I don't know cPanel's security record but I don't really care - closed source, and not useful (to me) stuff.

    So you are using MSIE and clicking in some web frontend to administer other system. And you thought it was secure? Why?
  • How do I check if my host's cPanel is fixed without logging in & handing them my password?

    I mean, I could contact my hosting provider, but I would prefer to check before harassing them.

    Also, as good as they've been, I haven't really tested their professionalism before. I'd like to check w/o logging in, whether or not they say they've installed the patch. Is this remotely feasible?
  • Odd occurrence today (Score:3, Interesting)

    by robogun (466062) on Sunday September 24 2006, @01:09AM (#16172723)
    I don't know if this is related, but I hit a webpage today that tried to access my router at 192.168.1.1.

    My router's password dialog appears when hitting the page.

    I don't think I've seen that one before.
  • by vz3phyre (1003163) on Sunday September 24 2006, @05:09AM (#16173505)
    cPanel = cracker panel
  • cPanel's patch doesn't work! Read!! (Score:2, Informative)

    by hostgator (1004865) on Sunday September 24 2006, @02:49PM (#16177477)
    Brent with hostgator.com here again. We have just discovered cPanel's patch /scripts/upcp doesn't do anything. If you think you were autopatched last night or ran upcp, you're still very hackable. What you need to do is run /scripts/upcp --force. A way to confirm our findings is to run http://layer2.cpanel.net/installer/sec092306.pl [cpanel.net] which is their patch checker. If you're not safe it will say "not safe"; if you're safe it will say "safe". After all this, even after running it and being told "safe", I don't believe it's truly fixed. We'll all be very lucky if something doesn't spawn off this or another cPanel wrapper exploit doesn't hit the market. cPanel, please provide us with some source so we can help you audit. We're not asking for all of it, just parts that we know aren't secure such as wrapper.
  • Demo accounts... (Score:1)

    by Julz (9310) on Sunday September 24 2006, @04:10PM (#16177989)
    So basically any hosting company that allows people access to a demo of cPanel would be affected. Yikes. From what I've seen that's quite a few.
  • by Wookie_CD (639534) on Sunday September 24 2006, @06:12PM (#16178867)
    I think hostprince.com has been affected too - I keep a personal links page there and a fresh PC got infected last night, which is a very rare occurrence for me. They seem to have disabled cpanel access as well.
  • Re:Someone has to.... (Score:4, Informative)

    by WilliamSChips (793741) <full.infinity@NOsPam.gmail.com> on Saturday September 23 2006, @06:46PM (#16171029)
    (Last Journal: Tuesday January 30 2007, @08:29PM)
    Actually, cPanel does run in Linux. But it's Perl, so it doesn't count.