Closed Thread

Thread: Whm/cpanel Users Beware -- Read

  1. #1
    Pro Member ephekt
    Join Date: Jun 2006
    Posts: 434

    Whm/cpanel Users Beware -- Read

    Hi,
    We have found a user exploiting our WHM servers (luckily he/she is not very smart.) ...

    Here is the e-mail log we trapped in the mail queue. This user knows some form of exploit that will share the login and password of every account on your whm/cpanel system.

    1GW9wb-00067g-Nq-H
    root 0 0
    <*****@tryingto.plantthebomb.com>
    1160218933 0
    -ident *****
    -received_protocol local
    -body_linecount 34902
    -auth_id root
    -auth_sender ****@tryingto.plantthebomb.com
    -allow_unqualified_recipient
    -allow_unqualified_sender
    -local
    XX
    1
    crash4deus@yahoo.com

    152P Received: from root by tryingto.plantthebomb.com with local (Exim 4.52)
    id 1GW9wb-00067g-Nq
    for crash4deus@yahoo.com; Sat, 07 Oct 2006 04:02:13 -0700
    025T To: crash4deus@yahoo.com
    020 Subject: sniff@LaUr
    058I Message-Id: <E1GW9wb-00067g-Nq@tryingto.plantthebomb.com>
    044F From: root <*******@tryingto.plantthebomb.com>
    038 Date: Sat, 07 Oct 2006 04:02:13 -0700
    That's the header; here is part of the message:

    1GW9wb-00067g-Nq-D
    08:14:06 up 19 days, 20:49, 1 user, load average: 0.00, 0.02, 0.00
    -----------------
    09/29/06 16:06:53 tcp S*******du.42307 -> 179.1*****.21 (ftp)
    USER ******
    PASS **********
    The asterisks were not in the e-mail - I put those in for my own security so no one else sees user names and such information. I would check against that email on your servers and especially check to make sure none of these style e-mails have been sent. Good luck! We will see if we can find the IPs that called the command to do this and let you know.

    Mike
    Synced.org Free Hosting Since 2002!
    - Reliable -
    cPanel, Fantastico, Great uptime and 24/7 Tech support!
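    The trapped record above is an Exim 4 spool header (-H) file. The following is an added example, not code from the post or from cPanel/Exim: a small parser for that format and a triage rule that flags what the post describes (root-submitted, locally injected mail with a very large body going to an outside address). The sample record, the function names and the 5000-line threshold are all constructed for the example.

```python
import re

# Constructed sample modelled on the Exim 4 spool -H record quoted above (placeholder id/addresses).
SAMPLE_H = """\
1ABCDE-000001-Xx-H
root 0 0
<root@host.example.invalid>
1160218933 0
-received_protocol local
-body_linecount 34902
-auth_id root
XX
1
dropbox@example.net

020  Subject: sniff@LaUr
043F From: root <root@host.example.invalid>
"""

def parse_spool_header(text):
    """Parse an Exim -H spool file: four-line preamble, '-option [value]'
    lines, 'XX' (empty non-recipient tree), recipients, blank, headers."""
    lines = text.splitlines()
    rec = {"id": lines[0][:-2], "login": lines[1].split()[0],
           "sender": lines[2].strip("<>"), "options": {}, "headers": {}}
    i = 4
    while lines[i].startswith("-"):           # option lines; value is optional
        key, _, val = lines[i][1:].partition(" ")
        rec["options"][key] = val
        i += 1
    if lines[i] != "XX":                       # non-recipient trees not handled
        raise ValueError("unexpected non-recipient tree")
    n = int(lines[i + 1])
    rec["recipients"] = lines[i + 2:i + 2 + n]
    for line in lines[i + 3 + n:]:             # 'NNN[flag] Name: value' lines
        m = re.match(r"^\d+[A-Z]?\s+([\w-]+):\s*(.*)$", line)
        if m:                                  # continuation lines are skipped
            rec["headers"][m.group(1).lower()] = m.group(2)
    return rec

def triage(rec, local_domains, max_lines=5000):
    """Reasons an operator would hold this queued message for review."""
    reasons = []
    external = [r for r in rec["recipients"] if r.split("@")[-1] not in local_domains]
    if external and rec["login"] == "root":
        reasons.append("root-submitted mail to external recipient")
    if external and rec["options"].get("received_protocol") == "local" \
            and int(rec["options"].get("body_linecount", 0)) > max_lines:
        reasons.append("unusually large locally submitted body")
    return reasons
```

Run it over each -H file in the Exim spool directory (not over -D files, which hold the body) and review anything that returns a non-empty list before releasing the queue.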

  2. #2
    Owner/Operator tumble
    Join Date: Mar 2006
    Posts: 1,220
    So ahh, what does this do? The e-mail, I mean.
    G.C. SOLUTIONS - Hosting Quality Sites Since 2006. Experience Your WebSite On A Whole New Level
    G.C. Solutions Your Best Choice For Dedicated Resource Web Hosting

  3. #3
    Pro Member ephekt
    Join Date: Jun 2006
    Posts: 434
    It will generate an email of every account on your server and e-mail the passwords and account names to that email.

  4. #4
    Owner/Operator tumble
    Join Date: Mar 2006
    Posts: 1,220
    What has cPanel to say about this? Is there a fix, or do we have to look at every e-mail that passes through the server?

  5. #5
    Pro Member Fried
    Join Date: Sep 2005
    Posts: 317
    This seems interesting.
    So, this email tricks the server into giving away all the usernames and passwords?

    It's best if you report it to the cPanel development team.
    Also, it's good that you didn't post the full code out - hackers could have found this useful.

  6. #6
    stop staring krakjoe
    Join Date: May 2006
    Location: UK
    Posts: 3,616
    Description:
    Arab VieruZ has discovered a vulnerability in cPanel, allowing malicious people to execute certain system commands on a vulnerable system.

    The problem is that user input passed to the "user" parameter in the "resetpass" section isn't properly verified before being used. This can be exploited to inject various commands by supplying shell meta characters.

    The vulnerability affects builds on all platforms up to and including version 9.1.0 build 34.

    Solution:
    The vendor advises users of STABLE and RELEASE branches to disable the "Allow cPanel users to reset their password via email" feature in the WebHostManager.

    According to the vendor, fixes for the RELEASE tree are still pending and fixed builds may be available within the next 48 hours.

    The vulnerability has been fixed in the latest versions of the EDGE and CURRENT branches.
    (\__/) Joe Watkins
    (='.'=) Software Architect
    (")_(") http://pthreads.org
    Copy and paste bunny into your sig, help him gain world domination.

  7. #7
    Pro Member Fried
    Join Date: Sep 2005
    Posts: 317
    It's always Arab/Muslim-related countries that find these hacks, isn't it? Some of them do it to help software improve... Some just do it as evilness.

  8. #8
    Pro Member ephekt
    Join Date: Jun 2006
    Posts: 434
    Krak, as far as I know this is different. That exploit was not mailing out what is in the log I started to display. We believe this has to do with a whm/ssh exploit where it took an ssh log of the server and mailed its contents along with other details. We are looking into this; it has caused us great troubles and destroyed one of our servers. We were forced to close 170 accounts from that one machine alone -- we will let everyone know something if we figure out anything more. Sorry for the vague post in the first place, I just thought it was important to let people know that there is something going around, and if I were a free host I'd block smtp for 24 hours without telling anyone and see what kind of things end up in your mail queue going out.

    Mike

  9. #9
    stop staring krakjoe
    Join Date: May 2006
    Location: UK
    Posts: 3,616
    Pretty sure it's the same exploit.

    SSH logs will never contain passwords in a human-readable format, and Linux won't / can't decrypt the format they are stored in, namely DSA / RSA format.

    I would make an educated guess that someone has brute forced the server ( which you can avoid 100% by disabling password authentication for ssh logins and using private/public keys instead, WHM can even generate the format needed for putty ) - it's more than likely the server got in as root, or hacked and su'ed their way there, and possibly compiled a c program, or made a shell script to exploit cpanel.....

    99% sure it's exactly the same exploit ......
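    The advice above (turn off password logins for ssh and use keys) is a one-line change in sshd_config, but the file's first-match semantics and Match blocks make it easy to believe a setting is off when it is not. The following is an added example, not from the post or from OpenSSH: an audit that reads the effective top-level settings and reports what still allows password guessing. The two config fragments and the function names are constructed for the example.

```python
import re

# Constructed sshd_config fragments (example only): the first allows what the
# post warns about, the second applies its advice.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
# PasswordAuthentication is not set, so OpenSSH's default (yes) applies
ChallengeResponseAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""

def effective_settings(text):
    """Top-level sshd_config directives as lowercased keyword -> value.
    sshd honours the first occurrence of a keyword, and everything after the
    first 'Match' line is conditional, so it is not treated as global here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit_sshd_config(text):
    """Return findings for settings that still let ssh accept guessed passwords."""
    s = effective_settings(text)
    findings = []
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is enabled (OpenSSH default is yes when unset)")
    if s.get("challengeresponseauthentication", "yes").lower() != "no":
        findings.append("ChallengeResponseAuthentication still allows keyboard-interactive (PAM) password prompts")
    if s.get("permitrootlogin", "").lower() == "yes":
        findings.append("PermitRootLogin yes allows password logins as root")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings
```

Note that the Match block in the hardened fragment re-enables passwords for one user only; whether that is acceptable is a policy call, and the audit deliberately reports only the global settings.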

  10. #10
    Pro Member ephekt
    Join Date: Jun 2006
    Posts: 434
    No Brute Force was attempted. And we checked the ssh log, it was in human readable text. Good attempt though.

  11. #11
    Owner/Operator tumble
    Join Date: Mar 2006
    Posts: 1,220
    Let us know when an official thread about this has been launched on the cPanel forums. I for one would like to read about it.

  12. #12
    Pro Member MyHoZt
    Join Date: Jun 2005
    Posts: 318
    Well, that is not true at all.
    Hacking is all through the world.
    No one hacks for no reason ..... !!
    I hack you when there is something going wrong between you and me !!!!
    That's the way it is.
    As we are intelligent ... we are good hackers.
    That is not a bad thing as a defence or for taking our rights.

    I know that some Arab hackers do that hack for no reason ... but this happens in all the world !!
    .:: MyHoZt ::. Providing premium webhosting since 2008
    Now offering Reseller

  13. #13
    Pro Member ephekt
    Join Date: Jun 2006
    Posts: 434
    Quote Originally Posted by toto3adalaat:
    Well, that is not true at all.
    Hacking is all through the world.
    No one hacks for no reason ..... !!
    I hack you when there is something going wrong between you and me !!!!
    That's the way it is.
    As we are intelligent ... we are good hackers.
    That is not a bad thing as a defence or for taking our rights.

    I know that some Arab hackers do that hack for no reason ... but this happens in all the world !!
    Hacking for a reason? You never have a true warrant to violate someone's information. From what you are saying, it sounds like you should not be on this forum or in the hosting industry at all. You and your fellow Arabs can not ask for respect or even the slightest bit of respect as a human being if you act in the way you have described. Further, the fact that people need to "claim" a race or ethnicity when they hack is childish. I have seen real hackers and I have met people in the security industry - or what you call hackers - and by no means do they walk around exploiting little scripts and try to represent a society; that is childish. A hacker -- do you even know what that is? It has become such a gibberish term in the latter years that I would not be surprised if you thought you were a hacker. A hacker is one who has a decent mind set and actually understands how things work, and that is why I have yet to meet a real hacker who brings shame to his country and his people.

    I think most hosts and people here would agree that in their experience it is illegal to hack and not many real hackers like to scream and brag. The only thing a script kiddie/exploiter does, which happened to one of my machines, is take away the hosting from 170 other people. Now you think about that, and think about how profitable this industry is and you will surely see that a script kiddie does only harm and hurts innocent people - especially because we don't profit off hosting people.

  14. #14
    Always moving.. James
    Join Date: Oct 2004
    Location: London, UK
    Posts: 1,963
    People do hack sometimes for no reason. It's a fact.
    I am cooking up some projects...

  15. #15
    Pro Member ephekt
    Join Date: Jun 2006
    Posts: 434
    James, I stated it was within my own experience. I have yet to meet a "hacker" who hacks for no reason. I see exploiters running around all day but they are not hackers. If you give them that credit, then we could all say we are hackers (reference to the DCOM exploit. heh).

    Have a nice day everyone.
