We have found a user exploiting our WHM servers (luckily he/she is not very smart)...
Here is the e-mail log we trapped in the mail queue. This user knows some form of exploit that will share the login and password of every account on your WHM/cPanel system.
That's the header; here is part of the message:

1GW9wb-00067g-Nq-H
root 0 0
152P Received: from root by tryingto.plantthebomb.com with local (Exim 4.52)
    for email@example.com; Sat, 07 Oct 2006 04:02:13 -0700
025T To: firstname.lastname@example.org
020 Subject: sniff@LaUr
058I Message-Id: <E1GW9wb-00067g-Nq@tryingto.plantthebomb.com>
044F From: root <*******@tryingto.plantthebomb.com>
038 Date: Sat, 07 Oct 2006 04:02:13 -0700

The asterisks were not in the e-mail; I put those in for my own security so no one else sees user names and such information. I would check against that e-mail on your servers, and especially check to make sure none of these style e-mails have been sent. Good luck! We will see if we can find the IPs that called the command to do this and let you know.

1GW9wb-00067g-Nq-D
08:14:06 up 19 days, 20:49, 1 user, load average: 0.00, 0.02, 0.00
09/29/06 16:06:53 tcp S*******du.42307 -> 179.1*****.21 (ftp)
So, ahh, what does this do? The e-mail, I mean.
It will generate an e-mail of every account on your server and e-mail the passwords and account names to that address.
What does cPanel have to say about this? Is there a fix, or do we have to look at every e-mail that passes through the server?
This seems interesting.
So, this e-mail tricks the server into giving up all the usernames and passwords?
It's best if you report it to the cPanel development team.
Also, it's good that you didn't post the full code out; hackers could have found this useful.
Arab VieruZ has discovered a vulnerability in cPanel, allowing malicious people to execute certain system commands on a vulnerable system.
The problem is that user input passed to the "user" parameter in the "resetpass" section isn't properly verified before being used. This can be exploited to inject various commands by supplying shell meta characters.
The vulnerability affects builds on all platforms up to and including version 9.1.0 build 34.
The vendor advises users of STABLE and RELEASE branches to disable the "Allow cPanel users to reset their password via email" feature in the WebHostManager.
According to the vendor, fixes for the RELEASE tree are still pending, and fixed builds may be available within the next 48 hours.
The vulnerability has been fixed in the latest versions of the EDGE and CURRENT branches.
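The advisory quoted above says only that the "user" parameter of the resetpass feature reached a shell without being checked, so shell metacharacters in it were executed. The following is an added example, not cPanel's code: it shows the vulnerable pattern (attacker text interpolated into a shell command line) next to the hardened form (allow-list the value, then pass it as a single argv element with no shell). The `echo` command stands in for whatever resetpass actually ran, and the username rule is an assumption, not something the advisory states.

```python
"""Shell metacharacter injection through a 'user' parameter, and the fix.

Added example, not cPanel code. The advisory only says the resetpass 'user'
value reached a shell unvalidated; 'echo' here stands in for the real command.
"""
import re
import subprocess

# Assumption: account names are lowercase alphanumerics, starting with a
# letter, at most 16 chars. A conservative rule, not taken from the advisory.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9]{0,15}$")


def is_valid_username(user: str) -> bool:
    """Allow-list check: anything outside the pattern is rejected outright."""
    return USERNAME_RE.fullmatch(user) is not None


def notify_unsafe(user: str) -> str:
    """Vulnerable pattern: the parameter is interpolated into a shell string,
    so ';', '|', backticks and '$(...)' in it are interpreted by /bin/sh."""
    cmd = f"echo reset requested for {user}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def notify_argv_only(user: str) -> str:
    """No shell: the value is one argv element, so metacharacters are passed
    literally to the program instead of being executed. Still no validation,
    so garbage reaches the tool; keep the allow-list as well."""
    argv = ["echo", "reset", "requested", "for", user]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def notify_safe(user: str) -> str:
    """Hardened: validate first, then invoke without a shell."""
    if not is_valid_username(user):
        raise ValueError(f"rejected account name: {user!r}")
    return notify_argv_only(user)


if __name__ == "__main__":
    payload = "bob; echo INJECTED"          # constructed attacker input
    print(notify_unsafe(payload), end="")   # two lines: the shell ran 'echo INJECTED'
    print(notify_argv_only(payload), end="")  # one line, payload echoed literally
    try:
        notify_safe(payload)
    except ValueError as exc:
        print(exc)
```

Run stand-alone, the unsafe variant prints a second line "INJECTED", which is the whole bug in miniature: with the command built as a string, the attacker controls part of the shell grammar, not just a word in it. The vendor's interim advice to disable the e-mail password reset simply removes the code path that reached the shell.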
It's always Arab/Muslim-related countries that find these hacks, isn't it? Some of them do it to help software improve... Some just do it out of evilness.
Krak, as far as I know this is different. That exploit was not mailing out what is in the log I started to display. We believe this has to do with a WHM/SSH exploit where it took an SSH log of the server and mailed its contents along with other details. We are looking into this; it has caused us great troubles and destroyed one of our servers. We were forced to close 170 accounts from that one machine alone -- we will let everyone know something if we figure out anything more. Sorry for the vague post in the first place, I just thought it was important to let people know that there is something going around, and if I were a free host I'd block SMTP for 24 hours without telling anyone and see what kind of things end up in your mail queue going out.
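Both the first post (check your servers for e-mails of this style) and the one above (hold outbound SMTP and look at what piles up in the queue) come down to triaging the Exim spool. The following is an added example, not code from anyone in the thread: it parses the two spool files Exim keeps per queued message, the -H file (envelope, option lines, then length-prefixed header lines, the format the first post quotes) and the -D file (body), and flags two things the trapped message showed: a message submitted locally by uid 0 and addressed off-box, and body lines shaped like account:password pairs. The spool text, hostnames, addresses and credentials below are constructed for the example.

```python
"""Triage Exim spool files for root-generated mail that carries credentials.

Added example, not code from the thread. Parses the -H (envelope + headers)
and -D (body) spool files and applies two checks drawn from the trapped
message: locally submitted by uid 0 to an outside address, and body lines
that look like account:password pairs.
"""
import re
from dataclasses import dataclass

# Constructed sample spool files, modelled on the lines quoted in the thread
# with made-up hostnames, addresses and credentials.
SAMPLE_H = """1GW9wb-00067g-Nq-H
root 0 0
<root@host.example.com>
1160218933 0
-ident root
-received_protocol local
-body_linecount 4
XX
1
ops@example.net

138P Received: from root by host.example.com with local (Exim 4.52)
\tid 1GW9wb-00067g-Nq
\tfor ops@example.net; Sat, 07 Oct 2006 04:02:13 -0700
020T To: ops@example.net
020  Subject: sniff@LaUr
049I Message-Id: <E1GW9wb-00067g-Nq@host.example.com>
035F From: root <root@host.example.com>
038  Date: Sat, 07 Oct 2006 04:02:13 -0700
"""

SAMPLE_D = """1GW9wb-00067g-Nq-D
 08:14:06 up 19 days, 20:49,  1 user,  load average: 0.00, 0.02, 0.00
cpuser1:Tr0ub4dor&3
cpuser2:Hunter2006!
09/29/06 16:06:53 tcp 192.0.2.10.42307 -> 203.0.113.21 (ftp)
"""

# Spool header lines are "<length><flag> <text>": length counts the header
# text including its newline(s) and any continuation lines; flag is P (Received),
# T (To), I (Message-Id), F (From), * (deleted) or a space for other headers.
HEADER_RE = re.compile(r"^(\d+)([A-Z* ]) (.*)$")
# Body line shaped like "account:password" (Unix-style name, 6+ char secret).
CRED_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}:\S{6,}$")


@dataclass
class SpoolMessage:
    msg_id: str
    login: str
    uid: int
    recipients: list
    protocol: str
    headers: list            # (flag, header text with continuation lines)
    length_mismatches: list  # first line of any header whose declared length is wrong


def parse_h_file(text: str) -> SpoolMessage:
    meta, _, header_block = text.partition("\n\n")   # blank line ends the envelope part
    meta_lines = meta.split("\n")
    msg_id = meta_lines[0][:-2]                        # strip the "-H" suffix
    login, uid, _gid = meta_lines[1].split()
    protocol, recipients = "", []
    for line in meta_lines[2:]:
        if line.startswith("-received_protocol "):
            protocol = line.split(" ", 1)[1]
        elif "@" in line and not line.startswith(("<", "-")):
            recipients.append(line)                    # envelope recipients, one per line

    headers, mismatches = [], []
    current = None                                     # [flag, declared_len, [lines]]

    def flush():
        if current:
            flag, declared, lines = current
            headers.append((flag, "\n".join(lines)))
            if sum(len(l) + 1 for l in lines) != declared:   # +1 per newline
                mismatches.append(lines[0])

    for line in header_block.split("\n"):
        m = HEADER_RE.match(line)
        if m:
            flush()
            current = [m.group(2), int(m.group(1)), [m.group(3)]]
        elif line[:1] in (" ", "\t") and current:
            current[2].append(line)                    # folded continuation line
    flush()
    return SpoolMessage(msg_id, login, int(uid), recipients, protocol, headers, mismatches)


def parse_d_file(text: str):
    first, _, body = text.partition("\n")
    return first[:-2], body.splitlines()               # (message id, body lines)


def triage(h_text: str, d_text: str, local_domains: set) -> list:
    msg = parse_h_file(h_text)
    body_id, body = parse_d_file(d_text)
    findings = []
    if body_id != msg.msg_id:
        findings.append("spool -H and -D ids differ")
    outside = [r for r in msg.recipients
               if r.rsplit("@", 1)[-1].lower() not in local_domains]
    if msg.protocol == "local" and msg.uid == 0 and outside:
        findings.append(f"locally submitted by uid 0 ({msg.login}) to {', '.join(outside)}")
    creds = [l for l in body if CRED_RE.match(l)]
    if creds:
        findings.append(f"{len(creds)} body line(s) look like account:password pairs")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_H, SAMPLE_D, {"host.example.com"}):
        print(finding)
```

On a live box the same text comes from Exim itself: `exim -bp` lists the queue, and `exim -Mvh <id>` and `exim -Mvb <id>` print a message's -H and -D spool files (on cPanel they live under the Exim spool input directory). The length check matters because a message whose declared header lengths do not match its text was not written by Exim, which is its own indicator.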
Pretty sure it's the same exploit.
SSH logs will never contain passwords in a human-readable format, and Linux won't / can't decrypt the format they are stored in, namely DSA / RSA format.
I would make an educated guess that someone has brute-forced the server (which you can avoid 100% by disabling password authentication for SSH logins and using private/public keys instead; WHM can even generate the format needed for PuTTY). It's more than likely the attacker got in as root, or hacked in and su'ed their way there, and possibly compiled a C program, or made a shell script, to exploit cPanel...
99% sure it's exactly the same exploit ......
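The advice above to disable SSH password authentication in favour of keys is the one concrete hardening step in this thread, and it is easy to get half right: sshd honours the first value it sees for a keyword, and PAM keyboard-interactive can still prompt for a password after `PasswordAuthentication no`. The following is an added example, not from any poster or from cPanel: a small audit over sshd_config text, run against a constructed weak configuration and its corrected form. Defaults assumed when a keyword is absent are noted in the code.

```python
"""Audit sshd_config for password-based logins. Added example, not from the thread.

Parses the global section the way sshd does (first occurrence of a keyword
wins, later duplicates ignored, '#' comments, 'Key value' or 'Key=value')
and reports settings that still allow password or root password logins.
"""
import re

# Constructed samples: the weak config, and the corrected one the post suggests.
WEAK_CONFIG = """# password logins still allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """# key-only logins
Port 22
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

ROOT_LOGIN_OK = {"no", "without-password", "prohibit-password"}


def parse_sshd_config(text: str) -> dict:
    """Return {lowercased keyword: first value} for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break  # assumption: Match blocks are out of scope for this audit
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())  # first wins
    return settings


def audit(text: str) -> list:
    s = parse_sshd_config(text)
    findings = []
    # sshd default is 'yes', so an absent keyword counts as weak.
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': SSH passwords can be brute-forced")
    # Default 'yes'; with UsePAM this path can still ask for a password.
    # Newer sshd spells it KbdInteractiveAuthentication, so accept either.
    cra = s.get("challengeresponseauthentication", s.get("kbdinteractiveauthentication", "yes"))
    if cra.lower() != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': PAM keyboard-interactive "
                        "can still prompt for a password")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled: keys cannot replace passwords")
    # Assumption: treat an absent PermitRootLogin as 'yes' (the pre-OpenSSH 7.0
    # default); newer releases default to prohibit-password.
    if s.get("permitrootlogin", "yes").lower() not in ROOT_LOGIN_OK:
        findings.append("PermitRootLogin allows root password logins")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

Apply it to the real file with `audit(open("/etc/ssh/sshd_config").read())`, and remember to have a working key in place and a second session open before restarting sshd with passwords turned off.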
No brute force was attempted. And we checked the SSH log; it was in human-readable text. Good attempt, though.
Let us know when an official thread about this has been launched on the cPanel forums. I for one would like to read about it.
Well, that is not true at all.
Hacking is all through the world.
No one hacks for no reason!
I hack you when something goes wrong between you and me!
That's the way it is.
As we are intelligent, we are good hackers.
That is not a bad thing, as a defence or for taking our rights.
I know that some Arab hackers do hack for no reason, but this happens all over the world!
I think most hosts and people here would agree that, in their experience, it is illegal to hack, and not many real hackers like to scream and brag. The only thing a script kiddie/exploiter does, which happened to one of my machines, is take away the hosting from 170 other people. Now think about that, and think about how profitable this industry is, and you will surely see that a script kiddie does only harm and hurts innocent people, especially because we don't profit off hosting people.
People do hack sometimes for no reason. It's a fact.
James, I stated it was within my own experience. I have yet to meet a "hacker" who hacks for no reason. I see exploiters running around all day, but they are not hackers. If you give them that credit, then we could all say we are hackers (reference to the DCOM exploit, heh).
Have a nice day everyone.