Slashdot Mirror

← Back to Stories (view on slashdot.org)

cPanel Exploit Used to Circulate IE Exploit

Posted by ryuzaki0 on from the ouroboros dept.

miller60 writes "In a dangerous combination of unpatched exploits, hackers have used a previously undiscovered security hole in cPanel to hack the servers of a hosting company and use hundreds of hijacked sites to infect Internet Explorer users with malware using the unpatched VML exploit. cPanel, whose hosting automation software is used by many large hosting companies, has issued a fix. It's a local exploit, meaning the attacker must control a cPanel account on the target hosting provider."

95 comments

  1. firefox by ronanbear · · Score: 1, Insightful
    I feel so much safer. I know that only part of this is due to IE and the larger lesson is that you can't even trust websites you know and trust because they could be compromised.

    Sure there are places where you'll get attacked often and there are others which are unlikely to be compromised but it's not enough in itself to just avoid places that look suspicious.

    --
    the more they over-think the plumbing the easier it is to stop up the pipe
    1. Re:firefox by Marcion · · Score: 5, Interesting

      I use webmin/usermin (BSD licence) instead of Cpanel (proprietary).

      It seems a bit odd to stick a proprietary web control panel to control a load of open-source software on an open-source web-server running on an open-source operating system.

      But thats just me....

      --
      My little Linux and tech blog
    2. Re:firefox by Jimmy+King · · Score: 2, Informative
      I use webmin/usermin (BSD licence) instead of Cpanel (proprietary).
      Cpanel is so common because it's provided by the hosting places on a lot of dedicated servers and used for almost all web hosting packages that I have seen. While the choice of licensing may seem silly, this is businesses using it, they aren't going with it for any idealistic reasons. They are choosing it because it is more user friendly for the non-technical types who still insist on having a website and running phpbb. It's been quite awhile since I've used webmin or usermin, but last I used them they didn't have anything that compared to the ease of use for managing mail accounts, databases, and installing software for the non-techs that Cpanel did at the time.
    3. Re:firefox by Kangburra · · Score: 3, Informative

      Also cPanel has an Admin module for the server owner and that installs user cPanels as they create the user accounts. It IS simple, that's why it's so widely used.

      --
      Common sense is not so common
    4. Re:firefox by oneski · · Score: 4, Informative
      I use webmin/usermin (BSD licence) instead of Cpanel (proprietary).

      I hope your'e patched up. Script kids have been doing the rounds with a file disclosure exploit in Webmin/Usermin for a while now. Thousands of machines have been compromised by it.

      Check the miniserv.log for "..%01/..%01/..%01" or similar strings.

    5. Re:firefox by Zulkarnain+TT075910 · · Score: 1

      Yes some of hosting prefer to used Usermin because it consists of a simple web server, and a number of CGI programs which directly update user config files like ~/.cshrc and ~/.forward.But the posibilities of the exploit to discover vulnerability in Webmin/Usermine slightly higher and you have to upgrade the patch frequently. Some of the latest vulnerability updates: http://www.securiteam.com/exploits/5GP0F00J5S.html and yet cPanel have some input that isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

    6. Re:firefox by wfberg · · Score: 1

      Cpanel is so common because it's provided by the hosting places on a lot of dedicated servers and used for almost all web hosting packages that I have seen.

      Also, Cpanel is popular because it is popular. Customers are accustomed to it and expect panels to be Cpanel, but there's more to it than that; many hosting providers will offer to restore your cpanel hosted site from your old hosting provider when you switch to them. That way you'll retain niceties like your userdatabase etc. This commonality is very useful in migrating new customers to your service (though obviously it also makes it easier for them to leave again).

      --
      SCO employee? Check out the bounty
  2. Re:Someone has to.... by WilliamSChips · · Score: 4, Informative

    Actually, cPanel does run in Linux. But it's Perl, so it doesn't count.

    --
    Please, for the good of Humanity, vote Obama.
  3. Temporary Fix by gooman · · Score: 4, Informative

    This Windows exploit is similar to the WMF exploit, and just like it, Microsoft is going to take their time fixing it. If you must use Windows avoid IE and Outlook but that's not always possible.

    And to be completely safe you can unregister the .dll as follows...

    Copy the following command to clipboard and Paste into Run:

    regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

    Then when Microsoft gets around to fixing this (Probably on the next patch Tuesday) you can restore it:

    regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

    Want to bet this code is in Vista somewhere?

    --
    "Kittens give Morbo gas!"
    1. Re:Temporary Fix by The+MAZZTer · · Score: 3, Informative

      Best part is, regsvr32 only deals with Windows Explorer and Internet Explorer extensions, so this won't affect any Office functionality.

    2. Re:Temporary Fix by Firehed · · Score: 1

      Just be aware that this workaround may not work depending on your security level on the system. On my school-provided laptop, where I have admin rights, I'm unable to patch this, probably due to the Symantec installation on the system. Mind you I use neither IE nor Outlook, but I never know when a fool will borrow my laptop. So actually make sure the confirmation box that pops up actually says it worked, or you might end up surfing unsafely when you'd assume otherwise.

      --
      How are sites slashdotted when nobody reads TFAs?
    3. Re:Temporary Fix by MioTheGreat · · Score: 3, Informative

      What would give you that idea? I'm sure I could fire up regsvr32 and break Office quite easily. regsvr32 is just for registering and unregistering any COM stuff.

    4. Re:Temporary Fix by TheSpoom · · Score: 1

      And I'm pretty Office does have publically registered COM components (.NET at least, those I have used). Whether or not unregistering them would break Office itself I don't know, but it would certainly break anything that tried to use it.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    5. Re:Temporary Fix by walstib · · Score: 5, Funny
      This Windows exploit is similar to the WMF exploit
      which is similar to the WTF exploit...
      --
      The most dangerous strategy is to jump a chasm in two leaps. - Benjamin Disraeli
    6. Re:Temporary Fix by MioTheGreat · · Score: 1

      Well, .NET stuff doesn't need to be registered with regsvr32 unless you're using COM to get to it. You'd use gacutil to put it into the global assembly cache.....but I'm sure you could break Office by randomly unregistering it's stuff....I'm not brave enough to try it, though.

    7. Re:Temporary Fix by Anonymous Coward · · Score: 0

      "Best part is, regsvr32 only deals with Windows Explorer and Internet Explorer extensions, so this won't affect any Office functionality."

      This is incorrect, if taken literally. If you use regsvr32 to unregister a component no application can instantiate it (unless they do so in a _completely_ non standard way, which is very very unlikely). Further, regsvr32 absoloutely does NOT just deal with Explorer (including Internet Explorer) extensions; what it does is a crucial part of the COM architecture and COM is used by many applications.

      However, you may still be right on the point that unregistering that particular DLL does not affect Office. However, that must simply mean that Office does not use any components registered in that DLL.

  4. As always.. by madsheep · · Score: 2, Interesting

    As always it should be pretty well known that a number of large shared hosting providers have little or no security to prevent this kind of stuff. Using a cPanel local exploit to start putting the IE exploit code in other users' www folders is an interesting use for the 0-day find. A number of larger hosting providers house dozens, hundreds, and sometimes more websites on a boxes that allow FTP and in some cases telnet. These boxes generally aren't patched very well either and can easily be rooted to allow someone to drop their bad code into * the hosted sites webpages. It's been said 1000 times before, but even if you choose to run IE -- if you're not running as an Administrator (or you even use something like DropMyRights to run IE) there's probably a 99% chance the IE exploit won't do anything. The same goes for Mozilla/Firefox and any other program on Windows.

    1. Re:As always.. by Anonymous Coward · · Score: 5, Informative

      In hostgator's defense, they do have a good security team and this had nothing to do with ftp. It's interesting to read through the following thread to see how they were handling the problem:
      http://forums.hostgator.com/showthread.php?t=10928

      I'm a customer whose site didn't have problems, but I am satisfied with how they got on this problem. Not perfect, but definetly good. Of course when I read this headline I was shitting bricks for a moment or two.

    2. Re:As always.. by bendodge · · Score: 0

      Anybody that can setup a fully redundant OC-48 and redundant files storage can probably set up good security. Now whether or not they keep it patched is another matter.

      --
      The government can't save you.
    3. Re:As always.. by madsheep · · Score: 2, Informative

      First I am not sure how my post got classified as flamebait exactly, considering I am not flamming anyone or anything. Other than that -- I wasn't specifically calling out HostGator in anyway. However, they have a number of problems as I have seen alerts from various CERT reports that show HostGator shared hosting boxes as being used in a number of various attacks. My comment regarding FTP and others was more aimed at shared hosting providers that do use it. DreamHost for example, has boxes with 100's of users, thousands of websites, and it uses FTP. However, in a quick search I can see gator16.hostgator.com accepts FTP connections (currently 4 connected users) so it would not surprise me if this is found all over on their boxes. Point about the IE portion is that if you run your machine securely you significantly reduce the effects some 0day exploit can have on you.

  5. Re:Someone has to.... by rts008 · · Score: 1

    I don't know anything about cPanel- I'll gladly take your word on it, but I was more focused on the IE vector of attack, yet again.
    An exploit using cPanel to attack IE on my *nix boxes is gonna be one confused, helpless puppy!

    --
    Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
  6. cPanel fix by maggeth · · Score: 4, Informative

    If you admin a server with cPanel, run /scripts/upcp to apply the patch. Otherwise, so long as you have not turned off the nightly UPCP update, then your server will be patched overnight tonight automatically.

    --
    Slashdot in 5 Paragraphs
    1. Re:cPanel fix by Anonymous Coward · · Score: 0

      you mean /scripts/fixeverything did not work?

    2. Re:cPanel fix by Anonymous Coward · · Score: 0

      better fix:

      rm -rf /usr/local/cpanel

  7. not remote, M$ is weak link as usual. by twitter · · Score: 0, Troll
    cPanel does run in Linux. But it's Perl, so it doesn't count.

    As usual, the problem is all M$. The fact that the attacker must have an account to break cPanel is more a mitigating factor than what language cPanel was written in. Now, if you are dumb enough to be administering your site through Windoze, you might have already given away that access by keylogger. There's an endless supply of drive by hijackings for that OS. A malicious interested party in Redmond might hire someone to conduct just such an attack to make visiting Linux hosted sites the kiss of death. That would be a lot of work for very little return, as hosting sites will patch, but it just goes to show that security is only as good as your weakest link.

    --

    Friends don't help friends install M$ junk.

    1. Re:not remote, M$ is weak link as usual. by Anonymous Coward · · Score: 1, Insightful
      twitter, please read this carefully. Following this advice will make Slashdot a better place for everyone, including yourself.

      • As a representative of the Linux community, participate in mailing list and newsgroup discussions in a professional manner. Refrain from name-calling and use of vulgar language. Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer. Your words will either enhance or degrade the image the reader has of the Linux community.
      • Avoid hyperbole and unsubstantiated claims at all costs. It's unprofessional and will result in unproductive discussions.
      • A thoughtful, well-reasoned response to a posting will not only provide insight for your readers, but will also increase their respect for your knowledge and abilities.
      • Always remember that if you insult or are disrespectful to someone, their negative experience may be shared with many others. If you do offend someone, please try to make amends.
      • Focus on what Linux has to offer. There is no need to bash the competition. Linux is a good, solid product that stands on its own.
      • Respect the use of other operating systems. While Linux is a wonderful platform, it does not meet everyone's needs.
      • Refer to another product by its proper name. There's nothing to be gained by attempting to ridicule a company or its products by using "creative spelling". If we expect respect for Linux, we must respect other products.
      • Give credit where credit is due. Linux is just the kernel. Without the efforts of people involved with the GNU project , MIT, Berkeley and others too numerous to mention, the Linux kernel would not be very useful to most people.
      • Don't insist that Linux is the only answer for a particular application. Just as the Linux community cherishes the freedom that Linux provides them, Linux only solutions would deprive others of their freedom.
      • There will be cases where Linux is not the answer. Be the first to recognize this and offer another solution.

      From http://www.ibiblio.org/pub/linux/docs/HOWTO/Advoca cy

    2. Re:not remote, M$ is weak link as usual. by WilliamSChips · · Score: 1

      You'll like this, twitter--cPanel is proprietary.

      --
      Please, for the good of Humanity, vote Obama.
    3. Re:not remote, M$ is weak link as usual. by Keith+Russell · · Score: 1

      Twit logic at its bitter, twisted finest. cPanel is mostly perl scripts running on Linux. But perl is Free, so it is perfect and must be absolved of all wrongdoing. And Linux is Free, so it too is perfect and must be absolved of all wrongdoing. But wait! The HTML injected through the cPanel exploit is itself an IE exploit!

      It all makes sense now! If Microsoft didn't build such shitty software, nobody would have ever been LOOKING for an exploit in cPanel in the first place. So it's all Microsoft's fault, and cPanel is off the hook entirely! Right?

      </sarcasm>

      A moment of providence: Part of the scripture readings at church this morning was James 3:13-18.

      --
      This sig intentionally left blank.
  8. Owner of hostgator here by hostgator · · Score: 4, Informative

    We know they discovered the cpanel root exploit about a month earlier before launching this. They were waiting for the perfect timing before having sites load an iframe distributing the viruses. The perfect timing became the new vml exploit. It wasn't easy to figure out how they were doing it but we did. Shortly after we discovered how which was the 0 day cpanel root exploit. Upon investigating it further we found any hosting company in the world running cpanel could be exploited. In fact we spoke with some other very large hosting companies that were. One that's even much larger then us, and has been around much longer. I'd like to thank everyone that was helping us track down the root cause. Special thanks to David Collins, Tim Greer, Brad, Idefense.com, and the other hosting companies who cooperated with us once we alerted them.

    1. Re:Owner of hostgator here by Anonymous Coward · · Score: 0

      As an employee of a certain very prominent dedicated server provider, I would like to give you, Dave, Tim, Brad, and everybody else who have been up way, way past their bedtimes very enthusiastic kudos and congratulations for handling this so well and in such a timely manner. I am also quite glad to hear that our staff as well were instrumental in resolving this. Finally, I am very pleased to see that everything is well and isolated at this point.

      Brent, and the rest of the crew, get some rest, guys :) You deserve it.

      -as

  9. CPanel bugs and malware hosting combo old by jofny · · Score: 4, Interesting

    People have been exploiting CPanel bugs to compromise shared hosting for the purposes of hosting clientside (IE) exploit code for ages - this isn't new. The first time I know of for a fact was 2 or more years ago. For as many large providers as use CPanel, the code really needs to be more closely audited...

    1. Re:CPanel bugs and malware hosting combo old by Anonymous Coward · · Score: 1, Informative

      > For as many large providers as use CPanel, the code really needs to be more closely audited...

      Unfortunately cPanel consists of several million lines of uncommented perl code. Integral parts of almost every operation go through a large closed-source binary generated from perl code which makes it impossible to audit.

      You may be also interested in knowing that cPanel was started by someone when they were around 12 years old, and much of that code still is still in use. None of the cPanel developers have had any formal programming teaching and learn from each others bad habbits. This is why the cPanel code is in such bad shape. Just look at the /scripts/ directory for proof.

    2. Re:CPanel bugs and malware hosting combo old by jofny · · Score: 1

      I wasn't at all criticizing the work of anyone working on cPanel - merely suggesting that considering its wide use, someone should figure out how to better audit the code or offer the team resources to help out in some way.

    3. Re:CPanel bugs and malware hosting combo old by Anonymous Coward · · Score: 0

      Well the main part of my comment was to point out that it is closed source. Closed source software projects generally don't like people looking at their code.

      The rest of my comment was to mention the massive difficulties in auditing some of the code, even if they did have the resources. Code like that ends up being so hard to trace through and maintain, the policy becomes "it works, dont touch it!".

    4. Re:CPanel bugs and malware hosting combo old by jofny · · Score: 1

      Then we have a pretty good justification for open source here :) I'm also glad to see this posted on Slashdot. I mean, how do people think all of this code is normally hosted for malware to use? It's not like people who do this pay for it to be hosted or do it from home. It's also done in numbers that make picking off individual boxes far too slow to be efficient. Vulnerabilities like this need more exposure.

    5. Re:CPanel bugs and malware hosting combo old by PavementPizza · · Score: 1

      God, I wish I had mod points. Finally, I get cPanel's gestalt.

      --
      Viper is the preferred editor of the Emacs operating system.
  10. Hostgator support forum discussion on the virus by Anonymous Coward · · Score: 5, Informative

    Discussion on the hosting company's (HostGator) support forum: http://forums.hostgator.com/showthread.php?t=10928

    1. Re:Hostgator support forum discussion on the virus by Anonymous Coward · · Score: 0

      Old link now locked. New link: http://forums.hostgator.com/showthread.php?p=36448

  11. Not Perl by WilliamSChips · · Score: 1

    cPanel does run in Linux, but the Perl comment was a mistake(something I thought I had heard). It's still proprietary, though, and running important things on proprietary software is by default a liability.

    --
    Please, for the good of Humanity, vote Obama.
    1. Re:Not Perl by flyingfsck · · Score: 1

      Webmin is written in Perl, not as nice to use as cpanel, but better on the security front. There is a module for it called Virtualmin, which gives you almost cpanel-like capabilities, but it is still rather crude by comparison - good enough for the average geek, though not good enough for the average pointy-clicky MSsoftie.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
  12. Re:Someone has to.... by WilliamSChips · · Score: 1

    True: IE is still the vector of attack. Which isn't surprising--using IE as a web browser is the internet equivalent of unprotected sex with a crack whore.

    --
    Please, for the good of Humanity, vote Obama.
  13. Re:Someone has to.... by karnal · · Score: 1

    Damn.

    There's a lot of people out there having unprotected sex with a crack whore!

    --
    Karnal
  14. Hosting companies should use homemade CP by lapaille · · Score: 1

    Web hosting companies should use everything custom-coded and not rely on third-party scripts anyway. I host at Yellowpipe Hosting.
    It does not really minimize the risk for errors, but at least it prevents exploits from spreading on the Internet.

    1. Re:Hosting companies should use homemade CP by Anonymous Coward · · Score: 0

      For the custom-coded Yellowpipe Hosting, you're paying 8x-10x what the equivalent to a similarly-allocated HostGator or 1and1.com plan. But at least the CP is custom-coded, eh? Or is Yellowpipe.com just a reseller for modwest.com?

    2. Re:Hosting companies should use homemade CP by DigitAl56K · · Score: 1

      What makes you think that every hosting company is more competent at developing such interfaces than cPanel? And what makes you think that every hosting company would be equally competent in actually discovering exploits?

      Look at the plus points of the cPanel exploit: One hosting company reports a problem, cPanel fixes it quickly, all hosting companies can simply update and be immune from this point forwards.

      I for one do not want to have to manage my website through some random developers' CGI scripts or trust my site security to them. Imagine auditing 1001 custom implementations instead of auditing cPanel...

    3. Re:Hosting companies should use homemade CP by lapaille · · Score: 1

      Yes, and Wal-Mart is also cheaper than my local store. I don't care if they're resellers or not, what's wrong with that? What I care for is incredible support service, always available and friendly; and the rich features they offer, plus an unusual level of control over your files and settings. And that's how small business succeed, by custom-making everything and offering a real, human customer service. It's a real plus, worth paying a little extra for a lot of people. If I wasn't the case you would only see $3 hosting and fast food everywhere.

  15. Bluehost issued a fix. by Aceheaton · · Score: 4, Interesting

    This is Matt Heaton, President of Bluehost.com. We were working with Brent at Hostgator and had issued a fix before Cpanel finally got around to doing so. There are STILL multiple root exploits that we know FOR SURE work on Cpanel that have yet to be fixed. In one case it is a simple one liner that will pop root on any Cpanel install. This still works even after their "patch". Security is always an afterthought for the Cpanel guys and never designed in as it should be from the start. We were happy that Hostgator asked us for help as we were happy to help and would hope that they would do the same for us if need be. Don't blame the hosting companies in this case, blame Cpanel for knowing about their multitude of scripts that run with root priviledges without properly parsing all data passed to and from their suid c programs!! We have been complaining about this for at least 2 years with little or no help for the issue. We have at least 20 bandaids for Cpanels scripts to fix problems that they refuse to deal with in their "stable" and "current" versions. Hopefully this incident will help them to move in the right direction, but given past exploits and their "resolutions" I HIGHLY doubt ti!

    1. Re:Bluehost issued a fix. by flyingfsck · · Score: 1

      So, why do you use cPanel and not something better?

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:Bluehost issued a fix. by KmArT · · Score: 5, Informative

      Er, so you run a hosting company and cPanel is confirmed buggy, by you, and yet you continue to run it? And why should I ever consider hosting with you? Rather than moan and complain about the bugs, find another software package that is more secure. Or write your own... Tolerance of poor software is why it still exists..

    3. Re:Bluehost issued a fix. by Anonymous Coward · · Score: 0

      Umm....

      Your users have every right to blame you. By your own admission it's been over two years with little sign of improvement. Unless this is just unfortunate timing before you can get the replacement in place, your users have every right to blame you.

    4. Re:Bluehost issued a fix. by uss_valiant · · Score: 1
      Don't blame the hosting companies in this case, blame Cpanel for knowing about their multitude of scripts that run with root priviledges without properly parsing all data passed to and from their suid c programs!!
      What about Plesk and other options?
    5. Re:Bluehost issued a fix. by Aceheaton · · Score: 4, Informative

      We supply what the users want and from a users perspective Cpanel is pretty good, but from an administrative viewpoint it is a nightmare. We host more than 200,000 domains on our two brands. It would be virtually impossible for us to switch now. Believe me, I often wish I could :)

    6. Re:Bluehost issued a fix. by Aceheaton · · Score: 2

      Plesk is an ok option, but is known primarily for their windows hosting though they do offer a linux option. They are far more common in the VPS market as their VPS offering (Virtuozzo) is often sold along with Plesk. It is good from the end users perspective, but not nearly as good as Cpanel. I just wish Cpanel would get it together for the admins then it would be the best of both worlds.... Ahhh... Wishful thinking!

    7. Re:Bluehost issued a fix. by Aceheaton · · Score: 2, Informative

      Its not really our fault. It doesn't mean that we aren't responsible to our customers, it just means often our hands are tied. Its been two years and at least 7 root exploits. In each case we contacted Cpanel directly. If we made it public it was fixed in hours, if we didn't it would sit on the shelf and often not addressed at all. As the customer is paying us we certainly are responsible to the customer, but it is out of our hands to fix. If we can we will Strace the software and write wrappers to fix their problems, but sometimes this isn't an option. Cpanel flat out REFUSES to give us even a snippet of source code. We have to rely on them when it is any type of compiled code. Our customers love Cpanel for the features, so we deal with it, but we shouldn't have to.

    8. Re:Bluehost issued a fix. by psykocrime · · Score: 1

      Maybe a few of the big hosting company CEOs should get together and talk about contributing to jointly
      develop a CPanel replacement? Maybe see if there's anything even roughly equivelant out there in FLOSS
      land and if so, pay some developers to bring it up to CPanel level of functionality... If not, hell, start
      a project from scratch.

      --
      // TODO: Insert Cool Sig
    9. Re:Bluehost issued a fix. by coolcold · · Score: 1

      Is it possible to provide multiple admin interface (be it cpanel and plesk or anything you think is worthy) as a way to switch?

      --
      I am harvesting funny/good quotes. Please help by putting them in your sigs :)
    10. Re:Bluehost issued a fix. by demon · · Score: 1

      No. cPanel in particular gets its tentacles into many aspects of the system, and each major control panel (cPanel, Plesk, Ensim, Interworx, DirectAdmin, ...) has its own different way of running the show. They will *not* play nice together on the same system. cPanel is certainly one of the poorer ones from a perspective of security and administration; sadly, customers synonymize control panels with cPanel, so unfortunately any of them *expect* it, regardless of its (lack of) quality. (Oh, and it's more expensive than the competition...)

      --

      Sam: "That was needlessly cryptic."
      Max: "I'd be peeing my pants if I wore any!"
    11. Re:Bluehost issued a fix. by mabu · · Score: 1

      Don't blame the hosting companies in this case, blame Cpanel

      So in other words, the people at Cpanel held a gun to your head and forced you to install their software for your customers?

    12. Re:Bluehost issued a fix. by heybo · · Score: 1

      Try ISPConfig. It is easy to use from a users stand point. Its secure and it is open source. The BIG plus is that it uses the OS's commands and scripts. It doesn't depend on its own properity scripts to preform operations. Is also fairly easy to convert over to.

    13. Re:Bluehost issued a fix. by mp3phish · · Score: 1

      Business solution to a business problem:

      For the extra cost it takes you to manage, deal with bugs, fix with wrappers, and pay for licensing for cPanel, pass that cost on to customers via monthly fee.

      For the customers who choose the more robust packages which have cheaper, or no licensing fees, which cost your admin staff less money to operate and keep patched, charge those customers a cheaper rate. It's not that you would lose revenue by discounting the service, you would keep the alternate controller at your current base rate. Then all new customers will have to pay... say $1/month extra for the cPanel solution. You could still market cPanel solutions at whatever price you want via banners on affiliate sites and only those customers who clicked on that banner would receive cheaper pricing. This is also where sales team training is KEY. You need to educate them on which pannels are better, why, why does it benefit the customer, and why security matters, etc..

      I guarantee you that all the nooby web guys paying the 5$ per month for hosting won't spend the extra $2/month to 'upgrade' to cPanel. 99% of them use it for fantastico and webmail anyway. And the people who are running REAL websites would switch to your alternate solution the first time they are hacked. It doesn't sound like such a horrible way to run your business. Have a percentage of your shared hosts to be the alternate solution, and push that in your marketing and sales pitches, when users web-chat with you shopping for a host, email your sales team looking for a host, or order online, if the alternate system is promoted as THE system, with the cPanel as a premium package, then it won't be hard to switch the bulk of new users to it.

      It isn't like you can't call it a Control Panel. The word isn't trademarked. If people see the word "control panel" they will think cPanel (if they have ever heard of it). You guys are forgetting that 99% of the people out there shopping for a low cost shared web host have absolutely NO IDEA what a cPanel is.

      I don't know if you agree with me, but I have delt with the end users a lot being in the business of helping people swtup small business websites. And I haven't found a single person, ever, who cares what version of a control pannel you use, as long as it works and does most of what they want to do, and the stuff it can't do could be done with technical support.

      Thanks for listening.

      --
      Your ignorance is infinitely greater than you realize.
    14. Re:Bluehost issued a fix. by Aceheaton · · Score: 1

      What an asinine comment. Of course cPanel doesn't force us to use their software, but market demands force us to use the product if we want to appeal to the largest market segment that we can?!?! I really don't think I need business advise on the subject as we run one of the largest and most successful hosting companies in the world. Just because we buy cPanel because our customers demand it from us as a service provider doesn't mean we can't hold cPanel accountable for their software.

      It is obvious I am dealing with a troll here so further comment isn't necessary.

    15. Re:Bluehost issued a fix. by Anonymous Coward · · Score: 0

      I am just curious, have you posted any of these issues at http://bugzilla.cpanel.net/ ? While I can understand not wanting to post certain details (i.e if a user uploads a script with these contents "blah blah blah" he gains root access), you can either mark the comment as private or offer to email them to cPanel QA/Dev/Whoever

    16. Re:Bluehost issued a fix. by satch89450 · · Score: 1

      Sorry, BULLSHIT. I like ISPConfig because it interfaces with PostFix, the MTA of choice around my shop. CPanel uses EXIM, Plesk uses QMail (hi, Dr. Ex-Lax!), with its many unaudited patches and workarounds to modern mail problems. (I have front-ended QMail with PostFix edge servers so that I don't have to deal with the many holes in QMail.) But it's an immature interface, and lacking some features that customers want.

      As you might guess, I work for a web house that uses Ensim, Plesk for Windows, Plesk for Linux, and CPanel.

      CPanel is the more polished package of all that I run.

      Yes, I'm quite afraid.

    17. Re:Bluehost issued a fix. by dwayrynen · · Score: 1
      There are STILL multiple root exploits that we know FOR SURE work on Cpanel that have yet to be fixed. In one case it is a simple one liner that will pop root on any Cpanel install. This still works even after their "patch".


      If this is indeed true, and you have told the Cpanel folks, and they have not fixed it in a reasonable amount of time, and you have not told the world, then you are in my opinion part of the problem and not part of the solution.

      I wouldn't claim that we have any special relationship with Cpanel, but every 'bug', be it critical or minor in nature that we have reported, has been addressed.

      Do the right thing - share the exploits that they have not fixed so those of us that care can fix them on our servers . The public notice will force Cpanel to address the problem and save you from having to install your bandaids every time you update the softare....

    18. Re:Bluehost issued a fix. by forlinuxsupport · · Score: 1

      have you tried to speak with someone over the phone at Cpanel ?

      Have you notified cpanel about the root exploits you know of ?

      air your views, or threaten to make the root exploits public.

      http://www.forlinux.co.uk/

    19. Re:Bluehost issued a fix. by Mex · · Score: 1

      Yeah, another software package like... Like what? cPanel is pretty much the standard here. There's a couple other ones I've heard of, but I don't even remember their names.

  16. News about crappy software... by kosmosik · · Score: 1

    So well first we have a web browser with well established history of being crappy and insecure. Thousands of exploits, hundreds of successful global scale exploits attacking Microsoft Internet Explorer. Product well known to be one of least secure of probably all of software products. The king of insecurity - MSIE (with Windows underneath - but you can't have it otherwise, consider MSIE for Mac dead).

    Secondly we have some closed source software called cPanel. An ugly hack on system administration, you know the one that gives you root-like privileges over WWW. I don't know cPanel record of security but I don't care really - closed source, and unusefull (to me) stuff.

    So you are using MSIE and clicking in some web frontend to administer other system. And you thought it was secure? Why?

    1. Re:News about crappy software... by BeeBeard · · Score: 1
      The king of insecurity - MSIE (with Windows underneath - but you can't have it otherwise, consider MSIE for Mac dead).


      It's not 100% true that you need to be running Windows to use IE. Whenever I find a site that needs IE (doesn't happen as often as it used to) I su to the user I created just for IE use, and then run IE under Wine. Works great, and it's far safer than running IE natively. :)

    2. Re:News about crappy software... by Anonymous Coward · · Score: 0

      because they checked their spelling?

  17. So... as a hosting customer... by Elwood+P+Dowd · · Score: 1

    How do I check if my host's cPanel is fixed without logging in & handing them my password?

    I mean, I could contact my hosting provider, but I would prefer to check before harassing them.

    Also, as good as they've been, I haven't really tested their professionalism before. I'd like to check w/o logging in, whether or not they say they've installed the patch. Is this remotely feasible?

    --

    There are no trails. There are no trees out here.
    1. Re:So... as a hosting customer... by BiggerIsBetter · · Score: 1

      I mean, I could contact my hosting provider, but I would prefer to check before harassing them.

      Customer service is not harrassment.

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    2. Re:So... as a hosting customer... by Anonymous Coward · · Score: 0

      Fecible?

  18. Or better yet... by Anonymous Coward · · Score: 0

    Maybe this will convince shitty webhosts that are clueless to quit using cpanel and the rest of those "lets let everyone have root and pretend its secure" admin tools. Or at least convince people to switch away from incompetant morons like you and to decent webhosts.

  19. lets change! by Anonymous Coward · · Score: 0

    there exists plesk as well.

  20. Re:Cpanel? by Anonymous Coward · · Score: 0

    Exactly right... any one who runs cpanel deserves to be hacked!

  21. Odd occurrence today by robogun · · Score: 2, Interesting

    I don't know if this is related, but I hit a webpage today that tried to access my router at 192.168.1.1.

    My router's password dialog appears when hitting the page.

    I don't think I've seen that one before.

    1. Re:Odd occurrence today by Hymer · · Score: 1

      ...and could you pls. tell us why you didn't change your routers default adress ?
      ...and did you btw. keep the routers default password too ??

      --

      I'm keeping mr. Gates responsible for my paranoia...

    2. Re:Odd occurrence today by robogun · · Score: 1

      No the router password is not the default

      Browsing with Windows / Mozilla 1.7 / NoScript

      Here's the page if you want to haev a look (NSFW): http://www.geocities.com/Colosseum/Gym/1661/

    3. Re:Odd occurrence today by Hymer · · Score: 1

      nice girl... but I can't see the router page anywhere... just a "Welcome to Anna Kournikowa"-popup...
      am I pwned now ?

    4. Re:Odd occurrence today by robogun · · Score: 1

      Probably not - I think it's being served up by their adserver

      When it happens I get blank ads

      Probably just bad code

    5. Re:Odd occurrence today by wfberg · · Score: 1

      Maybe it's loading an ad in an iframe, and the iframe is pointing to "myhostname.somewhere.com" which has 192.168.1.1 as the IP address by mistake?

      --
      SCO employee? Check out the bounty
  22. cPanel synonym if unpatch by vz3phyre · · Score: 1

    cPanel = cracker panel

  23. Re:Someone has to.... by Phillup · · Score: 1

    Still doesn't make it right, or smart.

    --

    --Phillip

    Can you say BIRTH TAX
  24. all shared host web sites at risk by edxwelch · · Score: 1

    If what you say is true then about 90% of all shared host web sites are at risk. Presumably now that it is a public fact that cPanel is crawling with security holes the black hats will be actively looking for the exploits.

  25. Cpanels patch doesn't work! Read!! by hostgator · · Score: 2, Informative

    Brent with hostgator.com here again. We have just discovered cpanels patch /scripts/upcp doesn't do anything. If you think you were autopatched last night or ran upcp your still very hackable. What you need to do is run /scripts/upcp --force A way to confirm our findings is to run http://layer2.cpanel.net/installer/sec092306.pl which is their patch checker. If your not safe it will say "not safe" if your safe it will say "safe" After all this even after running and being told "safe" I don't believe it's truly fixed. We'll all be very lucky if something doesn't spawn off this or another cpanel wrapper exploit doesn't hit the market. Cpanel please provide us with some source so we can help you audit. We're not asking for all of it just parts that we know aren't secure such as wrapper.

  26. Demo accounts... by Julz · · Score: 1

    So basically any hosting company that allows people access to a demo of cPanel would be affected. Yikes. From what I've seen that's quite a few.

    --
    When shit hits the fan get some of these https://youtu.be/pY-GncsZ-UE
  27. exploit running from hostprince.com as well? by Wookie_CD · · Score: 1

    I think hostprince.com has been affected too - I keep a personal links page there and a fresh PC got infected last night, which is a very rare occurrence for me. They seem to have disabled cpanel access as well.

  28. Re:Someone has to.... by Anonymous Coward · · Score: 0

    In bizzaro world, that's exactly what's happening...

    Dipshits fuck crackwhores, and spread the myth that it's safe to have unprotected anal with a crackwhore to their friends, who are also fucking the crackwhore with no rubber, until it becomes the norm. Crackhead fuckers become so used to their friends dropping dead that they start to become accustomed to people dying for no apparent reason.

    The only people who aren't dropping like flies are the 2% of people who kept using regular non-crack addicted whores, and kept using rubbers. The crackwhore fuckers are swallowing antiviral and antibiotic pills and still getting infections, if only they'd kept themselves clean in the first place they wouldn't have these problems.

    If only they hadn't followed each other like lambs to the slaughter, if only they'd had an original thought in their lives. But no, the crackwhore fuckers all wanted to be able to fuck their whores up the ass like their friends did, and only crackwhores are stupid and desperate enough, and stock tubes of diRectumX 9 lubricant to allow that.

    Only in Bizzaro world would people keep going back to something that gave them infection after infection....