Slashdot Mirror


cPanel Exploit Used to Circulate IE Exploit

miller60 writes "In a dangerous combination of unpatched exploits, hackers have used a previously undiscovered security hole in cPanel to hack the servers of a hosting company and use hundreds of hijacked sites to infect Internet Explorer users with malware using the unpatched VML exploit. cPanel, whose hosting automation software is used by many large hosting companies, has issued a fix. It's a local exploit, meaning the attacker must control a cPanel account on the target hosting provider."

16 of 95 comments

  1. Re:Someone has to.... by WilliamSChips · Score: 4, Informative

    Actually, cPanel does run in Linux. But it's Perl, so it doesn't count.

    --
    Please, for the good of Humanity, vote Obama.
  2. Temporary Fix by gooman · Score: 4, Informative

    This Windows exploit is similar to the WMF exploit, and just like it, Microsoft is going to take their time fixing it. If you must use Windows avoid IE and Outlook but that's not always possible.

    And to be completely safe you can unregister the .dll as follows...

    Copy the following command to clipboard and Paste into Run:

    regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

    Then when Microsoft gets around to fixing this (Probably on the next patch Tuesday) you can restore it:

    regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

    Want to bet this code is in Vista somewhere?

    --
    "Kittens give Morbo gas!"
    1. Re:Temporary Fix by The+MAZZTer · Score: 3, Informative

      Best part is, regsvr32 only deals with Windows Explorer and Internet Explorer extensions, so this won't affect any Office functionality.

    2. Re:Temporary Fix by MioTheGreat · Score: 3, Informative

      What would give you that idea? I'm sure I could fire up regsvr32 and break Office quite easily. regsvr32 is just for registering and unregistering any COM stuff.

    3. Re:Temporary Fix by walstib · Score: 5, Funny

      This Windows exploit is similar to the WMF exploit
      which is similar to the WTF exploit...

      --
      The most dangerous strategy is to jump a chasm in two leaps. - Benjamin Disraeli
  3. cPanel fix by maggeth · Score: 4, Informative

    If you admin a server with cPanel, run /scripts/upcp to apply the patch. Otherwise, so long as you have not turned off the nightly UPCP update, then your server will be patched overnight tonight automatically.

  4. Re:As always.. by Anonymous Coward · Score: 5, Informative

    In hostgator's defense, they do have a good security team and this had nothing to do with ftp. It's interesting to read through the following thread to see how they were handling the problem:
    http://forums.hostgator.com/showthread.php?t=10928

    I'm a customer whose site didn't have problems, but I am satisfied with how they got on this problem. Not perfect, but definitely good. Of course when I read this headline I was shitting bricks for a moment or two.

  5. Owner of hostgator here by hostgator · Score: 4, Informative

    We know they discovered the cpanel root exploit about a month earlier before launching this. They were waiting for the perfect timing before having sites load an iframe distributing the viruses. The perfect timing became the new vml exploit. It wasn't easy to figure out how they were doing it but we did. Shortly after, we discovered how, which was the 0 day cpanel root exploit. Upon investigating it further we found any hosting company in the world running cpanel could be exploited. In fact we spoke with some other very large hosting companies that were. One that's even much larger than us, and has been around much longer. I'd like to thank everyone that was helping us track down the root cause. Special thanks to David Collins, Tim Greer, Brad, Idefense.com, and the other hosting companies who cooperated with us once we alerted them.

  6. CPanel bugs and malware hosting combo old by jofny · Score: 4, Interesting

    People have been exploiting CPanel bugs to compromise shared hosting for the purposes of hosting clientside (IE) exploit code for ages - this isn't new. The first time I know of for a fact was 2 or more years ago. For as many large providers as use CPanel, the code really needs to be more closely audited...

  7. Hostgator support forum discussion on the virus by Anonymous Coward · Score: 5, Informative

    Discussion on the hosting company's (HostGator) support forum: http://forums.hostgator.com/showthread.php?t=10928

  8. Re:firefox by Marcion · Score: 5, Interesting

    I use webmin/usermin (BSD licence) instead of Cpanel (proprietary).

    It seems a bit odd to stick a proprietary web control panel to control a load of open-source software on an open-source web-server running on an open-source operating system.

    But that's just me....

  9. Re:firefox by Kangburra · Score: 3, Informative

    Also cPanel has an Admin module for the server owner and that installs user cPanels as they create the user accounts. It IS simple, that's why it's so widely used.

    --
    Common sense is not so common
  10. Bluehost issued a fix. by Aceheaton · Score: 4, Interesting

    This is Matt Heaton, President of Bluehost.com. We were working with Brent at Hostgator and had issued a fix before Cpanel finally got around to doing so. There are STILL multiple root exploits that we know FOR SURE work on Cpanel that have yet to be fixed. In one case it is a simple one liner that will pop root on any Cpanel install. This still works even after their "patch". Security is always an afterthought for the Cpanel guys and never designed in as it should be from the start. We were happy that Hostgator asked us for help as we were happy to help and would hope that they would do the same for us if need be. Don't blame the hosting companies in this case, blame Cpanel for knowing about their multitude of scripts that run with root privileges without properly parsing all data passed to and from their suid c programs!! We have been complaining about this for at least 2 years with little or no help for the issue. We have at least 20 bandaids for Cpanel's scripts to fix problems that they refuse to deal with in their "stable" and "current" versions. Hopefully this incident will help them to move in the right direction, but given past exploits and their "resolutions" I HIGHLY doubt it!

    1. Re:Bluehost issued a fix. by KmArT · Score: 5, Informative

      Er, so you run a hosting company and cPanel is confirmed buggy, by you, and yet you continue to run it? And why should I ever consider hosting with you? Rather than moan and complain about the bugs, find another software package that is more secure. Or write your own... Tolerance of poor software is why it still exists..

    2. Re:Bluehost issued a fix. by Aceheaton · Score: 4, Informative

      We supply what the users want and from a user's perspective Cpanel is pretty good, but from an administrative viewpoint it is a nightmare. We host more than 200,000 domains on our two brands. It would be virtually impossible for us to switch now. Believe me, I often wish I could :)

  11. Re:firefox by oneski · Score: 4, Informative

    I use webmin/usermin (BSD licence) instead of Cpanel (proprietary).

    I hope you're patched up. Script kids have been doing the rounds with a file disclosure exploit in Webmin/Usermin for a while now. Thousands of machines have been compromised by it.

    Check the miniserv.log for "..%01/..%01/..%01" or similar strings.
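The log check oneski suggests, as an added example that is not part of the thread: a small Python scanner that flags request lines whose path contains a run of ".." segments separated by a single percent-encoded byte (the "..%01/..%01/" pattern above, or any other byte in that position) and reports how deep the path would climb once that byte is stripped. The log lines below are constructed, and the common-log-style field layout is an assumption; adjust LINE_RE to your miniserv.log format.

```python
import re
from urllib.parse import unquote

# Signature from the thread: "..%01/" repeated. The pattern also accepts any other
# single percent-encoded byte between ".." and "/", and a plain "../" run.
TRAVERSAL_RE = re.compile(r'(?:\.\.(?:%[0-9A-Fa-f]{2})?/){2,}')

# Common-log-style request line: client, then the quoted "METHOD path HTTP/x".
# The field layout is an assumption about the log format, not Webmin's spec.
LINE_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')

# Constructed sample log (TEST-NET addresses); only lines 2 and 4 are suspicious.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Sep/2006:03:12:44 +0000] "GET /index.cgi HTTP/1.0" 200 2431
203.0.113.42 - - [28/Sep/2006:03:13:02 +0000] "GET /..%01/..%01/..%01/..%01/some/file HTTP/1.0" 200 1523
203.0.113.7 - - [28/Sep/2006:03:14:10 +0000] "GET /images/logo.gif HTTP/1.0" 200 812
203.0.113.42 - - [28/Sep/2006:03:15:31 +0000] "GET /..%01/..%01/other HTTP/1.0" 404 512
"""

def decoded_depth(path):
    """Count '../' segments after percent-decoding and dropping control bytes,
    i.e. the path as the server would see it once the %01 byte is stripped."""
    cleaned = ''.join(ch for ch in unquote(path) if ord(ch) >= 0x20)
    return cleaned.count('../')

def scan_miniserv_log(text):
    """Return (line_no, client, raw_path, depth) for every matching request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        path = m.group('path')
        if TRAVERSAL_RE.search(path):
            hits.append((n, m.group('client'), path, decoded_depth(path)))
    return hits

def suspicious_clients(hits):
    """Collapse hits into {client: count} so a busy log yields a short triage list."""
    counts = {}
    for _, client, _, _ in hits:
        counts[client] = counts.get(client, 0) + 1
    return counts

if __name__ == '__main__':
    found = scan_miniserv_log(SAMPLE_LOG)
    for n, client, path, depth in found:
        print(f'line {n}: {client} requested {path} (traversal depth {depth})')
    print(suspicious_clients(found))
```

Point it at the real file with scan_miniserv_log(open('/var/webmin/miniserv.log').read()) and confirm the reported depth is not larger than the number of directories above the Webmin root, which is what turns a 200 on such a request into a disclosure.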