Brent with hostgator.com here again.
We have just discovered cpanel's patch /scripts/upcp doesn't do anything. If you think you were autopatched last night or ran upcp you're still very hackable.
What you need to do is run /scripts/upcp --force
A way to confirm our findings is to run http://layer2.cpanel.net/installer/sec092306.pl which is their patch checker. If you're not safe it will say "not safe"; if you're safe it will say "safe".
After all this even after running and being told "safe" I don't believe it's truly fixed. We'll all be very lucky if something doesn't spawn off this or another cpanel wrapper exploit doesn't hit the market.
Cpanel please provide us with some source so we can help you audit. We're not asking for all of it just parts that we know aren't secure such as wrapper.
We know they discovered the cpanel root exploit about a month earlier before launching this. They were waiting for the perfect timing before having sites load an iframe distributing the viruses. The perfect timing became the new vml exploit.
It wasn't easy to figure out how they were doing it but we did. Shortly after we discovered how which was the 0 day cpanel root exploit. Upon investigating it further we found any hosting company in the world running cpanel could be exploited. In fact we spoke with some other very large hosting companies that were. One that's even much larger than us, and has been around much longer.
I'd like to thank everyone that was helping us track down the root cause. Special thanks to David Collins, Tim Greer, Brad, Idefense.com, and the other hosting companies who cooperated with us once we alerted them.