cPanel: 0 Day cPanel Exploit in Wild October 22, 2006
Posted by paragonhost in cPanel.add a comment
Content: WebHostGear.com http://www.webhostgear.com/369.html
Aggregation: ParagonHost.com http://www.paragonhost.com
0 Day cPanel Exploit in Wild
URGENT: The /scripts/upcp fix that cPanel has claimed will fix your server DOES NOT. Read below!
A new 0-day cPanel exploit giving root access is in the wild and affecting hosts. News of this is spreading very quickly around the web, and cPanel has released a band-aid patch. You can patch your server by simply running /scripts/upcp from a shell. The update will not change your release or build number either.
Notes on the cPanel Exploit:
- This is a 0-day issue, and a patch from cPanel for it was just released on Sept. 23, 2006
- This exploit gives the attacker root access
- You will not detect this with rkhunter/chkrootkit
- You will not know you have been rooted
- It has been confirmed to be affecting more than just one hosting provider in different datacenters.
This was first seen targeting HostGator.com, one of the largest shared and reseller cPanel hosts out there.
NetCraft Reports of cPanel exploit
Slashdot picks up the story
Post 1 on WHT about the alert
Post 2 on WHT about the issue
How to Fix: From Dave of cPanel, Inc.
“Upcp will fix the problem on all builds. It is separate from cPanel Auto Heal. The cPanel Auto Heal system was used to distribute the patch though.”
Login as root and run /scripts/upcp; this will patch your server. cPanel has NOT increased the build # after you’ve been patched. I have no idea why, since this is a major hole.
UPDATE: This is NOT true. See my testing results below on how to REALLY fix your server. Nice work cPanel, you tell us we’re patched when your patch isn’t working.
I HOPE this is a bug in your cPanel checker only, but somehow I really, really doubt it. Guys, /scripts/upcp doesn’t fix your server, you HAVE to force it.
See http://forums.cpanel.net/showthread….d=1#post272856
Here’s the post if you don’t have access:
You MUST run /scripts/upcp --force
I just confirmed this on about 3 servers. Here are the findings.
I did a /scripts/upcp on this box last night right after the fix was announced and to DO a /scripts/upcp
So let me test their patcher… I should be safe, right? WRONG.
root@ocean [~]# wget http://layer2.cpanel.net/installer/sec092306.pl
--13:57:23-- http://layer2.cpanel.net/installer/sec092306.pl
=> `sec092306.pl’
Resolving layer2.cpanel.net… 69.90.250.34, 69.90.250.35, 69.90.250.36, …
Connecting to layer2.cpanel.net[69.90.250.34]:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 5,479 [text/plain]
100%[====================================>] 5,479 --.--K/s
13:57:23 (75.73 MB/s) - `sec092306.pl’ saved [5,479/5,479]
root@ocean [~]# perl sec092306.pl
cPanel Security Patch (sec092306) v2
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patch Complete
Checking for safety…
not safe
Done
root@ocean [~]# /usr/local/cpanel/cpanel -V
10.8.2-RELEASE_119
/scripts/upcp
All packages are currently up to date
Done
BIND 9.2.4
Succeeded
Fetching http://httpupdate.cpanel.net/cpanels…cpanel/version (0)….@198.66.78.12……connected……receiving …100%……Done
Using mail permissions style: NEW
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Versions Match! (10.8.2-RELEASE_119). You are running the latest RELEASE.
Updating addon type:scripts addon:phpBB version:2.0.19-1.0…….Done
Updating addon type:scripts addon:AdvancedGuestBook version:latest…….Done
Updating addon type:modules addon:clamavconnector version:0.88.4-1.8…….Done
Updating addon type:modules addonro version:1.0rc36…….Done
Updating addon type:modules addon
pamdconf version:0.5…….Done
Rebuilding Process List…Done
Scanning for new mail senders…..Done
Scanning suexec_log.Done
root@ocean [~]# perl sec092306.pl
cPanel Security Patch (sec092306) v2
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patch Complete
Checking for safety…
not safe
Done
root@ocean [~]#
WTF
/scripts/upcp --force
All packages are currently up to date
Done
BIND 9.2.4
Succeeded
Fetching http://httpupdate.cpanel.net/cpanels…cpanel/version (0)….@ 100%……Done
Using mail permissions style: NEW
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Installed Version: forced install
Newest Version: 10.8.2-RELEASE_119
….lots of lines later….
aiting for cppop to shutdown……Done
Waiting for cppop-ssl to shutdown……Done
==> Starting SSL tunnel…
Waiting for cpsrvd to shutdown……Done
Waiting for cpsrvd-ssl to shutdown……Done
==> Start Melange Chat Services…
==> Post Install Complete
Broadcast message from root (Sun Sep 24 14:08:17 2006):
cPanel Layer 2 Install Complete
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Updating addon type:scripts addon:phpBB version:2.0.19-1.0…….Done
Updating addon type:scripts addon:AdvancedGuestBook version:latest……Done
Updating addon type:modules addon:clamavconnector version:0.88.4-1.8…….Done
Updating addon type:modules addonro version:1.0rc36…….Done
Updating addon type:modules addon
pamdconf version:0.5…….Done
Rebuilding Process List…Done
Rebuilding Process List…Done
Scanning for new mail senders…..Done
Scanning suexec_log.Done
Let’s check now
root@ocean [~]# perl sec092306.pl
cPanel Security Patch (sec092306) v2
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patching Mysql (1)
Patching Mysql (2)
Patching Mysql (3)
Patching Mysql (4)
Patch Complete
Checking for safety…
safe
Done
root@ocean [
Nice work guys… lol
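As an added example (not from the original post and not cPanel's own tooling), a POSIX shell script that automates the check, force, re-check cycle shown in the transcript above: run cPanel's sec092306.pl checker, run /scripts/upcp --force only when it reports "not safe", and verify again afterwards. The checker's download location (/root/sec092306.pl) is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post or from cPanel: automate the
# check -> force -> re-check cycle from the transcript above.
# Assumption: cPanel's checker was downloaded to /root/sec092306.pl.
set -u
CHECKER=/root/sec092306.pl

run_checker() { perl "$CHECKER" 2>&1; }
run_upcp_force() { /scripts/upcp --force; }

# Classify the checker's output: 0 = safe, 1 = not safe, 2 = unrecognised.
# Whole-line matching (-x) matters: a plain "grep safe" would also match
# the "not safe" line and report a vulnerable box as patched.
classify() {
    if printf '%s\n' "$1" | grep -qx 'not safe'; then return 1; fi
    if printf '%s\n' "$1" | grep -qx 'safe'; then return 0; fi
    return 2
}

# Run the checker; force upcp only if needed; verify again afterwards.
# Returns 0 only when the final check reports "safe".
remediate() {
    out=$(run_checker) || true
    st=0; classify "$out" || st=$?
    if [ "$st" -eq 0 ]; then echo "already safe"; return 0; fi
    if [ "$st" -eq 2 ]; then echo "checker output not understood"; return 2; fi
    echo "not safe: running /scripts/upcp --force"
    run_upcp_force
    out=$(run_checker) || true
    if classify "$out"; then echo "safe after forced upcp"; return 0; fi
    echo "STILL not safe after forced upcp: investigate by hand"; return 1
}

# Only act when explicitly asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then remediate; fi
```

Invoke it as root with `sh patchcheck.sh run`; without the argument it only defines the functions.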
How to tell if you’re already infected?
We can review your server and provide a detailed report and see if the exploit has infected your servers.
But I have a Firewall and run things like Mod_security, would I still be infected?
Yes! You were still 100% open to the exploit and may be infected.
Common SSH Commands or Linux Shell Commands October 22, 2006
Posted by paragonhost in Linux.add a comment
Content Aggregation: ParagonHost.com http://www.paragonhost.com
Source: WebHostingGear.com http://www.webhostgear.com/35.html
We’ve put together some of the more frequently used SSH commands or Linux shell commands, and organized them by name so you can easily find a command, its description and how to use it. This guide will continue to be updated and should not be considered a complete list of SSH commands or Linux shell commands, but rather the commands we found most often used. If you would like to add to this guide, please email us and let us know.
Common SSH Commands or Linux Shell Commands
ls : list files/directories in a directory, comparable to dir in windows/dos.
ls -al : shows all files (including ones that start with a period), directories, and details attributes for each file.
cd : change directory
cd /usr/local/apache : go to /usr/local/apache/ directory
cd ~ : go to your home directory
cd - : go to the last directory you were in
cd .. : go up a directory
cat : print file contents to the screen
cat filename.txt : cat the contents of filename.txt to your screen
tail : like cat, but only reads the end of the file
tail /var/log/messages : see the last 20 (by default) lines of /var/log/messages
tail -f /var/log/messages : watch the file continuously, while it’s being updated
tail -200 /var/log/messages : print the last 200 lines of the file to the screen
more : like cat, but opens the file one screen at a time rather than all at once
more /etc/userdomains : browse through the userdomains file. Hit Space to go to the next page, q to quit
pico : friendly, easy to use file editor
pico /home/burst/public_html/index.html : edit the index page for the user’s website.
vi : another editor, tons of features, harder to use at first than pico
vi /home/burst/public_html/index.html : edit the index page for the user’s website.
grep : looks for patterns in files
grep root /etc/passwd : shows all matches of root in /etc/passwd
grep -v root /etc/passwd : shows all lines that do not match root
touch : create an empty file
touch /home/burst/public_html/404.html : create an empty file called 404.html in the directory /home/burst/public_html/
ln : creates “links” between files and directories
ln -s /usr/local/apache/conf/httpd.conf /etc/httpd.conf : Now you can edit /etc/httpd.conf rather than the original. Changes will affect the original; however, you can delete the link and it will not delete the original.
rm : delete a file
rm filename.txt : deletes filename.txt, will more than likely ask if you really want to delete it
rm -f filename.txt : deletes filename.txt, will not ask for confirmation before deleting.
rm -rf tmp/ : recursively deletes the directory tmp, and all files in it, including subdirectories. BE VERY CAREFUL WITH THIS COMMAND!!!
last : shows who logged in and when
last -20 : shows only the last 20 logins
last -20 -a : shows last 20 logins, with the hostname in the last field
w : shows who is currently logged in and where they are logged in from.
netstat : shows all current network connections.
netstat -an : shows all connections to the server, the source and destination ips and ports.
netstat -rn : shows routing table for all ips bound to the server.
top : shows live system processes in a nice table, memory information, uptime and other useful info. This is excellent for managing your system processes, resources and ensure everything is working fine and your server isn’t bogged down.
Once in top, type Shift + M to sort by memory usage or Shift + P to sort by CPU usage
ps: ps is short for process status, which is similar to the top command. It’s used to show currently running processes and their PID.
A process ID is a unique number that identifies a process, with that you can kill or terminate a running program on your server (see kill command).
ps U username : shows processes for a certain user
ps aux : shows all system processes
ps aux --forest : shows all system processes like the above but organizes them in a hierarchy that’s very useful!
file : attempts to guess what type of file a file is by looking at its content.
file * : prints out a list of all files/directories in a directory
du : shows disk usage.
du -sh : shows a summary, in human-readable form, of total disk space used in the current directory, including subdirectories.
du -sh * : same thing, but for each file and directory. helpful when finding large files taking up space.
wc : word count
wc -l filename.txt : tells how many lines are in filename.txt
cp : copy a file
cp filename filename.backup : copies filename to filename.backup
cp -a /home/burst/new_design/* /home/burst/public_html/ : copies all files, retaining permissions, from one directory to another.
kill: terminate a system process
kill -9 PID EG: kill -9 431
kill PID EG: kill 10550
Use top or ps ux to get system PIDs (Process IDs)
EG:
| PID | TTY | TIME | COMMAND |
| 10550 | pts/3 | 0:01 | /bin/csh |
| 10574 | pts/4 | 0:02 | /bin/csh |
| 10590 | pts/4 | 0:09 | APP |
Each line represents one process, with a process being loosely defined as a running instance of a program. The column headed PID (process ID) shows the assigned process numbers of the processes. The heading COMMAND shows the location of the executed process.
Putting commands together
Often you will find you need to use several commands on the same line. Here are some examples. Note that the | character is called a pipe; it takes data from one program and pipes it to another.
> means create a new file, overwriting any content already there.
>> means to append data to a file, creating a new one if it does not already exist.
< sends input from a file into a command.
grep User /usr/local/apache/conf/httpd.conf |more
This will dump all lines that match User from the httpd.conf, then print the results to your screen one page at a time.
last -a > /root/lastlogins.tmp
This will print all the current login history to a file called lastlogins.tmp in /root/
tail -10000 /var/log/exim_mainlog |grep domain.com |more
This will grab the last 10,000 lines from /var/log/exim_mainlog, find all occurrences of domain.com (the period represents ‘anything’; escape it with a backslash so it will be interpreted literally), then send it to your screen page by page.
netstat -an |grep :80 |wc -l
Show how many active connections there are to apache (httpd runs on port 80)
mysqladmin processlist |wc -l
Show how many current open connections there are to mysql