North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

shared hosting and attacks [FWD: [funsec] HostGator: cPanel SecurityHole Exploited in Mass Hack]

  • From: Gadi Evron
  • Date: Sat Sep 23 23:03:03 2006

Hi, the following post is a forward of an email by Fergie to funsec. This
story by itself is not relevant to NANOG, but it does illustrate a problem
nearly all of us have been facing. Mass exploitation of servers in our
nets, colos and hosting farms.

Nearly ever (relevant, not say, just a transit one) ISP I spoke to
globally has this problem.

With thousands of sites on every server and virtual machines everywhere,
all it takes is one insecure web application such as xxxBB or PHPxx for
the server to be remote accessed, and for a remote connect-back shell to
be installed. The rest is history.

This is often soon followed with masses of defacements, spam, bots, ddos,

We all (well, never say all, every, never, ever, etc.), many of us face
this. What solutions have you found?

Some solutions I heard used, or utilized:
1. Remote scanning of web servers.
2. Much stronger security enforcement on servers.
3. "Quietly patching" user web applications without permission.
4. JGH - Just getting hacked.

What have you encountered? What have you done, sorry, heard of someone
else do, to combat this very difficult problem on your networks?

The whole business of this hosting is the low cost, and everyone wastes
countless man hours on killing fires.

This is not about BGP, but it is an operational problem that bugs us,



---------- Forwarded message ----------
Date: Sat, 23 Sep 2006 21:47:37 GMT
From: Fergie <[email protected]>
To: [email protected]
Subject: [funsec] HostGator: cPanel Security Hole Exploited in Mass Hack

Via Netcraft.


HostGator says hackers compromised its servers using a previously
unknown security hole in cPanel, the control panel software that is
widely used by hosting providers. "I can tell you with all accuracy
that this is definitely due to a cPanel exploit that provides root
access and all cPanel servers are affected," said HostGator system
administrator Tim Greer. "This issue affects all versions of cPanel,
from what I can tell, from years ago to the current releases, including
Stable, Release, Current and Edge."

cPanel has just released a fix. "Running /scripts/upcp will fix the
vulnerability in all builds," cPanel said in a message on its user
forums. "Please note that this is a local exploit which requires access
to a cPanel account. ... If you believe you have been exploited through
this vulnerability, you are welcome to submit a support request for

Hackers gained access to HostGator's servers late Thursday and began
redirecting customer sites to outside web pages that exploit an
unpatched VML security hole in Internet Explorer to infect web surfers
with trojans. The existence of the new "0-day" exploit of cPanel leaves
a large number of hosting companies vulnerable to similar attacks until
they install the patch. The riusk is mitigated somewhat by the fact
that it is a local exploit, meaning any attack on a host must be
launched from an existing account with cPanel access.

HostGator site owners said iframe code inserted into their web pages
was redirecting users to the malware-laden pages. Company staff made
several efforts to reconfigure servers on Friday, only to have the
exploits recur. By early Saturday morning, HostGator managers were
assuring users that the cause of the redirections had been isolated,
and was due to a new exploit targeting cPanel.



- ferg

"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 ferg's tech blog:

Fun and Misc security discussion for OT posts.
Note: funsec is a public and open mailing list.