cPanel Exploit Used to Circulate IE Exploit 95

miller60 writes "In a dangerous combination of unpatched exploits, hackers have used a previously undiscovered security hole in cPanel to hack the servers of a hosting company and use hundreds of hijacked sites to infect Internet Explorer users with malware using the unpatched VML exploit. cPanel, whose hosting automation software is used by many large hosting companies, has issued a fix. It's a local exploit, meaning the attacker must control a cPanel account on the target hosting provider."
  • by WilliamSChips ( 793741 ) on Saturday September 23, 2006 @07:46PM (#16171029) Journal
    Actually, cPanel does run in Linux. But it's Perl, so it doesn't count.
  • Temporary Fix (Score:5, Informative)

    by gooman ( 709147 ) on Saturday September 23, 2006 @07:52PM (#16171077) Journal
    This Windows exploit is similar to the WMF exploit, and just like it, Microsoft is going to take their time fixing it. If you must use Windows, avoid IE and Outlook, but that's not always possible.

    And to be completely safe you can unregister the .dll as follows...

    Copy the following command to clipboard and Paste into Run:

    regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

    Then when Microsoft gets around to fixing this (probably on the next Patch Tuesday) you can restore it:

    regsvr32 "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

    Want to bet this code is in Vista somewhere?

  • cPanel fix (Score:5, Informative)

    by maggeth ( 793549 ) on Saturday September 23, 2006 @08:05PM (#16171159)
    If you admin a server with cPanel, run /scripts/upcp to apply the patch. Otherwise, so long as you have not turned off the nightly UPCP update, your server will be patched overnight tonight automatically.
  • Re:As always.. (Score:5, Informative)

    by Anonymous Coward on Saturday September 23, 2006 @08:07PM (#16171187)
    In hostgator's defense, they do have a good security team and this had nothing to do with ftp. It's interesting to read through the following thread to see how they were handling the problem:
    http://forums.hostgator.com/showthread.php?t=10928 [hostgator.com]

    I'm a customer whose site didn't have problems, but I am satisfied with how they got on this problem. Not perfect, but definitely good. Of course when I read this headline I was shitting bricks for a moment or two.
  • by hostgator ( 1004865 ) on Saturday September 23, 2006 @08:17PM (#16171261)
    We know they discovered the cpanel root exploit about a month earlier before launching this. They were waiting for the perfect timing before having sites load an iframe distributing the viruses. The perfect timing became the new vml exploit. It wasn't easy to figure out how they were doing it, but we did. Shortly after, we discovered how, which was the 0-day cpanel root exploit. Upon investigating it further we found any hosting company in the world running cpanel could be exploited. In fact we spoke with some other very large hosting companies that were. One that's even much larger than us, and has been around much longer. I'd like to thank everyone that was helping us track down the root cause. Special thanks to David Collins, Tim Greer, Brad, Idefense.com, and the other hosting companies who cooperated with us once we alerted them.
  • by Anonymous Coward on Saturday September 23, 2006 @08:39PM (#16171395)
    Discussion on the hosting company's (HostGator) support forum: http://forums.hostgator.com/showthread.php?t=10928 [hostgator.com]
  • Re:Temporary Fix (Score:4, Informative)

    by The MAZZTer ( 911996 ) on Saturday September 23, 2006 @08:41PM (#16171403) Homepage
    Best part is, regsvr32 only deals with Windows Explorer and Internet Explorer extensions, so this won't affect any Office functionality.
  • Re:firefox (Score:3, Informative)

    by Jimmy King ( 828214 ) on Saturday September 23, 2006 @09:12PM (#16171547) Homepage Journal
    I use webmin/usermin (BSD licence) instead of Cpanel (proprietary).
    Cpanel is so common because it's provided by the hosting places on a lot of dedicated servers and used for almost all web hosting packages that I have seen. While the choice of licensing may seem silly, this is businesses using it; they aren't going with it for any idealistic reasons. They are choosing it because it is more user friendly for the non-technical types who still insist on having a website and running phpbb. It's been quite a while since I've used webmin or usermin, but last I used them they didn't have anything that compared to the ease of use for managing mail accounts, databases, and installing software for the non-techs that Cpanel did at the time.
  • by Anonymous Coward on Saturday September 23, 2006 @09:19PM (#16171593)
    > For as many large providers as use CPanel, the code really needs to be more closely audited...

    Unfortunately cPanel consists of several million lines of uncommented perl code. Integral parts of almost every operation go through a large closed-source binary generated from perl code which makes it impossible to audit.

    You may also be interested in knowing that cPanel was started by someone when they were around 12 years old, and much of that code is still in use. None of the cPanel developers have had any formal programming teaching and learn from each other's bad habits. This is why the cPanel code is in such bad shape. Just look at the /scripts/ directory for proof.
  • Re:Temporary Fix (Score:3, Informative)

    by MioTheGreat ( 926975 ) on Saturday September 23, 2006 @09:47PM (#16171697)
    What would give you that idea? I'm sure I could fire up regsvr32 and break Office quite easily. regsvr32 is just for registering and unregistering any COM stuff.
  • Re:firefox (Score:3, Informative)

    by Kangburra ( 911213 ) on Saturday September 23, 2006 @09:59PM (#16171755)
    Also cPanel has an Admin module for the server owner and that installs user cPanels as they create the user accounts. It IS simple, that's why it's so widely used.
  • by KmArT ( 1109 ) on Saturday September 23, 2006 @11:32PM (#16172159)
    Er, so you run a hosting company and cPanel is confirmed buggy, by you, and yet you continue to run it? And why should I ever consider hosting with you? Rather than moan and complain about the bugs, find another software package that is more secure. Or write your own... Tolerance of poor software is why it still exists.
  • by Aceheaton ( 986774 ) on Saturday September 23, 2006 @11:58PM (#16172259)
    We supply what the users want, and from a user's perspective Cpanel is pretty good, but from an administrative viewpoint it is a nightmare. We host more than 200,000 domains on our two brands. It would be virtually impossible for us to switch now. Believe me, I often wish I could :)
  • by Aceheaton ( 986774 ) on Sunday September 24, 2006 @12:08AM (#16172309)
    It's not really our fault. It doesn't mean that we aren't responsible to our customers, it just means often our hands are tied. It's been two years and at least 7 root exploits. In each case we contacted Cpanel directly. If we made it public it was fixed in hours; if we didn't, it would sit on the shelf and often not be addressed at all. As the customer is paying us we certainly are responsible to the customer, but it is out of our hands to fix. If we can, we will strace the software and write wrappers to fix their problems, but sometimes this isn't an option. Cpanel flat out REFUSES to give us even a snippet of source code. We have to rely on them when it is any type of compiled code. Our customers love Cpanel for the features, so we deal with it, but we shouldn't have to.
  • Re:firefox (Score:4, Informative)

    by oneski ( 812190 ) on Sunday September 24, 2006 @01:30AM (#16172607)
    I use webmin/usermin (BSD licence) instead of Cpanel (proprietary).

    I hope you're patched up. Script kids have been doing the rounds with a file disclosure exploit in Webmin/Usermin for a while now. Thousands of machines have been compromised by it.

    Check the miniserv.log for "..%01/..%01/..%01" or similar strings.
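A log check for the indicator oneski describes, as an added example (not from the post or from Webmin itself). It assumes miniserv.log lines are in a CLF-style layout with the request in quotes, and it generalizes slightly beyond the literal "..%01" string: any path segment that collapses to ".." once percent-encoding is undone and control characters are stripped is flagged. The log lines below are constructed samples.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample miniserv.log lines (assumed CLF-style layout; adjust
# REQUEST_RE if your file uses a different format). Not real log data.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Sep/2006:01:30:02 +0000] "GET /unauthenticated/..%01/..%01/..%01/etc/passwd HTTP/1.0" 200 1815
10.0.0.5 - - [24/Sep/2006:01:30:04 +0000] "GET /unauthenticated/..%01/..%01/..%01/etc/webmin/miniserv.conf HTTP/1.0" 200 2204
192.0.2.7 - root [24/Sep/2006:01:31:10 +0000] "GET /useradmin/index.cgi HTTP/1.1" 200 5120
192.0.2.7 - root [24/Sep/2006:01:31:12 +0000] "GET /images/logo.gif HTTP/1.1" 200 3034
10.0.0.9 - - [24/Sep/2006:01:32:00 +0000] "GET /unauthenticated/..%00/..%00/etc/shadow HTTP/1.0" 200 900
"""

# Extracts method and path from the quoted request portion of a log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def suspicious_segments(raw_path: str) -> list:
    """Return the raw path segments that become '..' after percent-decoding
    and removal of control/non-printable bytes. This catches the '..%01'
    pattern from the post as well as '..%00', '..%7f' and similar variants
    that a naive '..' check on the undecoded string would miss."""
    decoded = unquote_to_bytes(raw_path.split('?', 1)[0])
    hits = []
    for seg in decoded.split(b'/'):
        cleaned = bytes(b for b in seg if 0x20 <= b < 0x7f)
        if cleaned == b'..':
            hits.append(seg)
    return hits


def scan_log(text: str) -> list:
    """Scan log text and return (client, raw_path, flagged_segments) tuples
    for every request whose path contains a traversal segment."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip it
        hits = suspicious_segments(m.group('path'))
        if hits:
            client = line.split(' ', 1)[0]  # first field is the client address
            findings.append((client, m.group('path'), hits))
    return findings


if __name__ == '__main__':
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {path}  traversal segments: {hits}")
```

Run it against a real miniserv.log by reading the file into scan_log; a hit on a request that returned 200 deserves the same incident handling as any other confirmed file disclosure.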

  • Re:As always.. (Score:2, Informative)

    by madsheep ( 984404 ) on Sunday September 24, 2006 @01:46AM (#16172643) Homepage
    First I am not sure how my post got classified as flamebait exactly, considering I am not flaming anyone or anything. Other than that -- I wasn't specifically calling out HostGator in any way. However, they have a number of problems, as I have seen alerts from various CERT reports that show HostGator shared hosting boxes as being used in a number of various attacks. My comment regarding FTP and others was more aimed at shared hosting providers that do use it. DreamHost, for example, has boxes with hundreds of users, thousands of websites, and it uses FTP. However, in a quick search I can see gator16.hostgator.com accepts FTP connections (currently 4 connected users) so it would not surprise me if this is found all over on their boxes. Point about the IE portion is that if you run your machine securely you significantly reduce the effects some 0day exploit can have on you.
  • by hostgator ( 1004865 ) on Sunday September 24, 2006 @03:49PM (#16177477)
    Brent with hostgator.com here again. We have just discovered cpanel's patch /scripts/upcp doesn't do anything. If you think you were autopatched last night or ran upcp, you're still very hackable. What you need to do is run /scripts/upcp --force. A way to confirm our findings is to run http://layer2.cpanel.net/installer/sec092306.pl [cpanel.net] which is their patch checker. If you're not safe it will say "not safe"; if you're safe it will say "safe". After all this, even after running and being told "safe", I don't believe it's truly fixed. We'll all be very lucky if something doesn't spawn off this or another cpanel wrapper exploit doesn't hit the market. Cpanel, please provide us with some source so we can help you audit. We're not asking for all of it, just parts that we know aren't secure such as wrapper.
