
cPanel Exploit Used to Circulate IE Exploit

miller60 writes "In a dangerous combination of unpatched exploits, hackers have used a previously undiscovered security hole in cPanel to hack the servers of a hosting company and use hundreds of hijacked sites to infect Internet Explorer users with malware using the unpatched VML exploit. cPanel, whose hosting automation software is used by many large hosting companies, has issued a fix. It's a local exploit, meaning the attacker must control a cPanel account on the target hosting provider."
This discussion has been archived. No new comments can be posted.

  • As always.. (Score:2, Interesting)

    by madsheep ( 984404 ) on Saturday September 23, 2006 @07:54PM (#16171085) Homepage
    As always it should be pretty well known that a number of large shared hosting providers have little or no security to prevent this kind of stuff. Using a cPanel local exploit to start putting the IE exploit code in other users' www folders is an interesting use for the 0-day find. A number of larger hosting providers house dozens, hundreds, and sometimes more websites on boxes that allow FTP and in some cases telnet. These boxes generally aren't patched very well either and can easily be rooted to allow someone to drop their bad code into * the hosted sites' webpages. It's been said 1000 times before, but even if you choose to run IE -- if you're not running as an Administrator (or you even use something like DropMyRights to run IE) there's probably a 99% chance the IE exploit won't do anything. The same goes for Mozilla/Firefox and any other program on Windows.
  • by jofny ( 540291 ) on Saturday September 23, 2006 @08:20PM (#16171285) Homepage
    People have been exploiting CPanel bugs to compromise shared hosting for the purposes of hosting clientside (IE) exploit code for ages - this isn't new. The first time I know of for a fact was 2 or more years ago. For as many large providers as use CPanel, the code really needs to be more closely audited...
  • Re:firefox (Score:5, Interesting)

    by Marcion ( 876801 ) on Saturday September 23, 2006 @08:50PM (#16171453) Homepage Journal
    I use webmin/usermin (BSD licence) instead of Cpanel (proprietary).

    It seems a bit odd to stick a proprietary web control panel to control a load of open-source software on an open-source web-server running on an open-source operating system.

    But that's just me....
  • by Aceheaton ( 986774 ) on Saturday September 23, 2006 @11:18PM (#16172079)
    This is Matt Heaton, President of Bluehost.com. We were working with Brent at Hostgator and had issued a fix before Cpanel finally got around to doing so. There are STILL multiple root exploits that we know FOR SURE work on Cpanel that have yet to be fixed. In one case it is a simple one liner that will pop root on any Cpanel install. This still works even after their "patch". Security is always an afterthought for the Cpanel guys and never designed in as it should be from the start. We were happy that Hostgator asked us for help as we were happy to help and would hope that they would do the same for us if need be. Don't blame the hosting companies in this case, blame Cpanel for knowing about their multitude of scripts that run with root privileges without properly parsing all data passed to and from their suid c programs!! We have been complaining about this for at least 2 years with little or no help for the issue. We have at least 20 bandaids for Cpanel's scripts to fix problems that they refuse to deal with in their "stable" and "current" versions. Hopefully this incident will help them to move in the right direction, but given past exploits and their "resolutions" I HIGHLY doubt it!
  • Odd occurrence today (Score:3, Interesting)

    by robogun ( 466062 ) on Sunday September 24, 2006 @02:09AM (#16172723)
    I don't know if this is related, but I hit a webpage today that tried to access my router at 192.168.1.1.

    My router's password dialog appears when hitting the page.

    I don't think I've seen that one before.
