mydomain

Well-Known Member
Aug 10, 2003
T0rnkit8 on one of my boxes - this isn't the best day of my life. Thanks to Cpanel.
 

TAWHosting

Member
Jul 12, 2003
UK
5.248.51.206 - [12/Mar/2004:20:00:02 +0000] "GET /resetpass/?user=%7C%60BLA=$'%5C%5Cx20';BLA2=$'%5C%5Cx2F';id%60%7C HTTP/1.$

etc etc

look in your /usr/local/cpanel/logs/access_log

You should see lines like the above if you've been compromised. I urge everyone to get the IPs of the person that issued the commands and prosecute; damn these bastards causing us grief!!!
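A small log-scanning script, added here as an example (it is not code from this thread, from cPanel, or from any poster), that applies the check TAWHosting describes: it parses cPanel access_log entries, URL-decodes the `user` parameter of `/resetpass/` requests, and reports the source IP, timestamp and decoded value of any request whose value contains shell metacharacters (backtick, pipe, semicolon, `$(`, `$'`), which is exactly what the quoted line carries. The log line format is assumed from the quoted entry; the sample lines are constructed from it with documentation-range addresses, and the `user`-extraction logic assumes an ordinary `key=value&key=value` query string.

```python
import re
import sys
from urllib.parse import unquote

# Constructed sample log, modelled on the access_log line quoted in the thread.
# Addresses are from documentation ranges; none of this came from a real server.
SAMPLE_LOG = """\
192.0.2.10 - [12/Mar/2004:20:00:02 +0000] "GET /resetpass/?user=%7C%60BLA=$'%5C%5Cx20';BLA2=$'%5C%5Cx2F';id%60%7C HTTP/1.0" 200 512
198.51.100.7 - [12/Mar/2004:20:01:10 +0000] "GET /resetpass/?user=alice HTTP/1.1" 200 1024
203.0.113.5 - [12/Mar/2004:20:02:00 +0000] "GET /frontend/x/index.html HTTP/1.1" 200 2048
"""

# Assumed line layout: <ip> - [<timestamp>] "<METHOD> <target> HTTP/x.y" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)'
)

# Characters/sequences that have no business in a username but drive shell injection.
SHELL_META = re.compile(r"[`|;&]|\$\(|\$'")


def extract_user_param(target):
    """Return the URL-decoded 'user' value of a /resetpass/ request, else None."""
    path, _, query = target.partition('?')
    if not path.startswith('/resetpass'):
        return None
    for pair in query.split('&'):
        key, _, value = pair.partition('=')
        if key == 'user':
            return unquote(value)
    return None


def scan_log(text):
    """Return (ip, timestamp, decoded_user) for every resetpass request whose
    'user' value contains shell metacharacters after URL decoding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        user = extract_user_param(m.group('target'))
        if user is None:
            continue
        if SHELL_META.search(user):
            hits.append((m.group('ip'), m.group('ts'), user))
    return hits


def offending_ips(text):
    """Sorted, de-duplicated list of source IPs that sent injection attempts."""
    return sorted({ip for ip, _, _ in scan_log(text)})


if __name__ == '__main__':
    # Usage: python scan_resetpass.py /usr/local/cpanel/logs/access_log
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors='replace') as fh:
            data = fh.read()
    else:
        data = SAMPLE_LOG
    for ip, ts, user in scan_log(data):
        print(f"{ip} {ts} user={user!r}")
    print("offending IPs:", ", ".join(offending_ips(data)))
```

Decoding before matching matters: the raw log line shows `%60` and `%7C`, not the backtick and pipe the shell eventually saw, so a grep for literal metacharacters would miss it. The script only reports; blocking the listed addresses at the firewall and preserving the log for any complaint is the operator's decision.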
 

xsenses

Well-Known Member
Aug 29, 2002
Huntington Beach, Ca
Originally posted by LS_Drew
I just want to say to Nick that I really do think you did the right thing today to try and rectify the situation. If you had explained that those of us who already patched would be unaffected by the upgrade, I'd have been with ya from the start.

It's a shame that this had to happen in the first place, but your handling of the problem was, IMHO, first rate and saved MANY folks who didn't know any better and would have been hacked to pieces.
Yeah - I have to agree. Saved a lot of damage. Just think how many folks haven't even caught wind of anything yet...
 

rs-freddo

Well-Known Member
May 13, 2003
Australia
cPanel Access Level
Root Administrator
Originally posted by LS_Drew
Are we gonna have to go through this all over again?

http://www.securityfocus.com/archive/1/blah/blah
My Port 2082 is firewalled, so i tried it on port 2083 - no go. Must have correct user and password.

... I'm not a hacker so I may have done something wrong. Still you need to post a support ticket in case nick needs to fix this.
 

bmcpanel

Well-Known Member
Jun 1, 2002
Originally posted by bdraco
It's all part of the same problem. The patch should take care of it.
Thanks for fixing this. Stuff happens. You are on top of it. Thanks.
 

rs-freddo

Well-Known Member
May 13, 2003
Australia
cPanel Access Level
Root Administrator
Originally posted by bdraco
It's all part of the same problem. The patch should take care of it.
What about those who have "email password" off and haven't upgraded?

mydomain has a point - "should" or "will"????
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
cPanel Access Level
DataCenter Provider
Originally posted by rs-freddo
What about those who have "email password" off and haven't upgraded?

mydomain has a point - "should" or "will"????
The patch from earlier today does fix the problem, since it's all the same module that is affected.
 

liquidcherry

Well-Known Member
Jan 20, 2004
Same question here... I am still on 8.8.0 Stable 74 (and I have to knock on wood that I was so clever and turned the password reset off as soon as it appeared weeks ago).

So, my concern is: can I upgrade, should I or should I not (I still have the security message on top of WHM news), because my box will go down after... Is this resolved, I mean ALL problems (like I read in different threads here)?

By the way Nick, I think it was the right decision, but maybe my 2 cents to this: what about a security mailing list with ALL members and purchasers, admins, whoever uses, sells or maintains cPanel? The message could be delivered even to cellphones. Hey, we are living in the 21st century... :cool:

Frank
 

SarcNBit

Well-Known Member
Oct 14, 2003
Originally posted by LS_Drew
your handling of the problem was, IMHO, first rate and saved MANY folks who didn't know any better and would have been hacked to pieces.
If you don't know any better, then your servers should be set to allow automatic security updates. If you set your servers to manual then updates should not occur. It really is not that hard a concept to grasp.

I applaud cPanel for responding to this threat so quickly. I know it had to have been a busy day for everyone involved with all of the support requests. The way the updates were pushed out however needs to be re-evaluated.
 

mydomain

Well-Known Member
Aug 10, 2003
Originally posted by SarcNBit
If you don't know any better, then your servers should be set to allow automatic security updates. If you set your servers to manual then updates should not occur. It really is not that hard a concept to grasp.

I applaud cPanel for responding to this threat so quickly. I know it had to have been a busy day for everyone involved with all of the support requests. The way the updates were pushed out however needs to be re-evaluated.
What type of Cpanel build do you run on your servers with Automatic Update then?
 

LS_Drew

Well-Known Member
Feb 20, 2003
'If' 'should' yada yada, all that is irrelevant. People SHOULD do lots of things. But they don't. It's no different here.

The way the updates were delivered, IMHO, was brilliant. Set a script to exploit the hole, using the exploit to patch the system. That way, if the patching was already taken care of or the box just wasn't vulnerable, nothing was done. How can it get any better than that? The people that did what they were supposed to do got no frantic calls today. The rest may have had an update fail. C'est la vie.
 

rs-freddo

Well-Known Member
May 13, 2003
Australia
cPanel Access Level
Root Administrator
Originally posted by LS_Drew
'If' 'should' yada yada, all that is irrelevant. People SHOULD do lots of things. But they don't. It's no different here.

The way the updates were delivered, IMHO, was brilliant. Set a script to exploit the hole, using the exploit to patch the system. That way, if the patching was already taken care of or the box just wasn't vulnerable, nothing was done. How can it get any better than that? The people that did what they were supposed to do got no frantic calls today. The rest may have had an update fail. C'est la vie.
I think most people didn't know the update exploited the hole and therefore was directly targeted at exploitable servers. I certainly didn't until you pointed it out.
 

CpanelCliff

Guest
We were definitely testing the build before it was released, as I was sitting right beside Nick testing each build he put out. However, with the size of the security exploit we didn't have time to be overly methodical. I made sure all basic functions were operational and caught quite a few errors and corrected them, so yes, we missed this particular bug, but as soon as we knew about it we started working on it, at 3 something in the morning. The exploit was a bad one and could have caused a lot more damage than it did; we can't expect to keep everyone happy, but no software is perfect. We will take your ideas into consideration about further notifications, and I'll work with Nick to see if we can't get a better notification system set up. However, even with the notifications, I'm not sure if a forced upgrade on systems with the hole would be out of the picture.
 

HG_

Member
Nov 26, 2003
OK,

It would appear that one of my cPanel boxes has been affected.

I can't be sure at the moment that any particular damage has been done - but I assume it has, or may be.

What are my options for getting out of this pickle?

I have other cPanel boxes which appear to be ok, btw, but it looks like they were upgraded to the 'secure' cPanel version got hold of them.

Any advice would be helpful :)
 

thechronic

Member
Oct 25, 2003
Originally posted by TAWHosting
The only safe way to remove t0rn is a full OS restore; don't compromise your or your clients' data by doing a half-arsed job.
Can I do that remotely? Do you know any links that explain how to do this?