I heard of A Vulnerability in Cpanel... Any idea?

liketobemad

New Member
Hi .. I posted a topic on a redirection problem which many websites are facing on various other hosting services... I hope x10 doesn't have such a problem.. I just want to let you know some details about the redirection issue...

One of my websites (hosted on some other hosting service) developed a problem where it randomly redirects to some fake antivirus sites full of malicious trojans. I was completely blank, couldn't understand what was wrong.. all my .htaccess files were intact. I googled it and after a search found some links about the issue....
http://www.wewatchyourwebsite.com/wordpress/?p=202
http://blog.unmaskparasites.com/200...s-about-malicious-server-wide-meta-redirects/
and after some more googling, I found a forum post on the hostgator website saying that they found a cpanel exploit and that addressing it arrested the problem. I am pasting the link here .. (no idea whether it is allowed)
http://forums.hostgator.com/virus-issue-has-been-resolved-here-t10939.html?t=10939
My intention in posting here - it says all hostings with cpanel can have a problem.. no idea how true it is? Just want to know if anyone came across such a problem and if any solution is available ...
Thank you
 

leafypiggy

Manager of Pens and Office Supplies
Staff member
cPanel probably knows about it and is fixing it.

Short of shutting down the cPanel service, x10 can't do anything.
 

Corey

I Break Things
Staff member
This is not an issue on our servers and the cPanel link is from 2006 :p

-Corey
 

Smith6612

I ate all of the x10Pizza
Community Support
I wonder if this is how my site got hacked... still is. :(

You should run a MalwareBytes and an Avast! boot time scan to make sure you didn't pick up any hijackers. I would also update all of your scripts if any and check over each of your files, and change your password if that is at all possible.
 

xav0989

Community Public Relation
Community Support
For protecting your PC, CCleaner has some good options.
 

rokkwarr

New Member
stop downloading p0rns? Nah J/k, 10-1 it's probably a trojan that piggybacked upon a website you viewed (do you use IE? if so, trash it.) Unfortunately there's another type of virus going around (not well known mind you) that can hide itself in a jpg or a gif (heck you can embed php code inside of a png for random images and such, arbitrary code inside an image itself isn't much of a stretch.)
 

liketobemad

New Member
Actually the virus I am talking about sits on shared hosting servers.. and infects all sites.. Actually the hacking script gains cPanel access (maybe by getting the password and username from the infected computer of any webadmin) and starts infecting other sites on the server...
My own website hosted on other hosting (India) is facing the problem.. and the thing is it doesn't change code or add code to the existing pages.. but it redirects visitors by Meta Refresh.. all files on the website will be intact...
huff......
I am still searching for solutions
 

masshuu

Head of the Geese
Community Support
Enemy of the State
I believe the free servers are relatively safe, since not only do they need to cope with automated attacks, they need to withstand someone sitting there poking at everything they can to see if they can find a hole, and I would bet the paid servers are just as safe.

You're also looking at posts from long ago that talk about a few sites? I'll bet that it's not an issue with cPanel, but with admins with weak passwords or something like that. cPanel is used on tens of thousands(?) of servers, then why do I only see a handful of those reports for servers owned by a couple of companies?
 

Pyker

New Member
A solution was found:

http://www.wewatchyourwebsite.com/wordpress/?p=202 said:
Friday July 24, 2009 update: We worked with a couple different hosting providers who had servers infected with this and it appears the way these malscripts are injected into the webpages is through a process on the server. The cybercriminals have cleverly named this process “crontab” however this process runs under the user name “nobody” typically the same user name that Apache (or httpd) runs as.

The file that executes this process is remotely deleted by the cybercriminals controlling it so it just runs in memory. Once the server is rebooted, the process disappears and doesn’t appear to return. The hosting providers also mentioned implementing suPHP as an aid to blocking this from happening again.

This is quite clever as how many times does a shared server really get rebooted? Probably not very often unless there’s a reason to shut-down numerous (hundreds?) websites all at once.
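The quoted update above describes a process that keeps running from memory after its executable file has been deleted, under the web server's user name. As an added example (not part of this thread or the linked article), this Python sketch lists such processes on a Linux host by reading `/proc`; the function names, the `watch_uids` parameter and the sample data (UID 99, the paths) are constructed for illustration.

```python
import os

def read_status(pid_dir):
    """Return the Name and real Uid fields from a /proc/<pid>/status file."""
    fields = {}
    with open(os.path.join(pid_dir, "status")) as fh:
        for line in fh:
            key, _, value = line.partition(":")
            if key == "Name":
                fields["name"] = value.strip()
            elif key == "Uid":
                fields["uid"] = int(value.split()[0])  # first column = real UID
    return fields

def find_deleted_exe_processes(proc_root="/proc", watch_uids=()):
    """List processes whose on-disk executable has been unlinked.

    Linux appends " (deleted)" to the /proc/<pid>/exe link target once the
    file is removed while the process keeps running from memory.
    """
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(pid_dir, "exe"))
            info = read_status(pid_dir)
        except OSError:
            continue  # kernel thread, exited process, or no permission
        if exe.endswith(" (deleted)"):
            hits.append({"pid": int(entry), "name": info.get("name"),
                         "uid": info.get("uid"), "exe": exe,
                         "watched_user": info.get("uid") in watch_uids})
    return hits

def build_sample_proc(root):
    """Constructed sample data: a fake /proc with one clean and one suspect PID."""
    samples = {"101": ("httpd", 99, "/usr/sbin/httpd"),
               "202": ("crontab", 99, "/constructed/path/crontab (deleted)")}
    for pid, (name, uid, exe) in samples.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "status"), "w") as fh:
            fh.write(f"Name:\t{name}\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
        os.symlink(exe, os.path.join(root, pid, "exe"))  # dangling link is fine
    return root

if __name__ == "__main__":
    for hit in find_deleted_exe_processes("/proc"):
        print(hit)
```

Run it as root so other users' `exe` links are readable. A deleted executable also shows up for legitimate daemons that were upgraded without a restart, so treat each hit as something to investigate rather than as proof of compromise.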
 

liketobemad

New Member
Actually the solution is not simple.. My webhost on which the problem is there, finally shifted my website to another server ...
this generally happens when some ftp credentials of any user are stolen and then they check for any vulnerable scripts...
affecting PHP files on run.....
 