cPanel support compromised.

easyhostmedia

Well-known member
Received this email today from cPanel, so I thought it best to share this with the community.

From: no-reply@cpanel.net
Sent: Friday, February 22, 2013 12:48 AM
To: ***********

Subject: Important Security Alert (Action Required)


Salutations,

You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with "sudo" or "su" for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel's security team is continuing to investigate the nature of this security issue.



--cPanel Security Team
 
So far no issues with my server, but I like how they just tell you to change your root password. Surely, if it has compromised your server, then all accounts on the server should also be changing their passwords.

Also, when did this happen? Was their tech server compromised 6 months ago or 6 days ago? They have, like WHMCS, decided to keep this part secret.
 
Yes, and also they should at least point out that one should look out for libkeyutils.so.1.9 on the servers. Luckily none of my clients were affected by this hack, but if someone was, I'd recommend reinstalling the whole OS to be on the safe side, and of course, as you already mentioned, changing every single password and looking for cPanel accounts which are not linked to a client, etc. IMO it's not done by simply changing the root password, lol, that's really weak security management.

If they want to keep it secret, I think it's rather been more than just a week. Wouldn't be the best PR for them to admit that though. :P
 
Thanks for sharing.

Hopefully they'll provide a follow up with more details on what happened here and soon (unlike WHMCS).

/Subed.
 
What did you ask them?

It seems they are unsure of the details themselves right now and will update us once they have more details on the situation.
 
I basically asked them when the compromise was, 6 months ago or 6 days ago, or whether we are being kept in the dark like WHMCS, which seems to have hit a nerve judging by the comment against me on the WHMCS forum.
 
I see.

I can't confirm this to be accurate, though; my view on things: the discovery / attack was fairly recent and they are emailing everyone within a 6 month window, as older tickets may be sent to another server (archiving server or something to save resources or...?), and so hackers don't have those older details.

Again I am unsure how accurate that is just my view from what I've heard so far.
 
Yes, most likely recent, but they could have just said that they were investigating rather than say my comment was "inflammatory".
 
They did say they were investigating. It is even in the reply to you that you quoted in your first post of this thread:

cPanel's security team is continuing to investigate the nature of this security issue.

They have also replied to you on the forum saying the following:

As soon as there is additional information available, a more formal announcement will be made available to all.

Which means they are investigating, phrased differently.

How else would you like someone to tell you the issue is under investigation?
 
(Not taking any sides): After reading the WHMCS thread I think he was just taking a defensive measure, as they did state they were still investigating (in the initial email & in the confirmation reply) and your comment stating they were keeping secrets, well...

Though it's nothing to get worked up about :) - Let's wait and see once they release further details :smash:
 
True, but I was still not wrong or being "inflammatory" asking them for more details. If they found this issue then they would have known when it happened, as the issue was found; otherwise they would not have sent the original email.
 
What you felt you were (wrong or not) is irrelevant. You keep asking them questions they don't know the answers to yet, ignoring the clear message of it being investigated. Be patient.
 
News from cPanel:

cPanel, Inc. Announces Additional Internal Security Enhancements

This is a follow up on the status of the security compromise that cPanel, Inc. experienced on Thursday, February 21, 2013.

As mentioned in our email sent to cPanel Server Administrators who’ve opened a ticket with us in the past 6 months, on February 21 we discovered that one of the proxy servers we utilize in the technical support department had been compromised. The cPanel Security Team’s investigation into this matter is ongoing.

We’d like to relay additional details about the intrusion that we have gathered with you, and we want to explain what preventative measures we’re putting in place that will introduce additional layers of security to our new and existing systems, already in place. How the server was accessed and compromised is not clear, but we know a few key facts that we’re sharing.

Here’s what we know:

* The proxy machine compromised in this incident was, at the time, utilized to access customer servers by some of our Technical Analysts. Its intent was to provide a layer of security between local & remote workstations and customer servers.

* This proxy machine was compromised by a malicious third-party by compromising a single workstation used by one of our Technical Analysts.

* Only a small group of our Technical Analysts uses this particular machine for logins.

* There is no evidence that any sensitive customer data was exposed and there is no evidence that the actual database was compromised.

Here’s what we’re doing about it:

Documentation is now provided at: http://go.cpanel.net/checkyourserver which we encourage system administrators to use to determine the status of their machine.

We have restructured the process used to access customer servers to significantly reduce the risk of this type of sophisticated attack in the future. We have also been working on implementing multiple changes to our internal support systems and procedures as outlined for your information below.

* Our system will now generate and provide you with a unique SSH key for each new support ticket submitted.

* We are providing tools to authorize and de-authorize SSH keys and instructions on how to use them whenever you submit a ticket.

* Our system will generate a single-use username and password credentials for accessing WebHost Manager that are only valid while our staff is logged into your server.

* Additional enhancements are also planned behind the scenes that should be transparent to our customers.

With these new layers of security in place, it is now possible for our Technical Analysts to service your support requests without you providing your server’s password for nearly all requests involving machines running our cPanel & WHM product going forward. However, we will still offer the ability to provide your password for server migrations, or in the event you cannot use SSH keys.
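As an added illustration (not cPanel's own tooling) of the per-ticket authorize/de-authorize workflow announced above, the POSIX shell functions below keep exactly one forwarding-restricted key per ticket in an authorized_keys file, tagged so it can be removed when the ticket closes, and count whatever ticket keys are still left behind. The option string and the `support-ticket-<ID>` comment tag are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not cPanel's code: manage one SSH key per support ticket in an
# authorized_keys file. Tag format "support-ticket-<ID>" and the restrictive
# option string are assumptions for this illustration.
set -eu

# authorize_key FILE TICKET_ID PUBKEY_LINE
#   Appends PUBKEY_LINE with forwarding disabled and a ticket tag as comment.
#   Returns 1 if a key for that ticket is already present (one key per ticket).
authorize_key() {
    file=$1; ticket=$2; pubkey=$3
    tag="support-ticket-${ticket}"
    umask 077
    [ -f "$file" ] || : > "$file"
    if grep -q "[[:space:]]${tag}\$" "$file"; then
        return 1
    fi
    # Keep only key type and key material; the original comment is replaced by
    # the ticket tag so that deauthorize_key can find the line later.
    keybody=$(printf '%s\n' "$pubkey" | awk '{print $1, $2}')
    printf 'no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s %s\n' \
        "$keybody" "$tag" >> "$file"
}

# deauthorize_key FILE TICKET_ID
#   Removes every line tagged with the ticket ID, rewriting the file atomically
#   so a crash mid-way never leaves a truncated authorized_keys behind.
deauthorize_key() {
    file=$1; ticket=$2
    tag="support-ticket-${ticket}"
    tmp="${file}.tmp.$$"
    umask 077
    grep -v "[[:space:]]${tag}\$" "$file" > "$tmp" || true
    mv "$tmp" "$file"
}

# count_ticket_keys FILE
#   Prints the number of support-ticket keys still authorized. Anything other
#   than 0 once all tickets are closed is a stale key that should be reviewed.
count_ticket_keys() {
    grep -c '[[:space:]]support-ticket-[0-9A-Za-z]*$' "$1" || true
}
```

Run count_ticket_keys against each server's root authorized_keys after a ticket closes; a non-zero result is the simplest check that de-authorization actually happened.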

cPanel’s Internal Development Team has been working on an automated solution with the end goal of eliminating the need for our Technical Analysts to view any passwords you provide during the ticket submission process. We are testing this solution right now, and hope to have it fully implemented in the next few days.

cPanel, Inc. understands your concerns expressed over the last few days, and we very much appreciate the cooperation and patience you have provided us during this time as we work through all of this.

Thank you.
 