cPanel Inc. Server Compromised

The specifics are unclear, but it appears the following letter is going out to cPanel users who have submitted a ticket in the last 6 months:

From: no-reply@cpanel.net
Sent: Friday, February 22, 2013 12:48 AM
To: ***********

Subject: Important Security Alert (Action Required)

Salutations,

You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with “sudo” or “su” for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel’s security team is continuing to investigate the nature of this security issue.

–cPanel Security Team

The cPanel product is very popular and is used by hosts like Bluehost, HostGator, InMotion and many others, who in turn service hundreds of thousands of website owners. While the scale of the compromise is unknown, an attacker targeting an environment like this is surely interested in one thing – data.

While the extent of the compromise is still unclear, it looks to have happened some time in the past 6 months. You can see the discussion here: http://forum.whmcs.com/showthread.php?68611-cPanel-support-compromised&p=296646, where the user Infopro, a product evangelist, confirms that there was a compromise and that action should be taken by all product users.

There is more discussion occurring on this thread as well: http://www.hostingdiscussion.com/web-hosting-discussion/32211-cpanel-support-compromised.html

We highly recommend that any hosting company that uses the cPanel product force a reset of all account credentials.

******Update: Feb 22, 2013 – 16:16 PST********************

Interestingly enough, one of our engineers was also notified by their host, WiredTree, of a possible correlation between the cPanel compromise and the recent rumblings about a root-level exploit in RedHat/CentOS servers. On February 18th, WiredTree sent out the following notice:

I am writing you tonight to inform you that we have disabled access to port 22 (default SSH port) on your server as a temporary precautionary security measure. Our security team has good reason to believe there is a root-level exploit in the wild for RedHat/CentOS servers, as compromises have been reported on WebHostingTalk, Reddit, as well as on our own network and at other providers we have talked to. There have been a number of similarities in the attacks and that is why we have decided it is best to block this port temporarily until the attack vector is determined.

The discussion they are referring to can be found here and here.

Today, WiredTree sent out the following email in response to our analyst's inquiry for more information:

We recently emailed you to inform you that we temporarily disabled access to port 22 (default SSH port) on your server as a precautionary security measure. This block has now been lifted.

Our security team had been following some widespread reports of root-level compromises over the course of a couple of weeks. As time went on more and more were being reported, and we saw a handful on our network. One thing all of the servers compromised had in common was that SSHd was enabled with password authentication. We blocked SSHd temporarily as a precautionary measure; however, we have since learned that SSHd was not the actual culprit.

We have been informed by cPanel that one of their servers in their Technical Support department was compromised and, after further investigation, we have found that servers that were compromised had a cPanel ticket opened at one point where root-level SSH access was given to cPanel Support so they could log in from their support offices. This extends as far back as tickets opened with cPanel support in October 2012.

Can the two issues be related? Are any other hosts seeing similar issues and care to give more information? If this is in fact true, then this is a pretty serious concern, not just for hosts, but for website owners alike who depend on these products for their day-to-day administration and management.
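As a concrete check for the advice in the cPanel letter and WiredTree's observation that every compromised box had password authentication on and a support key in root's account, here is an added audit script (not from the original post, cPanel or WiredTree). It reads an sshd_config the way sshd resolves duplicate keywords, flags password authentication and root login, and lists the comment of every key in an authorized_keys file, all against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the post, cPanel or WiredTree): audit the two sshd
# settings this incident turned on and list every key that can log in as root.
# Effective sshd_config value: sshd takes the first occurrence; a commented-out
# line means the compiled-in default applies. Match blocks are not handled.
sshd_effective() {   # $1 = config file, $2 = keyword, $3 = default when absent
  val=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
  printf '%s\n' "${val:-$3}"
}
# One FINDING line per risky setting; defaults are OpenSSH's own at the time
# (both PasswordAuthentication and PermitRootLogin defaulted to yes).
audit_sshd() {   # $1 = sshd_config path
  case "$(sshd_effective "$1" PasswordAuthentication yes)" in
    [Yy][Ee][Ss]) echo "FINDING: PasswordAuthentication yes (password logins allowed)" ;;
  esac
  case "$(sshd_effective "$1" PermitRootLogin yes)" in
    [Yy][Ee][Ss]) echo "FINDING: PermitRootLogin yes (root may log in with a password)" ;;
  esac
}
# "TYPE COMMENT" for each key in an authorized_keys file, skipping blank and
# comment lines; a leading options field (from=, command=, ...) is dropped.
list_authorized_keys() {   # $1 = authorized_keys path
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | while read -r line; do
    set -- $line
    case "$1" in ssh-*|ecdsa-*) ;; *) shift ;; esac   # skip options field
    type=$1; shift 2                                  # skip type and key blob
    printf '%s %s\n' "$type" "${*:-<no comment>}"
  done
}
# Constructed sample inputs; the key blobs are fake placeholders, not real keys.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config_default" <<'EOF'
#PermitRootLogin yes
#PasswordAuthentication yes
EOF
cat > "$SAMPLE_DIR/sshd_config_hardened" <<'EOF'
PermitRootLogin without-password
PasswordAuthentication no
EOF
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
# constructed root authorized_keys
ssh-rsa AAAAB3FAKEKEY1 admin@laptop
ssh-rsa AAAAB3FAKEKEY2 support-access-ticket-PLACEHOLDER
from="203.0.113.10" ssh-dss AAAAB3FAKEKEY3
EOF
audit_sshd "$SAMPLE_DIR/sshd_config_default"    # prints two FINDING lines
audit_sshd "$SAMPLE_DIR/sshd_config_hardened"   # prints nothing
list_authorized_keys "$SAMPLE_DIR/authorized_keys"
```

Run it against /etc/ssh/sshd_config and /root/.ssh/authorized_keys; any key whose comment you cannot tie to a current administrator is a candidate for removal, and the findings go away once password logins are off and root logins are key-only.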

About Tony Perez

Tony is the Co-Founder / CEO at Sucuri. He shares a deep passion for Information Security, Business and Brazilian JiuJitsu. He approaches the business the same as he trains BJJ, one move at a time and gently. You can follow him on twitter: @perezbox.