[CentOS] Server Hacked: Cpanel

Craig White craigwhite at azapple.com
Wed Aug 9 16:19:12 UTC 2006


On Wed, 2006-08-09 at 09:08 -0700, Karl Balsmeier wrote:
> Hi, 
>  
> I have servers of mixed OS, some Centos, some Fedora, and after the
> flame war that erupted last week (where I said basically nothing and
> just watched), my server was hacked by this team of hackers, actually
> their friend:
>  
> http://www.sibersavascilar.com/
>  
> This made Karanbir's statements about mixing Cpanel and Centos (and
> maybe any linux distro) come true very quickly.  If one of the top
> package maintainers says this, it bears weight.
>  
> I'd like to know more about this subject, specifically on the package
> front, for security's sake.
>  
> Karanbir, can you restate the issues with Cpanel please?  They are
> trying to recommend CentOS as the OS to install on, and even that
> Linux Journal article did -and before anyone else wastes their time,
> -let's get everything out in the open so that there's a pipermail
> archive trail for future folks 'googling' for info later on pros/cons
> of using, or avoiding use of, non-complementary projects/technologies.
>  
> Is the issue that both parties maintain separate packaging/updating
> regimes and have little or no successful communication as far as
> keeping things secure and up to date?
>  
> That seemed to be what you said, -and if I had the old email, I'd just
> run with its advice.
>  
> Also, can you list the IRC channels you mentioned last time that
> contain the various hackers bragging about freshly broken
> Cpanel/Centos builds?  Freenode right?  Any others?  I've been on IRC
> back when BITNET was still active and there wasn't even mosaic yet,
> but have always avoided it after 1992 because of hackers 'sniffing for
> future targets'.
>  
> William, Jim, Johnny, -any comments are truly welcome, -anyone really.
> Basically I'd like to help stop or curtail the 'open season' this set
> of circumstances is creating for hackers, -I have already decided to
> avoid Cpanel on Centos as it is, -my server that was hacked with
> Cpanel was not a Centos box, and those that have it, have been shut
> down.
>  
> The server next to it was *also* hacked, and that *was* a centos
> machine, with only a yum update from 3 days prior.  Is it really
> recommended that I run yum update every night then?  It was stunning to
> have a box up for 3 days and then get owned so fast.
>  
> Luckily this was for my personal business entity, and not my full-time
> job, which indeed does run 50-70 Centos servers behind layers of
> firewalls and other protections, and *no* commercial products, only
> centos packages by Dag or Karanbir.
>  
> To anyone in the mood for scolding, please hold off OK?  I'm not in
> the mood for overbearing attitudes right now.  I'm trying to run a
> business and seek solid answers.  I see Centos as a reliable
> alternative to commercial offerings *if* you pay careful attention to
> what the senior staff and relevant discussion groups advise.
>  
> As for the team of hackers, if anyone knows who this is, or can point
> out who they might be or how to ban them, -that is also most welcome.
>  
----
The only way to close the door is to figure out which door they used to
get in.

The likely culprits are ssh - things like php (especially if using phpbb
or other content management systems which allow users to write things on
the web site). My money these days is always on SSH, allowing users to
log in via password and users with weak passwords.

It's not really germane to discuss whether it was CentOS, CPanel or
whatever until you actually know how they got in.

Craig
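Craig's point about password logins over SSH being the usual way in translates directly into two sshd_config directives. The script below is an added example, not something posted in this thread: it audits an sshd_config file for PasswordAuthentication and PermitRootLogin using sshd's own rule that the first uncommented value of a keyword wins, treating an unset directive as the weak upstream default of that era (both defaulted to "yes"). The two sample configs are constructed inline and written to temporary files; the helper names and file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config for the two
# settings behind the weak-password SSH vector Craig describes.

# Print the first effective (uncommented) value of a directive, mirroring
# sshd's "first obtained value wins" rule. Keyword match is case-insensitive.
# Prints nothing when the directive is not set. Match blocks are ignored.
ssh_directive() {
    # $1 = path to sshd_config, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }          # skip comment lines
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Return 0 if the config blocks password logins and root logins,
# 1 otherwise, printing one finding per weak setting.
audit_sshd_config() {
    cfg="$1"
    rc=0
    pw=$(ssh_directive "$cfg" PasswordAuthentication)
    root=$(ssh_directive "$cfg" PermitRootLogin)
    # Unset PasswordAuthentication means the upstream default "yes".
    case "${pw:-yes}" in
        yes) echo "WEAK: PasswordAuthentication is effectively yes in $cfg"; rc=1 ;;
    esac
    # Unset PermitRootLogin defaulted to "yes" on OpenSSH of that era.
    case "${root:-yes}" in
        yes) echo "WEAK: PermitRootLogin is effectively yes in $cfg"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs: a stock-looking one and a hardened one.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: looks edited, but the fix is still commented out
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed sample: key-only logins, no direct root
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF

# Stand-alone demo: report on both files without aborting on the weak one.
for f in "$WEAK_CFG" "$HARD_CFG"; do
    if audit_sshd_config "$f"; then
        echo "OK: $f is hardened against password guessing"
    fi
done
```

Run it against a live server's /etc/ssh/sshd_config after testing key-based login from a second session, so a mistake in the hardened file does not lock you out; the script only reads the file and never changes it.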
