[CentOS] Server Hacked: Cpanel

Wed Aug 9 16:28:40 UTC 2006
Rodrigo Barbosa <rodrigob at darkover.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Some excerpts:

On Wed, Aug 09, 2006 at 09:08:00AM -0700, Karl Balsmeier wrote:
> This made Karanbir's statements about mixing Cpanel and Centos (and maybe any
> linux distro) come true very quickly.  If one of the top package maintainers
> says this, it bears weight.
>  
> I'd like to know more about this subject, specifically on the package front,
> for security's sake.

First things first.

When you install cPanel, you no longer have a CentOS machine, you have a
cPanel one. As simple as that.

cPanel is way too intrusive. It will stop any efforts from the CentOS
team to keep the machine current and secure. It will change everything
from services to libraries.

> Is the issue that both parties maintain separate packaging/updating regimes and
> have little or no successful communication as far as keeping things secure and
> up to date?

Actually, no. There are many features in cPanel that depend on heavy
patching of packages, including Apache and Exim. There is actually
no way better communication would make any difference, unless cPanel were
made open source (and correctly documented).

> Also, can you list the IRC channels you mentioned last time that contain the
> various hackers bragging about freshly broken Cpanel/Centos builds?  

Is there any need for that? Hacking a cPanel server is trivial for any
hacker but a script kid.

Not only will it use insecure versions of many pieces of software and some
patches of questionable safety, it will also stop you from using several
methods of improving security (/tmp hardening with ACLs is just one example).

There are some people (rack911.com) that can do wonders securing a
cPanel server, but even they can't make it as secure as a pure CentOS
server. If you really need to use cPanel (and other CPs for that matter),
I urge you to contact Steve at rack911.com and ask him to secure your
server. Regarding CP-based servers, he is the best I know.

> William, Jim, Johnny, -any comments are truly welcome, -anyone really. 
> Basically i'd like to help stop or curtail the 'open season' this set of
> circumstances is creating for hackers, -I have already decided to avoid Cpanel
> on Centos as it is, -my server that was hacked with Cpanel was not a Centos
> box, and those that have it, have been shut down.

It really will make no big difference whether you are using CentOS or some
other base distro for cPanel. cPanel replaces so many things, and will
give you Fantastico, which is an amazing tool, as long as you don't
mind security.

> The server next to it was *also* hacked, and that *was* a centos machine, with
> only a yum update from 3 days prior.  Is it really recommended that I run yum
> update every night then?  It was stunning to have a box up for 3 days and then
> get owned so fast.

Again, wouldn't have made any difference.

> Luckily this was for my personal business entity, and not my full-time job,
> which indeed does run 50-70 Centos servers behind layers of firewalls and other
> protections, and *no* commercial products, only centos packages by Dag or
> Karanbir.

That is the way to go.

> To anyone in the mood for scolding, please hold off OK?  I'm not in the mood
> for overbearing attitudes right now.  I'm trying to run a business and seek
> solid answers.  I see Centos as a reliable alternative to commercial offerings
> *if* you pay careful attention to what the senior staff and relevant discussion
> groups advise.

I hope you don't think I'm scolding you. CPs have a business value. I'm
well aware of that. But you get that at the price of security (along with
other things that don't relate to this thread).

My point is very simple: if you are using cPanel, you WILL get hacked.
I suspect the same holds true for all other CPs (DirectAdmin, Cubix etc),
but I can't say for certain, since I never audited a machine with
those CPs, only read their specs.

Your best shot is to get specialized cPanel securing assistance. As
I said, Rack911 is your best bet as far as I'm concerned.

> As for the team of hackers, if anyone knows who this is, or can point out who
> they might be or how to ban them, -that is also most welcome.

Don't waste your time trying to ban them. It won't work. They will simply
hack someone else's cPanel server and use it to access yours.

There are some tips and HOWTOs on www.webhostingtalk.com that might
help you secure your machine by yourself, and if nothing else, I
would check there.

Best Regards,

- -- 
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFE2g04pdyWzQ5b5ckRApYaAJ9RyqnonfdcNZ5hZ36krIsxCBMy4wCgr3iU
BiskH0c+60kcsv+ZcQnTmSo=
=zK61
-----END PGP SIGNATURE-----
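The message above mentions /tmp hardening in passing as one of the controls cPanel gets in the way of, without spelling out the method. The following is an added example, not part of the original mail or of cPanel, showing the mount-option form of that hardening as an audit check: it reads a mounts table in /proc/mounts format and reports which of noexec, nosuid and nodev are missing from a given mountpoint. The sample table, the function name tmp_missing_opts and the choice of those three options are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original mail): audit the mount options of a
# mountpoint such as /tmp against the usual /tmp-hardening set
# (noexec, nosuid, nodev). Reads a table in /proc/mounts format
# (device mountpoint fstype options dump pass); defaults to the live
# /proc/mounts when no table text is supplied.

# Constructed sample table for offline use: /tmp has noexec and nosuid but
# lacks nodev, /home has no hardening options at all.
SAMPLE_MOUNTS="/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0
/dev/sda4 /home ext3 rw 0 0"

# tmp_missing_opts MOUNTPOINT [MOUNTS_TABLE_TEXT]
# Prints the hardening options missing from MOUNTPOINT, space-separated
# (empty line when none are missing, "not-mounted" when the mountpoint is
# absent). Returns 0 if fully hardened, 1 if an option is missing, 2 if not
# mounted.
tmp_missing_opts() {
    mp=$1
    table=${2:-$(cat /proc/mounts)}
    # Field 2 is the mountpoint, field 4 the comma-separated option list;
    # take the last matching line in case of stacked mounts.
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print $4 }' | tail -n 1)
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 2
    fi
    missing=""
    for want in noexec nosuid nodev; do
        # Surround with commas so "noexec" cannot match inside another option.
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Usage against the constructed table (live system: tmp_missing_opts /tmp):
#   tmp_missing_opts /tmp "$SAMPLE_MOUNTS"
```

Run against the sample table, the check reports "nodev" for /tmp and returns 1; on a real host you would run it with only the mountpoint argument and, if anything is reported, add the missing options to the /tmp entry in /etc/fstab and remount.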