cPanel [Technical Support] hacked

Server owners who use cPanel and have sent their password to cPanel Tech Support within the past 6 months should change that password immediately.

I didn't receive the email myself, but there is a report on the WHMCS Forum.

http://forum.whmcs.com/showthread.php?68611-cPanel-support-compromised&p=296646

I'm still waiting to read the details from cPanel. Luckily I've never sent a single support ticket.

From: no-reply@cpanel.net Sent: Friday, February 22, 2013 12:48 AM
To: ***********

Subject: Important Security Alert (Action Required)

Salutations,

You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with “sudo” or “su” for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.

As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel’s security team is continuing to investigate the nature of this security issue.

–cPanel Security Team


Update: 27/2/2013

– in the post below

Thai providers can probably handle it.

Well, there it goes. Even cPanel got hit.

cPanel got hit. If it happened to us, it wouldn't be surprising at all, hahaha

The news is starting to come out.

The providers of the [cPanel website management application](https://cpanel.net/company/) are warning some users to immediately change their systems' root or administrative passwords after discovering one of its servers has been hacked.

In an e-mail sent to customers who have filed a cPanel support request in the past six months, members of the company’s security team said they recently discovered the compromise of a server used to process support requests.
“While we do not know if your machine is affected, you should change your root level password if you are not already using SSH keys,” they wrote, according to a copy of the e-mail posted to a community forum. “If you are using an unprivileged account with ‘sudo’ or ‘su’ for root logins, we recommend you change the account password. Even if you are using SSH keys we still recommend rotating keys on a regular basis.”
The e-mail advised customers to take “immediate action on their own servers,” although team members still don’t know the exact nature of the compromise. Company representatives didn’t respond to an e-mail from Ars asking if they could rule out the possibility that customer names, e-mail addresses, or other personal data were exposed. It’s also unclear whether the company followed wide-standing recommendations to cryptographically protect passwords. So-called one-way hashes convert plain-text passwords into long unique strings that can only be reversed using time-consuming cracking techniques. This post will be updated if cPanel representatives respond later.
The cPanel compromise is the latest in a long string of high-profile hacks to be disclosed over the past few weeks. Other companies that have warned users they were hacked include *The New York Times*, [*The Wall Street Journal*](http://arstechnica.com/security/2013/01/wsj-says-it-was-breached-by-chinese-hackers-too-in-ongoing-campaign/), [security firm Bit9](http://arstechnica.com/security/2013/02/cooks-steal-security-firms-crypto-key-use-it-to-sign-malware/), [Twitter](http://arstechnica.com/security/2013/02/twitter-detects-and-shuts-down-password-data-hack-in-progress/), [Facebook](http://arstechnica.com/security/2013/02/facebook-computers-compromised-by-zero-day-java-exploit/), [Apple](http://arstechnica.com/apple/2013/02/apple-hq-also-targeted-by-hackers-will-release-tool-to-protect-customers/), and [Microsoft](http://arstechnica.com/security/2013/02/microsoft-joins-apple-facebook-and-twitter-comes-out-as-hack-victim/). On Tuesday, a computer firm issued an [unusually detailed report linking China’s military to hacks against US companies](http://arstechnica.com/security/2013/02/unusually-detailed-report-links-chinese-military-to-hacks-against-us/), although at least some of the most recent attacks are believed to have originated in Eastern Europe.
It’s unclear how many cPanel users are affected by the most recently disclosed compromise. The hack has the potential to be serious because the passwords at risk could give unfettered control to a large number of customers’ Unix-based computers.

Source: Server hack prompts call for cPanel customers to take “immediate action” | Ars Technica

I almost got caught too. At first I was going to send my password to cPanel, but their support fee was so expensive that I figured I'd rather look for a solution online instead, hahaha

Luckily I don't have the money to buy it anyway.

Damn, that email reached me too T_T
I've already changed my password.


Same here. DirectAdmin is already fancy enough for me, haha

Update

Based on today's email from cPanel, I'll confirm once more: anyone who did not send a support ticket containing their own login credentials to cPanel in the last 6 months is not affected in any way.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

cPanel, Inc. Announces Additional Internal Security Enhancements

This is a follow up on the status of the security compromise that cPanel, Inc. experienced on Thursday, February 21, 2013.

As mentioned in our email sent to cPanel Server Administrators who’ve opened a ticket with us in the past 6 months, on February 21 we discovered that one of the proxy servers we utilize in the technical support department had been compromised. The cPanel Security Team’s investigation into this matter is ongoing.

We’d like to relay additional details about the intrusion that we have gathered with you, and we want to explain what preventative measures we’re putting in place that will introduce additional layers of security to our new and existing systems, already in place. How the server was accessed and compromised is not clear, but we know a few key facts that we’re sharing.

Here’s what we know:

* The proxy machine compromised in this incident was, at the time, utilized to access customer servers by some of our Technical Analysts. Its intent was to provide a layer of security between local & remote workstations and customer servers.

* This proxy machine was compromised by a malicious third-party by compromising a single workstation used by one of our Technical Analysts.

* Only a small group of our Technical Analysts use this particular machine for logins.

* There is no evidence that any sensitive customer data was exposed and there is no evidence that the actual database was compromised.

Here’s what we’re doing about it:

Documentation is now provided at: http://go.cpanel.net/checkyourserver which we encourage system administrators to use to determine the status of their machine.

We have restructured the process used to access customer servers to significantly reduce the risk of this type of sophisticated attack in the future. We have also been working on implementing multiple changes to our internal support systems and procedures as outlined for your information below.

* Our system will now generate and provide you with a unique SSH key for each new support ticket submitted.

* We are providing tools to authorize and de-authorize SSH keys and instructions on how to use them whenever you submit a ticket.

* Our system will generate a single-use username and password credentials for accessing WebHost Manager that are only valid while our staff is logged into your server.

* Additional enhancements are also planned behind the scenes that should be transparent to our customers.
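The per-ticket SSH key scheme described in the list above, as an added example that is not cPanel's code: a small Python module that authorizes a key confined to one ticket using OpenSSH authorized_keys options (expiry-time= requires OpenSSH 7.7 or newer), de-authorizes it when the ticket closes, and audits the file for stale ticket keys. The sample authorized_keys lines, ticket ids, the 203.0.113.10 proxy address and the key material are constructed placeholders.

```python
"""Per-ticket SSH keys in authorized_keys: each support ticket gets its own
confined key (OpenSSH options; expiry-time= needs OpenSSH 7.7+), tagged with
the ticket id in the comment field so it can later be removed precisely."""
import re
from datetime import datetime, timezone

# Confine a support key: no tunnelling, one source address, hard expiry
# (the trailing Z makes sshd read the timestamp as UTC).
RESTRICTIONS = "no-port-forwarding,no-agent-forwarding,no-X11-forwarding"
EXPIRY_RE = re.compile(r'expiry-time="(\d{12})Z"')

# Constructed sample authorized_keys content: one operator key plus a stale
# support key left behind by an earlier ticket (key material is placeholder).
SAMPLE_AUTHORIZED_KEYS = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPERATORKEYPLACEHOLDER admin@laptop",
    'from="203.0.113.10",expiry-time="201301311200Z" '
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOLDTICKETKEYPLACEHOLDER cpanel-ticket-1001",
]

def tag(ticket_id):
    """Comment-field marker that ties a key to one ticket."""
    return f"cpanel-ticket-{ticket_id}"

def comment_of(entry):
    return entry.split()[-1]  # last field of an authorized_keys line

def authorize_key(entries, ticket_id, pubkey, source, expires):
    """Return entries plus one confined key for ticket_id; pubkey is the
    'type base64' text of a .pub file, source is the support proxy address,
    expires is a timezone-aware datetime."""
    stamp = expires.astimezone(timezone.utc).strftime("%Y%m%d%H%M")
    options = f'{RESTRICTIONS},from="{source}",expiry-time="{stamp}Z"'
    return entries + [f"{options} {pubkey} {tag(ticket_id)}"]

def deauthorize_key(entries, ticket_id):
    """Drop every line whose comment names ticket_id (ticket closed)."""
    return [e for e in entries if comment_of(e) != tag(ticket_id)]

def stale_ticket_keys(entries, now):
    """Ticket tags whose expiry has passed: sshd 7.7+ already rejects them,
    but an audit should still report and remove the lines."""
    stale = []
    for e in entries:
        m = EXPIRY_RE.search(e)
        if m and comment_of(e).startswith("cpanel-ticket-"):
            exp = datetime.strptime(m.group(1), "%Y%m%d%H%M")
            if exp.replace(tzinfo=timezone.utc) <= now:
                stale.append(comment_of(e))
    return stale
```

Write the returned list back to ~/.ssh/authorized_keys (or the account's AuthorizedKeysFile) atomically; the functions deliberately operate on lists so the file write stays under the operator's control.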

With these new layers of security in place, it is now possible for our Technical Analysts to service your support requests without you providing your server’s password for nearly all requests involving machines running our cPanel & WHM product going forward. However, we will still offer the ability to provide your password for server migrations, or in the event you cannot use SSH keys.

cPanel’s Internal Development Team has been working on an automated solution with the end goal of eliminating the need for our Technical Analysts to view any passwords you provide during the ticket submission process. We are testing this solution right now, and hope to have it fully implemented in the next few days.

cPanel, Inc. understands your concerns expressed over the last few days, and we very much appreciate the cooperation and patience you have provided us during this time as we work through all of this.

Thank you.