Archive for the 'Security' Category

We have been receiving a number of attack reports from clients with WordPress installs, and on further investigation we found a global attack against WordPress.

Right now there is a very severe, global attack against WordPress sites across the Internet, and almost all hosting providers are affected. It is a brute-force attack against the WordPress login, well organized and highly distributed: we have seen a very large number of source IP addresses involved. Because each login attempt needs a completed TCP connection, these addresses are not spoofed in the packet sense; they are compromised hosts acting as a botnet, and the attempts are spread so thinly across them that blocking individual IPs does not help much.
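An added example (not code from the original post) of what the distribution of such an attack looks like in the web server's own logs, assuming the standard WordPress login endpoint wp-login.php and Apache's combined log format. A failed login POST makes WordPress re-render the form with HTTP 200, while a successful login redirects with 302, so status 200 on a POST to wp-login.php marks a failure. The log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: count failed WordPress
# login attempts in Apache combined-format access-log lines and show how
# they are spread across source addresses. A failed POST to wp-login.php
# re-renders the form with HTTP 200; a successful login redirects with 302.

# Constructed sample log lines (not real traffic). The 302 line is a
# successful login and must not be counted as an attack; the GET is noise.
SAMPLE_LOG='203.0.113.10 - - [12/Apr/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:03 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Apr/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2013:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2013:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.14 - - [12/Apr/2013:10:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"'

# Print the source address of every failed login POST read from stdin.
# Combined-format fields: $1 client, $6 "METHOD, $7 path, $9 status.
failed_wp_logins() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { print $1 }'
}

# Total number of failed attempts.
count_failed_attempts() {
    failed_wp_logins | awk 'END { print NR }'
}

# Number of distinct source addresses behind those attempts.
count_distinct_sources() {
    failed_wp_logins | sort -u | awk 'END { print NR }'
}

# Sources with more than $1 failures: the only ones a per-IP block rule
# (fail2ban style, blocking after N failures) would ever catch.
sources_over_threshold() {
    failed_wp_logins | sort | uniq -c | awk -v n="$1" '$1 > n { print $2 }'
}

# Demo on the constructed sample: six failures spread over five addresses,
# none of which crosses a threshold of three failures.
attempts=$(printf '%s\n' "$SAMPLE_LOG" | count_failed_attempts)
sources=$(printf '%s\n' "$SAMPLE_LOG" | count_distinct_sources)
blocked=$(printf '%s\n' "$SAMPLE_LOG" | sources_over_threshold 3 | awk 'END { print NR }')
printf 'failed attempts: %s\ndistinct sources: %s\nsources a 3-failure block rule would catch: %s\n' \
    "$attempts" "$sources" "$blocked"
```

Per-IP blocking catches nothing here because no single address repeats often enough. What does work is restricting the login endpoint itself: allow wp-login.php only from your own addresses with an Apache <Files wp-login.php> block (Order deny,allow, Deny from all, Allow from your address, in Apache 2.2 syntax), put HTTP Basic authentication in front of it, or rate-limit POSTs to it globally rather than per source.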

If you need any assistance in blocking these attacks, please submit a 1x Hour of Support plan and we will help you right away!

Don’t hesitate to contact us if you have any questions or need further assistance.

New Parallels Plesk Panel privilege escalation vulnerabilities have been disclosed (VU#310500; CVE-2013-0132 and CVE-2013-0133):

  • Plesk’s /usr/sbin/suexec binary (the binary may be present in additional locations, always with suexec in the filename) always allows the binary cgi-wrapper to be executed, bypassing the restrictions on the ownership of the file to be called. Since cgi-wrapper’s function is to execute a PHP script based on environment variables, and suexec does not sanitize those environment variables, this allows execution of arbitrary PHP code as any user ID above a minimum value that is hard-coded in the setuid binary. (CVE-2013-0132)
  • The program /usr/local/psa/admin/sbin/wrapper allows the user psaadm to execute various administrative scripts with root privileges. Some of these scripts call external programs without specifying the full path. By supplying a malicious PATH environment variable, an attacker can make the administrative scripts call a program of their own instead of the intended system program. (CVE-2013-0133)

Parallels Plesk Panel versions 9.x to 11.x running Apache with mod_php, mod_perl, mod_python or similar modules are vulnerable to privilege escalation by authenticated users, that is, anyone who has a login to Parallels Plesk Panel, such as your customers, resellers or employees.
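To make the PATH problem behind CVE-2013-0133 concrete, here is an added example (not code from the original post or from Parallels) of the bug class: a generic privileged task that calls a helper program by bare name, beside a hardened version that resets PATH first. It runs in a temporary directory as an ordinary user with a fake uname standing in for the hijacked helper; it does not touch Plesk's wrapper or any setuid binary.

```shell
#!/bin/sh
# Added example, not code from the original post or from Parallels: a generic
# illustration of the bug class behind CVE-2013-0133, a privileged script
# resolving helper programs through the caller's PATH. Everything runs in a
# temporary directory as an unprivileged user; no setuid binary is involved
# and uname is only a stand-in for the helpers Plesk's scripts call.

# Vulnerable pattern: the helper is found through whatever PATH the caller
# handed over, so the caller decides which "uname" actually runs.
vulnerable_admin_task() {
    uname -s
}

# Hardened pattern: reset PATH to trusted system directories before calling
# anything. Using absolute paths (/bin/uname) is an equally valid fix.
hardened_admin_task() {
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    uname -s
}

# Build an attacker-controlled directory holding a fake uname that announces
# itself, run both variants with that directory first in PATH, and print
# what each one executed. Each variant runs in a subshell so the tainted
# PATH never leaks into the rest of the script.
run_demo() {
    evil_dir=$(mktemp -d)
    printf '#!/bin/sh\necho HIJACKED\n' > "$evil_dir/uname"
    chmod 755 "$evil_dir/uname"
    vuln=$(PATH="$evil_dir:$PATH"; export PATH; vulnerable_admin_task)
    safe=$(PATH="$evil_dir:$PATH"; export PATH; hardened_admin_task)
    rm -rf "$evil_dir"
    printf 'vulnerable=%s\nhardened=%s\n' "$vuln" "$safe"
}

run_demo
```

The vulnerable variant prints HIJACKED, the hardened one prints the real kernel name. Resetting PATH is the same idea sudo applies with its env_reset default; a wrapper that runs as root on behalf of a less privileged user should never trust the environment it was started with.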

Patching the server with the latest micro-updates (MUs) is mandatory.

We highly suggest purchasing our Full Security Audit plan so that we can update and patch the server and confirm it has not been compromised.

Should you have further questions, please don’t hesitate to contact our Customer Support Team, available 24/7!

A new SSHD rootkit has been circulating for a few days; it appears to affect mostly RHEL/CentOS servers.

Servers running cPanel, Plesk, Virtualmin and DirectAdmin are affected as well.
 
During a security audit of one of the compromised servers we found that the rootkit drops its files in /lib64 and /lib; the main file is named libkeyutils.so.1.9.

It repoints the /lib64/libkeyutils.so.1 symlink (and /lib/libkeyutils.so.1 where present) at that library, so every program that links against libkeyutils, sshd included, loads the rootkit’s code.

We believe this library steals passwords, SSH keys and /etc/shadow from the server. It also serves as a backdoor that gives access to the server through a different port, and it hooks the server’s authentication so that logins through this backdoor leave no trace in the auth logs or in command history.

The intruder ends up with full root access. Installing a library in /lib64 and repointing the symlink already requires root, so root was obtained before the rootkit went in, either through stolen root credentials or through a privilege-escalation exploit; the exact vector is not yet known.
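As an added example (not part of the original post and not its hosted check script), the following shell functions inspect a library directory for the indicators described above: the libkeyutils.so.1 symlink pointing at libkeyutils.so.1.9 and the presence of that file. The two fixture directories it builds are constructed for the demonstration; on a real server you would call check_keyutils_dir on /lib64 and /lib, and check_keyutils_ownership adds an rpm ownership test that only makes sense on a real RPM-based system.

```shell
#!/bin/sh
# Added example, not the original post's check script: inspect a library
# directory for the indicators described above, the libkeyutils.so.1 symlink
# pointing at libkeyutils.so.1.9 and the presence of that file. The fixture
# directories below are constructed so the check can run offline; on a real
# server call:  check_keyutils_dir /lib64; check_keyutils_dir /lib

# Print the target of DIR/libkeyutils.so.1, or nothing if it is no symlink.
keyutils_link_target() {
    if [ -L "$1/libkeyutils.so.1" ]; then
        readlink "$1/libkeyutils.so.1"
    fi
}

# Report the indicators for one library directory: one line per finding,
# exit status 0 when anything suspicious was found, 1 when clean.
check_keyutils_dir() {
    dir=$1
    found=1
    target=$(keyutils_link_target "$dir")
    case "$target" in
        *libkeyutils.so.1.9)
            echo "$dir/libkeyutils.so.1 -> $target (known rootkit library name)"
            found=0 ;;
    esac
    if [ -e "$dir/libkeyutils.so.1.9" ]; then
        echo "$dir/libkeyutils.so.1.9 exists"
        found=0
    fi
    return $found
}

# Real-server complement (not used by the offline demo): the distribution's
# libkeyutils belongs to the keyutils-libs RPM, a dropped-in file belongs to
# no package. Exit status 0 when the link target is packaged, 1 otherwise.
check_keyutils_ownership() {
    target=$(keyutils_link_target "$1")
    [ -n "$target" ] || return 1
    case "$target" in /*) real=$target ;; *) real=$1/$target ;; esac
    rpm -qf "$real" >/dev/null 2>&1
}

# Constructed fixtures: a clean layout, where the link points at the
# distribution's own versioned library (libkeyutils.so.1.3 is a stand-in
# name here), and an infected one matching the indicators above.
make_fixture() {
    d=$(mktemp -d)
    : > "$d/libkeyutils.so.1.3"
    if [ "$1" = infected ]; then
        : > "$d/libkeyutils.so.1.9"
        ln -s libkeyutils.so.1.9 "$d/libkeyutils.so.1"
    else
        ln -s libkeyutils.so.1.3 "$d/libkeyutils.so.1"
    fi
    echo "$d"
}

# Demo over both fixtures.
for kind in clean infected; do
    fx=$(make_fixture "$kind")
    if check_keyutils_dir "$fx"; then
        echo "$kind fixture: SUSPICIOUS"
    else
        echo "$kind fixture: clean"
    fi
    rm -rf "$fx"
done
```

A file-name match is only the first indicator; a later variant could pick another name, which is why the ownership check (rpm -qf, or rpm -V keyutils-libs to verify the package's files) belongs in any real audit.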

You can see whether your server is infected by running the following script (as with any script fetched over the network, we recommend saving it to a file and reading it before executing it as root rather than piping it straight into sh):

# wget -qq -O - http://www.serverbuddies.com/files/libkeyutilscheck.sh | sh

We strongly encourage customers whose servers the script reports as compromised to submit a 1x Hour of Support. Treat such a server as fully compromised: rotate every password and SSH key that was used on or from it, and plan to rebuild it from a clean install rather than trying to remove the rootkit in place.

Don’t hesitate to contact our Support Team for any inquiry you may have!

Summary

A remote code execution vulnerability exists in Exim versions between 4.70 and 4.80, inclusive. Exim is the mail transfer agent used by cPanel & WHM.

Security Rating

This vulnerability has been rated as Critical[1] by the cPanel Security team.

Description

A remote code execution flaw in Exim was discovered during an internal audit performed by the Exim developers[2]. It may lead to arbitrary code execution with the privileges of the user running the Exim daemon; in some circumstances this may lead to privilege escalation.

The vulnerability is tied to the DKIM support introduced in Exim 4.70. It has been assigned CVE-2012-5671[3].

The following Exim RPMs, as distributed by cPanel, Inc. are known to be vulnerable:

* exim-4.76-1
* exim-4.77-0
* exim-4.77-1
* exim-4.80-0
* exim-4.80-1

These RPMs were shipped as part of cPanel & WHM versions 11.32 and 11.34.
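An added example (not from the cPanel advisory or the original post) that turns the affected range into a check: it strips an RPM name such as exim-4.80-1 down to the upstream version and compares it numerically against 4.70 and 4.80, so that 4.80.1, the release containing the fix, is correctly reported as not affected. The package names in the demo are constructed inputs; on a live server feed it the output of rpm -q exim.

```shell
#!/bin/sh
# Added example, not from the cPanel advisory or the original post: decide
# from an installed Exim package or version string whether it falls in the
# affected range 4.70 to 4.80 inclusive (CVE-2012-5671). The package names
# in the demo are constructed inputs; on a live cPanel server use:
#   exim_vulnerable "$(rpm -q exim)" && echo "patch now"

# Reduce "exim-4.80-1" (RPM name-version-release) to the upstream version
# "4.80"; a bare version such as "4.80.1" passes through unchanged.
exim_version() {
    printf '%s\n' "$1" | sed -e 's/^exim-//' -e 's/-[0-9][0-9A-Za-z.]*$//'
}

# Compare two dotted versions component by component as numbers, so that
# 4.80.1 sorts after 4.80 (a plain string comparison would get this wrong).
# Prints -1, 0 or 1 for a<b, a=b, a>b.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# Exit status 0 (true) when the version lies within the vulnerable range.
exim_vulnerable() {
    v=$(exim_version "$1")
    [ "$(vercmp "$v" 4.70)" -ge 0 ] && [ "$(vercmp "$v" 4.80)" -le 0 ]
}

# Demo over constructed package names, including the fixed 4.80.1 release.
for pkg in exim-4.69-1 exim-4.76-1 exim-4.80-1 exim-4.80.1-1; do
    if exim_vulnerable "$pkg"; then
        echo "$pkg: VULNERABLE (CVE-2012-5671)"
    else
        echo "$pkg: not affected"
    fi
done
```

The version check tells you whether to hurry; it does not replace the patch. The flaw sits in Exim's DKIM code, so a server that is behind on updates stays exposed to any message that reaches its DKIM verification path.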

Solution

Contact us at info@serverbuddies.com to have your Exim patched with the latest security fixes (the fix is contained in Exim 4.80.1 and in the updated Exim RPMs distributed by cPanel) and to run a Full Security Audit on your server.

Password Aging under Red Hat Enterprise Linux

Password aging is another technique used by system administrators to defend against bad passwords within an organization. Password aging means that after a specified period (usually 90 days), the user is prompted to create a new password. The theory behind this is that if a user is forced to change his password periodically, a cracked password is only useful to an intruder for a limited amount of time. The downside to password aging, however, is that users are more likely to write their passwords down.

There are two primary programs used to specify password aging under Red Hat Enterprise Linux: the chage command or the graphical User Manager (system-config-users) application. The -M option of the chage command specifies the maximum number of days the password is valid. For example, to set a user’s password to expire in 90 days, use the following command:

chage -M 90 [username]

In the above command, replace [username] with the name of the user. To disable password expiration, it is traditional to use a value of 99999 after the -M option (this equates to a little over 273 years). You can also use the chage command in interactive mode to modify multiple password aging and account details at once. Use the following command to enter interactive mode:

chage [username]

The following is a sample interactive session using this command:

[root@buddy ~]# chage buddy
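An added example, not from the Red Hat documentation quoted above, showing what chage -M 90 actually writes and how to audit it: the maximum age goes into the fifth field of /etc/shadow and the third field holds the day of the last password change (in days since 1970-01-01), so a report can recompute each account's expiry from those two fields. The shadow records below are constructed with fake hashes; on a real system run aging_report "$(today_days)" < /etc/shadow as root.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation quoted above: audit
# password aging straight from /etc/shadow-format records. chage -M writes
# the maximum age into field 5 of /etc/shadow and field 3 holds the day of
# the last password change, counted in days since 1970-01-01, so the expiry
# can be recomputed from those two fields. The records below are
# constructed (fake hashes); on a real system, as root, run:
#   aging_report "$(today_days)" < /etc/shadow

# Constructed sample records. "buddy" is what "chage -M 90 buddy" produces
# for an account whose password last changed on day 15780.
SAMPLE_SHADOW='root:$6$fakehash$abc:15800:0:99999:7:::
buddy:$6$fakehash$def:15780:0:90:7:::
alice:$6$fakehash$ghi:15700:0:90:7:::
svc-backup:!!:15600:0:99999:7:::
noage:$6$fakehash$jkl:15800::::::'

# Today as days since the epoch, the unit chage and /etc/shadow use.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# One line per account: "<user> <state> [<days left>]". States are
# locked (no usable hash), no-aging (empty or 99999 maximum), expired, ok.
# $1 is the day number to evaluate against (today_days on a live system).
aging_report() {
    awk -F: -v today="$1" '
        NF < 5 { next }
        $2 ~ /^[!*]/ { print $1, "locked"; next }
        $5 == "" || $5 == 99999 { print $1, "no-aging"; next }
        {
            left = $3 + $5 - today
            if (left < 0) print $1, "expired", left
            else print $1, "ok", left
        }'
}

# Accounts whose password never expires: the ones an auditor wants listed.
accounts_without_aging() {
    aging_report "$1" | awk '$2 == "no-aging" { print $1 }'
}

# Demo against the constructed records, evaluated on day 15800 (a 2013
# date chosen to match the sample data).
printf '%s\n' "$SAMPLE_SHADOW" | aging_report 15800
```

Because the maximum age is applied relative to the last-change day, running chage -M 90 on an account whose password last changed more than 90 days ago expires it immediately, as the alice record shows. In practice combine it with -W (days of warning before expiry) and -m (minimum days between changes), for example chage -M 90 -m 1 -W 14 username, and confirm the result with chage -l username.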
