If you have ever hosted your website on a server or virtual private server, then chances are pretty high that you once used, or currently use, cPanel. cPanel is a graphical web-based control panel that helps site owners and administrators quickly and easily manage their website and hosting account. It's an awesome tool that interfaces with your server to help you perform once-difficult tasks such as creating databases, managing website files, and setting up email accounts. Unfortunately, hackers broke into a proxy server used by cPanel, Inc.'s technical support department, and now there are concerns that a trojan may have spread onto your server.
Here is what cPanel knows about the security exploit of their systems:
cPanel has provided documentation on how to determine your system's own status and encourages system administrators to check the status of their own servers.
Regretfully, cPanel's support department has experienced a security issue. Two types of compromises have been detected: one involves compromised RPMs in the OpenSSH binaries; the second involves libkeyutils. In both cases, files contained within the directories or binaries were "trojaned." We highly encourage system administrators to read this document to determine the status of their system. If you experience any issues while you perform these commands, please contact Tech Support for assistance.
As the above excerpt implies, cPanel has determined that some systems were compromised with "trojaned" OpenSSH binaries, and those binaries appear to contain the Ebury trojan. On CentOS and RedHat systems, cPanel has determined that the sshd, ssh, ssh-keygen, and ssh-askpass binaries all appear to contain trojan code that collects authentication credentials for both inbound and outbound connections. cPanel's security team also believes that SSH keys generated by these binaries were captured. If, after following the steps in cPanel's documentation, you determine that your system has been compromised, you are highly encouraged to contact cPanel's technical support.
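The advisory names specific OpenSSH binaries on RPM-based systems, so the first thing a practitioner wants is a repeatable way to see whether the installed OpenSSH files still match what the package manager recorded. The script below is an added example, not cPanel's documented procedure and not code from cPanel or this site. It parses the output of `rpm -V` (which prints one line per file that deviates from the RPM database; a "5" in the third flag column means the file's digest changed) and reports modified or missing non-config files. The `rpm -V` output it parses here is constructed sample text, and the RHEL/CentOS 6 file paths in it are an assumption. One caveat: a clean `rpm -V` result is not proof of a clean host, because malware with root access can also tamper with the RPM database, so treat this as one signal alongside cPanel's own checks.

```shell
#!/bin/sh
# Added example (not cPanel's documented procedure): flag OpenSSH files whose
# on-disk content no longer matches the installed RPM.
#
# rpm -V prints one line per file that differs from the package database, e.g.
#   "S.5....T.    /usr/sbin/sshd"   -> size, MD5 digest and mtime all differ
#   "S.5....T.  c /etc/ssh/sshd_config" -> a config file ("c"), expected to differ
#   "missing     /usr/libexec/openssh/ssh-keysign" -> file deleted
# The third character of the flag string is the digest test; a "5" there means
# the file content changed, which is what a replaced binary looks like.

# Constructed sample of rpm -V output (assumption: RHEL/CentOS 6 file layout).
# This is NOT real output from any cPanel server.
SAMPLE_RPM_V='S.5....T.    /usr/sbin/sshd
S.5....T.    /usr/bin/ssh-keygen
S.5....T.    /usr/bin/ssh
.......T.    /usr/bin/ssh-add
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/libexec/openssh/ssh-keysign'

# Read rpm -V output on stdin; print "MODIFIED <path>" for every non-config
# file whose digest changed and "MISSING <path>" for every deleted file.
flag_digest_mismatches() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Split the line into flag string, optional file-type marker, path.
        set -- $line
        flags=$1
        if [ "$flags" = "missing" ]; then
            # A deleted binary is also a deviation from the package.
            printf 'MISSING %s\n' "$2"
            continue
        fi
        # Config files ("c" marker) legitimately differ from the RPM; skip them.
        [ "$2" = "c" ] && continue
        case "$flags" in
            ??5*) printf 'MODIFIED %s\n' "$2" ;;
        esac
    done
}

# Given rpm -V output as a string, return how many of the binaries named in
# the advisory (sshd, ssh, ssh-keygen, ssh-askpass) were flagged as modified.
count_flagged_ssh_binaries() {
    printf '%s\n' "$1" | flag_digest_mismatches \
        | grep -cE '^MODIFIED .*/(sshd|ssh|ssh-keygen|ssh-askpass)$'
}

# Usage on a live RHEL/CentOS host (assumption: the openssh packages are
# installed and the rpm database itself is trusted):
#   rpm -V openssh openssh-server openssh-clients | flag_digest_mismatches
# Any MODIFIED line for sshd, ssh, ssh-keygen or ssh-askpass should be treated
# as a compromise until proven otherwise: reinstall OpenSSH from a trusted
# mirror and rotate every password and SSH key that passed through the host.
```

Running the sample through `count_flagged_ssh_binaries "$SAMPLE_RPM_V"` reports 3, since sshd, ssh-keygen and ssh have changed digests, ssh-add differs only in mtime, sshd_config is a config file, and ssh-keysign is reported as missing rather than modified.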
At this point, you may be asking yourself whether you should continue hosting your server with cPanel or switch to one of cPanel's competitors, given the report of this security exploit. While one always wants to be cautious about security risks, I usually calm people's fears by pointing out that, in most cases, I am less worried about a company that reports a security vulnerability than about the companies that report no security threats to their customers. In other words, as long as cPanel addresses security issues promptly, I wouldn't let this episode be the reason to migrate away from cPanel to an alternative control panel. More importantly, cPanel's technical support department appears to be adequately addressing the issue.
cPanel, Inc. has restructured the process used to access customer servers to significantly reduce the risk of this type of sophisticated attack in the future. They have also been working on implementing multiple changes to their internal support systems and procedures as outlined below.
cPanel’s Internal Development Team has also been working on an automated solution with the end goal of eliminating the need for our Technical Analysts to view any passwords a customer provided during the ticket submission process. cPanel, Inc. is testing this solution and hopes to have it fully implemented in the next few days.
Bryan Ruby is the owner and editor for CMS Report. He founded CMSReport.com in 2006 on the belief that information technologists, website owners, and web developers desired visiting sites where they could learn about content management systems without the sales pitch. Besides this site, you can follow Bryan at Google+ and Twitter.