Run cPanel On Your CMS Server? Verify Your Server Wasn't Compromised

If you have ever hosted your website on a server or virtual private server, chances are high that you have used, or are currently using, cPanel. cPanel is a graphical web-based control panel that helps site owners and administrators quickly and easily manage their website and hosting account. It's an awesome tool that interfaces with your server to help you perform once-difficult tasks such as creating databases, managing website files, and setting up email accounts. Unfortunately, hackers broke into a proxy server used by cPanel, Inc.'s technical support department, and now there are concerns that a trojan may have spread onto your server.

Here is what cPanel knows about the security exploit of their systems:

  • The proxy machine compromised in this incident was, at the time, utilized to access customer servers by some of cPanel's Technical Analysts. Its intent was to provide a layer of security between local & remote workstations and customer servers.
  • This proxy machine was compromised by a malicious third-party by compromising a single workstation used by one of cPanel's Technical Analysts.
  • Only a small group of cPanel's Technical Analysts uses this particular machine for logins.
  • There is no evidence that any sensitive customer data was exposed and there is no evidence that the actual database was compromised.

cPanel has provided documentation on how to determine your system's own status and encourages system administrators to check the status of their own servers.

Regretfully, cPanel support department has experienced a security issue. Two types of compromises have been detected. One involves compromised RPMs in the OpenSSH binaries. The second type involves libkeyutils. In both cases, files contained within the directories or binaries were "trojaned." We highly encourage system administrators to read this document to determine the status of their system. If you experience any issues while you perform these commands, please contact Tech Support for assistance.

As the above excerpt implies, cPanel has determined that some systems were compromised with "trojaned" OpenSSH binaries. The OpenSSH binaries appear to contain the Ebury trojan. On CentOS and RedHat systems, cPanel has determined that the sshd, ssh, ssh-keygen, and ssh-askpass binaries all appear to contain trojan code. This code is used to collect authentication credentials for both inbound and outbound connections. cPanel's security team also believes that the SSH keys generated by these binaries were captured. If, following the steps in cPanel's documentation, you determine your system has been compromised, you are highly encouraged to contact cPanel's technical support.
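As an added example (not taken from cPanel's documentation, which this article does not reproduce), the script below triages `rpm -V` output for the OpenSSH binaries named above and reports non-config files that are missing or whose digest no longer matches the RPM database. The package names in the comment, the `flag_modified` and `sample_output` function names and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage `rpm -V` output for the OpenSSH packages.
# Line format: <flags> [attr] <path>. A "5" in the flags means the file's
# digest differs from the RPM database; "missing" means the file is gone.

# Read `rpm -V` output on stdin and print one finding per suspicious file.
# Config files (attr marker "c") are skipped because admins edit them locally.
flag_modified() {
    awk '
        NF < 2               { next }    # blank or unparseable line
        NF >= 3 && $2 == "c" { next }    # config file, expected to change
        $1 == "missing"      { print "MISSING " $NF; next }
        $1 ~ /5/             { print "DIGEST  " $NF }
    '
}

# Constructed sample output (not captured from a real host).
sample_output() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/sbin/sshd
.......T.    /usr/bin/ssh-keygen
missing      /usr/bin/ssh
EOF
}

# On a live CentOS/RedHat host (package names are assumptions):
#   rpm -V openssh openssh-server openssh-clients openssh-askpass \
#          keyutils-libs | flag_modified
if [ "${1:-}" = "--demo" ]; then
    sample_output | flag_modified
fi
```

An empty result does not prove a host is clean: a file installed from a tampered RPM matches that package's own digests, and an attacker with root can alter the RPM database, so also confirm that the installed packages carry a valid vendor signature and follow cPanel's documentation.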

At this point, you may be asking yourself if you should continue hosting your server with cPanel or switch over to one of cPanel's competitors given the report of this security exploit. While one always wants to be cautious over security risks, I usually calm people's fears by stating that in most cases I'm not worried when a company reports a security vulnerability as much as I worry about the companies that report no security threats to their customers. In other words, as long as cPanel addresses security issues promptly I wouldn't let this episode be the reason to migrate away from cPanel to an alternative control panel. More importantly, cPanel's technical support department appears to be adequately addressing the issue.

cPanel, Inc. has restructured the process used to access customer servers to significantly reduce the risk of this type of sophisticated attack in the future. They have also been working on implementing multiple changes to their internal support systems and procedures as outlined below.

  • cPanel's system will now generate and provide users with a unique SSH key for each new support ticket submitted.
  • They are providing tools to authorize and de-authorize SSH keys and instructions on how to use them whenever users submit a ticket.
  • The system will generate a single-use username and password credentials for accessing WebHost Manager that are only valid while cPanel's staff is logged into a user's server.

cPanel’s Internal Development Team has also been working on an automated solution with the end goal of eliminating the need for its Technical Analysts to view any passwords a customer provided during the ticket submission process. cPanel, Inc. is testing this solution and hopes to have it fully implemented in the next few days.