Hackers broke into a server at cPanel.net, the creator and vendor of the cPanel web hosting control panel for Linux, BSD and Windows servers, and went on to install SSH rootkits and compromised OpenSSH packages on customer systems. After discovering the attack, the company initially emailed its customers last week, asking them to change their administrator passwords.
A later mailing gave further details of what had happened and how customer systems were affected. A proxy system was compromised in the technical support department; the machine was intended to provide a layer of security between the company’s workstations and customers’ servers when support staff were logging into them. That proxy system was apparently broken into by an attacker who had already hacked a single workstation in the technical support department. cPanel says: “There is no evidence that any sensitive customer data was exposed and there is no evidence that the actual database was compromised”.
The company does not address speculation that it fell victim to SSH-abusing Linux rootkits, but it does advise administrators to check their systems for either of two such rootkits. One, as previously reported, uses a trojanised libkeyutils library; the other replaces the OpenSSH binaries sshd, ssh, ssh-keygen and ssh-askpass with versions containing trojan code. The company offers a page at http://go.cpanel.net/checkyourserver with instructions on how to check for the trojaned SSH components.
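For the check the article points administrators to, here is an added example (not the script from cPanel's check page) that verifies the four OpenSSH binaries named above, plus the libkeyutils library that sshd actually loads, against the distribution's package database. It assumes a Linux host with rpm or dpkg and an sshd that pulls in libkeyutils through its Kerberos libraries (true of most distribution builds); an `UNOWNED` verdict on a resolved library path is what a dropped-in replacement looks like.

```shell
#!/bin/sh
# Added defender-side check (not cPanel's checkyourserver script): confirm that
# the OpenSSH binaries and the libkeyutils sshd loads still match what the
# package manager installed. Needs rpm (RHEL/CentOS) or dpkg (Debian/Ubuntu).
PATH="$PATH:/usr/sbin:/sbin"

# Filter `rpm -V` / `dpkg -V` output down to paths whose contents changed:
# 9 flag columns, a space, an optional attribute letter, then the path.
# 'S' (col 1) = size, '5' (col 3) = digest mismatch, 'missing' = deleted.
# Config files ('c') and timestamp-only changes are expected and skipped.
changed_paths() {
  while IFS= read -r line; do
    case "$line" in
      *" c /"*) ;;
      missing*|S*|??5*) printf '%s\n' "${line##* }" ;;
    esac
  done
}

# Verify one file against its owning package; returns 1 if it is modified,
# missing or unowned. Symlinks are resolved first so a repointed .so link
# shows up as an unowned target rather than an untouched link.
verify_file() {
  f=$(readlink -f "$1")
  if command -v rpm >/dev/null 2>&1; then
    pkg=$(rpm -qf "$f" 2>/dev/null) || { echo "UNOWNED  $f"; return 1; }
    report=$(rpm -V "$pkg" | changed_paths)
  elif command -v dpkg >/dev/null 2>&1; then
    pkg=$(dpkg -S "$f" 2>/dev/null | cut -d: -f1)
    [ -n "$pkg" ] || { echo "UNOWNED  $f"; return 1; }
    report=$(dpkg -V "$pkg" 2>/dev/null | changed_paths)
  else
    echo "neither rpm nor dpkg available" >&2; return 2
  fi
  if printf '%s\n' "$report" | grep -Fxq -- "$f"; then echo "MODIFIED $f ($pkg)"; return 1; fi
  echo "ok       $f ($pkg)"
}

# The four binaries the advisory names, then the libkeyutils that sshd really
# loads (assumed to come in through its Kerberos libraries, as on most builds).
main() {
  rc=0
  for name in sshd ssh ssh-keygen ssh-askpass; do
    f=$(command -v "$name" 2>/dev/null) || continue
    verify_file "$f" || rc=1
  done
  sshd=$(command -v sshd 2>/dev/null) || return "$rc"
  lib=$(ldd "$sshd" 2>/dev/null | awk '/libkeyutils/ { print $3; exit }')
  [ -z "$lib" ] || verify_file "$lib" || rc=1
  return "$rc"
}
main "$@"
```

Run it as root so the package database and sshd are readable; a non-zero exit means at least one file did not verify.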
cPanel has also announced that it is completely reworking the way it accesses customer servers in order to “reduce the risk of this type of sophisticated attack”. This will involve generating a unique SSH key for each new support ticket, along with the ability to authorise and de-authorise those keys when a ticket is submitted. When a technical support staff member connects to a customer system, they will do so with a single-use username and password generated by the cPanel WebHost Manager. The company also plans further “behind the scenes” changes and hopes soon to implement a system in which technical support personnel do not need to see any customer passwords when handling an issue.