General

New cxs v2.87

Changes:
– Improvements to the main decoder regex
– Reverted to using temporary files during PHP file decoding due to a major bug in PHP v5.4.* which produces “Ran out of opcode space!” in interactive mode
– Exploit regex definitions database additions
– Exploit fingerprint definitions database additions

WHM/cPanel v11.36 in RELEASE

cPanel v11.36 has now entered the RELEASE tree and you will notice that most of your addon perl scripts fail. You can resolve this easily with our addons by reinstalling them. We have provided a simple script, which we posted previously, that can do this for you. This has to be done regardless of whether you are running the latest versions:
This script will update: cmm, cmc, cmq, cse, csf, cxs, msinstall, msfe
Only those scripts that are already installed will be updated. Those that are updated are updated regardless of whether the installed version is the same as or older than the one available.
To use this method you must be logged into root via SSH to the server and then run:
curl -s configserver.com/free/csupdate | perl
You should take care to read through the output to ensure that all the upgrades have worked as expected.

New csf v6.01

Changes:
– Ensure all binaries are called with their full paths for the scheduled Server Security Check reports
– Allow csf -u/-uf/--update and -c/--check when csf is disabled
– Make RT_* checks IPv6 compatible
– Added dns query caching for ip lookups during lfd process lifetime
– Modify TOR rule loading to use FASTSTART in lfd if enabled
– Added iptables locking to FASTSTART code
– LF_INTERVAL now defaults to 3600 on new installations to better cope with slow brute force login attempts
– Removed references to .cpanel.net being ignored from the changelog as they no longer apply and could cause confusion
– Fix csf.rignore loader regex causing unnecessary DNS lookups if file has no entries
– Added “DEFERRED” login failure checking to CPANEL_LOG regex

New csf v6.00

Changes:
– Major new option – FASTSTART:
This option uses IPTABLES_SAVE, IPTABLES_RESTORE and IP6TABLES_SAVE, IP6TABLES_RESTORE in two ways:
1. On a clean server reboot the entire csf iptables configuration is saved and then restored, where possible, to provide a near instant firewall startup[*] during the boot sequence
2. On csf restart or lfd reloading tables, CC_* as well as SPAMHAUS, DSHIELD, BOGON, TOR are loaded using this method in a fraction of the time taken when this setting is disabled
[*] Not supported on all OS platforms
FASTSTART allows for very quick startup at reboot and during uptime. If the Country Code blocking options (CC_*) are used, their tables are loaded by csf and lfd almost instantly, compared to many minutes for large countries previously
FASTSTART is enabled on new installations (or those in TESTING mode). Existing installations will need to enable it manually
Other Changes:
– Improvements to csf and lfd init routines
– LF_QUICKSTART renamed to LFDSTART, setting value preserved
– Fixed a problem with scheduled Server Security Check reports
– Crypt::CBC upgraded to v2.32

SSHD rootkit, cPanel affected

As a follow-up to the previous post, it has now been confirmed that there is an SSHD rootkit in the wild that spreads itself if you ssh from an infected server to another. The details are explained in this article, which summarises the webhostingtalk thread:
http://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
Unfortunately, cPanel is a victim of this malware and their workstation(s) have been infected leading to possible infection of client servers:

Salutations,
You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with “sudo” or “su” for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.
As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel's security team is continuing to investigate the nature of this security issue.
–cPanel Security Team

We would recommend (as we do on our helpdesk) that you change your root passwords immediately after any third party has accessed your server. Additionally, to those affected, please remember that you cannot “clean” this infection: you must reinstall your OS and restore user accounts from backups.

New csf v5.79

Changes:
– Modified csf error routine to store failing error in csf.error and display an instructional message
– Check for libkeyutils-1.2.so.2 in LF_EXPLOIT option SSHDSPAM
– Modified the Server Report proxysubdomains check on cPanel servers
– Added new options CC_DENY_PORTS, CC_DENY_PORTS_TCP, CC_DENY_PORTS_UDP. This feature denies access from the countries listed in CC_DENY_PORTS to the listed TCP/UDP ports. For example, using this, FTP access (port 21) could be blocked for only the specified countries

New csf v5.78

Changes:
– Due to issues that some are experiencing with the switch from the state to the conntrack module, a new setting USE_CONNTRACK has been added. It is disabled by default, except on new installations on servers running kernel 3.7+, where it will be enabled

New csf v5.77

Changes:
– Add an exception for the useless Virtuozzo kernel's iptables implementation so that csf uses the deprecated state module instead of conntrack

New csf v5.76

Changes:
– Only add the /128 IPv6 bound address per NIC instead of the whole /64 to the local IPv6 addresses
– Modify SSHD and SU regexes to allow for empty hostname field in log file
– Added new option UNBLOCK_REPORT. This option will run an external script when a temporary block is unblocked
– Additional entries in csf.logignore on new installations
– Switched from using the iptables state module to using the conntrack module in preparation for the former's obsolescence
– Removed LF_EXPLOIT_CHECK and replaced it with LF_EXPLOIT_IGNORE so that new tests can be easily added and then ignored as desired
– Added new LF_EXPLOIT check SSHDSPAM to check for the existence of /lib64/libkeyutils.so.1.9 or /lib/libkeyutils.so.1.9. See:
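The SSHDSPAM check added in v5.76 and extended in v5.79 looks for the libkeyutils files named above. As an added example (not csf's own code), here is a stand-alone POSIX sh check for the same paths; the ROOT argument and the /lib and /lib64 locations assumed for libkeyutils-1.2.so.2 are this example's assumptions, so it can also be pointed at a mounted disk image or a test directory.

```shell
#!/bin/sh
# Added example, not part of csf: report the libkeyutils file names that the
# csf LF_EXPLOIT SSHDSPAM test looks for (see the v5.76 and v5.79 changelogs).
# The /lib and /lib64 locations for libkeyutils-1.2.so.2 are an assumption of
# this example; the page names only the file.
SSHDSPAM_PATHS="/lib64/libkeyutils.so.1.9 /lib/libkeyutils.so.1.9 \
/lib64/libkeyutils-1.2.so.2 /lib/libkeyutils-1.2.so.2"

# check_sshdspam [ROOT]
# Prints every listed path that exists under ROOT (default: the live system
# root), one per line. Returns 0 when nothing was found, 1 otherwise.
check_sshdspam() {
    root="${1:-}"
    found=0
    for p in $SSHDSPAM_PATHS; do
        if [ -e "${root}${p}" ]; then
            echo "${root}${p}"
            found=1
        fi
    done
    return $found
}

# When run directly, scan the live system and print a verdict.
if [ -z "${SSHDSPAM_NO_RUN:-}" ]; then
    if check_sshdspam ""; then
        echo "no libkeyutils indicators found"
    else
        echo "WARNING: suspicious libkeyutils file(s) listed above"
    fi
fi
```

A hit is an indicator, not proof: confirm whether the file belongs to the distribution's keyutils package (for example with `rpm -qf` and `rpm -V` on RPM systems) before treating the server as compromised, and remember that the post above says an infected server must be reinstalled rather than cleaned.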