cPanel

WHM/cPanel v11.36 in RELEASE

cPanel v11.36 has now entered the RELEASE tree, and you will notice that most of your addon Perl scripts fail. You can resolve this easily with our addons by reinstalling them. We have provided a simple script that can do this for you, which we posted previously. This has to be done regardless of whether you are running the latest versions:
This script will update: cmm, cmc, cmq, cse, csf, cxs, msinstall, msfe
Only those scripts that are already installed will be updated. Those that are updated are reinstalled regardless of whether the installed version is the same as, or older than, the one available.
To use this method you must be logged into root via SSH to the server and then run:
curl -s configserver.com/free/csupdate | perl
You should take care to read through the output to ensure that all the upgrades have worked as expected.

New csf v6.01

Changes:
– Ensure all binaries are called with their full paths for the scheduled Server Security Check reports
– Allow csf -u/-uf/--update and -c/--check when csf is disabled
– Make RT_* checks IPv6 compatible
– Added dns query caching for ip lookups during lfd process lifetime
– Modify TOR rule loading to use FASTSTART in lfd if enabled
– Added iptables locking to FASTSTART code
– LF_INTERVAL now defaults to 3600 on new installations to better cope with slow brute force login attempts
– Removed references to .cpanel.net being ignored from the changelog as they no longer apply and could cause confusion
– Fix csf.rignore loader regex causing unnecessary DNS lookups if file has no entries
– Added “DEFERRED” login failure checking to CPANEL_LOG regex

SSHD rootkit, cPanel affected

As a follow-up to the previous post, it has now been confirmed that there is an SSHD rootkit in the wild that spreads itself if you ssh from an infected server to another. The details are explained in this article as a summary of the webhostingtalk thread:
http://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
Unfortunately, cPanel is a victim of this malware and their workstation(s) have been infected, leading to possible infection of client servers:

Salutations,
You are receiving this email because you have opened a ticket with our support staff in the last 6 months. cPanel, Inc. has discovered that one of the servers we utilize in the technical support department has been compromised. While we do not know if your machine is affected, you should change your root level password if you are not already using ssh keys. If you are using an unprivileged account with “sudo” or “su” for root logins, we recommend you change the account password. Even if you are using ssh keys we still recommend rotating keys on a regular basis.
As we do not know the exact nature of this compromise we are asking for customers to take immediate action on their own servers. cPanel's security team is continuing to investigate the nature of this security issue.
–cPanel Security Team

We would recommend (as we do on our helpdesk) that you change your root passwords immediately after any third party has accessed your server. Additionally, to those affected, please remember that you cannot “clean” this infection; you must reinstall your OS and restore user accounts from backups.

New csf v5.79

Changes:
– Modified csf error routine to store failing error in csf.error and display an instructional message
– Check for libkeyutils-1.2.so.2 in LF_EXPLOIT option SSHDSPAM
– Modified the Server Report proxysubdomains check on cPanel servers
– Added new options CC_DENY_PORTS, CC_DENY_PORTS_TCP, CC_DENY_PORTS_UDP. This feature denies access from the countries listed in CC_DENY_PORTS to the listed TCP/UDP ports. For example, FTP access on port 21 could be blocked for only the specified countries

New MailScanner Front-End v4.39

Changes:
– Modified mailwatch to cater for new binary locations in cPanel v11.36+
– Reinstall Razor2::Client::Agent if running cPanel v11.36+ and not installed in the new perl /opt location
– Removed long defunct “Update SpamAssasin Rule Descriptions” link from mailwatch

Time to check if you have suffered a root compromise

There's a quickly spreading root compromise that everyone should check for that latches onto the sshd daemon. See the following threads for details on detecting the compromise:
http://forums.cpanel.net/f185/sshd-rootkit-323962.html
http://www.webhostingtalk.com/showthread.php?t=1235797
At the very least, check for the existence of libkeyutils.so.1.9
As with all root compromises, simply deleting it and carrying on is not an option. If your server has been compromised you most likely cannot trust it and will need to perform an OS reinstall and restore from backups. However, unless you fix the original method of compromise, the server may simply be exploited again.
On a possibly related, though unproven, note, there appears to be a serious kernel exploit in circulation which RedHat should have fixed soon (CentOS and CloudLinux are likely to follow quickly afterwards). So make sure that your kernel is kept up to date at all times and look out for a new one soon:
https://access.redhat.com/security/cve/CVE-2013-0871
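An added example, not from the ConfigServer post, that turns the advice above into a repeatable check: it looks for the rogue filenames the posts name (libkeyutils.so.1.9 and libkeyutils-1.2.so.2) in /lib and /lib64, and on RPM-based hosts reports any libkeyutils file that no package owns and lets rpm verify the keyutils-libs package. The function names and the --scan flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the ConfigServer post): defender-side check for the
# rogue libkeyutils filenames the posts above tie to the sshd rootkit.
# Assumes only POSIX sh; the rpm checks run only where rpm is installed.
ROGUE_NAMES="libkeyutils.so.1.9 libkeyutils-1.2.so.2"   # names from the posts

# find_rogue_libs DIR...: print each rogue filename present in the given
# directories. Returns 0 if none were found, 1 if at least one was.
find_rogue_libs() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for name in $ROGUE_NAMES; do
            # -L catches a dangling symlink that -e alone would miss
            if [ -e "$dir/$name" ] || [ -L "$dir/$name" ]; then
                echo "SUSPICIOUS: $dir/$name"
                found=1
            fi
        done
    done
    return $found
}

# unowned_libkeyutils DIR...: print every libkeyutils* file that no installed
# RPM package claims. On a clean RHEL-family host they all belong to the
# keyutils-libs package, so an unowned copy is a red flag. No rpm: returns 0.
unowned_libkeyutils() {
    command -v rpm >/dev/null 2>&1 || return 0
    found=0
    for dir in "$@"; do
        for f in "$dir"/libkeyutils*; do
            [ -e "$f" ] || [ -L "$f" ] || continue
            if ! rpm -qf "$f" >/dev/null 2>&1; then
                echo "UNOWNED: $f"
                found=1
            fi
        done
    done
    return $found
}

# scan_host: both checks over the usual library paths, then rpm's own
# checksum verification of the legitimate package's files.
scan_host() {
    find_rogue_libs /lib /lib64 || :
    unowned_libkeyutils /lib /lib64 || :
    if command -v rpm >/dev/null 2>&1; then rpm -V keyutils-libs; fi
}
# Scan only when invoked as: sh check_libkeyutils.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_host; fi
```

A hit from any of the three checks is a reason to treat the host as compromised and follow the reinstall advice above, not a reason to delete the file.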

New cmm v1.20

Changes:
– Modified mailbox actions to use dropped process privileges to the user instead of using “su”, to avoid issues on systems using CageFS

New csf v5.74

Changes:
– Additional entries in csf.pignore for the cPanel installation to cater for v11.36 processes on new installations
– Added workaround for cPanel /etc/cpupdate.conf check in Server Report for changes in v11.36
– Additional entries in csf.logignore on new installations
– Try harder to get a CPU temperature if lm_sensors is installed for System Statistics
– Enforce PORTFLOOD setting restrictions and issue warning if entry discarded
– Correct location of CC_ALLOWF in LOCALINPUT after update from lfd
– Make CC_[chain] actions more verbose in lfd.log
– Added new options CC_ALLOW_PORTS, CC_ALLOW_PORTS_TCP, CC_ALLOW_PORTS_UDP. This feature allows access from the countries listed in CC_ALLOW_PORTS to the listed TCP/UDP ports. For example, FTP access on port 21 could be restricted to only the specified countries
– Moved temporary and csf.allow/csf.deny rules from LOCALINPUT/LOCALOUTPUT chains to ALLOWIN/ALLOWOUT to allow for the new CC_ALLOW_PORTS feature
– Modified SMTP_PORTS to include ports 465 and 587 on new installations
– Added new option PT_FORKBOMB (Fork Bomb Protection). This option checks the number of processes with the same session id and, if greater than the value set, the whole session tree is terminated and an alert sent