ConfigServer Services Blog

Time to check if you have suffered a root compromise

There's a quickly spreading root compromise that everyone should check for that latches onto the sshd daemon. See the following threads for details on detecting the compromise:
http://forums.cpanel.net/f185/sshd-rootkit-323962.html
http://www.webhostingtalk.com/showthread.php?t=1235797
At the very least, check for the existence of libkeyutils.so.1.9
As with all root compromises, simply deleting it and carrying on is not an option. If your server has been compromised you most likely cannot trust it and will need to perform an OS reinstall and restore from backups. However, unless you fix the original method of compromise, the server may simply be exploited again.
On a possibly related note, though not proven, it appears that there is a serious kernel exploit in circulation which Red Hat should have fixed soon (CentOS and CloudLinux are likely to follow quickly afterwards). So make sure that your kernel is kept up to date at all times and look out for a new one soon:
https://access.redhat.com/security/cve/CVE-2013-0871
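As an added example (not from the post or from csf), a small script that looks in the library directories you name for the file the post tells you to check for; the directory list in the usage line is an assumption, so pass the ones that apply to your distribution:

```shell
#!/bin/sh
# Added example, not ConfigServer code: report any libkeyutils.so.1.9 found
# directly inside the directories given on the command line.

# check_libkeyutils DIR... : prints every libkeyutils.so.1.9 found in the
# given directories. Returns 0 when nothing was found, 1 otherwise.
check_libkeyutils() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        f="$dir/libkeyutils.so.1.9"
        # -L also catches a dangling symlink that -e alone would miss
        if [ -e "$f" ] || [ -L "$f" ]; then
            echo "FOUND: $f"
            ls -l "$f"
            # On RPM systems, show whether any package claims the file;
            # a library that no package owns is the first thing to explain.
            if command -v rpm >/dev/null 2>&1; then
                rpm -qf "$f" || true
            fi
            found=1
        fi
    done
    return $found
}

# Usage (directory list is an assumption): sh check_libkeyutils.sh /lib /lib64 /usr/lib /usr/lib64
if [ "$#" -gt 0 ]; then
    if check_libkeyutils "$@"; then
        echo "no libkeyutils.so.1.9 found in: $*"
    else
        echo "finding above must be explained before this host can be trusted"
    fi
fi
```

A hit is a reason to investigate, not proof on its own; the threads linked above describe the other signs to look for.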

New cmm v1.20

Changes:
– Modified mailbox actions to use dropped process privileges to the user instead of using “su”, to avoid issues on systems using CageFS

New csf v5.75

Changes:
– Fixed issue with single quotes appearing in CC lookup names causing lfd IP blocks to fail

New csf v5.74

Changes:
– Additional entries in csf.pignore for the cPanel installation to cater for v11.36 processes on new installations
– Added workaround for cPanel /etc/cpupdate.conf check in Server Report for changes in v11.36
– Additional entries in csf.logignore on new installations
– Try harder to get a CPU temperature if lm_sensors is installed for System Statistics
– Enforce PORTFLOOD setting restrictions and issue warning if entry discarded
– Correct location of CC_ALLOWF in LOCALINPUT after update from lfd
– Make CC_[chain] actions more verbose in lfd.log
– Added new options CC_ALLOW_PORTS, CC_ALLOW_PORTS_TCP, CC_ALLOW_PORTS_UDP. This feature allows access from the countries listed in CC_ALLOW_PORTS to the listed TCP/UDP ports. For example, using this feature, FTP access on port 21 could be restricted to only the specified countries
– Moved temporary and csf.allow/csf.deny rules from LOCALINPUT/LOCALOUTPUT chains to ALLOWIN/ALLOWOUT to allow for the new CC_ALLOW_PORTS feature
– Modified SMTP_PORTS to include ports 465 and 587 on new installations
– Added new option PT_FORKBOMB. Fork Bomb Protection. This option checks the number of processes with the same session id and if greater than the value set, the whole session tree is terminated and an alert sent
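As an added example (not csf's own code), the per-session process count that PT_FORKBOMB describes, run over a constructed ps listing; the field order, the sample processes and the limit are assumptions:

```shell
#!/bin/sh
# Added example, not csf code: find sessions whose process count exceeds a
# limit, the condition PT_FORKBOMB acts on. Here we only report.

# Constructed sample of `ps -eo sid,pid,user,comm --no-headers` output.
SAMPLE_PS='1 1 root init
1 512 root sshd
2300 2300 bob bash
2300 2301 bob vim
4201 4201 alice bash
4201 4202 alice perl
4201 4203 alice perl
4201 4204 alice perl
4201 4205 alice perl
4201 4206 alice perl'

# forkbomb_sessions LIMIT < ps-output
# Prints "SID USER COUNT" for every session with more than LIMIT processes.
forkbomb_sessions() {
    awk -v limit="$1" '
        { count[$1]++; user[$1] = $3 }
        END {
            for (sid in count)
                if (count[sid] > limit)
                    print sid, user[sid], count[sid]
        }' | sort -n
}

# session_pids SID < ps-output : the PIDs in one session, so an admin can
# look at the tree before anything is terminated.
session_pids() {
    awk -v sid="$1" '$1 == sid { print $2 }'
}

# Live use (threshold is an assumption; csf's default may differ):
#   ps -eo sid,pid,user,comm --no-headers | forkbomb_sessions 250
printf '%s\n' "$SAMPLE_PS" | forkbomb_sessions 3
```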

New cmc v1.04

Changes:
– Ensure that modsec2.whitelist.conf is always included at the bottom of modsec2.user.conf rather than at the top. This is done whenever the UI is accessed via WHM

New cxs v2.86

Changes:
– Improvements to installer on initial fresh cPanel v11.36 installations
– Added a 20 second timeout for running --Wsymlink [script] and switched from using system call to open3
– Added a 20 second timeout for running --script [script] and improved output printing from [script]
– Modified --options [u] to include more suspicious locations
– Exploit fingerprint definitions database additions

WHM/cPanel v11.36

cPanel v11.36 has now entered the CURRENT tree and you will notice most of your addon perl scripts failing. You can resolve this easily with our addons by reinstalling them. We have provided a simple script that can do this for you, which we posted previously. This has to be done regardless of whether you are running the latest versions:
This script will update: cmm, cmc, cmq, cse, csf, cxs, msinstall, msfe
Only those scripts that are already installed will be updated. Those that are installed are updated regardless of whether they are the same as or older than the versions available.
To use this method you must be logged into the server as root via SSH and then run:

curl -s configserver.com/free/csupdate | perl

You should take care to read through the output to ensure that all the upgrades have worked as expected.

New cxs v2.85

Changes:
– Moved suspicious script location detection to its own option within: --options [u], --doptions [u], --voptions [u] and --qoptions [u]. The option is included in the default setting for --options [options]. If you specify a list in any of these options and want to include this in them, then you need to add [u] to the list of options
– Separate dangerous quarantine options in the UI

New cxs v2.84

Changes:
– New feature: cxs watch daemon Symlink attack detection. This option will try to detect a symlink attack against the server. If --Wsymlinkmax [num] symlinks are created within one directory within --Wsymlinksec [secs] seconds then --Wsymlink [script] will be run. An example is provided for this script in /etc/cxs/symlinkdisable.example.pl
– Enable --Wsymlink /etc/cxs/symlinkdisable.example.pl on new installs in /etc/cxs/cxswatch.sh for email notifications
– Detect as suspicious any scripts found within /images/ and /upload(s)/ directories
– Fixed --Wadd [file] not working correctly in cxs watch
– Fixed --www not being adhered to for new users while cxs watch is running
– Modified --www location on DA servers to the domains/ subdirectory of the user's account for the cxs watch daemon and single user scans
– Improvements to file ownership detection in cxs watch. If a file is owned by “nobody” cxs will compare user home directories in /etc/passwd to the file location to try and determine a unique owner
– Fixed UI saving default “smtp” setting incorrectly (again)