New cPanel builds have been published tonight to improve installation, speed, memory usage and upgrade experiences. Recently, installs and updates have been taking excessively long due to CPAN module tests during the Perl module updates. New EDGE, CURRENT and RELEASE builds 11.23.3 build 25946 (or later) have been released tonight to address this issue and to improve installer speed and add checks unrelated to Perl. If you have been experiencing update or install issues, we recommend re-downloading http://layer1.cpanel.net/latest for installs or re-running /scripts/upcp for updates.

Currently, RedHat is shipping an older version of coreutils which contains a known bug in /bin/pwd. If a parent directory to the directory /bin/pwd is executed in does not have read permissions, /bin/pwd will fail with the following error:

/bin/pwd: cannot open directory `..’: Permission denied

cPanel has built a script to modify the permissions on your /home directories to 0755 in order to maintain full functionality of the system until this issue is corrected by RedHat. If you experience the above error, you can run the following command to resolve the issue:

/scripts/enablefileprotect

The issue has been reported to RedHat and they have promised a fix in the next coreutils update. More information on the report can be found here:

https://bugzilla.redhat.com/show_bug.cgi?id=448446

References:

http://lists.gnu.org/archive/html/bug-coreutils/2007-02/msg00053.html

FreeBSD 4.x End of Support

cPanel support for FreeBSD 4.x will end August 1, 2008. cPanel will
not maintain binary compatibility for FreeBSD versions less than 5.x.
cPanel recommends that all affected users update to the latest
production release of FreeBSD to ensure future compatibility. If you
are unable to update to a more recent version of FreeBSD, then the
system’s update preferences (WHM >> Server Configuration >> Update
Config) must be set to “Never Update” prior to the deadline. Failure
to do so will result in complete loss of cPanel and WHM functionality.

After August 1 2008 and the end of our support for FreeBSD 4.x, you
will not receive any security updates or bug fixes. Binaries and other
files for FreeBSD 4.x will no longer be available from cPanel’s update
servers. We therefore urge everyone currently using FreeBSD 4.x begin
transitioning to updated versions in the FreeBSD 5+ tree.

__________________________________
Mbox & UW IMAP End of Support
In accordance with earlier deprecation announcements of the mbox mail
storage format, cPanel will no longer support mbox as of August 1,
2008. UW IMAP server and cPanel’s cppop server will no longer be
available in future builds. cPanel server owners are strongly urged to
convert any remaining mbox systems to maildir prior to August 1, 2008.
Failure to do so will result in loss of email client functionality.

At this time it is recommended that you upgrade your kernel to the latest version available for your distribution or you compile a 2.6.24.2 or above version.

Don’t ignore this as it can be a major security issue.

More info on this:
http://it.slashdot.org/article.pl?sid=08/02/10/2011257

If you need help with your kernel upgrade you can contact us as we can do it for you (for a fee of course).

An arbitrary file inclusion vulnerability has been discovered in the Horde webmail application. At present, we can confirm that this security vulnerability in question affects Horde 3.1.6 and earlier. Based on incomplete information at this time, we also believe this affects Horde Groupware 1.0.4 and earlier as well (cPanel does not use Horde Groupware at this time).

cPanel customers should update their cPanel and WHM servers immediately to prevent any chance of compromise. The patch will be available in builds 11.18.2 and greater (or 11.19.2 and greater for EDGE systems). The updated builds will be available immediately to all fast update servers. The builds will be available to all other update servers within one hour of this posting.

To check which version of cPanel and WHM is on your server, simply log into WebHost Manager (WHM) and look in the top right corner, or execute the following command from the command line as root:

/usr/local/cpanel/cpanel -V

You can upgrade your server by navigating to ‘cPanel’ -> ‘Upgrade to Latest Version’ in WebHost Manager or by executing the following from the command line as root:

/scripts/upcp

It is recommended that all use of Horde 3.1.6 and earlier be stopped (on cPanel and non-cPanel systems alike) until Horde updates can be applied. You can disable Horde on your cPanel system by unchecking the box next to ‘Server Configuration’ -> ‘Tweak Settings’ -> ‘Mail’ -> ‘Horde Webmail’ within WHM, and saving the page with the new settings.

A server compromise trend has been recently reported targeting multiple hosting platforms. RedHat Enterprise Linux & Centos 4/5 and Fedora Core 5/6 are the most common targets. This compromise is not believed to be specific to cPanel software. This issue has been seen on systems running a variety of control panels.

The vast majority of affected systems are initially accessed using SSH with no indications of brute force or exploitation of the underlying service. Despite non-trivial passwords, intermediary users and nonstandard ports, the attacker is able to gain access to the affected servers with no password failures. The majority of the affect servers come from a single undisclosed data-center. All affected systems have password-based authentication enabled. Based upon these findings, it’s believed that the attacker has gained access to a database of root login credentials for a large group of Linux servers.

Once access is gained, the attacker downloads and compiles Stealth Zapper 1.0, which is used to clean all traces of the attackers access and movements through the system. The attacker then downloads a script used to gather information from Apache and compiles a list of statistics for each site hosted on the server. This information is then sent to an undisclosed location for the attacker to view. Once the information is sent successfully, the attacker downloads an agent binary built from the Boxer 0.99 BETA 3 root-kit. This binary is secured with encrypted keys to only allow access from the attackers Boxer installation. This agent binary is built with several additional scripts developed by the attacker to load a web server into memory and inject the random JavaScript into the HTML code after Apache has served the file, but before it has traveled through the TCP transport back to the web site visitor. The attacker will first run the agent binary to load it into memory. This activates the root-kit, which will then go on to copy itself to the seven binary locations below which will keep the agent running at all times, including after a reboot.

/sbin/ifconfig
/sbin/fsck
/sbin/route
/bin/basename
/bin/cat
/bin/mount
/bin/touch

The rootkit renames these system binaries by adding a random set of characters to the end of the file name. Additionally, a 0 byte file with a different set of random characters is created based upon the target binary’s name similar to the following:

/sbin/routewWmVTnBL6szkobbNZ9Iz
/sbin/routeGnAxnt168fMJAxHiru22

These files are hidden on the live filesystem of an affected system. In order to view these files, the system must be rebooted into a safe environment such as a system rescue CD.

The JavaScript being loaded by this web server is directing users to another server that scans the web site user for a number of known vulnerabilities. These vulnerabilities are then used to add the web site user to a bot net. More information about the JavaScript hacks can be found at: http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3.

If you feel your server is compromised, you can run the tests below to confirm.

The easiest test is to attempt to create a directory with a numerical name:

mkdir 1

If your server is compromised, this will result in the error below:

[root\@cpanel ~]# mkdir 1
mkdir: cannot create directory `1′: No such file or directory

This isn’t always the case in older variants of the rootkit. To be certain your server isn’t compromised, it’s best to sniff packets for a brief 3-5 minute period. You can do this using the command below:

tcpdump -nAs 2048 src port 80 | grep “[a-zA-Z]\{5\}\.js’”

If this reports packets being sent that match the regex above, then the server is most likely compromised. Additional detection methods require an in-depth knowledge of kernel debugging.

Cleaning the Random JavaScript Toolkit requires the server to be booted into a safe environment and the removal of all infected binaries. Since it is believed that the attacker has access to the database of login credentials, the only way to prevent being hacked again is changing the password and not releasing it to anyone. The preferred method however is to move to SSH Keys and remove password authentication altogether. It is recommended that you contact your data-center, NOC, or a qualified administrator to have the server properly cleaned and secured.

More information on this issue as well as discussions can be found at the following URLs:

http://forums.cpanel.net
http://www.webhostingtalk.com/showthread.php?t=651748
http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3