iFrame "hacks" and Fedora Core 2 Updates...


TomK
07-22-2007, 04:01 PM
Folks,

I just wanted to clear up any communication issues regarding these issues from the past couple of weeks, and make sure our customers understand what is going on.

1. We've mistakenly been communicating to customers that only Fedora Core 2 customers have been getting hit with these iFrame "hacks". This is NOT true. We've seen more FC2 VPSes compromised mainly because we have a large number of FC2 VPSes running.

2. We've seen the same sort of issues on CentOS as well as with Plesk and DirectAdmin control panels. It isn't only cPanel and FC2.

3. We think there is more than one issue at this point, and not just an FC2/cPanel iFrame hack. Multiple issues, meaning your everyday typical script-level exploits that we've also blamed on FC2.

Talking with other providers (some not even VPS providers), they have had the same issue happen across their servers, and they aren't running FC2. Early research and searching shows that it may be due to trojans running on host machines (customers) grabbing passwords, then allowing access to your files for defacing.

We have a number of people looking into this matter, but at this point it isn't a localized PowerVPS issue nor is it just a VPS issue. Many shared hosting providers are also dealing with the same issue across shared and reseller accounts - again running on Centos/RHEL/non-FC2 OS platforms.

We advise all customers to run trojan and anti-virus software on their home machines ASAP and change *all* your passwords. This includes your user accounts, FTP and root level ssh and WHM/admin passwords, etc.

I am going to sticky this thread for now and we'll update it as we find out more information.

I apologize for the early miscommunications on our part where we blamed FC2 and cPanel; this is just not true after further research and input from other security folks.

DavidP
07-25-2007, 05:50 PM
We are still looking into the IFRAME exploits. Currently we know of 3 ways that hackers are injecting these into sites:

1. Vulnerable PHP scripts (most common): The hackers exploit a vulnerable PHP script and add the inserts in a number of ways. One of the most common is to drop a script owned by nobody.nobody into /tmp, which recursively checks the permissions on files throughout your filesystem, looking for nobody.nobody ownership and world-writable files. As it finds vulnerable files on your system, the script injects the IFRAME into those files. This attack can be launched manually or via a worm/scanner utility.

To clean up from this method, you need to remove the injected code, and update all PHP/3rd party applications to the latest, fully-patched versions. If you are running the latest versions of all 3rd party software on affected domains, please contact the developers to see if they will be releasing a patch, or if this is a known vulnerability within their software (some developers may not have checked their software to ensure that it is safe from this type of attack, and some may know that their software is not vulnerable/has an existing patch).


2. Windows MPack Trojan/Brute Force (second most common): The hackers collect FTP passwords and any login stored on your computer that they can gain access to (i.e. any program you can choose to save a login with), and/or brute-force insecure passwords on your system. They then log into all FTP accounts they have access to, upload a script as above to each user's home directory, and begin the injection process. This attack can be launched manually, or via a worm/scanner utility.

To clean up from attacks launched with this vulnerability, remove the iframe injections from infected sites, scan your PC at http://housecall.trendmicro.com/ or with a virus scanner that announces that it can detect the various MPack exploits (you can check on your vendor's site), and have all of your users do the same. Once your home system and your users' systems have been cleaned, continue scans and make sure your browsers are patched against this vulnerability (check your browser's site to find out what needs to be done). Failure to properly immunize systems that have access to your server will result in a repeat of this hack.

Once all systems have been immunized, change all FTP passwords on the server, and remove any injections that have occurred in the interim.

3. Root-level access to your system (least common): This occurs in conjunction with the second type of attack. In this case the hackers have gained your root password and inject the code into all files on the system (you can watch for this by checking root:root-owned files that are not world-writable, or by placing a test file on your sites, such as test.php or test.html, owned by root:root with 744 permissions). Most cases of this attack are executed manually: your log files are cleaned, and 123.pl usually appears in /root/.bash_history. We do not believe that this attack can be executed automatically, but are not 100% sure (the actions taken in these cases indicate a person with a shell executing certain commands by hand).

To clean up from this type of attack, clean the injection from your scripts or have support restore your entire VPS from backups immediately. Back up all site data from your VPS to a location outside the VPS, and have support build a new VPS with a root password different from your previous password. Immunize your system, and any systems able to access your server at root level or with an account that can su or sudo to root, against this vulnerability; restore the data to your system; and change all account passwords AS EACH ACCOUNT IS RESTORED.

If you catch the hack in progress, or find logs that have not been cleaned, please immediately back those logs up, and make them available to our support staff. We will forward them to our engineers upon receiving them, and fix any vulnerabilities that the logs show.

If your VPS is compromised in a way that is not listed here, please let our support staff know immediately so we can devise a recovery plan for that method, and disclose it to our customers.
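The checks behind methods 1 and 3 above, as an added example that is not part of DavidP's post or of any PowerVPS tooling: a POSIX shell audit that lists the files the /tmp dropper could reach (world-writable, or owned by the web-server user, assumed here to be nobody and overridable with WEB_USER), reports which of those already contain an iframe tag, strips world-write from the exposed files, and keeps a checksum canary so a root-level edit of a file that should never change is noticed. The "<iframe" marker, the function names and the paths in the usage line are assumptions for illustration; real injections vary, so adjust IFRAME_PATTERN to what you actually find in your files.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a web root the way
# DavidP's description suggests: the /tmp dropper targets files that are
# world-writable or owned by the web-server user, so those are the files
# to check for an injected <iframe>. Also keeps a checksum canary so a
# root-level edit (method 3) is noticed.
# Assumptions: POSIX sh with find/grep/cksum/awk; the web-server user is
# "nobody" (override with WEB_USER); "<iframe" is treated as the marker
# of an injection (real injections vary; adjust IFRAME_PATTERN).

WEB_USER="${WEB_USER:-nobody}"
IFRAME_PATTERN='<iframe'

# Files under $1 the dropper could write: world-writable, or owned by
# $WEB_USER (the owner test is only added when that account exists here).
list_exposed_files() {
    if id "$WEB_USER" >/dev/null 2>&1; then
        find "$1" -type f \( -perm -002 -o -user "$WEB_USER" \)
    else
        find "$1" -type f -perm -002
    fi
}

# Every file under $1 that contains the marker, exposed or not.
list_iframe_files() {
    find "$1" -type f -exec grep -qi -- "$IFRAME_PATTERN" {} \; -print
}

# Exposed files that already carry the marker: what method 1 leaves behind.
list_injected_files() {
    list_exposed_files "$1" | while IFS= read -r f; do
        grep -qi -- "$IFRAME_PATTERN" "$f" && printf '%s\n' "$f"
    done
}

count_lines() { wc -l | tr -d ' '; }
count_exposed_files()  { list_exposed_files "$1"  | count_lines; }
count_iframe_files()   { list_iframe_files "$1"   | count_lines; }
count_injected_files() { list_injected_files "$1" | count_lines; }

# Remove world-write from every exposed file. This closes the door the
# dropper uses; it does NOT remove injections already present, so run
# list_iframe_files afterwards and clean those by hand.
harden_exposed_files() {
    list_exposed_files "$1" | while IFS= read -r f; do
        chmod o-w "$f"
    done
}

# Canary for method 3: in production create $1 as root:root mode 744 (as
# the post suggests) so only root can change it, record its checksum in
# $2, and re-run canary_check from cron.
canary_record() {
    cksum < "$1" | awk '{print $1, $2}' > "$2"
}

# Exit status 0 if $1 still matches the checksum stored in $2.
canary_check() {
    [ "$(cksum < "$1" | awk '{print $1, $2}')" = "$(cat "$2")" ]
}

# Run as a script: ./iframe_audit.sh /home/user/public_html  (path is an example)
if [ -n "${1:-}" ]; then
    echo "exposed files:      $(count_exposed_files "$1")"
    echo "files with iframe:  $(count_iframe_files "$1")"
    echo "injected files:"
    list_injected_files "$1"
fi
```

A file that carries an iframe but is not exposed shows up in list_iframe_files and not in list_injected_files; that gap is the signal that something other than the nobody.nobody dropper wrote it (a stolen FTP password, or root), which is exactly the distinction between methods 1, 2 and 3 above.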

DavidP
08-08-2007, 03:54 PM
Further information about these attacks:

http://www.pandasecurity.com/homeusers/media/press-releases/viewnews?noticia=8797
http://www.symantec.com/enterprise/security_response/weblog/2007/06/mpack_the_strange_case_of_the.html
http://blog.washingtonpost.com/securityfix/2007/06/the_mother_of_all_exploits_1.html
http://community.postnuke.com/module-Forum-viewtopic-theme-Printer-topic-52903.htm
http://www.symantec.com/enterprise/security_response/weblog/2007/08/yo_there_is_a_complaint_agains.html
http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html
http://www.cisco.com/web/about/security/intelligence/PSAR_jul9-15.html
http://www.webware.com/8301-1_109-9731570-2.html


I am responsible for two websites on different hosts that have
apparently been affected by the MPACK attack. The websites are hosted
by Yahoo and by GoDaddy.

http://groups.google.com/group/stopbadware/browse_thread/thread/a96d34b917e6671b

Again, this issue is NOT isolated to PowerVPS.