Current time: 11-29-2024, 09:31 AM Hello There, Guest! (LoginRegister)


Post Reply 
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Security hole in ISPCP 1.0.5
Author Message
Alex Joe Offline
Junior Member
*

Posts: 72
Joined: Oct 2007
Reputation: 0
Post: #1
Exclamation Security hole in ISPCP 1.0.5
Hello,

Unfortunately, it is possible to compromise the password to the panel and carrying out attack on the server.

IP attacker: 188.249.164 and 62.120.196.147

ISPCP Admin log in attachment. Server logs are destroyed by attacker.


Attached File(s)
.pdf  log_attack.pdf (Size: 76.72 KB / Downloads: 36)
07-14-2010 07:38 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Nuxwin
Unregistered

 
Post: #2
RE: Security hole in ISPCP 1.0.5
Hello

Ok for logs but you know the procedure for reproduce this attack ? The logs are not relevant. Who is admin, who is reseller, who is customer in the logs ?
(07-14-2010 07:38 AM)Alex Joe Wrote:  Hello,

Unfortunately, it is possible to compromise the password to the panel and carrying out attack on the server.

IP attacker: 188.249.164 and 62.120.196.147

ISPCP Admin log in attachment. Server logs are destroyed by attacker.

Edit: What was broken on your server ? Just for the record:

Code:
User IP: 188.249.164.80 11.07.2010 14:54 Warning! user |1tech.pl| requested |/reseller/domain delete
php?domain_id=157| with REQUEST_METHOD |GET|

is not a security hole since a login checking is made by all called scripts. It's just warning.

The warn occurs when an user like admin or customer call the reseller/domain_delete.php?domain_id=123 directly for example.

Now, just for security reasons, I'll inspect better but please, provides us more information.

Best regards ;
07-14-2010 07:42 AM
Quote this message in a reply
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #3
RE: Security hole in ISPCP 1.0.5
It looks like the user has granted access at least as reseller. If not, he was leeching the password somehow (network-sniff, key-logger, social-attack).

The problem is non of the panel directly. You can save the panel from network-sniffing by using SSL.
07-14-2010 05:38 PM
Visit this user's website Find all posts by this user Quote this message in a reply
Alex Joe Offline
Junior Member
*

Posts: 72
Joined: Oct 2007
Reputation: 0
Post: #4
RE: Security hole in ISPCP 1.0.5
Unfortunately, as I wrote, server logs have not been preserved. In the attachment, what was left after the attack.


Attached File(s)
.zip  haker 12072010.zip (Size: 647.55 KB / Downloads: 21)
07-15-2010 04:43 AM
Visit this user's website Find all posts by this user Quote this message in a reply
ZooL Offline
Moderator
*****
Moderators

Posts: 3,429
Joined: Jan 2007
Reputation: 79
Post: #5
RE: Security hole in ISPCP 1.0.5
this .zip is trojan verseucht Big Grin infiziert
07-15-2010 06:31 AM
Visit this user's website Find all posts by this user Quote this message in a reply
gOOvER Offline
Banned

Posts: 3,561
Joined: Jul 2007
Post: #6
RE: Security hole in ISPCP 1.0.5
I open it with NOD32 and get no Warning Smile
07-15-2010 06:56 AM
Visit this user's website Find all posts by this user Quote this message in a reply
tomdooley Offline
Development Team
*****
Dev Team

Posts: 332
Joined: Sep 2007
Reputation: 7
Post: #7
RE: Security hole in ISPCP 1.0.5
While opening the ZIP file I see "PHP/C99Shell.FF"...
07-15-2010 02:32 PM
Visit this user's website Find all posts by this user Quote this message in a reply
nuke3d Offline
Junior Member
*

Posts: 107
Joined: Sep 2007
Reputation: 1
Post: #8
RE: Security hole in ISPCP 1.0.5
it's the php file the hacker uploaded, obviously.
07-16-2010 06:36 PM
Find all posts by this user Quote this message in a reply
kilburn Offline
Development Team
*****
Dev Team

Posts: 2,182
Joined: Feb 2007
Reputation: 34
Post: #9
RE: Security hole in ISPCP 1.0.5
As nuxwin and RatS have already said, there is no evidence of hacking in the provided logfiles. Someone was able to use a reseller/admin account to hijack the websites, but this is password stealing, not a security hole.

Now, if "logfiles haven't been preserved", this means that the attacker was somehow able to obtain root access to the machine (after hijacking the websites). This can happen because (1) there *is* a security hole in ispcp (but we're getting absolutely no clue about where it might be) or (2) he had some outdated software (a service daemon or the kernel itself) that the hacker exploited to escalate privileges.

The point is that we absolutely need more info to discern which was the case.
07-16-2010 07:39 PM
Visit this user's website Find all posts by this user Quote this message in a reply
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #10
RE: Security hole in ISPCP 1.0.5
is it still possible to use cgi programs to change the php.ini?
then this might be the door....

use a security whole in a php- (or cgi)-app of one customer, upload a custom cgi, change the php.ini (if you want to continue with php)... etc

(if the password stealing is not the reason for the issue above)

/J
07-16-2010 08:12 PM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 2 Guest(s)