Welcome to WebmasterWorld Guest from 126.96.36.199
There is a known exploit that occured in the last few weeks and Cpanel has issued a fix - and not all servers/datacenters have gotten around to applying it.
The funny thing about it - it only shows itself when using IE - and Google Ads definitely make it worse. On pages that do not have Google ADs or that type of code - the problem is stil there, but almost un-noticable.
When using Firefox - the problem goes away...
READ FROM HOSTING RELEASE:
This was a 0 day cpanel exploit. Anyone in the world running cpanel could have been exploited.
They actually did the cpanel exploit about a month ago which explains what we thought at the time to be "bad cpanel updates." We thought this because sites weren't loading in IE and the fix was just changing a line in cpanel. At this point in time viruses weren't loading as far as we knew or heard so there was nothing to suggest anything different then a bad cpanel update.
We believe whoever did this was perfecting what they were about to launch and waiting for the right moment. They chose a few days ago to launch it in full force to exploit Microsoft's newly announced vml exploit. They used the exploit in cpanel to distribute trojans / viruses to target the vml exploit.
Here's what cpanel said once we showed them the exploit....
Originally Posted by Cpanel
"This has been confirmed and patched. Running /scripts/upcp will fix the vulnerability in all builds."
We had our own patch we ran before the release of cpanel's, and as soon cpanel provided an update we ran their patch as well.
We had a few problems to figure out......
1. How was it happening and where was it coming from?
We could easily fix the problem but every time we did in minutes to an hour later it would come back. After hours of looking how this was happening we made little / no progress. We reached out to the web hosting community for help and soon had everyone helping us.
To name a few....
ThePlanet's security team, Layeredtech's security team, idefense.com, verisign, our best inhouse administrators and gurus, some server admin companies, and a customer of our's named Brad who helped build the architecture of paypal and ebay.com.
Brad had some contacts in symantec, trend, and Mcafee that he was able to contact on our behalf. We had everybody working on this. Our CTO DaveC finally figured out what was causing it and cleaned it up at which point it has not happened since.
2. What was exploited and how?
We might have cleaned it up to fix the problem, but without knowing how they were exploiting our boxes they could easily do it again and again. One of our best admins Tim Greer solved this mystery today when he came across a cpanel root exploit that nobody knew about. He tested it and it was soon proven this cpanel root exploit is how the hackers had the power to do the redirects. As soon as we knew the function of cpanel that was being exploited we had help with the creation of a bandaid patch that was applied immediately.
At the same time this was going on I got on the phone calling everybody in the industry to get cpanel involved. I was able to reach cpanel's operations manager Dave who quickly came up with a patch that has now been released to the public. At this point we ran upcp which will prevent our boxes from being exploited this way again.
It seems to be very sporadic and dependant on location as 2 of our other offices nearby on differnet networks are seeing everything normally.. When I was able to log in to adsense, impressions and CTR's seemed fairly normal for this time of day.
[edited by: Shadoze at 3:08 pm (utc) on Sep. 26, 2006]
Google Analytics has not updated for me for twelve hours, which is not unprecedented, but is unusual.
I suspect that G has turned off all non-essential processing until it can get on top of the current problem.
I noticed yesterday that pack.google.com was just taking my browsers round and round in a loop: I wonder if that is in any way connected? If not, I'm guessing a DDoS attack.