Server hacked through holes in Confixx management software
Attackers have penetrated several customers' root servers at hosting company 1&1 through a security hole in the server management software Confixx Pro. Andreas Maurer, press spokesman for 1&1, says that approximately 30 root servers have been abused for DDoS attacks. Up to 1700 customers at 1&1 are still relying on the management software from SWSoft. The intruders may also have tampered with customers' webpages in order to inject malicious code into visitors' computers through holes in Internet Explorer. Affected customers should therefore examine their pages. But not only customers of 1&1 are affected: every server running a flawed version of Confixx is vulnerable.
The cause of the problem is not an SQL injection hole, as was previously supposed, but a remote file inclusion that can be misused to pass commands to the shell. A description of the bug by its discoverer has been publicly available since 24 July. Although SWSoft has released a hotfix, it has not yet announced the hole publicly. The information on which versions are vulnerable is somewhat contradictory. SWSoft says in its release notes that versions 2.0.12 up to and including 3.3.1 are affected, but that the bug can only be exploited in versions 2.0.12 to 2.0.14. The discoverer's bug report, however, says that the exploit should work with all versions up to 3.3.1.
Users should check their configuration immediately and install the hotfix from SWSoft. The precise instructions are available in the release notes.
- Confixx <= PRO 3.3.1 Remote File Inclusion Vulnerability, bug report from H4 / XPK
- Confixx Pro security hotfix, Release notes from SWSoft