September 29, 2006 -- (WEB HOST INDUSTRY REVIEW) -- A confluence of vulnerabilities - one in the hosting control panel cPanel, and one in Microsoft's Internet Explorer browser - created a large-scale security breach at several hosting firms last week, and may prompt Microsoft to patch its browser ahead of the scheduled October 10 update.
Last weekend, hackers exploited a flaw in cPanel (cpanel.net), among the most popular Web hosting control panels, to gain access to the networks of seven Web hosts. The attackers took control of hundreds, possibly thousands, of Windows-based machines using Internet Explorer.
Hackers injected iframe exploits into PHP pages located on the Web hosts' servers, redirecting some visitors to sites off the hosts' networks. The IE bug is related to the way the browser processes Web-based graphics code written in the Vector Markup Language, enabling hackers to install spyware and malware onto the computers of Internet Explorer users.
Boca Raton, Florida-based HostGator (hostgator.com) was the first Web host to discover the attack, which lasted from late Thursday to Saturday afternoon. However, HostGator founder and president Brent Oxley says the hackers used the cPanel vulnerability to access HostGator servers more than a month ago, keeping a low profile before striking late last week.
According to Eric Sites, vice president of Sunbelt Software (sunbelt-software.com), there are some 20,000 sites that are currently attempting to exploit the vulnerability. The security software developer initially discovered hackers were using the VML flaw on pornographic Web sites.
Dave Koston, an operations manager at cPanel, says the company patched the hole within an hour of it being brought to its attention. An update was then passed along to the majority of servers that use the control panel software.
HostGator says it worked with other parties to develop an additional version of the patch and ensure that the problem was fully resolved.
"Provided your server is secure via all other common methods and properly administrated," says Oxley, "with this patch applied on a cPanel server, the issue should not present itself at this time."
Oxley says no matter how stringent a Web hosting company's security practices, it is extremely difficult to defend against attacks that target a flaw in third-party software.
"There's really not much you can do since it's cPanel and it's out of our control," says Oxley. "They have the source, which means they're the only one that can secure it. There are exploits every day; I'm sure there are going to be many other exploits to be discovered."
After HostGator discovered the cPanel exploit, it contacted a few of its major competitors to see if they were also affected by the flaw. After discovering other cPanel hosting companies had similar experiences, HostGator advised them on how to remedy the problem.
On September 24, Network Redux sent a formal request on behalf of HostGator and five other Web hosts, including BlueHost, Rails Playground, Clear-Data Internet Services, Myriad Network and HostingZoom, asking cPanel to engage security consultants for a full security audit of the cPanel and WHM codebase.
The Web hosts urged cPanel to provide "assurance from a third party entity [that its] codebase provides a secure operating environment" for its users. The request also called for cPanel to provide "fixes to all discovered security issues, and full disclosure be provided to cPanel partners and distributors," all within an appropriate time period for updates.
Oxley says HostGator alerted the FBI and other law enforcement agencies to the situation, but "have not seen any interest from them."
And while HostGator has stemmed the spread of what could have become a very serious problem, similar attacks are likely to occur in the future. Oxley says that dealing with such security issues is an inevitable downside of the industry.
"Is this going to be the last exploit that we're ever going to see? Probably not, but we've done everything we can on our side to have a secure setup," says Oxley. "In the end, no one's 100 percent secure when it comes to Web servers, and anyone who says they are is lying and has no idea what they're doing."