  1. #1
    Member
    Join Date
    Feb 2004
    Posts
    12

    Question CPANEL CGI Center CGIs are safe?

    Hi!

    A few days ago we received a couple of e-mails that were sent by cgi-sys/FormMail.cgi, or tried to send using it...

    Does anyone know if the CGIs that cPanel has installed are safe?

    I see that many of them are too old... '98....

    Can they be turned OFF using WHM, or some other way?

    That's all...

    TIA, and sorry for the bad English...

    Luciano A. Ferrer

  2. #2
    Staff Member Spearow's Avatar
    Join Date
    Mar 2004
    Location
    Sunnyvale, CA
    Posts
    15

    Default

    yes, they are safe... formmail can be disabled under "tweak settings" in whm...
    It is not easy to be a god.
    mike@cpanel.net

  3. #3
    Member
    Join Date
    Sep 2003
    Posts
    68

    Default

    I tend to disagree that they are safe and have disabled all of them along with chmoding them to 0 and chattr -i them

  4. #4
    Member
    Join Date
    Feb 2004
    Posts
    12

    Default Re: CPANEL CGI Center CGIs are safe?

    Originally posted by highclass
    A few days ago we received a couple of e-mails that were sent by cgi-sys/FormMail.cgi, or tried to send using it...
    Strange mails are like the following, any idea?:

    Code:
    From: <2fVS6oNz94@ventas.highclassdental.com>
    To: <2fVS6oNz94@ventas.highclassdental.com>
    Subject: =?iso-8859-1?Q?http://www.ventas.highclassdental.co...formmail.pl_?=
    	=?iso-8859-1?Q?=2865.205.249.37:80=29_bcc:_angelm1c@aol.comQIrxkz4Qyo8tpY?=
    	=?iso-8859-1?Q?_E4_4hQXu_LFJtj062r72AT_KKRaK50_voMU3Ye0by9tkt_W_Eo5h_4_Wq?=
    	=?iso-8859-1?Q?sev4dXMW9ia_yqxqu84s_C=FFFFFFCCabcdefghijklmnopqrstuvqxyzA?=
    	=?iso-8859-1?Q?BCDEFGHI.?=
    Date: Thu, 8 Apr 2004 21:52:53 -0400
    Message-ID: <E1BBlCP-0001rx-8X@server1.highclassdental.com>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    	boundary="----=_NextPart_000_14D7_01C41DC3.CDF043C0"
    X-Mailer: Microsoft Outlook, Build 10.0.2627
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    
    This is a multi-part message in MIME format.
    
    ------=_NextPart_000_14D7_01C41DC3.CDF043C0
    Content-Type: multipart/alternative;
    	boundary="----=_NextPart_001_14D8_01C41DC3.CDF043C0"
    
    
    ------=_NextPart_001_14D8_01C41DC3.CDF043C0
    Content-Type: text/plain;
    	charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    
    body: QIrxkz4Qyo8t
    pY E4 4hQXu LFJtj062r72AT
     KKRaK50 voMU3Ye0by9t
    
    kt W Eo5h 4 Wqsev4dXMW9ia yqxqu
    84s C=FFFFFFCCabcdefghijklmnopqrstuvqxyzABCDEFGHI
    Luciano

  5. #5
    Member
    Join Date
    Sep 2003
    Posts
    68

    Default

    Originally posted by thaphantom
    do you have a reason for that or is because you just dont know any better so you assume?
    Had one too many problems with it on one of my servers. I had countless security teams and server management teams go in and try to figure out how sites were being defaced. They all came to the conclusion that it was cpanel cgi's. I then disabled them and haven't had a problem since.

  6. #6
    Member
    Join Date
    Feb 2004
    Posts
    12

    Default

    Originally posted by thaphantom
    lol that's a joke, your security teams as you call them are just looking for a quick buck then
    OK, maybe that was right... but how can you explain that WCW Fan has had no more problems after disabling his CGIs?

    Luciano

  7. #7
    Member
    Join Date
    Sep 2003
    Posts
    68

    Default

    Originally posted by thaphantom
    lol that's a joke, your security teams as you call them are just looking for a quick buck then
    No joke. Maybe it was just me, but since then I haven't had one issue with my 25+ servers all running cpanel, all with cpanel cgi's disabled. Go figure

    Edit: I'm not going to argue, I'm just going on what has proven to work for us, and that is to disable them.
    Last edited by WCW Fan; 04-12-2004 at 01:04 PM.

  8. #8
    Member
    Join Date
    Sep 2001
    Location
    Spain
    Posts
    779

    Default

    Luciano, my friend, how is everything going?

    The strange mails you're getting can be filtered out by checking an option in WHM's tweak settings section (discard messages with bcc headers in subject or something like that). They are trying to exploit an old bug in cpanel's FormMail.cgi script.

    Some people are not confident using cPanel's scripts because of past problems (I'm aware of that one only, though), but (FWIW) most of us use them.

    Personally, I prefer my users to use cPanel's formmail rather than lots of different dispersed formmail scripts which might be as vulnerable as or more vulnerable than cPanel's. If some new exploit is found the word spreads *really* fast (you know, dozens of similar threads in the forums, complaints, whinings and whatnot).

    But to each his or her own

  9. #9
    Member
    Join Date
    Feb 2004
    Posts
    12

    Default

    Originally posted by Juanra
    Luciano, my friend, how is everything going?
    Everything's fine, Juanra, a surprise to find you around here... it's a small world

    Txs for your explanation, I have checked that option...

    Luciano

  10. #10
    cPanel Partner NOC
    Join Date
    Feb 2003
    Location
    Gothenburg, Sweden
    Posts
    324

    Default

    Originally posted by Juanra
    Luciano, my friend, how is everything going?

    The strange mails you're getting can be filtered out by checking an option in WHM's tweak settings section (discard messages with bcc headers in subject or something like that). They are trying to exploit an old bug in cpanel's FormMail.cgi script.
    Where is the bcc headers setting? Can't find it anywhere in the tweak settings :/
    Using WHM 9.3.0 R104

    twitter: oderland_david

  11. #11
    Member
    Join Date
    Feb 2004
    Posts
    12

    Default

    Originally posted by internetfab
    Where is the bcc headers setting? Can't find it anywhere in the tweak settings :/
    Using WHM 9.3.0 R104
    "Silently Discard all FormMail-clone requests with a bcc: header in the subject line"

    Tweak Settings, the second upper link

    luciano
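
The kind of check the setting quoted above performs, as an added example that is not part of the thread and not cPanel's code: decode the RFC 2047 encoded-words in a Subject and flag an embedded `bcc:`. The function names and the sample subject are constructed for illustration, and the CR/LF test on the form field goes beyond what the setting's label describes.

```python
import re
from email import message_from_string
from email.header import decode_header

# "bcc:" as a header name inside what should be plain subject text.
BCC_IN_TEXT = re.compile(r"(?<![A-Za-z0-9])bcc\s*:", re.IGNORECASE)

def decode_subject(raw_subject: str) -> str:
    """Join RFC 2047 encoded-words (=?charset?Q?...?=) into one string."""
    parts = []
    for chunk, charset in decode_header(raw_subject):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label
                chunk = chunk.decode("latin-1")
        parts.append(chunk)
    return "".join(parts)

def subject_has_bcc(raw_subject: str) -> bool:
    """True if the decoded subject contains a bcc: header name."""
    return BCC_IN_TEXT.search(decode_subject(raw_subject)) is not None

def message_subject_has_bcc(raw_message: str) -> bool:
    """Same check on a whole message, folded Subject lines included."""
    msg = message_from_string(raw_message)
    return subject_has_bcc(msg.get("Subject", ""))

def form_subject_is_hostile(value: str) -> bool:
    """Check a URL-decoded subject form field before it reaches the mailer.
    A raw CR or LF would start a new header line, so it is rejected too."""
    return "\r" in value or "\n" in value or subject_has_bcc(value)

# Constructed sample, modelled on the message in post #4 (placeholder hosts).
SAMPLE = (
    "From: <probe@example.com>\n"
    "Subject: =?iso-8859-1?Q?http://www.example.com/cgi-sys/formmail.pl_?=\n"
    "\t=?iso-8859-1?Q?=28192.0.2.10:80=29_bcc:_probe@example.net_padding?=\n"
    "\n"
    "body: padding\n"
)

if __name__ == "__main__":
    print(message_subject_has_bcc(SAMPLE))
```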

  12. #12
    cPanel Partner NOC
    Join Date
    Feb 2003
    Location
    Gothenburg, Sweden
    Posts
    324

    Default

    Yeah, saw it on one of the servers that was running an older version, 9.2.0 I think - however, it's gone from the 9.3.0 version :/

    twitter: oderland_david

  13. #13
    Member
    Join Date
    Feb 2004
    Posts
    12

    Default

    Originally posted by internetfab
    Yeah, saw it on one of the servers that was running an older version, 9.2.0 I think - however, it's gone from the 9.3.0 version :/
    Well, it's strange... we are running on WHM 9.4.0 cPanel 9.4.1-R55

  14. #14
    cPanel Partner NOC
    Join Date
    Feb 2003
    Location
    Gothenburg, Sweden
    Posts
    324

    Default

    Funny thing, updated to 9.4.1 and it's there again. Guess they missed it in the 9.3.0 release.

    Thanx!

    twitter: oderland_david
