Hello,
Problem:
There are 2 customer accounts in a reseller account:
- the one (aaa.com) has no content except an empty index.htm; also, the account is suspended for exceeding the BW limit
- the other (bbb.com) has content, but is suspended too, also for exceeding the BW limit
Both accounts get massive hits counting big BW; in "last visitor" it looks like this:
--start copy---
Host: 41.207.18.182
/
Http Code: 500 Date: Feb 05 16:26:47 Http Version: HTTP/1.1 Size in Bytes: 7309
Referer: -
Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent
--end copy--
For me this is
1) a vulnerability of cPanel, because an HTTP 500 must not happen if the account (aaa.com) is empty or (both) is suspended.
If an HTTP 500 happens, it is a server thing, caused by a bad script on the server or whatever, and needs to get fixed from root. So, how to find what on the server gives that HTTP 500 (logs in the customer account give no hint), or how to protect the server against such, as the HTTP 500 is always an answer to a hit from abroad, as shown in "last visitor"? Blocking the IP gives no result, as then the hits come from other IPs.
2) a security issue, as so many hits (here more than 3,4000,000), all causing an HTTP 500, must be possible to block either by cPanel, server settings, or firewall. (I'm not familiar enough with these things to find an answer.)
3) of general importance, as such may happen against any domain name at any time, and by this block the server in total, as it takes massive server load affecting all accounts/domains on the server.
4) it is a cPanel vulnerability thing also in so far as this happens with accounts/domains being suspended, and a suspended account must never cause any server load or use BW. Which means the "suspend" feature of cPanel does not work properly.
5) in addition: how to block in general hits to "/" and from user agent "-" (empty)? As the HTTP 500 is always related to a hit to "/", for me this seems to be the weakness of the server.
6) does anyone know a way to automatically block an IP from which hits causing errors come? Maybe if more than 100 hits causing an error come from the same IP within - maybe - 5 min, it gets blocked automatically for a time of maybe 1 day.
(This would not be a fix at the problem's source itself, but may be a workaround and helpful also in other cases.)
Thanks in advance
Mark
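
The threshold rule asked about in point 6 (more than 100 error hits from one IP within 5 minutes, blocked for 1 day), as an added example that is not part of the original post. It assumes raw Apache "combined" access-log lines rather than the cPanel "last visitor" view; `find_offenders` and `sample_log` are hypothetical names, and the sample data is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: raw Apache "combined" access-log lines, each IP's lines in time order.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

def find_offenders(lines, max_errors=100, window=timedelta(minutes=5),
                   block_for=timedelta(days=1)):
    """Return {ip: block_expiry} for IPs with > max_errors error hits in window."""
    recent = defaultdict(deque)   # ip -> timestamps of error hits inside the window
    blocked = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # not in the assumed format
        ip, stamp, status = m.group(1), m.group(2), int(m.group(3))
        if status < 400:
            continue              # only hits that caused an error count
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if ip in blocked and when < blocked[ip]:
            continue              # block still active
        hits = recent[ip]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()        # forget hits older than the window
        if len(hits) > max_errors:
            blocked[ip] = when + block_for
            hits.clear()
    return blocked

def sample_log():
    """Constructed sample: a flooding IP, a slow erroring IP, a healthy IP."""
    start = datetime(2024, 2, 5, 16, 26, 47, tzinfo=timezone.utc)
    clients = (("203.0.113.7", 1, 500), ("198.51.100.9", 10, 500), ("192.0.2.5", 1, 200))
    rows = []
    for i in range(150):
        for ip, step, code in clients:
            ts = (start + timedelta(seconds=i * step)).strftime("%d/%b/%Y:%H:%M:%S %z")
            rows.append(f'{ip} - - [{ts}] "GET / HTTP/1.1" {code} 7309 "-" "-"')
    return rows

if __name__ == "__main__":
    for ip, until in find_offenders(sample_log()).items():
        print(f"block {ip} until {until.isoformat()}")
```

The returned map is what a firewall or deny-list update would consume; the script itself changes nothing on the server.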







