The Community Forums


Any way to block phpMyAdmin from accessing the DB server if it's installed manually on an account?

Discussion in 'Security' started by ethical, Mar 22, 2013.

  1. ethical

    ethical Well-Known Member

    Joined:
    Apr 7, 2009
    Messages:
    79
    Likes Received:
    2
    Trophy Points:
    8
    I was wondering if there is any way to prevent phpMyAdmin from either being installed on a user's account, or if not, prevent it from being able to access the DB server if it is installed?

    Perhaps using ModSecurity to block something, or the ConfigServer exploit scanner to delete a crucial file automatically?

    Any thoughts?

    Thanks
    John
     
  2. PenguinInternet

    PenguinInternet Well-Known Member
    PartnerNOC

    Joined:
    Jun 20, 2007
    Messages:
    149
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Cardiff, UK
    cPanel Access Level:
    DataCenter Provider
    Any script that is installed onto a user's account will be able to access the database server, providing it has a username & password to do so, therefore just trying to limit this to phpMyAdmin will not have much effect anyway. Do you have a specific reason for wanting to do this? Putting your requirements in context may help with a solution.
     
  3. ethical

    Thanks Penguin, yeah right, I see. Well, just trying to lock down the server more, and I noticed that phpMyAdmin was installed by a hacker onto a website and it's not clear if they knew a DB password or not, but if they did they could have accessed it, so I was thinking (since phpMyAdmin is pretty common), I wondered if there was a way to lock that down so it could only be used from the cPanel?
     
  4. PenguinInternet

    As mentioned, as that would not prevent access to the database anyway, I wouldn't really look to pursue that as you'll probably end up causing more issues than you fix if it interferes with the central installation as well. Ideally you want to concentrate on looking at how the site was hacked in the first place to allow them to upload a copy of phpMyAdmin.

    If they had that level of access to the site, phpMyAdmin is not then actually providing any additional security issues - they already have the facility to dump a database if they read an existing site config file giving them the MySQL login details and can access the database. Depending on the configuration of your server, this may be the least of your issues if you've not locked it down as there are plenty of other things that they can do once they have access to a site...
     
  5. ethical

    yea good point! thanks!
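
Added example, not part of the thread and not cPanel or ConfigServer code: since the replies steer toward finding out how the copy got uploaded, this Python script locates phpMyAdmin copies under account home directories and reports the owner and the earliest inode-change time, which can be lined up with web and FTP logs. The fingerprint, the function names, the `allowed` parameter and the `/home` default are assumptions made for illustration.

```python
import os
import sys
from datetime import datetime, timezone


def looks_like_phpmyadmin(path):
    """Heuristic fingerprint (assumption): config.sample.inc.php, a libraries/
    subdirectory and an index.php that mentions phpMyAdmin. A renamed or
    trimmed copy will not match, so treat a clean result as a hint only."""
    if not os.path.isfile(os.path.join(path, "config.sample.inc.php")):
        return False
    if not os.path.isdir(os.path.join(path, "libraries")):
        return False
    try:
        with open(os.path.join(path, "index.php"), "rb") as fh:
            return b"phpmyadmin" in fh.read(65536).lower()
    except OSError:
        return False


def find_installs(home_root, allowed=()):
    """Return (path, owner_uid, first_seen_utc) for each copy under home_root,
    skipping directories listed in `allowed` (sanctioned installs)."""
    allowed = {os.path.realpath(p) for p in allowed}
    hits = []
    for dirpath, dirnames, _ in os.walk(home_root, followlinks=False):
        if os.path.realpath(dirpath) in allowed:
            dirnames[:] = []          # do not descend into a sanctioned copy
            continue
        if looks_like_phpmyadmin(dirpath):
            # On Linux st_ctime is the inode-change time. Unlike mtime it is
            # not restored when an archive is unpacked, so the earliest value
            # approximates when the files landed on disk.
            ctimes = [os.lstat(os.path.join(dirpath, name)).st_ctime
                      for name in os.listdir(dirpath)]
            first_seen = datetime.fromtimestamp(min(ctimes), tz=timezone.utc)
            hits.append((dirpath, os.lstat(dirpath).st_uid, first_seen))
            dirnames[:] = []          # the install's own subtree adds nothing
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    for path, uid, first_seen in find_installs(root):
        print(f"{first_seen:%Y-%m-%d %H:%M:%S}Z uid={uid} {path}")
```

A hit only shows where a copy sits and roughly when it arrived; the entry point is found by checking the logs around that timestamp.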
     