[Case 158453] Remove obsolete bl.cgi and wl.cgi scripts missed in cphulkd re-factor

Dear All,

Wondering if anyone else face the same problem, I usually receive an email from cPanel regarding large number of failed cPHulk login and from the email I can click on he link and block the IP address, now doesn't seems to be working.

Code:

Email usually like this:
IP reached maximum auth failures
Number of authentication failures: 5
Maximum allowed authentication failures: 5

Last authentication request
===========================
Service: cpaneld
Local IP Address: xxx.xxx.xxx.xxx
Local Port: 2083
Remote IP Address: 94.102.63.135
Remote Port: 60564
Authentication Database: system
Username: xxxxx
Origin Country: Netherlands (NL)

Please use the following links to add to the black list:

Single IP: https://xxx.xxx.xxx:2087/cgi/bl.cgi?ip=94.102.63.135
       /24: https://xxx.xxx.xxx:2087/cgi/bl.cgi?ip=94.102.63.0/24
       /16: https://xxx.xxx.xxx:2087/cgi/bl.cgi?ip=94.102.0.0/16


Please use the following links to add to the white list:

Single IP: https://xxx.xxx.xxx:2087/cgi/wl.cgi?ip=94.102.63.135
       /24: https://xxx.xxx.xxx:2087/cgi/wl.cgi?ip=94.102.63.0/24
       /16: https://xxx.xxx.xxx:2087/cgi/wl.cgi?ip=94.102.0.0/16

And then from the link "Single IP: https://xxx.xxx.xxx:2087/cgi/bl.cgi?ip=94.102.63.135"
I can block the IP address into cPHulk, but now it show error as follow with "500 Internet Server Error"

Code:

Internal Server Error

500

No response from subprocess (/usr/local/cpanel/whostmgr/docroot/cgi/bl.cgi): The subprocess exited with status 0.
cpsrvd/11.48.0.5 Server at server2.pwsmalaysia.com

When I check the cPanel error log, its show something as follow... which I don't understand...

Code:

Duplicate logaccess:  at /usr/local/cpanel/Cpanel/Server.pm line 420.
        Cpanel::Server::logaccess(Cpanel::Server=HASH(0x39559a8)) called at /usr/local/cpanel/Cpanel/Server.pm line 364
        Cpanel::Server::body_internal_error(Cpanel::Server=HASH(0x39559a8), 500, "No response from subprocess (/usr/local/cpanel/whostmgr/docro"...) called at /usr/local/cpanel/Cpanel/Server.pm line 312
        Cpanel::Server::internal_error(Cpanel::Server=HASH(0x39559a8), "No response from subprocess (/usr/local/cpanel/whostmgr/docro"...) called at cpsrvd.pl line 6165
        cpanel::cpsrvd::internal_error("No response from subprocess (/usr/local/cpanel/whostmgr/docro"...) called at cpsrvd.pl line 9122
        cpanel::cpsrvd::handle_subprocess_failure(3, undef, 0, "No response from subprocess (/usr/local/cpanel/whostmgr/docro"...) called at cpsrvd.pl line 7382
        cpanel::cpsrvd::subprocess_handler(__CPANEL_HIDDEN__, IO::Handle=GLOB(0x3943270), GLOB(0x3945798), 0) called at cpsrvd.pl line 7235
        cpanel::cpsrvd::cgiHandler(__CPANEL_HIDDEN__, __CPANEL_HIDDEN__) called at cpsrvd.pl line 6620
        cpanel::cpsrvd::dodoc_whostmgrd() called at cpsrvd.pl line 1876
        cpanel::cpsrvd::dodoc(HASH(0x1f16278)) called at cpsrvd.pl line 1487
        cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 1074
        cpanel::cpsrvd::script() called at cpsrvd.pl line 432
Internal Server Error: "POST /cpsess4297238331/cgi/bl.cgi?post_login=53008028058999 HTTP/1.1" 500 No response from subprocess (/usr/local/cpanel/whostmgr/docroot/cgi/bl.cgi): The subprocess exited with status 0.

So for now, I'm manually adding the IP address via WHM interface @ CPHulk.
Many thanks in advance for helping.

 

Already informed cPanel support, they had open a case for it and will wait for the bug fix

case number 158677
and 158453

Thank you anyway...

 

Dear Ian,

Sorry for the late reply, was away for meeting, just came back.
Many thanks for the information and I believe we have same "Robin" on response (Robin Holec ?) ^^
But he never say something about restoring the file instead only open case number and ask to wait ^^
Does Robin' solution also fixed the block range or /16?

I checked in my server the file you mentioned are not in the directory~
And again, Ian, thank you for your help and sorry for late reply, btw, not that "dodgy" as I read ^^ I would PM you if I had read this message ^^.

Have a good night (my time). or Good day onward.~

 

Dear Ian,

Mine server are always in attack, since the last attach on one of my customer website with layer 2 DDos, I have take it very serious on server security ^^ I was too much trust on my ISP provider for my dedicated server. Recently mine are also mostly from European region as well as far east, but I learned that the true attacker aren't from the IP address with DDos experience.
Currently attacks are mostly on my cpanel webmail and FTP. Whereas I'm still happy with cPhulk is that its still email me if the attack reach a critical level. So I still can block it manully via WHM, it may now as convenience as directly click on the link in email but still not too bad. Since the fix (restore) of the files doesn't actually solve the range if IP issue, then its doesn't help much. ^^
Will just keep on upcp to check the latest update ^^

don't keep it in mine, of cause this kind of problem usually I'll use my dummy email address or contact level from public mail provider like gmail / yahoo, no harm and free of charge so... is ok, some time we just have to trust in caution level, ofcause if you ask my root level access then I may consider "dodgy" ^^.

AT this moment, lets pray for the best, I'm still working on upgrade 400+ databases and 260+ users migration from pre-4.1 password since MySQL 3.2x to MariaDB, lots of work ^^.

All the Best,
Charlie

- - - Updated - - -

Dear Kamal L,

I think the "Robin" solution are just temporary and not a complete fix, I think we shall just wait for it, usually if its bug cPanel are rather fast to release fix, compare to "Windows" hehehehe.

Are you still able to access cPhulk via WHM? Else you should still able to black list it manually via WHM »Security Center »cPHulk Brute Force Protection and then "Black List Management" to have it block.

Have a good day to you too.
Charlie.