
[Case 158453] Remove obsolete bl.cgi and wl.cgi scripts missed in cphulkd re-factor

Discussion in 'Security' started by ganfye83, Jan 28, 2015.

  1. ganfye83

    ganfye83 Member

    Joined:
    Jan 28, 2015
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Seri Kembangan, Malaysia
    cPanel Access Level:
    Root Administrator
    Dear All,

    Wondering if anyone else faces the same problem. I usually receive an email from cPanel regarding a large number of failed cPHulk logins, and from the email I can click on the link and block the IP address, but now it doesn't seem to be working.

    Code:
    Email usually like this:
    IP reached maximum auth failures
    Number of authentication failures: 5
    Maximum allowed authentication failures: 5
    
    Last authentication request
    ===========================
    Service: cpaneld
    Local IP Address: xxx.xxx.xxx.xxx
    Local Port: 2083
    Remote IP Address: 94.102.63.135
    Remote Port: 60564
    Authentication Database: system
    Username: xxxxx
    Origin Country: Netherlands (NL)
    
    Please use the following links to add to the black list:
    
    Single IP: https://xxx.xxx.xxx:2087/cgi/bl.cgi?ip=94.102.63.135
           /24: https://xxx.xxx.xxx:2087/cgi/bl.cgi?ip=94.102.63.0/24
           /16: https://xxx.xxx.xxx:2087/cgi/bl.cgi?ip=94.102.0.0/16
    
    
    Please use the following links to add to the white list:
    
    Single IP: https://xxx.xxx.xxx:2087/cgi/wl.cgi?ip=94.102.63.135
           /24: https://xxx.xxx.xxx:2087/cgi/wl.cgi?ip=94.102.63.0/24
           /16: https://xxx.xxx.xxx:2087/cgi/wl.cgi?ip=94.102.0.0/16
    
    And then from the link "Single IP: https://xxx.xxx.xxx:2087/cgi/bl.cgi?ip=94.102.63.135"
    I can block the IP address in cPHulk, but now it shows an error as follows, with "500 Internet Server Error"

    Code:
    Internal Server Error
    
    500
    
    No response from subprocess (/usr/local/cpanel/whostmgr/docroot/cgi/bl.cgi): The subprocess exited with status 0.
    cpsrvd/11.48.0.5 Server at server2.pwsmalaysia.com
    
    When I check the cPanel error log, it shows something as follows... which I don't understand...

    Code:
    Duplicate logaccess:  at /usr/local/cpanel/Cpanel/Server.pm line 420.
            Cpanel::Server::logaccess(Cpanel::Server=HASH(0x39559a8)) called at /usr/local/cpanel/Cpanel/Server.pm line 364
            Cpanel::Server::body_internal_error(Cpanel::Server=HASH(0x39559a8), 500, "No response from subprocess (/usr/local/cpanel/whostmgr/docro"...) called at /usr/local/cpanel/Cpanel/Server.pm line 312
            Cpanel::Server::internal_error(Cpanel::Server=HASH(0x39559a8), "No response from subprocess (/usr/local/cpanel/whostmgr/docro"...) called at cpsrvd.pl line 6165
            cpanel::cpsrvd::internal_error("No response from subprocess (/usr/local/cpanel/whostmgr/docro"...) called at cpsrvd.pl line 9122
            cpanel::cpsrvd::handle_subprocess_failure(3, undef, 0, "No response from subprocess (/usr/local/cpanel/whostmgr/docro"...) called at cpsrvd.pl line 7382
            cpanel::cpsrvd::subprocess_handler(__CPANEL_HIDDEN__, IO::Handle=GLOB(0x3943270), GLOB(0x3945798), 0) called at cpsrvd.pl line 7235
            cpanel::cpsrvd::cgiHandler(__CPANEL_HIDDEN__, __CPANEL_HIDDEN__) called at cpsrvd.pl line 6620
            cpanel::cpsrvd::dodoc_whostmgrd() called at cpsrvd.pl line 1876
            cpanel::cpsrvd::dodoc(HASH(0x1f16278)) called at cpsrvd.pl line 1487
            cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 1074
            cpanel::cpsrvd::script() called at cpsrvd.pl line 432
    Internal Server Error: "POST /cpsess4297238331/cgi/bl.cgi?post_login=53008028058999 HTTP/1.1" 500 No response from subprocess (/usr/local/cpanel/whostmgr/docroot/cgi/bl.cgi): The subprocess exited with status 0.
    
    So for now, I'm manually adding the IP address via the WHM interface @ cPHulk.
    Many thanks in advance for helping. :confused:
     
  2. ganfye83

    Already informed cPanel support; they have opened a case for it and will wait for the bug fix

    case number 158677
    and 158453

    Thank you anyway...
     
  3. Ian.H

    Ian.H Registered

    Joined:
    Jan 29, 2015
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Reported this also yesterday and my server's now fixed (a couple of missing files from the update(!)).

    The other issue with the cphulk update is that none of the IP ranges blacklisted are currently being blacklisted.. only works for single addresses (which screws me right over with multiple /16s etc blocked). I'm awaiting a fix on this after reporting this yesterday too. Not sure how this got past UAT!

    - Removed -



    Cheers..

    Ian

    - - - Updated - - -

    Just to add (seeing as my first post was asking for details and I could understand if that sounds "dodgy" despite offering help).. here's the important part of the response I had from Robin on the issue yesterday to back up my statement above:



    Cheers..

    Ian
     
    #3 Ian.H, Jan 29, 2015
    Last edited by a moderator: Jan 29, 2015
  4. kamall

    kamall Active Member

    Joined:
    Mar 17, 2012
    Messages:
    40
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Bethune France
    cPanel Access Level:
    Root Administrator
    Twitter:
    I got same problem here...

    Please update ASAP
     
  5. ganfye83

    Dear Ian,

    Sorry for the late reply, I was away for a meeting and just came back.
    Many thanks for the information, and I believe we have the same "Robin" responding (Robin Holec?) ^^
    But he never said anything about restoring the files; instead he only opened a case number and asked me to wait ^^
    Does Robin's solution also fix the block range or /16?

    I checked on my server, and the files you mentioned are not in the directory~
    And again, Ian, thank you for your help and sorry for the late reply. Btw, it's not that "dodgy" as I read it ^^ I would PM you if I had read this message ^^.

    Have a good night (my time), or good day onward.~ :)
     
  6. Ian.H



    No problem at all.. never a timeline on response :)

    Indeed.. it's the same Robin on the case. He created the archived files for me and told me just in case it broke again I could restore them from there. If he hasn't for you, if he's restored them as part of your ticket, you should be able to create your own backup archive from the 2 locations he listed, posted in my post above, so you'll have a copy for the future (assuming these don't get changed in the future.. I'd probably only rely on them "short term").

    Unfortunately this doesn't fix the address range issue.. my server's currently being hit a lot more frequently with failed attempts from addresses in the likes of Asia and Latin America for which have been blocked for ages and apparently there's no idea when the fix may be released to us.. apparently the devs were aware of the issue as my ticket about this was being pushed through as a bug according to Aaron who handled this ticket for me... so unfortunately, it's just a waiting game for this as there's no way to "downgrade" cPanel either.

    I guess being in the game we're in, admining servers and IT in general, I know that first posts asking for info, even if just an email address, might be construed as dodgy by some (and rightly so if that was the case) so just wanted to clarify :)

    Hopefully both of the cphulk issues can be resolved quickly for the "general public" rather than per ticket too as these I'm sure are considerable problems to many of us.

    Have a good one too sir!



    Cheers..

    Ian
     
  7. kamall

    Hello Ian

    Any updates on this issue? 'Cause I am having the same problem.

    Regards
    Kamal L.
     
  8. ganfye83

    Dear Ian,

    My server is always under attack. Since the last attack on one of my customers' websites with a layer 2 DDoS, I have taken server security very seriously ^^ I trusted my ISP provider too much for my dedicated server. Recently mine are also mostly from the European region as well as the Far East, but I learned that the true attackers aren't from the IP address with DDoS experience.
    Currently attacks are mostly on my cPanel webmail and FTP. What I'm still happy with about cPHulk is that it still emails me if the attack reaches a critical level. So I can still block it manually via WHM; it may not be as convenient as directly clicking on the link in the email, but still not too bad. Since the fix (restore) of the files doesn't actually solve the range of IP issue, it doesn't help much. ^^
    Will just keep on upcp to check the latest update ^^

    :) Don't keep it in mind. Of course, for this kind of problem I usually use my dummy email address or a contact address from a public mail provider like Gmail / Yahoo, no harm and free of charge, so... it is OK. Sometimes we just have to trust at a cautious level; of course, if you asked for my root-level access then I might consider it "dodgy" ^^.

    At this moment, let's pray for the best. I'm still working on upgrading 400+ databases and migrating 260+ users from pre-4.1 passwords since MySQL 3.2x to MariaDB, lots of work ^^.

    All the Best,
    Charlie

    - - - Updated - - -

    Dear Kamal L,

    I think the "Robin" solution is just temporary and not a complete fix. I think we shall just wait for it; usually if it's a bug, cPanel is rather fast to release a fix, compared to "Windows" hehehehe.

    Are you still able to access cPHulk via WHM? Otherwise you should still be able to blacklist it manually via WHM » Security Center » cPHulk Brute Force Protection and then "Black List Management" to have it blocked.

    Have a good day to you too.
    Charlie.
     
  9. kamall

    Dear Charlie,
    DDoS should be handled by the data center. Well, our servers are handled by an expert company, and for DDoS I don't see the problem, but a large number of failed logins are happening. Anyway, you are right, we can do it manually, sure, but IP block blacklisting is easier, and surely you may know these are proxy IPs.

    Have a good day

    Kamal L.
     
  10. FusionOpz

    FusionOpz Registered

    Joined:
    Jan 30, 2015
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Georgetown, Ontario, Canada
    cPanel Access Level:
    Root Administrator
    It'd be nice for this to be resolved as soon as possible, I'm getting attacked on my server and can't really blacklist the ip's right now...
     
  11. kamall

    Hello
    FusionOpz

    Please do it manually via WHM » Security Center » cPHulk Brute Force Protection and then "Black List Management".

    Regards
    Kamal L.
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Internal case number 158453 is open to address this issue. Please monitor the 11.48 change log for the inclusion of this case number. In the meantime, if you want to blacklist IP addresses on 11.48, please use one of the following options:

    1. "WHM Home » Security Center » cPHulk Brute Force Protection » Blacklist Management"
    2. "/scripts/cphulkdblacklist" via SSH.
    3. Utilize the "create_cphulk_record" API call.

    Thank you.
     
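As a companion to option 2 in the reply above (an added example, not code from this thread or from cPanel): the sketch below extracts the "Remote IP Address" from a notification body like the one in the first post, validates it as a literal IP before it goes anywhere near a command line, and derives the same /24 and /16 ranges the e-mail links offered. The function names are hypothetical, and passing the address as the single argument to `/scripts/cphulkdblacklist` is an assumption to verify on your own server.

```python
import ipaddress
import re

# Constructed sample, shaped like the notification quoted in the first post.
SAMPLE_EMAIL = """\
IP reached maximum auth failures
Service: cpaneld
Local Port: 2083
Remote IP Address: 94.102.63.135
Remote Port: 60564
Username: xxxxx
"""

# Path named in the staff reply; the argument form is an assumption.
BLACKLIST_SCRIPT = "/scripts/cphulkdblacklist"
REMOTE_IP_RE = re.compile(r"^[ \t]*Remote IP Address:[ \t]*(\S+)[ \t]*$", re.MULTILINE)


def parse_remote_ip(body):
    """Return the remote address as an ipaddress object, or None."""
    m = REMOTE_IP_RE.search(body)
    if not m:
        return None
    try:
        # Strict parse: anything that is not a literal IP is rejected,
        # so mail content can never smuggle extra shell arguments.
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def candidate_ranges(ip):
    """Single IP, /24 and /16, matching the links in the e-mail (IPv4)."""
    out = [str(ip)]
    if ip.version == 4:
        for prefix in (24, 16):
            out.append(str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)))
    return out


def blacklist_argv(body):
    """argv list for the script, or None if the address must not be blocked."""
    ip = parse_remote_ip(body)
    # Never build a block for private or loopback space: a forged or
    # misparsed mail must not lock the administrator out.
    if ip is None or ip.is_private or ip.is_loopback:
        return None
    return [BLACKLIST_SCRIPT, str(ip)]


if __name__ == "__main__":
    print(candidate_ranges(parse_remote_ip(SAMPLE_EMAIL)))
    print(blacklist_argv(SAMPLE_EMAIL))
```

The command is built for the single address only, since an earlier post reports that blacklisted ranges are not being applied in this release; the derived ranges are there for entry in Blacklist Management once that is fixed.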
  13. kamall

    Hello
    cPanelMichael

    So we have to do it manually for the moment.

    Regards

    Kamal L.
     
  14. cPanelMichael

    Right, for the time being, you have to use one of the three methods listed in my previous response instead of clicking on the URL in the email.

    Thank you.
     
  15. rekabis

    rekabis Member

    Joined:
    Sep 19, 2014
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Okay, from what I gather, this issue comes about because bl.cgi and wl.cgi are actually missing, correct?

    Well, I am on the current version (11.48.0.7), am experiencing the same issue, but when I ssh to
    /usr/local/cpanel/whostmgr/docroot/cgi/
    I actually see both bl.cgi and wl.cgi sitting there.

    Now what are missing are these two files:
    -rwxr-xr-x. 1 root root 2807 Jan 21 23:36 /usr/local/cpanel/whostmgr/docroot/cgi/cphulkdblk.cgi*
    -rw-r--r--. 1 root root 418 Jan 21 23:36 /usr/local/cpanel/whostmgr/docroot/templates/cphulkdblk.tmpl

    If this is an issue with the updater, is there any other location I can pull copies from, to get things fully back up and running?

    Please note, I *am* on 11.48.0.7, which claims that case 158453 is fixed, and yet I am still experiencing this issue even with new eMail/SMS alerts that come in.
     
  16. rekabis

    …Aaaand even doing a “forced reinstall” of WHM 11.48.0.7 does nothing to correct the issue.
     
  17. cPanelMichael

    Hello :)

    I am unable to reproduce this issue after updating to 11.48.0.7. Since you already forced a cPanel update and verified it completed successfully, could you open a support ticket using the link in my signature so we can take a closer look at your system? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     