[Case 158453] Remove obsolete bl.cgi and wl.cgi scripts missed in cphulkd re-factor

[ganfye83]

Dear All,

Wondering if anyone else face the same problem, I usually receive an email from cPanel regarding large number of failed cPHulk login and from the email I can click on he link and block the IP address, now doesn't seems to be working.

Email usually like this:
IP reached maximum auth failures
Number of authentication failures: 5
Maximum allowed authentication failures: 5

Last authentication request
===========================
Service: cpaneld
Local IP Address: xxx.xxx.xxx.xxx
Local Port: 2083
Remote IP Address: 94.102.63.135
Remote Port: 60564
Authentication Database: system
Username: xxxxx
Origin Country: Netherlands (NL)

Please use the following links to add to the black list:

Single IP: https://xxx.xxx.xxx:2087/cgi/bl.cgi?ip=94.102.63.135
       /24: https://xxx.xxx.xxx:2087/cgi/bl.cgi?ip=94.102.63.0/24
       /16: https://xxx.xxx.xxx:2087/cgi/bl.cgi?ip=94.102.0.0/16


Please use the following links to add to the white list:

Single IP: https://xxx.xxx.xxx:2087/cgi/wl.cgi?ip=94.102.63.135
       /24: https://xxx.xxx.xxx:2087/cgi/wl.cgi?ip=94.102.63.0/24
       /16: https://xxx.xxx.xxx:2087/cgi/wl.cgi?ip=94.102.0.0/16

And then from the link "Single IP: https://xxx.xxx.xxx:2087/cgi/bl.cgi?ip=94.102.63.135"
I can block the IP address into cPHulk, but now it show error as follow with "500 Internet Server Error"

Internal Server Error

500

No response from subprocess (/usr/local/cpanel/whostmgr/docroot/cgi/bl.cgi): The subprocess exited with status 0.
cpsrvd/11.48.0.5 Server at server2.pwsmalaysia.com

When I check the cPanel error log, its show something as follow... which I don't understand...

Duplicate logaccess:  at /usr/local/cpanel/Cpanel/Server.pm line 420.
        Cpanel::Server::logaccess(Cpanel::Server=HASH(0x39559a8)) called at /usr/local/cpanel/Cpanel/Server.pm line 364
        Cpanel::Server::body_internal_error(Cpanel::Server=HASH(0x39559a8), 500, "No response from subprocess (/usr/local/cpanel/whostmgr/docro"...) called at /usr/local/cpanel/Cpanel/Server.pm line 312
        Cpanel::Server::internal_error(Cpanel::Server=HASH(0x39559a8), "No response from subprocess (/usr/local/cpanel/whostmgr/docro"...) called at cpsrvd.pl line 6165
        cpanel::cpsrvd::internal_error("No response from subprocess (/usr/local/cpanel/whostmgr/docro"...) called at cpsrvd.pl line 9122
        cpanel::cpsrvd::handle_subprocess_failure(3, undef, 0, "No response from subprocess (/usr/local/cpanel/whostmgr/docro"...) called at cpsrvd.pl line 7382
        cpanel::cpsrvd::subprocess_handler(__CPANEL_HIDDEN__, IO::Handle=GLOB(0x3943270), GLOB(0x3945798), 0) called at cpsrvd.pl line 7235
        cpanel::cpsrvd::cgiHandler(__CPANEL_HIDDEN__, __CPANEL_HIDDEN__) called at cpsrvd.pl line 6620
        cpanel::cpsrvd::dodoc_whostmgrd() called at cpsrvd.pl line 1876
        cpanel::cpsrvd::dodoc(HASH(0x1f16278)) called at cpsrvd.pl line 1487
        cpanel::cpsrvd::handle_one_connection() called at cpsrvd.pl line 1074
        cpanel::cpsrvd::script() called at cpsrvd.pl line 432
Internal Server Error: "POST /cpsess4297238331/cgi/bl.cgi?post_login=53008028058999 HTTP/1.1" 500 No response from subprocess (/usr/local/cpanel/whostmgr/docroot/cgi/bl.cgi): The subprocess exited with status 0.

So for now, I'm manually adding the IP address via WHM interface @ CPHulk.
Many thanks in advance for helping.

 

[ganfye83]

Already informed cPanel support, they had open a case for it and will wait for the bug fix

case number 158677
and 158453

Thank you anyway...

 

[Ian.H]

Already informed cPanel support, they had open a case for it and will wait for the bug fix

case number 158677
and 158453

Thank you anyway...

Reported this also yesterday and my server's now fixed (a couple of missing files from the update(!)).

The other issue with the cphulk update is that none of the IP ranges blacklisted are currently being blacklisted.. only works for single addresses (which screws me right over with multiple /16s etc blocked). I'm awaiting a fix on this after reporting this yesterday too. Not sure how this got past UAT!

- Removed -



Cheers..

Ian

- - - Updated - - -

Just to add (seeing as my first post was asking for details and I could understand if that sounds "dodgy" despite offering help).. here's the important part of the response I had from Robin on the issue yesterday to backup my statement above:

During my initial investigation of this issue, I restored the following missing files from 11.46. The bl.cgi links appear to be functional once more.

-rwxr-xr-x. 1 root root 2807 Jan 21 23:36 /usr/local/cpanel/whostmgr/docroot/cgi/cphulkdblk.cgi*
-rw-r--r--. 1 root root 418 Jan 21 23:36 /usr/local/cpanel/whostmgr/docroot/templates/cphulkdblk.tmpl

A case has been filed with our development team with the following ID: #158453. You can verify that a correction has been made via the following link http://documentation.cpanel.net/display/ALD/11.48+Change+Log

Should the issue occur again after a subsequent update, you can restore the missing files via
cd /
tar xvfz /root/missing_bl.tgz

Cheers..

Ian

 

[kamall]

I got same problem here...

Please update ASAP

 

[ganfye83]

Dear Ian,

Sorry for the late reply, was away for meeting, just came back.
Many thanks for the information and I believe we have same "Robin" on response (Robin Holec ?) ^^
But he never say something about restoring the file instead only open case number and ask to wait ^^
Does Robin' solution also fixed the block range or /16?

I checked in my server the file you mentioned are not in the directory~
And again, Ian, thank you for your help and sorry for late reply, btw, not that "dodgy" as I read ^^ I would PM you if I had read this message ^^.

Have a good night (my time). or Good day onward.~

 

[Ian.H]

Dear Ian,

Sorry for the late reply, was away for meeting, just came back.
Many thanks for the information and I believe we have same "Robin" on response (Robin Holec ?) ^^
But he never say something about restoring the file instead only open case number and ask to wait ^^
Does Robin' solution also fixed the block range or /16?

I checked in my server the file you mentioned are not in the directory~
And again, Ian, thank you for your help and sorry for late reply, btw, not that "dodgy" as I read ^^ I would PM you if I had read this message ^^.

Have a good night (my time). or Good day onward.~

No problem at all.. never a timeline on response

Indeed.. it's the same Robin on the case. He created the archived files for me and told me just in case it broke again I could restore them from there. If he hasn't for you, if he's restored them as part of your ticket, you should be able to create your own backup archive from the 2 locations he listed posted in my post above so you'll have a copy for the future (assuming these don't get changed in the future.. I'd probably only rely on them "short term").

Unfortunately this doesn't fix the address range issue.. my server's currently being hit a lot more frequently with failed attempts from addresses in the likes of Asia and Latin America for which have been blocked for ages and apparently there's no idea when the fix may be released to us.. apparently the devs were aware of the issue as my ticket about this was being pushed through as a bug according to Aaron who handled this ticket for me... so unfortunately, it's just a waiting game for this as there's no way to "downgrade" cPanel either.

I guess being in the game we're in admining servers and IT in general, I know that first posts asking for info even if just an email, address might be construed as dodgy by some (and rightly so if that was the case) so just wanted to clarify

Hopefully both of the cphulk issues can be resolved quickly for the "general public" rather than per ticket too as these I'm sure are considerable problems to many of us.

Have a good one too sir!



Cheers..

Ian

 

[kamall]

Hello IAN

Any updates on this issu?cause i am having same problem.

Regards
Kamal L.

 

[ganfye83]

Dear Ian,

Mine server are always in attack, since the last attach on one of my customer website with layer 2 DDos, I have take it very serious on server security ^^ I was too much trust on my ISP provider for my dedicated server. Recently mine are also mostly from European region as well as far east, but I learned that the true attacker aren't from the IP address with DDos experience.
Currently attacks are mostly on my cpanel webmail and FTP. Whereas I'm still happy with cPhulk is that its still email me if the attack reach a critical level. So I still can block it manully via WHM, it may now as convenience as directly click on the link in email but still not too bad. Since the fix (restore) of the files doesn't actually solve the range if IP issue, then its doesn't help much. ^^
Will just keep on upcp to check the latest update ^^

don't keep it in mine, of cause this kind of problem usually I'll use my dummy email address or contact level from public mail provider like gmail / yahoo, no harm and free of charge so... is ok, some time we just have to trust in caution level, ofcause if you ask my root level access then I may consider "dodgy" ^^.

AT this moment, lets pray for the best, I'm still working on upgrade 400+ databases and 260+ users migration from pre-4.1 password since MySQL 3.2x to MariaDB, lots of work ^^.

All the Best,
Charlie

- - - Updated - - -

Dear Kamal L,

I think the "Robin" solution are just temporary and not a complete fix, I think we shall just wait for it, usually if its bug cPanel are rather fast to release fix, compare to "Windows" hehehehe.

Are you still able to access cPhulk via WHM? Else you should still able to black list it manually via WHM »Security Center »cPHulk Brute Force Protection and then "Black List Management" to have it block.

Have a good day to you too.
Charlie.

 

[kamall]

Dear Charlie,
DDos should handel by data center.Well our server are handel by some experts company and for DDos i dont see the problem but login failed large number are happening.Anyway you are right we can do it manually sure but easier is ip block blacklist and sure you may know these are proxy ips.

Have a good day

Kamal L.

 

[FusionOpz]

It'd be nice for this to be resolved as soon as possible, I'm getting attacked on my server and can't really blacklist the ip's right now...

 

[kamall]

Hello
FusionOpz

Please do it manually via WHM »Security Center »cPHulk Brute Force Protection and then "Black List Management".

Regards
Kamal L.

 

[cPanelMichael]

Hello

Internal case number 158453 is open to address this issue. Please monitor the 11.48 change log for the inclusion of this case number. In the meantime, if you want to blacklist IP addresses on 11.48, please use one of the following options:

1. "WHM Home » Security Center » cPHulk Brute Force Protection » Blacklist Management"
2. "/scripts/cphulkdblacklist" via SSH.
3. Utilize the "create_cphulk_record" API call.

Thank you.

 

[kamall]

Hello

Internal case number 158453 is open to address this issue. Please monitor the 11.48 change log for the inclusion of this case number. In the meantime, if you want to blacklist IP addresses on 11.48, please use one of the following options:

1. "WHM Home » Security Center » cPHulk Brute Force Protection » Blacklist Management"
2. "/scripts/cphulkdblacklist" via SSH.
3. Utilize the "create_cphulk_record" API call.

Thank you.

Hello
cPanelMicheal

So we have to do manually for the moment.

Regards

Kamal L.

 

[cPanelMichael]

So we have to do manually for the moment.

Right, for the time being, you have to use one of the three methods listed in my previous response instead of clicking on the URL in the email.

Thank you.

 

[rekabis]

Okay, from what I gather, this issue comes about because bl.cgi and wl.cgi are actually missing, correct?

Well, I am on the current version (11.48.0.7), am experiencing the same issue, but when I ssh to
/usr/local/cpanel/whostmgr/docroot/cgi/
I actually see both bl.cgi and wl.cgi sitting there.

Now what are missing are these two files:
-rwxr-xr-x. 1 root root 2807 Jan 21 23:36 /usr/local/cpanel/whostmgr/docroot/cgi/cphulkdblk.cgi*
-rw-r--r--. 1 root root 418 Jan 21 23:36 /usr/local/cpanel/whostmgr/docroot/templates/cphulkdblk.tmpl
If this is an issue with the updater, is there any other location I can pull copies from, to get things fully back up and running?

Please note, I *am* on 11.48.0.7, which claims that case 158453 is fixed, and yet I am still experiencing this issue even with new eMail/SMS alerts that come in.

 

[rekabis]

…Aaaand even doing a “forced reinstall” of WHM 11.48.0.7 does nothing to correct the issue.

 

[cPanelMichael]

Well, I am on the current version (11.48.0.7), am experiencing the same issue, but when I ssh to
/usr/local/cpanel/whostmgr/docroot/cgi/
I actually see both bl.cgi and wl.cgi sitting there.

Hello

I am unable to reproduce this issue after updating to 11.48.0.7. Since you already forced a cPanel update and verified it completed successfully, could you open a support ticket using the link in my signature so we can take a closer look at your system? You can post the ticket number here so we can update this thread with the outcome.

Thank you.