The Community Forums

CPANEL CGI Center CGIs are safe?

Discussion in 'General Discussion' started by highclass, Apr 6, 2004.

  1. highclass

    highclass Member

    Joined:
    Feb 9, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Hi!

    A few days ago we received a couple of e-mails that were sent by cgi-sys/FormMail.cgi, or that someone tried to send using it...

    Does anyone know if the CGIs that cPanel has installed are safe?

    I see that many of them are too old... '98....

    Can they be turned OFF using WHM, or some other way?

    That's all...

    TIA, and sorry for the bad English...

    Luciano A. Ferrer
     
  2. Spearow

    Spearow Staff Member

    Joined:
    Mar 25, 2004
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Sunnyvale, CA
    Yes, they are safe... FormMail can be disabled under "Tweak Settings" in WHM...
     
  3. WCW Fan

    WCW Fan Well-Known Member

    Joined:
    Sep 22, 2003
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    I tend to disagree that they are safe and have disabled all of them along with chmoding them to 0 and chattr -i them :)
     
  4. highclass

    highclass Member

    Joined:
    Feb 9, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    The strange mails look like the following, any idea?

    Code:
    From: <2fVS6oNz94@ventas.highclassdental.com>
    To: <2fVS6oNz94@ventas.highclassdental.com>
    Subject: =?iso-8859-1?Q?http://www.ventas.highclassdental.com/cgi-sys/formmail.pl_?=
    	=?iso-8859-1?Q?=2865.205.249.37:80=29_bcc:_angelm1c@aol.comQIrxkz4Qyo8tpY?=
    	=?iso-8859-1?Q?_E4_4hQXu_LFJtj062r72AT_KKRaK50_voMU3Ye0by9tkt_W_Eo5h_4_Wq?=
    	=?iso-8859-1?Q?sev4dXMW9ia_yqxqu84s_C=FFFFFFCCabcdefghijklmnopqrstuvqxyzA?=
    	=?iso-8859-1?Q?BCDEFGHI.?=
    Date: Thu, 8 Apr 2004 21:52:53 -0400
    Message-ID: <E1BBlCP-0001rx-8X@server1.highclassdental.com>
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    	boundary="----=_NextPart_000_14D7_01C41DC3.CDF043C0"
    X-Mailer: Microsoft Outlook, Build 10.0.2627
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
    
    This is a multi-part message in MIME format.
    
    ------=_NextPart_000_14D7_01C41DC3.CDF043C0
    Content-Type: multipart/alternative;
    	boundary="----=_NextPart_001_14D8_01C41DC3.CDF043C0"
    
    
    ------=_NextPart_001_14D8_01C41DC3.CDF043C0
    Content-Type: text/plain;
    	charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable
    
    body: QIrxkz4Qyo8t
    pY E4 4hQXu LFJtj062r72AT
     KKRaK50 voMU3Ye0by9t
    
    kt W Eo5h 4 Wqsev4dXMW9ia yqxqu
    84s C=FFFFFFCCabcdefghijklmnopqrstuvqxyzABCDEFGHI
    
    Luciano
     
  5. WCW Fan

    WCW Fan Well-Known Member

    Joined:
    Sep 22, 2003
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    Had one too many problems with it on one of my servers. I had countless security teams and server management teams go in and try to figure out how sites were being defaced. They all came to the conclusion that it was cPanel CGIs. I then disabled them and haven't had a problem since.
     
  6. highclass

    highclass Member

    Joined:
    Feb 9, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    OK, that may be right... but how can you explain that WCW Fan has had no more problems after disabling his CGIs?

    Luciano
     
  7. WCW Fan

    WCW Fan Well-Known Member

    Joined:
    Sep 22, 2003
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    No joke. Maybe it was just me, but since then I haven't had one issue with my 25+ servers all running cPanel, all with cPanel CGIs disabled. Go figure :p

    Edit: I'm not going to argue, I'm just going on what has proven to work for us, and that is to disable them.
     
    #7 WCW Fan, Apr 12, 2004
    Last edited: Apr 12, 2004
  8. Juanra

    Juanra Well-Known Member

    Joined:
    Sep 22, 2001
    Messages:
    777
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Spain
    Luciano, my friend, how's everything going? :) :)

    The strange mails you're getting can be filtered out by checking an option in WHM's tweak settings section (discard messages with bcc headers in subject or something like that). They are trying to exploit an old bug in cpanel's FormMail.cgi script.

    Some people are not confident using cPanel's scripts because of past problems (I'm aware of that one only, though), but (FWIW) most of us use them.

    Personally, I prefer my users to use cPanel's FormMail rather than lots of different dispersed FormMail scripts which might be as vulnerable as or more than cPanel's. If some new exploit is found the word spreads *really* fast (you know, dozens of similar threads in the forums, complaints, whining and whatnot :D).

    But to each his or her own :)
     
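    The filtering that the Tweak Settings option mentioned above performs, as an added example in Python; it is not code from this thread or from cPanel. The FormMail abuse attempts quoted earlier in the thread carry an RFC 2047 encoded, folded Subject that decodes to a line containing "bcc: address", so the check has to decode the Subject before looking at it. The two messages below are constructed for the example (placeholder addresses and a documentation-range IP), and the additional "cc:" check goes beyond what the WHM option names.

```python
import email
import re
from email import policy

# Header field names that have no business inside a Subject line. The WHM
# option quoted in the thread looks for "bcc:"; "cc:" is this example's addition.
INJECTED_HEADER_NAMES = ("bcc", "cc")

# Constructed sample modelled on the message quoted earlier in the thread:
# addresses and the IP are placeholders; the Subject is RFC 2047 Q-encoded and
# folded over two lines, as the quoted message was.
SAMPLE_SUSPECT = (
    "From: <2fVS6oNz94@example.com>\n"
    "To: <2fVS6oNz94@example.com>\n"
    "Subject: =?iso-8859-1?Q?http://www.example.com/cgi-sys/formmail.pl_?=\n"
    "\t=?iso-8859-1?Q?=28192.0.2.10:80=29_bcc:_someone@example.net?=\n"
    "Date: Thu, 8 Apr 2004 21:52:53 -0400\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=\"iso-8859-1\"\n"
    "\n"
    "body: QIrxkz4Qyo8t\n"
)

# Constructed benign form submission: the word "Bcc" without a colon must not
# trigger the filter.
SAMPLE_BENIGN = (
    "From: <webform@example.com>\n"
    "To: <owner@example.com>\n"
    "Subject: =?iso-8859-1?Q?Contact_form:_pregunta_sobre_Bcc_del_cliente?=\n"
    "Date: Thu, 8 Apr 2004 22:10:00 -0400\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=\"iso-8859-1\"\n"
    "\n"
    "body: hola\n"
)


def decoded_subject(raw_message: str) -> str:
    """Parse the raw message and return its Subject with the RFC 2047 encoded
    words decoded and the folding removed, or "" when there is no Subject."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = msg["Subject"]
    return "" if subject is None else str(subject)


def injected_header_in_subject(raw_message: str, names=INJECTED_HEADER_NAMES):
    """Return the first injected header name (lower-case, e.g. "bcc") found in
    the decoded Subject, or None when the Subject is clean."""
    subject = decoded_subject(raw_message)
    # The name must start a word and be followed by a colon: "bcc:" / "bcc :".
    pattern = r"(?<![A-Za-z])(%s)\s*:" % "|".join(re.escape(n) for n in names)
    match = re.search(pattern, subject, re.IGNORECASE)
    return match.group(1).lower() if match else None


def filter_formmail_messages(raw_messages):
    """Split messages into (delivered, discarded), the silent-discard behaviour
    the Tweak Settings option describes."""
    delivered, discarded = [], []
    for raw in raw_messages:
        (discarded if injected_header_in_subject(raw) else delivered).append(raw)
    return delivered, discarded


if __name__ == "__main__":
    for raw in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        print(repr(decoded_subject(raw)), "->", injected_header_in_subject(raw))
```

    Decoding first matters: the raw header bytes never contain the literal string "bcc:", only "_bcc:_" inside a Q-encoded word, so a filter that greps the undecoded Subject misses exactly the messages the option is meant to drop.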
  9. highclass

    highclass Member

    Joined:
    Feb 9, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    All good, Juanra, a surprise to find you around here... it's a small world :) :)

    Thanks for your explanation, I have checked that option...

    Luciano
     
  10. internetfab

    internetfab Well-Known Member
    PartnerNOC

    Joined:
    Feb 20, 2003
    Messages:
    336
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Gothenburg, Sweden
    cPanel Access Level:
    DataCenter Provider
    Where is the bcc headers setting? Can't find it anywhere in Tweak Settings :/
    Using WHM 9.3.0 R104
     
  11. highclass

    highclass Member

    Joined:
    Feb 9, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    "Silently Discard all FormMail-clone requests with a bcc: header in the subject line"

    Tweak Settings, the second upper link

    luciano
     
  12. internetfab

    internetfab Well-Known Member
    PartnerNOC

    Joined:
    Feb 20, 2003
    Messages:
    336
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Gothenburg, Sweden
    cPanel Access Level:
    DataCenter Provider
    Yeah, saw it on one of the servers that was running an older version, 9.2.0 I think; however, it's gone from the 9.3.0 version :/
     
  13. highclass

    highclass Member

    Joined:
    Feb 9, 2004
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Well, it's strange... we are running WHM 9.4.0 cPanel 9.4.1-R55
     
  14. internetfab

    internetfab Well-Known Member
    PartnerNOC

    Joined:
    Feb 20, 2003
    Messages:
    336
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Gothenburg, Sweden
    cPanel Access Level:
    DataCenter Provider
    Funny thing, updated to 9.4.1 and it's there again ;) Guess they missed it in the 9.3.0 release :)

    Thanks!
     