Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Cpanel just updated on its own ???

Discussion in 'General Discussion' started by nyjimbo, Mar 12, 2004.

  1. dhabets

    dhabets Well-Known Member

    Joined:
    Dec 31, 2001
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    306
    cPanel Access Level:
    DataCenter Provider
    Matt, did you notice how they delivered the "security update".... PM me if you haven't noticed yet... you'll be surprised.

    Ah, f it... anyone who still has upgrades, do a

    ps -ef|grep cp

    or

    ps -ef|grep MANUAL

    Then you can see how the manual setting was overridden.
     
  2. Big Gorilla

    Big Gorilla Active Member

    Joined:
    Jan 30, 2004
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    156
    Although I disagree with the way cPanel stealth updated, I think this was apparantly to fix a newer security hole that was the same as the reset password hole, but more core to cpanel functionality (exploit info was released today). At least I know after that update, the hole went away.
     
  3. AlaskanWolf

    AlaskanWolf Well-Known Member

    Joined:
    Aug 11, 2001
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    316
    Location:
    Fremont CA
    1. The least you can do is know how to spell, or at least use copy and paste, shows how intelligent you are

    2. You didn't need to ask me, this is a forum, not your personal email box
     
  4. mainarea

    mainarea Active Member

    Joined:
    Nov 18, 2002
    Messages:
    41
    Likes Received:
    0
    Trophy Points:
    156
    My box was already patched, and this upgrade broke CPanel/WHM for about 90 minutes... this should NOT be happening, there has to be some other way to do things without breaking stuff. I have updates set to manual exactly for that reason - now I learn that "manual" means "it's manual sometimes".

    - Matt
     
  5. thedavid

    thedavid Well-Known Member

    Joined:
    Nov 22, 2002
    Messages:
    124
    Likes Received:
    0
    Trophy Points:
    166
    So much anger over a control panel... It's not like they're insulting your mother or something.. I reccomend both sides just chill. Been a bad day for everyone with exploits released.
     
  6. MattF

    MattF Active Member

    Joined:
    May 5, 2002
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    306
    Hmm... okay, please elaborate. My complaint if it wasnt clear from the being is the lack of code review and code security auditing. I'd be interested to see you justify which one #1 or #2 I fit in it. Some people complain in hope of improvement!

    Why would Windows be right up my street?
     
  7. Ozru

    Ozru Registered

    Joined:
    Mar 12, 2004
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    151
    Ah, yes, the "sure, you paid for it, but I recommend you throw that investment away wholesale" argument. Not exactly practical.

    Not everyone was as blessed as you.

    They should have upgraded boxes that were set to auto update, but not boxes that were configured for manual updates. Then the hypothetical plaintiffs with the bad spelling and lack of lower-case letters would have no grounds for suit, if they had set their servers to manual update. This assumes, of course, that cPanel would still notify them of the security hole when not performing the (specifically proscribed) auto update.

    That is uncalled for and has no basis in logic.

    Real sysadmins pay attention and stay on top of things themselves. They don't just expect things to magically update and be correct.

    AOL, on the other hand, updates itself all the time without asking you whether you want it.

    Windows can be set to either do the updates itself, tell you about them and let you get them yourself, or not tell you at all. So it's really irrelevant, because it suits you just as much as it suits the victims of your ad hominem attack.
     
  8. vortech

    vortech Well-Known Member

    Joined:
    Aug 12, 2001
    Messages:
    71
    Likes Received:
    0
    Trophy Points:
    306
    Crap happens. Sometimes a lot to CPanel, but hey we will all live.. At least it only took down WHM for the most part and not the sites.. Look at it that way.. :)
     
  9. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    166
    thephantom, are you a real sysadmin?

    If you are, surely you know how Cpanel did it's update today. And if you know that, then you also know that if any of your machines were upgraded today by Cpanel, it was because YOU are not a real sysadmin, waiting around until Cpanel patches your boxes for you because you're too incompetent or lazy to do it yourself. Or maybe it's because you don't know how...

    But anyway, I really don't think hanging around here attacking anyone who's the least bit 'against cpanel' qualifies you to judge anyone's administration abilities.

    None of my boxes were upgraded by Cpanel today, because they were patched yesterday. Yet 50+ of thephantom's boxes would have been rooted or used to attack the machines run by legitimate sysadmins if Cpanel hadn't stepped in.

    Thank you, Nick, and Co., for saving us from the likes of thephantom and his incompetent brethren.

    I want to say that I applaud Cpanel for the way they handled this today and if Nick had explained what he was doing a bit better from the get go, would have done so from the beginning.
     
  10. goodmove

    goodmove Well-Known Member

    Joined:
    May 12, 2003
    Messages:
    628
    Likes Received:
    1
    Trophy Points:
    168
    Is Mattf in this forum the former owner of Webhostingtalk.com?
     
  11. fishfreek

    fishfreek Well-Known Member

    Joined:
    Jan 2, 2004
    Messages:
    238
    Likes Received:
    0
    Trophy Points:
    166
    So if the your car was found to have a major safty flaw you would not have a problem with a service agent comming by and towing your car to be repaired in the middle of the day with out directly notifying you?

    Or would you prase MS if they forced a security update to every computer in your orginization with out your direct knowlege or authorization?

    The issue is that when we have updates set to manual we have them set that way for a reason. Personally I have them set to manual because from reading these forums in the past it seemed to me that updates more often than not caused problems rather than fixed them so why do I want stuff updating when Im not aware of it?

    I want to know exactly when stuff is getting updated and I would run the updates when I had time to be around to make sure things went properly and the end result was satisfactory.

    Thankfully the 4 boxes I was resposnible for appeared to have upgraded with no issue last night. I at first disabled the upcp script from running just because I didnt want the box's updating A) with out my knowlege and B) when I was not in a position to be able to assess and begin attempted corretive measures upon a failed update.
     
  12. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    168
    Exactly!

    After having disabled upcp yesterday, I updated late last night (early this morning? :) ) without issue (at least no issues that my quick tests made me aware of). I had other things to take care of yesterday and could not get caught up with non-working cpanel boxes and mounting customer complaints. I made a conscious decision to hold off on updating until I was in a bettter position to deal with any potential update issues. That is the reason why I set all of my servers updates to manual and cpanel should respect that.

    I should not had to of taken "extra" steps to prevent unwanted updates beyond setting my update preferences to manual. I am just glad that I took time out to check the changelogs (and then the forums once I saw 4 stable updates listed in one morning) to see what updates were prompted by the security alert from the day before.
     
  13. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    166
    If you had patched for the problem the day before, then Cpanel's update would not have affected you. There wasn't any reason to disable anything. (though Nick should have made that more clear)

    They ONLY updated machines that were vulnerable to this flaw. Others were not touched.
     
  14. Steve-PWH

    Steve-PWH Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    166
    If the box was vulnerable then it got updated

    If it was not vulnerable it did not get touched

    Cpanel used the flaw to seal the flaw

    So some of you got broken cpanels, its a problem yes but aint a rootkit getting installed or the whole server getting taken down far far worse

    If this aint been done there would have been so many boxes hacked by end of the day as word spread
     
  15. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    168
    I can't understand how some people bitch about problems with their server after the forced upgrade.

    The people complaining about this obviously didn't upgrade their still vulnerable servers BEFORE the forced upgrade. I wonder when they were planning to do their updates then? Maybe next week ? :confused:

    A large number of cpanel servers were already hacked before the forced upgrade. If you were to be still running a vulnerable cpanel server today it would probably be rooted already.
     
  16. PWSowner

    PWSowner Well-Known Member

    Joined:
    Nov 10, 2001
    Messages:
    2,948
    Likes Received:
    4
    Trophy Points:
    343
    Location:
    ON, Canada
    The complaints are getting out of control. I understand the problem with an auto update when you intentionally set your server to manual, but as has been stated a few times, this auto update was only applied if the server was still in a vulnerable state.

    Anyone who at least watches their WHM daily had plenty of time to stop the vulnerability and would not have had an auto update happen. Anyone who does not watch their server regularly should be happy the flaw was removed.

    We had at least 2 days warning to disable the password reset and since I disabled mine, I had no auto update. I did manually update the the newest release the next day and had no problems with it.

    It's true, if someone sets it to manual, they expect it to be manual, but using manual also requires that person do their job daily.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  17. fishfreek

    fishfreek Well-Known Member

    Joined:
    Jan 2, 2004
    Messages:
    238
    Likes Received:
    0
    Trophy Points:
    166
    I personally try to visit WHM on our servers a few times a day. When I saw the first notice I disabled the feature to reset password via e-mail.

    The following day i saw the notice to update the software. The second day it said nothing about how to correct the issue with out upgrading.

    This made me belive that either the fix that was mentioned the day prior was found to be faulty or that there was a greater issue.

    If simply unchecking the password reset box would have kept us from being autoupgraded then we where ok from being auto upgraded. I made it so upcp could nto run so it did not update when i was not able to be around and babysit the update.

    If what you describe squirrel was the case in that those who unchecked that feature would not have been updated then I would say it was more a problem with how it was communicated in WHM news as I was lead to belive anything prior to release 9.1.0 S49 or something like that was vunerable reguarless of the password setting being checked or not.
     
  18. PWSowner

    PWSowner Well-Known Member

    Joined:
    Nov 10, 2001
    Messages:
    2,948
    Likes Received:
    4
    Trophy Points:
    343
    Location:
    ON, Canada
    It probably could have been explained a bit better in the WHM news.

    When I see something like that in WHM, I always come here to read up more on it so I knew that by disabling the reset feature, I'd be safe.

    I believe someone else mentioned a mailing list. That would be a great idea to have a mailing list any cpanel user could subscribe to and then it would be easy for them to keep everyone up to date.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  19. fishfreek

    fishfreek Well-Known Member

    Joined:
    Jan 2, 2004
    Messages:
    238
    Likes Received:
    0
    Trophy Points:
    166
    I try to come here every few days at least and scan the forums for new posts.

    Yesterday I read many posts about the subject and I still didnt end up with the understanding that what I had done the day before was the solution.

    Well the side effect is alot of the servers are up to 9.1.0_S73 or RXX or EXX.
     
  20. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    166
    And you should thank your lucky stars that they were upgraded, because unchecking the checkbox was not enough. You also needed to chmod 000 the file in question, or you were still vulnerable.

    Cpanel upgrade or root kit...hmm...which would we be complaining about more? :)
     
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice