Cpanel just updated on its own ???

Discussion in 'General Discussion' started by nyjimbo, Mar 12, 2004.

  1. fishfreek

    fishfreek Well-Known Member

    Joined:
    Jan 2, 2004
    Messages:
    238
    Likes Received:
    0
    Trophy Points:
    166
    No...

    I would have preferred to have been informed of the exploit. (The bit posted on bugtrack was ok but I don't recall a link to the bugtrack page in the WHM news nor do I recall bugtrack saying anything other than unchecking the feature as a solution)

    Been told of what it could do.

    Also been told how the affected files could be patched with OUT having to do a full blown upgrade.

    I am actually counting my lucky stars that so far we have not experienced any ILL effects from the forced upgrade.
     
  2. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    168
    Yes I am thanking my lucky stars. Now all of my security worries are over. This admin job thing is so much easier than I ever would have imagined. Thank you cPanel and thank you LS_Drew for showing me the light.

    I guess in the future we should all expect cPanel to take care of patching any and every security related hole on our cPanel only servers without admins having to even bother logging in.

    No one is faulting cPanel for burning the midnight oil and patching their software for customers as quickly as possible (although some may be faulting them for the number of issues the early releases caused). They are being faulted (by those who are faulting them) for the way they implemented the patch or at the very least the details they gave about the patch.

    If bdraco had mentioned in his original post (the one where he warned that you would have to chmod 0 /scripts/upcp to avoid the update) that the patch was going to be distributed via the vulnerability and only vulnerable servers would be updated I think there would have been a lot less backlash. I do not think there would have been no backlash because there are some people that do not appreciate hacks of any type against their systems (even friendly ones).

    Regardless of how excited you may be about being protected from yourself, I do not appreciate it. If I remember correctly, updates are set to automatic by default and setting cpanel updates to manual still leaves security updates set to automatic. If you want to avoid getting security updates automatically you have to intentfully change the default setting. If yesterday's updates were not security updates then I do not know what they were.

    You may be the kind of person that would appreciate it if auto manufacturers disabled your ignition until your car could confirm that you were wearing your seatbelt properly. I am not that kind of person. I appreciate that auto manufacturers provide me a seatbelt. I can decide for myself if I actually want to use it (I almost always do BTW ;) ).
     
  3. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    166
    God, what an idiotic argument. Hate to take a page from my buddy thephantom's book, but really, if you hate what they did so much, you should mosey on to some other CP software.

    If you want to run them over the coals for this ever happening in the first place (the script was a STUPID idea and implementing it in this manner was ridiculous), FINE. But when Cpanel goes to great lengths to actually save your data and your boxes from falling into the wrong hands, I don't see anything there to complain about. Especially when you could have acted on your own and eliminated the issue yourself.

    Bottom line:

    You didn't investigate. You said 'oh, root vulnerability, okay, I'll just do the minimum amount necessary and I'm sure everything will be fine'. You didn't check into the problem, test or investigate as a normal admin would have to. It's part of the JOB of doing this to be on the ball about such things. Because you didn't do your due diligence, Cpanel upgraded your machines. Live, learn, move on...what's the big deal?
     
  4. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    168
    No, but it was deceptive. There was a post that explained that the upgrade would happen at 3pm EST and that you would have to chmod a file to prevent it. Now I am hearing (by no official source BTW) that only servers that had not disabled the email password change feature were updated automatically.

    What planet are you living on? Reading through yesterday morning's posts on this very forum is what prompted me to take steps (or at least the steps I thought I had to take thanks to cPanel being so vague about the upgrade process) not to upgrade. If it went smoothly for you (as it did for me later that evening) then congratulations. It did not go that well for everyone. Read around a bit.

    LS_Drew if you don't see the logic in my analogy then that is your loss. Don't be (and I guess this goes for thephantom as well according to your post) such a fatalist. People are actually entitled to criticize things (products, processes, etc) without throwing their arms up and walking away. If I thought that cPanel was bad enough to walk away from, then I probably would not have bothered posting.

    Please don't tell me what I did and did not do or what defines a "normal" admin.

    The bottom line is that I expect manual to mean manual.
     
  5. LS_Drew

    LS_Drew Well-Known Member

    Joined:
    Feb 20, 2003
    Messages:
    187
    Likes Received:
    0
    Trophy Points:
    166
    And the internet community expects you to step up your administration and patch the goddamn boxes, so nobody has to override your 'manual' setting for the greater good.

    DO YOUR JOB. And none of this will be an issue again, and it wouldn't have even been an issue the first time.

    I will tell you what you didn't do and what constitutes normal admin work, because obviously you had not familiarized yourself with the concept prior to this incident.
     
  6. Ley

    Ley Well-Known Member

    Joined:
    Jan 4, 2004
    Messages:
    114
    Likes Received:
    0
    Trophy Points:
    166

    idiot. No one gives a flying f*ck about your boxes updating without problems. You are 1 of the 10 people that has no problems. The rest has, so please.. shut the f*ck up.
     
  7. DudeBro

    DudeBro Well-Known Member

    Joined:
    Jan 30, 2004
    Messages:
    51
    Likes Received:
    0
    Trophy Points:
    156
    You guys are so weird. Do you NOT understand the point of being able to change whether an update happens manually or automatically? Do you NOT understand the fact that hundreds of $ are being lost right now because servers (like mine) aren't working as they had been before this update. I don't care whether it was important or not. An URGENT/HIGH PRIORITY email could've been sent out to ALL cPanel customers that a VERY VERY VERY important update had to be done. I agree with Lay, not everyone was as blessed as you [Bailey] to having their shit working. If an update happens automatically, then what's the point of having a whole configuration for whether an update should be done manually or automatically? I suggest the cPanel staff review this.... This is ridiculous....
     
  8. Steve-PWH

    Steve-PWH Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    166
    If u got updated it means that a hacker could gain access to root on ur machine

    By end of that day there would have been scanners going around to find cpanel machines that are hackable

    How many $ would u have lost if u was hacked (which would have been highly likely) and all ur sites killed / defaced and some nice rootkits installed??????????????????

    At least for those servers that did not go 100% right the sites stayed up and u don't have to format and re-install your operating system

    It was not ideal no..... But the exploit was public and the hole needed closing quick, Think how many cpanel servers there are. Say 20% had been sorted (like mine) before the forced update and cpanel did not do what they did, Damn the hackers be having a hell of a laugh right now.
     
  9. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    168
    You have some major reading comprehension problems fanboy.

    Perhaps deafened by the sound of your own voice you failed to hear that I had disabled the email password updates more than a week ago and supposedly (again because I have not heard anything official from cPanel) would not have been subject to the forced update even if I had not chmod'd upcp. Hmm maybe the fact that the install went without issue on all of my boxes (later that evening when I had more time to devote to the issue) went over your head also? Why do you need to personalize things to understand them?

    The point is that I set updates to manual so that I can maintain complete control over what goes on the box. I am not going to tell you how to admin your boxes because I could care less what you do. It is not my style however to just let programs hijack my boxes and I feel that is why the manual choice even exists.

    Why did cPanel put it there if they did not want to give admins a choice? If the choice wasn't there, I WOULD be looking at other panels (or inhouse solutions).

    Bailey, if I took your comments out of context I apologize. The fact is that there are plenty of people that ran into problems with the update. You did not seem to acknowledge those people or even the possibility of that happening, in your post.

    You are right that this is a dead horse thread for me. Hopefully cPanel will see that there is a strong desire for a more direct communication channel to avoid some of the confusion and misunderstanding that surrounded the recent security issue.

    My vote would be for an opt-in mailing list (send only) used only for urgent communication. There would be no need to restrict the list to cPanel subscribers only and trying to do so would only complicate the matter.

    Good luck to all of the people who are still recovering from problems related to the update. Hopefully cPanel will get you straightened out sooner rather than later.
     
  10. Steve-PWH

    Steve-PWH Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    166
    I will make this clear

    Cpanel used the flaw to patch the flaw

    If you was updated u WAS OPEN TO ATTACK

    The reset password was found first then ANOTHER one was so turning off the reset password did not secure your box
     
  11. mr.wonderful

    mr.wonderful BANNED

    Joined:
    Feb 1, 2004
    Messages:
    345
    Likes Received:
    1
    Trophy Points:
    166
    Hehe! Well said!
     
  12. rockstar

    rockstar Member

    Joined:
    Jan 24, 2004
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    151
    Location:
    Planet Earth
    Ok,

    I have to say, I was rather amused at this whole thread. It's rather amazing what people say when they obviously aren't thinking first.

    I, for one, am very happy with CPanel, have had a few bumps along the way (but who hasn't with every piece of software), however, I do have a suggestion the next time something like this comes up.

    I realize you can't e-mail everyone that uses CPanel as you have no way of knowing who has what, however, this forum's software does have the ability to mass-mail its members and I'm positive that CPanel does have the e-mail addresses of each of the NOCs that have purchased licenses. Combining the two with 1 or 2 days notice would probably have shortened this thread by a lot.

    I'm not bitching about what was done, because it needed to be done, but the delivery could stand to be changed a little bit.

    Just a suggestion that would go a long ways to keep people from jumping off the deep end. That way if things go this way again, CPanel can say...talk to your NOC, they had the notice and they chose not to notify you. End of story.

    Just my 2 cents worth.
     