The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Demo account used for Spamming

Discussion in 'General Discussion' started by ljweb, Jul 26, 2004.

  1. ljweb

    ljweb Member

    Joined:
    Nov 26, 2003
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    I discovered today that some smart chap used my demo cpanel account to send spam... i have no idea how since its only demo and nothing works. They sent out thousands until i realised. Anyway i disabled the demo and cleared the mail queue and it seems ok now.

    Has anyone heard of this before?
     
  2. mr.wonderful

    mr.wonderful BANNED

    Joined:
    Feb 1, 2004
    Messages:
    345
    Likes Received:
    0
    Trophy Points:
    0
    Dont use DEMO. If you search the forums you will see why. It has been mentioned time and time again. Lucky you werent hacked or maybe you were but you dont know it. If i was you it look over the server with a fine tooth comb.
     
  3. ljweb

    ljweb Member

    Joined:
    Nov 26, 2003
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    If the Demo feature is such a risk, why does cPanel include this feature???
     
  4. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    711
    Likes Received:
    3
    Trophy Points:
    18
    I'd say its there because some people want it :)

    Perhaps you want to enable it temporarily for training or a demonstration.
    Perhaps you want to have people request access to it so you can change the password and give them a time limit before it gets changed again.
    you may want to create a demo account for each prospective client that only they have access to.
    Or perhaps you don't want the security issues with giving the public an account :)

    The real security issue comes in when you give the demo user's login info out to the public. Its the same as posting a regular user's login info on your website. People will abuse it so you don't give them that information so lightly.

    What ever the case and as with any software or feature it is up to you what features to enable or not and what policies to apply to them based on your needs, abilities, security concerns, etc etc.

    Just my .02 ;)
     
    #4 cPDan, Jul 26, 2004
    Last edited: Jul 26, 2004
  5. cPDan

    cPDan cPanel Staff
    Staff Member

    Joined:
    Mar 9, 2004
    Messages:
    711
    Likes Received:
    3
    Trophy Points:
    18
    Some things you can do is:
    Assuming an account name of 'demo':

    1) Set the email accounts it can create to 0 so that only the system user is able to send mail.

    2) disable that system user from sending mail by doing this:

    In /etc/exim.pl in the checkuserpass funtion add this line after the $user if modified:
    Code:
       $user =~ s/\%/@/g;
       $user = 'GoAwayLuser' if $user eq 'demo';
    
    IE it should look like this:
    Code:
    sub checkuserpass {
       my($user,$pass,$shift) = @_;
       my($domain);
       my($owner,$homedir,$uid,$gid);
       if ($user eq "" || ($user eq $pass && length($shift)>0)) { #netscape sucks!
          $user = $pass;
          $pass = $shift;
       }
             
       $user =~ s/\%/@/g;
       $user = 'GoAwayLuser' if $user eq 'demo';
    ...
    
    This may not be 100% effective as there is still PHP scripts running as nobody that they could use, so it'd be good to tighten down your PHP install as well.
     
Loading...

Share This Page