The Community Forums

Interact with an entire community of cPanel & WHM users.

How safe is cPanel's phpMyAdmin from these vulnerability scanners: Revolt, ZmEu

Discussion in 'Security' started by daw1cked, Jun 20, 2011.

  1. daw1cked

    daw1cked Member

    Joined:
    Jun 20, 2011
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Recently I see user-agent logs of Revol, ZmEu, etc.
    I googled and it turns out they are vulnerability scanners for phpMyAdmin that look for installs with no passwords and other types of vulnerabilities.
    Is the original install (which I assume occurs through cPanel) secure from these vulnerabilities? Any thoughts?

    I am a little worried since Webalizer shows /http://allrequestsallowed.com/ as an "Entry Page" with 1 hit. Is that bad?

    Thanks
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator

    The cPanel installation of phpMyAdmin requires a username and password for each user. Even the root user has to have a password to access the interface. There isn't any blank login allowed via the cPanel or WHM interface anyway.

    Now, it is possible some users might try to install phpMyAdmin as a 3rd party application in their account. If they did that, this wouldn't be a cPanel installation but a custom one. If you find any copies outside /usr/local/cpanel/3rdparty directory in the /home/username location or higher, then that is a user installed copy.
     
  3. daw1cked

    daw1cked Member

    What about the fact that I found "allrequestsallowed.com" as an Entry Page in one of the account's Webalizer stats? Is that something to be worried about? Seems a bit weird.
     
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    I have no idea what allrequestsallowed.com even represents to make a comment on it.
     
  5. daw1cked

    daw1cked Member

    Well, isn't it weird that the analytics show a strange URL as an Entry Page when all other Entry Pages are things like '/' or '/index.htm' or '/about-us/'?
     
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    How does this relate to phpMyAdmin? The discussion to my understanding was phpMyAdmin. This url is another discussion entirely, and again one that I cannot make any comment on due to not understanding the context without seeing it.

    If you would like to post a screen print of that area so it is clearer what exact area it was in and what exactly it shows, then please definitely feel free to do that.

    Also, I'm confused as Webalizer was originally mentioned a couple of times, then now analytics is being mentioned (which sounds like Google Analytics), so was this in Webalizer or was it in another non-cPanel provided application for statistics?
     
  7. daw1cked

    daw1cked Member

    It does relate to phpMyAdmin.
    As mentioned in the first post, I found user-agent records in Webalizer (analytics as in site analytics and not Google Analytics) with the following names: Revol, ZmEu and similar non-browser user agents. I read up on them and it turned out these are vulnerability scanners that target phpMyAdmin. Then I was worried a vulnerability was indeed found on my server and exploited since, again, I found Top Entry Page records in Webalizer with the name "allrequestsallowed.com", which is abnormal for an entry page. Entry pages should be pages/files on my server, and not a URL that has nothing to do with any of the hosted websites.

    Does it make sense?
     
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Please provide a screen print for us to see what it is showing along with the domain logs if you have those for these entries. The domain logs would be at /usr/local/apache/domlogs for the domain name. I cannot state further on that specific question about that url until I see the actual screen print for Webalizer and the domain logs.

    Have you checked to see if the account in question is running their own copy of phpMyAdmin rather than using cPanel's copy? Again, the cPanel copy requires a username and password for authentication.
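
A way to run the two checks suggested above from a shell, as an added example that is not part of the original thread: `triage_log` flags requests whose user agent matches the scanner names mentioned here or whose request target is an absolute URL (an assumption about how an entry such as `/http://allrequestsallowed.com/` reaches Webalizer), and `find_user_pma` looks for phpMyAdmin copies under a home tree. The function names, the `SCANNER_UA_RE` variable, the `config.sample.inc.php` marker heuristic and the log lines are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Log lines are constructed; IPs are
# documentation ranges and the local paths are made up.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [20/Jun/2011:10:01:02 -0500] "GET /phpmyadmin/index.php HTTP/1.1" 404 312 "-" "ZmEu"
203.0.113.7 - - [20/Jun/2011:10:01:03 -0500] "GET /pma/index.php HTTP/1.1" 404 305 "-" "ZmEu"
198.51.100.9 - - [20/Jun/2011:11:15:40 -0500] "GET http://allrequestsallowed.com/ HTTP/1.1" 200 1543 "-" "-"
192.0.2.44 - - [20/Jun/2011:12:00:00 -0500] "GET /about-us/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
EOF
}

# Read Apache combined-format log lines (files as arguments, or stdin) and
# print tab-separated: reason, client IP, status, request target, user agent.
# Fields are split on double quotes, so a line with a literal quote inside
# the request or referer will be misparsed.
triage_log() {
  awk -F'"' -v ua_re="${SCANNER_UA_RE:-ZmEu|Revol}" '
    {
      split($1, pre, " ");  ip = pre[1]
      split($2, req, " ");  target = req[2]
      split($3, res, " ");  status = res[1]
      ua = $6
      row = ip "\t" status "\t" target "\t" ua
      # User agent matches one of the scanner names from the thread.
      if (ua ~ ua_re) print "scanner-ua\t" row
      # Request target is scheme://... instead of a local path.
      if (target ~ /^[A-Za-z][A-Za-z0-9+.-]*:\/\//) print "absolute-uri\t" row
    }' "$@"
}

# Heuristic search for user-installed phpMyAdmin copies below $1 (e.g. /home):
# directories named like phpMyAdmin, plus any directory holding the
# config.sample.inc.php file that phpMyAdmin ships (assumed marker).
find_user_pma() {
  find "$1" \( -type d -iname '*phpmyadmin*' -print \) -o \
            \( -type f -name 'config.sample.inc.php' -exec dirname {} \; \) \
       2>/dev/null | sort -u
}

# Demo on the constructed sample; on a server, pass a file from
# /usr/local/apache/domlogs instead, and run: find_user_pma /home
sample_log | triage_log
```

The status column shows what Apache answered for each flagged request, which is the first thing to read off before deciding whether a hit needs follow-up.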
     
  9. daw1cked

    daw1cked Member

    Joined:
    Jun 20, 2011
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Here is the screenshot:

    scr1.jpg
     
  10. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    The phpMyAdmin application as provided with cPanel & WHM is not directly accessible via Apache. Rather it is only accessible via the cPanel & WHM daemon (cpsrvd). Log entries reported by webalizer, awstats and analog are for requests against Apache, not cpsrvd.

    Accessing phpMyAdmin as provided by cPanel & WHM requires successful authentication before access to the application is granted.

    The vulnerability scanners you are concerned about are not able to access the phpMyAdmin application provided by cPanel & WHM.
     
  11. grayloon

    grayloon Well-Known Member

    Joined:
    Oct 31, 2007
    Messages:
    98
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Evansville, IN
    cPanel Access Level:
    Root Administrator
    I found the following directive that can help protect against scans by a ZmEu user agent. Which config file would I edit to use this for all virtual hosts?

    Code:
    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/path/to/your/abusefile.php
    RewriteCond %{HTTP_USER_AGENT} (.*)ZmEu(.*)
    RewriteRule .* http://www.yourdomain.com/path/to/your/abusefile.php [R=301,L]
    </IfModule>
    
     