The Community Forums


Latest Exim mod - Tracking spammers at the expense of security

Discussion in 'Security' started by peterr, Jun 27, 2004.

  1. peterr

    peterr Well-Known Member

    Joined:
    Sep 24, 2003
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    As a CPanel user, I was disappointed to learn that one of the latest modifications includes running a Perl script from Exim to add some email headers, in an attempt to trace the source of spammers.

    These new "X-Source" headers added are of the format:

    X-Source:
    X-Source-Args: /usr/local/apache/bin/httpd -DSSL
    X-Source-Dir: /home/username/public_html

    where 'username' is the "root/shell" username of the
    domain.

    Whilst I support the idea/concept of doing more to trace the source of spamming (I send any spam to SpamCop, so I do support anti-spam measures), it should NEVER be at the expense of security.

    Now we have domain login usernames being sent out in emails, not a very intelligent or security conscious modification, to say the least.

    There are other methods to trace WHO the person was.

    Surely CPanel developers can come up with a method that still addresses tracing the source of spamming, but at the same time, does not, in any way, compromise website security.

    Peter
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If you don't like it, why don't you just turn the feature off, then? It's hardly much of a security risk.
     
  3. peterr

    peterr Well-Known Member

    Joined:
    Sep 24, 2003
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    The feature was developed in an effort to track the source of people spamming. By turning it off, you then lose that information. Not very sensible if you want to stop spammers.

    If you read my post again, you might notice that I was not opposing the use of anti-spam measures, only that the latest method used by CPanel is at the expense of security.

    Hackers need a username and password to login to a website (obvious I know), and if they know the username, it is, I am well informed, then reasonably easy to brute force the login to the website. Why would you want to assist a hacker, and make it easy for them, by making the username public ??

    Strange though it seems, people who say it is not a security risk for the (login) username to be made public, are never willing to make their own usernames public. :D

    Peter
     
  4. LP-Trel

    LP-Trel Well-Known Member

    Joined:
    Oct 13, 2003
    Messages:
    184
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Nirvana
    Did you ever think that your forum username is public here, or that your email username is public?

    Just because a username is public doesn't mean a thing. ;)
     
  5. peterr

    peterr Well-Known Member

    Joined:
    Sep 24, 2003
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    Of course it is public.

    1. Do you really think I would use the same (forum) username for any logins to websites? (doh!!!)

    2. If someone did happen to 'crack' my CPanel password, it's no concern to me, after all a forum login is not the same as a website login. What can be done in a forum, post, that's all. What can be done on a website, a lot. You cannot therefore compare a forum login to a website login, the two are mutually exclusive.

    .... wrong, my email is NOT public. :D

    Possibly you need to qualify the statement, and append this:

    ".... to me".

    Peter
     
  6. LP-Trel

    LP-Trel Well-Known Member

    Joined:
    Oct 13, 2003
    Messages:
    184
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Nirvana
    Your email username is available to anyone you send email to. Security by obscurity doesn't work very well. :D
     
  7. peterr

    peterr Well-Known Member

    Joined:
    Sep 24, 2003
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    As I don't send emails, your comment is nebulous.

    Peter
     
  8. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    How about logging in as root? Everyone knows that username, and it is on most every box that doesn't have it set up to su after root login.

    Chances are they would want to root a box rather than /home/someuser

    If you have a hard to impossible to guess password you should be all set.

    However I agree even parsing the domain name rather than /home/user would be a better security model.
     
    #8 myusername, Jun 29, 2004
    Last edited: Jun 29, 2004
  9. peterr

    peterr Well-Known Member

    Joined:
    Sep 24, 2003
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    Yep, agreed. :)

    As the CPanel 'mod' is apparently a perl script, I have been finding out how to 'disguise' the UID in Perl, and use the Blowfish algorithm to encrypt either the username or UID. Only the 'sysadmin' type person would know the key passed to the Perl/encrypt module, to be able to then decrypt it, if need be.

    Peter
     
  10. Website Rob

    Website Rob Well-Known Member

    Joined:
    Mar 23, 2002
    Messages:
    1,506
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    Alberta, Canada
    cPanel Access Level:
    Root Administrator
    Peter, although you bring up a good point, sending your concerns to DarkOrb and/or creating updated (better?) code for the situation would be the best thing to do. Discussing these types of situations is a good thing, but will not usually bring any satisfactory results.

    Your point is also somewhat old as this is the same method/problem used by Cpanel and the Web based eMail -- Horde, SquirrelMail, NeoMail. By default these scripts use the accountID in the eMail address and, although I can see & understand the reasoning behind it, Clients need to be taught the security issues and how to change these defaults.


    Also, I just had a look at the Headers of a recent eMail and do not see what you describe. Is what you mention a feature that must be manually turned on somewhere?

    WHM 9.4.0 cPanel 9.4.1-E54
    RedHat 9 - WHM X v3.1.0
     
  11. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    I have to agree with peterr on this issue. Yes, my forum name is public, but so what - all anybody can do using my username in these forums is post a few bogus messages - big deal. As for WHM username being common knowledge - well hopefully admins use a random password so brute force can't crack it.

    When it comes to clients though - the situation is VERY DIFFERENT. Although I provide free scripts to generate random passwords MOST of my clients choose a dictionary word as the password. Brute force is easy.

    Once a hacker breaks into a client's cPanel they can basically spam away, they can also install nasty scripts to port scan. This can basically lead your DC to thinking your box is hacked and it being disconnected.

    Not a happy scenario.

    I use many better methods to check for spamming so hopefully cpanel will make this new feature turn off-able - as I sure don't want it.

    If you're worried about spammers install mailwatch - this is a much better way to catch spam BEFORE it becomes a problem.
     
  12. peterr

    peterr Well-Known Member

    Joined:
    Sep 24, 2003
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    Hi Rob,

    Okay, point taken. Sorry, I don't know 'DarkOrb', but I assume it is a person/process for submitting suggestions or mods to code. I was informed the mod by CPanel works by running a Perl script from Exim, and as I'm not real good with Perl, sought the Perl Monks forum (http://perlmonks.org). The mods would be very minor to still send out the username in the "X-Source-Dir:" email header, but encrypted. An example, if we had the username of 'billblog':

    1. Send out the username (encrypted).

    Code:
    use Crypt::Blowfish;
    
    my $username = 'billblog';                       # exactly 8 bytes, i.e. one Blowfish block
    my $key = pack("H16", "0123456789ABCDEF");      # 16 hex digits packed into an 8-byte key
    my $cipher = Crypt::Blowfish->new($key);
    my $ciphertext = $cipher->encrypt($username);    # 8 raw bytes, not safe to put in a header as-is
    #my $uname_encrypt = unpack("H16", $ciphertext);  # hex-encode it so the header only carries 0-9a-f
    I have commented out the last line, because the working example is somewhere else at present, and I can't remember if I had to do the unpack. Essentially, it is like encoding emails, you have to make sure there are no special chars which tend to upset email servers. :D

    All the above code does is do a HEX pack of length 16, the encryption key in this example is "0123456789ABCDEF", and can be anything of course. Only the sysadmin type person would know this. I have been well informed that the Blowfish encryption is very good, basically without the key, you cannot decrypt it (unless you are a hacker/criminal).

    2. This part only needs to be done to see who is spamming (i.e. when it happens)

    Code:
    use Crypt::Blowfish;
    
    my $uname_encrypt = shift;                       # the hex string copied from the X-Source-Dir header
    my $key = pack("H16", "0123456789ABCDEF");      # same 8-byte key the encrypting side used
    my $cipher = Crypt::Blowfish->new($key);
    my $ciphertext = pack("H16", $uname_encrypt);   # undo the hex encoding to get the 8 raw bytes back
    my $username = $cipher->decrypt($ciphertext);
    
    Again, not too sure about unpacking, but my working example did the decryption back to value 'billblog' perfectly.

    So what we may see in an email header is:

    X-Source-Dir: /home/3E9jF5W10PlB74cs1a/public_html

    (That's not the real encrypted username, but you get the idea. :) )

    Yes, client education is a big issue. I just installed osCommerce for a client and usually I look after everything, so I can account for all the security side of things. However, he needs to maintain the website content, now there will be potentially more places where security _may_ lapse. It will be a mix of education and some security changes I think.

    Re Cpanel, yes there are issues there, I'm also amazed that WHM sends an email with the username and password when a new account is created. Sorry, but I can't understand that ?? Web based email, ... I always setup websites with at least one email box/account, so that nothing goes to the default email (the one that will put the accountID in the email address). That seems to work fine, except it can depend on the hosts you use and their setup.

    I see them in the CPanel notification emails, although they are currently empty:

    From my understanding, yes. The info from WHM is:

    WHM 9.4.0 cPanel 9.4.1-E62
    RedHat Enterprise 3 - WHM

    Peter
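    An added example in Python, not the poster's Perl script nor anything shipped by cPanel: the same goal (keep the X-Source-Dir header useful to the sysadmin without exposing the account name) done with a keyed hash instead of Blowfish. An HMAC tag is deterministic, so every message from one account carries the same tag and can still be correlated, it needs no 8-byte block padding, and the admin links a tag back to an account by recomputing it over the server's user list rather than by decrypting. The key, the account names and the header lines below are all constructed for the example.

```python
"""Keyed pseudonym for the account name in the X-Source-Dir header.

Added example, not cPanel's script. Swaps the thread's reversible
Blowfish idea for HMAC-SHA256: a holder of SERVER_KEY can still tell
which account a tag belongs to (by recomputing over the user list),
while anyone reading the mail header learns only an opaque tag.
"""
import base64
import hashlib
import hmac
import re

# Constructed sample key. On a real host this belongs in a root-only file,
# not in the script, and certainly not in anything mailed out.
SERVER_KEY = b"0123456789ABCDEF"

_HOME_RE = re.compile(r"^/home/([^/]+)(/.*)?$")


def pseudonym(username: str, key: bytes = SERVER_KEY, length: int = 16) -> str:
    """Deterministic tag for a username: same account -> same tag, so a
    run of spam can be tied to one account without naming it.
    Base32 keeps the tag within [a-z2-7], which is safe inside a header."""
    mac = hmac.new(key, username.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii").rstrip("=").lower()[:length]


def mask_source_dir(header_value: str, key: bytes = SERVER_KEY) -> str:
    """Rewrite '/home/<user>/public_html' to '/home/<tag>/public_html'.
    Paths that are not under /home are returned unchanged."""
    value = header_value.strip()
    m = _HOME_RE.match(value)
    if not m:
        return value
    user, rest = m.group(1), m.group(2) or ""
    return f"/home/{pseudonym(user, key)}{rest}"


def mask_headers(raw_headers: str, key: bytes = SERVER_KEY) -> str:
    """Apply the rewrite to every X-Source-Dir line of a header block;
    all other header lines pass through untouched."""
    out = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-source-dir":
            out.append(f"{name}: {mask_source_dir(value, key)}")
        else:
            out.append(line)
    return "\n".join(out)


def resolve(tag: str, usernames, key: bytes = SERVER_KEY):
    """Admin side: recompute the tag for each known account and return the
    one that matches, or None. compare_digest avoids a timing side channel."""
    for user in usernames:
        if hmac.compare_digest(pseudonym(user, key), tag):
            return user
    return None


# Constructed sample headers in the shape quoted in the thread.
SAMPLE_HEADERS = """X-Source:
X-Source-Args: /usr/local/apache/bin/httpd -DSSL
X-Source-Dir: /home/billblog/public_html"""

if __name__ == "__main__":
    masked = mask_headers(SAMPLE_HEADERS)
    print(masked)
    tag = masked.splitlines()[-1].split("/")[2]
    # Hypothetical account list for the demo.
    print("tag resolves to:", resolve(tag, ["alice", "billblog", "carol"]))
```

    The trade-off versus the Blowfish version: a keyed hash cannot be reversed even by the admin, so resolving a tag requires the list of accounts on the box, which the admin has anyway (/etc/passwd or WHM). Whoever has only the header still cannot get the username, which is the point of the post.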
     
  13. peterr

    peterr Well-Known Member

    Joined:
    Sep 24, 2003
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    Hi Michael,

    Our host lets us use an SSL connection to the WHM, I guess most would do this, nice to know the connection is secure. But then all that "good" is wasted when WHM sends out an email, in plain text, of usernames and passwords when a new account is created, and to add to the 'torture', puts the WHM username at the bottom of the email (yikes). Possibly there is a config somewhere to stop this, I, as a WHM user don't want to know that info, or if I do, I copy/paste it somewhere. Passwords; ...... yep, something long and full of strange chars helps a lot.

    Well, you are being very responsible to help your clients that way. Would it be much work for the script to check a db of dictionary names, or make sure the pwd was completely nonsense, if you know what I mean ?? I remember my days on a VAX computer (Digital - DEC) and we had to change our passwords about every 3 mths, and it couldn't be one we had used before, nor one that could be easily guessed.

    Yep, good point, so if a clients CPanel is hacked, and spam gets sent out, who gets the blame, the client for not keeping login details more secure, or the host, for turning on mods that give hackers the username. :D

    I don't know much about hacking, but without the username, nothing can be hacked, true ?? Unless someone would be crazy enough (or criminally minded enough) to try and brute force both, wow, think of the maths to work out how many combinations to try, absolutely millions, and then they usually are matched to dictionaries/words,etc.

    I'm 100% certain it is turn-offable, as when I complained to the hosts, they did take it off, and now emails don't have those headers.

    Hmm, haven't heard about that product. I have also asked in the Exim forums, if there is a method to configure the Exim logs to show email message ID (unique# I understand), time/date stamp and username. That way, only the 'sysadmin' people can see it, and not the public.

    Thanks, :)

    Peter
     
  14. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    If you are so concerned about the encrypted username thing in the emails, have you made it so that you need multiple logins to get root to your box?

    A simple ssh brute force with the default username is going to do a hell of a lot more damage than the guy (most likely) could if he were in a /home directory.

    Granted a cracker might be after the particular site, but I would say in most cases they just go after the whole kitten kaboodle.

    And yes, they know the default username. it is HaX0r 101.
     
  15. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    mailwatch is a little php script put out there by a cpanel user. I have mine setup to notify me whenever a user sends out more than 20 emails in 10 minutes. This is probably a bit low for most Hosting companies but it works for me. I collect email every 10 minutes so basically I know within 20 minutes if bulk email is being sent out. I use phpsuexec so the email logs always show the correct sender (not nobody). It's usually easier for me to just check the queue as there is always some email caught in it - I can read the bulk email and make sure the bulk email is one of my clients valid lists (not a hacker).

    to find out more about mailwatch just do a search on this forum for mailwatch and rs-freddo - you'll find the thread where someone put me onto this (about 3 months old).
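    An added example, not the mailwatch script itself: the same "more than 20 messages from one user in 10 minutes" check written against Exim mainlog arrival lines, so the attribution comes from the log the sysadmin already has rather than from a header mailed to the world. Exim logs each accepted message with a "<=" arrival line; for locally submitted mail the "U=" field names the Unix user that ran the sendmail call, which is why the post's phpsuexec remark matters (without it every web-script message shows U=nobody). The log lines, user names and message IDs below are constructed for the example.

```python
"""Sliding-window bulk-sender check over Exim mainlog arrival lines.

Added example, not rs-freddo's mailwatch. Flags any local user who
injects more than `threshold` messages within any `window_seconds` span.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Arrival lines look like:
#   2004-06-29 10:00:00 1BeXa0-0001Ab-00 <= bill@example.com U=billblog P=local S=1021
# Remote SMTP arrivals carry H=/[ip] instead of U=, so they do not match here.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+)"
    r".* U=(?P<user>\S+)"
)


def parse_arrivals(lines):
    """Yield (timestamp, local user, message id) for each local arrival line;
    delivery (=>), Completed and remote-arrival lines are skipped."""
    for line in lines:
        m = ARRIVAL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("user"), m.group("id")


def find_bulk_senders(lines, threshold=20, window_seconds=600):
    """Return {user: peak count} for users whose arrivals exceed `threshold`
    inside any `window_seconds` window. One deque of timestamps per user;
    entries older than the window are evicted as the window slides."""
    windows = defaultdict(deque)
    peak = {}
    for ts, user, _msgid in sorted(parse_arrivals(lines)):
        q = windows[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peak[user] = max(peak.get(user, 0), len(q))
    return peak


def report(peak):
    """One line per flagged user, suitable for a cron mail to the admin."""
    return "\n".join(f"{user}: {count} messages in window" for user, count in sorted(peak.items()))


# Constructed sample log: one normal message from billblog (with its delivery
# and Completed lines), a remote arrival with no U= field, and 25 messages
# from 'spammy' inside four minutes.
SAMPLE_LOG = [
    "2004-06-29 10:00:00 1BeXa0-0001Ab-00 <= bill@example.com U=billblog P=local S=1021",
    "2004-06-29 10:00:02 1BeXa0-0001Ab-00 => alice@example.net R=lookuphost T=remote_smtp",
    "2004-06-29 10:00:02 1BeXa0-0001Ab-00 Completed",
    "2004-06-29 10:00:05 1BeXa1-0001Ac-00 <= carol@example.net H=(mx.example.net) [192.0.2.10] P=esmtp S=3000",
] + [
    f"2004-06-29 10:{i // 60:02d}:{i % 60:02d} 1Be{i:03d}-0002Ab-00 <= shop@example.org U=spammy P=local S=2048"
    for i in range(0, 250, 10)
]

if __name__ == "__main__":
    print(report(find_bulk_senders(SAMPLE_LOG)))
```

    The threshold and window are the post's 20 messages / 10 minutes; a hosting company would raise them. Because the check reads the log rather than the sent mail, the account name never has to leave the box.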
     
  16. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    Here is a link to that forum thread and here is the link to the mail-watch script.
     
  17. peterr

    peterr Well-Known Member

    Joined:
    Sep 24, 2003
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    Hi Michael,

    Okay, thanks, sounds like it is for a sysadmin person/use. I don't have that level of access, only do web hosting, look after websites, so I use WHM/CPanel quite a bit. I'm simply trying to protect the usernames of my clients, some of the sites they run people can send themselves an email (oops, I forgot my password), and so anything like that, email initiated from the website, will have the "X-Source" email hdrs, if configured that way.

    If I'm not responsible and don't do all I can to protect my clients' usernames, then the security of their websites is compromised, and the buck stops at me. :D

    Thanks,

    Peter
     
  18. peterr

    peterr Well-Known Member

    Joined:
    Sep 24, 2003
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    Hi Rob,

    Can you please advise how I may contact "DarkOrb" ?

    Thanks,

    Peter
     
  19. myusername

    myusername Well-Known Member
    PartnerNOC

    Joined:
    Mar 6, 2003
    Messages:
    691
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    chown -R us.*yourbase*
    cPanel Access Level:
    DataCenter Provider
    Dark Orb = cPanel.

    Submit a trouble ticket.

    Better yet, do some research.
     
  20. peterr

    peterr Well-Known Member

    Joined:
    Sep 24, 2003
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    Okay, thanks.

    Well from the following ............

    I'm not a licensed cPanel customer, just a mild mannered end user. Can I contact a cPanel developer, or someone else ??

    ... research on what I may ask ?? :confused:

    Peter
     