The Community Forums


Major security hole

Discussion in 'Security' started by chirpy, Apr 9, 2006.

  1. chirpy

    Yup. If you believe there's a security issue with WHM, then you should be logging a ticket with cPanel. Posting here is inviting comment about your security implementation, so that is what you will get.

    If you're concerned about your security then you should not be allowing connections over port 2086 in the first place. If you have an insecure local network, a packet sniffer can easily pick it out from the HTTP traffic to port 2086. You can also restrict port 2087 access to your own IP or ISP IP range.

    The length and strength of your root password is meaningless if your server has suffered a root compromise, which could just as easily be through a multitude of daemons and user scripts, so you need to be 100% sure that it's not been through a different route with a root password sniffer uploaded.

    All in all, you need to have cPanel investigate in the first instance, and a security admin check the server over in the second.
     
  2. jcase

    Again, I do NOT understand why you allow people to log in as root; it simply doesn't make ANY sense. This morning I awoke to my server being rebooted. Certainly this wasn't me. So I take a look at /usr/local/cpanel/logs/access_log


    203.162.157.105 - root [09/Apr/2006:07:25:51 -0400] "" 500 0 "http://67.19.108.250:2086/scripts/command?PFILE=main" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    203.162.157.105 - root [09/Apr/2006:07:25:52 -0400] "" 500 0 "http://67.19.108.250:2086/scripts/command" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    203.162.157.105 - root [09/Apr/2006:07:26:09 -0400] "GET /scripts/dialog?dialog=reboot HTTP/1.1" 304 0 "http://67.19.108.250:2086/scripts/command" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    203.162.157.105 - root [09/Apr/2006:07:26:10 -0400] "GET /themes/x/bg.gif HTTP/1.1" 304 0 "http://67.19.108.250:2086/scripts/dialog?dialog=reboot" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    203.162.157.105 - root [09/Apr/2006:07:26:10 -0400] "GET /themes/x/images/reboot.gif HTTP/1.1" 200 0 "http://67.19.108.250:2086/scripts/dialog?dialog=reboot" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.


    Oh wow, it looks like another person from Asia logging into WHM as ROOT via 2086 and rebooting the box.
    And of course don't even think about advising me on security tips. Believe me, I have a password that's about as long as your Windows serial number, chmod 000 almost everything that would be useful to a hacker, and of course run ipfw on the box (which was re-enabled at reboot), and of course lock down SSH to ONLY my IPs.

    This is the latest "stable" release of WHM for FreeBSD. I would suggest a fix ASAP.
    I'm losing faith in you guys real quick on the security side of things.
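As an added example (not part of any post in this thread): a small Python check that parses WHM access_log lines in the format jcase posted and flags root sessions that came from outside an assumed administrator IP range, over the plaintext port 2086 chirpy warns about, or that opened the reboot dialog. The admin range 198.51.100.0/24, the `audit`/`parse_line` names and the last sample line are constructed; the first two sample lines are copied from jcase's post.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# /usr/local/cpanel/logs/access_log format as shown in the thread:
# IP - user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed administrator range (RFC 5737 placeholder); substitute your own.
ADMIN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

UA = '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'
# Sample input: lines 1-2 are from jcase's post; line 3 is a constructed benign
# admin session over the TLS port 2087 from inside ADMIN_NETWORKS.
SAMPLE_LOG = [
    '203.162.157.105 - root [09/Apr/2006:07:25:51 -0400] "" 500 0 '
    '"http://67.19.108.250:2086/scripts/command?PFILE=main" ' + UA,
    '203.162.157.105 - root [09/Apr/2006:07:26:09 -0400] '
    '"GET /scripts/dialog?dialog=reboot HTTP/1.1" 304 0 '
    '"http://67.19.108.250:2086/scripts/command" ' + UA,
    '198.51.100.7 - root [09/Apr/2006:09:00:00 -0400] '
    '"GET /scripts/command?PFILE=main HTTP/1.1" 200 4096 '
    '"https://67.19.108.250:2087/" "Mozilla/5.0 (constructed)"',
]

def parse_line(line):
    # Returns the parsed fields, or None for a malformed or truncated line.
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def audit(lines, admin_networks=ADMIN_NETWORKS):
    # One finding per suspicious root request: (ip, timestamp, reasons).
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] != "root":
            continue
        reasons = []
        ip = ipaddress.ip_address(rec["ip"])
        if not any(ip in net for net in admin_networks):
            reasons.append("root login from non-admin IP")
        if urlsplit(rec["referer"]).port == 2086:  # referer shows the port used
            reasons.append("session over plaintext port 2086")
        if "dialog=reboot" in rec["request"]:
            reasons.append("reboot dialog requested")
        if reasons:
            findings.append((rec["ip"], rec["ts"], reasons))
    return findings
```

Run it over the real log with `audit(open("/usr/local/cpanel/logs/access_log"))`; truncated lines such as the last one in jcase's paste are skipped rather than misreported.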
     
  3. webignition

    I don't believe that ranting about this issue on the forums will get the issue drawn to the attention of cPanel. You should really submit a ticket directly to cPanel.

    Have you done so? An update on the progress of the ticket would be interesting.
     
  4. fred123123

    Is this real???

    I think I was a victim of this!!!!!

    My server root password was changed and the server rebooted. It was changed 4 times in a few minutes and the server was rebooted 2 times....

    Any updates about the security problem???
     