
Security violation. How was our demo account deleted?

Discussion in 'Security' started by ozzi4648, Nov 7, 2002.

  1. ozzi4648

    ozzi4648 Guest

    I'm still trying to work out how this happened, and I'm wondering if the security gurus and cPanel have any information on this.

    A month ago we created an account called We flagged the account as a demo account so that we could invite would-be clients to view the demo account. My understanding was that if an account was flagged as DEMO it would be safe and secure for anyone to log in to see the site demo. How can we be sure it's safe and secure? Somebody with bad intentions could possibly log in and screw up the account, or worse yet, delete it.

    When I logged into my Windows PC tonight, I was greeted with AIM messages stating that Apache was down but couldn't be restarted. Well, that was strange, I thought, because the server has been stable and not showing signs of any problems. I tried to SSH to my box only to be told the server couldn't be reached. Very strange. I'm glad I had an open WHM session running, so I checked the stats. Apache was showing RED and everything else seemed to be functioning properly. Weird. No SSH, Apache down, time for a graceful reboot.

    The server rebooted and thankfully I was able to SSH to the box. Upon looking at the logs I found references to the words demo and user demo, and that Apache was down because the user demo account no longer existed on the system. How could that be? In order to get Apache back online I had to go into httpd.conf and COMMENT out the entire virtual site for demo that was left behind so I could restart Apache.

    WHAT HAPPENED TO /HOME/DEMO? How did it just disappear like that? Why was the following left in httpd.conf?

    #DocumentRoot /home/demo/public_html
    #BytesLog domlogs/
    #User demo
    #Group demo
    #CustomLog domlogs/ combined
    #ScriptAlias /cgi-bin/ /home/demo/public_html/cgi-bin/

    If it was deleted from WHM by somebody, why was the virtual site not removed from httpd.conf? All these questions, yet I have no answers. The server is clean, running iptables firewalls. There is no sign of a break-in and there are no rootkits on my server. There are no signs of a system compromise whatsoever, so where did my demo account go? How was it deleted? Is there a security hole in the control panel where somebody could actually delete a site? What would happen if a reseller created a demo account under his/her account? If they then deleted it, would that also delete our demo account or conflict with the site?

    I am not happy and I need answers from Nick. This is not right.
    I would like to know what your feelings are on this.
  2. dgbaker

    dgbaker Well-Known Member
    Toronto, Ontario Canada
    cPanel Access Level: DataCenter Provider

    I cannot answer to the exact reasons, BUT! One thing to watch with demo accounts: if the demo account is set to allow CGI scripts and is allowing access to the file manager, it is possible to delete the account. There are several scripts out there that allow a pseudo SSH through the browser. Once one is uploaded to the server it allows shell commands to be executed.

    There are several kinds: some run as the user, while others run as user nobody. If it runs as the user, then /home/user could be deleted.

    I suggest not allowing hasCGI in demo accounts. I would also recommend that when an account is in demo mode, the file manager be disabled by cPanel (enhancement?).

    This is only one possible explanation or reason.
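    Two checks follow from this thread: the original post's failure mode (Apache refusing to start because a leftover VirtualHost names a system user that no longer exists, which the poster had to comment out by hand) and dgbaker's advice that demo accounts should not have CGI enabled. The script below is an added example, not code from the poster, dgbaker or cPanel. It works on constructed sample text rather than live files; it assumes cPanel's per-account files under /var/cpanel/users use KEY=VALUE lines with HASCGI (named in the thread) and a DEMO flag (an assumption here) to record those settings, and it treats the VirtualHost/User/Group/DocumentRoot directives exactly as they appear in the poster's httpd.conf excerpt.

```python
import re
from typing import Dict, List, Set

# Constructed httpd.conf fragment (not the poster's real file): the second
# vhost still references user "demo", whose account has been removed.
SAMPLE_HTTPD_CONF = """\
<VirtualHost 10.0.0.5>
ServerName www.example.test
DocumentRoot /home/example/public_html
User example
Group example
</VirtualHost>
<VirtualHost 10.0.0.5>
ServerName demo.example.test
DocumentRoot /home/demo/public_html
User demo
Group demo
ScriptAlias /cgi-bin/ /home/demo/public_html/cgi-bin/
</VirtualHost>
"""

# Constructed /etc/passwd content: "demo" is deliberately absent.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
example:x:1001:1001::/home/example:/bin/bash
"""

# Constructed stand-ins for /var/cpanel/users/<account> files (assumed format).
SAMPLE_CPANEL_USERS = {
    "example": "DEMO=0\nHASCGI=1\nHASSHELL=0\n",
    "demo2": "DEMO=1\nHASCGI=1\nHASSHELL=0\n",   # demo account with CGI on: risky
    "demo3": "DEMO=1\nHASCGI=0\nHASSHELL=0\n",   # demo account with CGI off
}

VHOST_RE = re.compile(r"<VirtualHost[^>]*>.*?</VirtualHost>", re.S | re.I)
DIRECTIVES = ("ServerName", "User", "Group", "DocumentRoot")


def parse_vhosts(conf: str) -> List[Dict[str, str]]:
    """Return one dict per <VirtualHost> block holding the directives we care about."""
    vhosts = []
    for block in VHOST_RE.findall(conf):
        entry: Dict[str, str] = {}
        for line in block.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):      # skip commented-out lines
                continue
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] in DIRECTIVES:
                entry[parts[0]] = parts[1]
        vhosts.append(entry)
    return vhosts


def passwd_users(passwd: str) -> Set[str]:
    """Set of login names present in passwd-format text."""
    return {ln.split(":", 1)[0] for ln in passwd.splitlines() if ln and not ln.startswith("#")}


def orphaned_vhosts(conf: str, passwd: str) -> List[str]:
    """ServerNames of vhosts whose User directive names a non-existent account.
    Apache will refuse to start on these, which is the symptom in the thread."""
    users = passwd_users(passwd)
    return [v.get("ServerName", "?") for v in parse_vhosts(conf)
            if v.get("User") and v["User"] not in users]


def comment_out_orphans(conf: str, passwd: str) -> str:
    """Prefix every line of an orphaned vhost with '#', the manual fix the poster applied."""
    users = passwd_users(passwd)

    def repl(m: "re.Match[str]") -> str:
        block = m.group(0)
        user = re.search(r"^\s*User\s+(\S+)", block, re.M)
        if user and user.group(1) not in users:
            return "\n".join("#" + ln for ln in block.splitlines())
        return block

    return VHOST_RE.sub(repl, conf)


def risky_demo_accounts(user_files: Dict[str, str]) -> List[str]:
    """Accounts flagged DEMO=1 that still have HASCGI=1 (dgbaker's warning)."""
    out = []
    for name, text in user_files.items():
        kv = dict(ln.split("=", 1) for ln in text.splitlines() if "=" in ln)
        if kv.get("DEMO") == "1" and kv.get("HASCGI") == "1":
            out.append(name)
    return sorted(out)


if __name__ == "__main__":
    print("orphaned vhosts:", orphaned_vhosts(SAMPLE_HTTPD_CONF, SAMPLE_PASSWD))
    print("demo accounts with CGI enabled:", risky_demo_accounts(SAMPLE_CPANEL_USERS))
    print(comment_out_orphans(SAMPLE_HTTPD_CONF, SAMPLE_PASSWD))
```

    Run before an Apache restart, the orphan check turns the poster's after-the-fact log hunt into a direct report, and the commented-out output is what a cleanup would write back; the demo-account check is the configuration review dgbaker recommends. To run it against a real server, read httpd.conf, /etc/passwd and the files under /var/cpanel/users in place of the constructed strings.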
  3. ozzi4648

    ozzi4648 Guest

    Originally posted by thaphantom:

    > yea, don't allow CGI and also don't allow SSH through the demo account. I have a demo account and have yet to have a problem with it.

    CGI, FTP, SSH, and everything was set OFF. If that is true, how were any files uploaded through the file manager? I just tried it on the new demo account and it would not let me do anything. So there must be another hole somewhere. There has to be; it doesn't make any sense how this account was removed.
