Since I've got multiple cPanel servers, I'd like them to share information regarding various security aspects. Maybe someone has already done this, so I'd appreciate some help.
I would like my servers to "transfer" (via scp for example) various updates (via diff files maybe?) of things like these:
/etc/spammeripblocks
cphulkd blacklist
iptables bans
etc..
Something that works like the current DNS cluster would be best. Servers synchronizing various updates among them.
Is there a Linux utility that can help me, or should I just build my own set of shell tools for that based on things like scp and diff?
Any help would be appreciated.
Wednesday, 30 May 2012
[Cpanel Blog] multiple servers sharing security information May,2012
Posted by Bimo Hery Prabowo at 13.32, 0 comments
[Cpanel Blog] Mod_Evasive May,2012
We installed mod_evasive on our testing server and followed this article:
http://systembash.com/content/how-to...h-mod_evasive/
Can anyone tell us how we can test Mod_Evasive with the CSF firewall? When we try to refresh pages again and again, CSF does not seem to block the IP.
Posted by Bimo Hery Prabowo at 07.32, 0 comments
[Cpanel Blog] I need help -- server got hacked, php injection May,2012
Hello,
I have 290 hosted sites.
Through some vulnerability in Joomla (what I'd consider), some people managed to insert malicious files into the tmp folder of some domains and executed them.
Several encrypted shell scripts (such as c99shell) were injected. Most of the processes on my server were being killed every minute.
I also found a script that lists the cPanel users of all domains on my server, and email bomber scripts.
And what worries me most:
Joomla stores the information related to the database in a file called configuration.php.
90% of the sites that I host are made in Joomla.
I found a Perl script in some domains that scans for the files configuration.php, config.php and wp-config.php in all domains on my server and saves a copy in a .txt file.
That makes it possible to access all databases on my server, everything, including the WHMCS, WordPress, Magento and Drupal databases.
My question is:
I need to change the password for all databases, and also change them in the configuration.php file, but I do not know of a way to do this automatically.
Is there a script that makes this change both in the configuration.php file and in MySQL (the MySQL user password)?
I have no idea how to do this. I'm using "grep" to find the malicious files on the server, since I have to delete them before making any changes to MySQL.
Last question: Was it a problem in Joomla (a very old 1.5 version) or was it because my /tmp folder was not on an isolated partition? (I use OpenVZ.)
I also have no mod_security rules running, because they were causing problems on my WordPress sites.
Furthermore, grep is dramatically increasing the server load.
Any help will be highly appreciated.
Edit: I have all the IPs in the Apache logs; they are from Nigeria. But I'm sure these IPs will not help much.
Posted by Bimo Hery Prabowo at 01.32, 0 comments
Monday, 28 May 2012
[Cpanel Blog] Reserving passive ftp port range? May,2012
To get my FTP server working completely I had to assign a port range for it to use for passive connections, but that port range is not reserved. I would rather not have open ports for people on my server to take advantage of, so is there a way to reserve the ports for pure-ftpd only?
Posted by Bimo Hery Prabowo at 13.32, 0 comments
[Cpanel Blog] Report of a cpanel CSRF 0 day on twitter May,2012
I found this in my twitter feed this morning:
[webapps / 0day] - Cpanel 11.X Multiple CSRF Vulnerability /http://t.co/My79Xgmg/
Haven't had a chance to try it yet.
Posted by Bimo Hery Prabowo at 07.32, 0 comments
[Cpanel Blog] Password Reset Feature May,2012
Hello,
I want to enable this password reset option because sometimes users forget their passwords and call me to reset them, but sometimes I can't get near a computer... So I just want to know: is it secure to enable it? And if it is secure, then why is the default setting off? If it is OK to enable and no hacking attempts are made, can I enable it?
Posted by Bimo Hery Prabowo at 01.32, 0 comments
Thursday, 24 May 2012
[Cpanel Blog] Security bug in cPanel login May,2012
Hi,
turns out this is probably the easiest way to report a problem...
You have (what I'd consider) a security bug in your cPanel login system. On a reseller account (for example), if a user has the same password as the administrator, then even if the user logs into their site with their username and their password (which happens to be the same as the admin's), they get logged in as the admin! = Not good!!
James
Posted by Bimo Hery Prabowo at 13.32, 0 comments
[Cpanel Blog] Share your Mod Security configuration May,2012
If you all would not mind sharing your custom Mod Security configuration from WHM. I feel this would be helpful for those who want to piece together and write their own Mod Security configuration file.
Posted by Bimo Hery Prabowo at 07.32, 0 comments
[Cpanel Blog] Ip in spamhaus CBL May,2012
Our IP address was listed in Spamhaus's CBL. Is it really caused by a backdoor trojan? How can I find it, and who uploaded the script?
Thanks to all of you guys.
Posted by Bimo Hery Prabowo at 01.32, 0 comments
Tuesday, 22 May 2012
[Cpanel Blog] More and more "closed by DROP in ACL" in exim logs. May,2012
I'm seeing more and more of these kinds of entries in the exim_mainlog file:
2012-05-20 03:36:37 SMTP connection from (hxsf8pgx3x2uk) [41.136.196.2]:34124 closed by DROP in ACL
2012-05-20 03:36:43 SMTP connection from (bxkqlnohhfh) [110.172.150.2]:42054 closed by DROP in ACL
2012-05-20 03:37:23 SMTP connection from (windows-xp) [218.48.74.98]:42242 closed by DROP in ACL
2012-05-20 03:37:27 SMTP connection from (dell-2e58bfb0ba) [182.182.60.148]:16332 closed by DROP in ACL
2012-05-20 03:37:39 SMTP connection from (bubu-b74b3fbaa7) [89.137.235.17]:25125 closed by DROP in ACL
2012-05-20 03:38:01 SMTP connection from (school-0a0b7ad4) [106.66.249.123]:3029 closed by DROP in ACL
All of the IPs in such entries seem to be from notoriously shady sources, e.g. Iran, Korea, Russian Federation, and so on. We are seeing anywhere from 2 to 20 per minute of these "closed by DROP in ACL" log entries.
I'm guessing that this is Exim protecting itself from likely spam probes or something to that effect. But I am wondering if these guys are taking up POP ports with these attacks? And do you suppose it would be worth writing a script to drop these IPs in the server firewall, at least for the ones that hit the server repeatedly, i.e. the worst offenders?
Thanks much.
Posted by Bimo Hery Prabowo at 01.32, 0 comments
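The counting step the post asks about, as an added example (it is not from the post, from Exim or from cPanel): it parses "closed by DROP in ACL" lines from exim_mainlog, tallies them per remote IP and reports the addresses at or above a threshold. The sample lines are the ones quoted above plus two constructed repeats from one address and one constructed unrelated delivery line; the threshold of 3 is an assumption. The script only reports candidates; deciding whether to put an address on the firewall deny list stays with the administrator.

```python
import re
from collections import Counter

# Constructed sample: four lines from the post, two constructed repeats from the same
# host, and one constructed non-ACL line that the parser must ignore.
SAMPLE_LOG = """\
2012-05-20 03:36:37 SMTP connection from (hxsf8pgx3x2uk) [41.136.196.2]:34124 closed by DROP in ACL
2012-05-20 03:36:43 SMTP connection from (bxkqlnohhfh) [110.172.150.2]:42054 closed by DROP in ACL
2012-05-20 03:37:23 SMTP connection from (windows-xp) [218.48.74.98]:42242 closed by DROP in ACL
2012-05-20 03:37:27 SMTP connection from (dell-2e58bfb0ba) [182.182.60.148]:16332 closed by DROP in ACL
2012-05-20 03:38:10 SMTP connection from (windows-xp) [218.48.74.98]:42300 closed by DROP in ACL
2012-05-20 03:39:02 SMTP connection from (windows-xp) [218.48.74.98]:42351 closed by DROP in ACL
2012-05-20 03:39:30 1SVxyz-0001Ab-Cd <= sender@example.com H=(mail.example.com) [192.0.2.10] P=esmtp S=1234
"""

# Exim writes the HELO name in parentheses and the remote address in square brackets.
DROP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SMTP connection from \((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]:\d+ closed by DROP in ACL$"
)


def count_acl_drops(lines):
    """Count 'closed by DROP in ACL' events per remote IP; other lines are ignored."""
    counts = Counter()
    for line in lines:
        m = DROP_RE.match(line.rstrip("\n"))
        if m:
            counts[m.group("ip")] += 1
    return counts


def repeat_offenders(lines, threshold=3):
    """Return [(ip, hits)] for addresses with at least `threshold` drops, most hits first."""
    counts = count_acl_drops(lines)
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    # Real use: open("/var/log/exim_mainlog") instead of the constructed sample.
    for ip, n in repeat_offenders(SAMPLE_LOG.splitlines()):
        print(f"{ip}\t{n} ACL drops")
```

Run against the real log file, the output is a list to review before adding anything to the firewall; a cron job that feeds it straight into a deny list should at least exclude your own monitoring and relay addresses.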
Sunday, 20 May 2012
[Cpanel Blog] Version scans May,2012
Hey guys,
I'm aware there are a LOT of security plugins. But I've been through a large number, and most appear focused on either detecting intrusions or providing "generic" filters.
I'm considering this.
90% of our hosts just run a Wordpress installation.
90% of those never update it.
A plugin that would simply email me and say "these four accounts have out of date Wordpress installations" sounds interesting.
Does such a thing exist? I'm interested in a development effort once I'm sure I'm not covering someone else's ground.
Posted by Bimo Hery Prabowo at 01.32, 0 comments
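An added example of the scan the post describes, not an existing cPanel plugin or anything from the post: it walks the assumed cPanel layout /home/&lt;account&gt;/public_html, reads $wp_version out of every wp-includes/version.php it finds (subdirectory installs included) and lists the installs that are older than a "latest" version you pass in. The page does not state what the current WordPress release was, so "3.4" and the account names are constructed; the fixture directory is built in a temp dir so the script runs offline.

```python
import re
import tempfile
from pathlib import Path

# Matches the assignment line WordPress keeps in wp-includes/version.php.
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.MULTILINE)


def parse_wp_version(text):
    """Extract $wp_version from the contents of wp-includes/version.php, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(v):
    """'3.3.2' -> (3, 3, 2) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def find_wordpress_installs(home_root):
    """Yield (account, install_path, version) for each WordPress under
    <home_root>/<account>/public_html (assumed cPanel layout)."""
    root = Path(home_root)
    for account_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        docroot = account_dir / "public_html"
        if not docroot.is_dir():
            continue
        for version_php in sorted(docroot.glob("**/wp-includes/version.php")):
            try:
                text = version_php.read_text(errors="replace")
            except OSError:
                continue  # unreadable account dirs are skipped, not fatal
            install_dir = version_php.parent.parent
            yield account_dir.name, str(install_dir), parse_wp_version(text)


def outdated_installs(home_root, latest):
    """Installs whose version is below `latest`, or whose version could not be read."""
    latest_t = version_tuple(latest)
    report = []
    for account, path, ver in find_wordpress_installs(home_root):
        if ver is None or version_tuple(ver) < latest_t:
            report.append((account, path, ver))
    return report


def build_sample_home():
    """Constructed fixture: three accounts with WordPress, one without."""
    home = Path(tempfile.mkdtemp(prefix="home_"))
    fixtures = {"alice": "3.3.2", "bob": "3.1", "carol": "3.4"}  # constructed versions
    for account, ver in fixtures.items():
        inc = home / account / "public_html" / "wp-includes"
        inc.mkdir(parents=True)
        (inc / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")
    (home / "dave" / "public_html").mkdir(parents=True)  # no WordPress here
    return str(home)


if __name__ == "__main__":
    # Real use: outdated_installs("/home", latest="<current release>") from cron,
    # piping the output into mail.
    for account, path, ver in outdated_installs(build_sample_home(), latest="3.4"):
        print(f"{account}: WordPress {ver} at {path} is out of date")
```

Comparing tuples rather than strings matters: as strings "3.10" sorts before "3.4", which would hide an up-to-date install or flag a current one.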
Friday, 18 May 2012
[Cpanel Blog] Site Down due to IP flood? May,2012
Hi,
My site has been going down recently and I have checked NETSTAT (please see attached)
Do you think this is what is causing the problem?
Thanks,
Danny
Attached file: test.txt (189.0 KB)
Posted by Bimo Hery Prabowo at 19.32, 0 comments
[Cpanel Blog] how to protect whm/cpanel (the host web application ) using mod_security? May,2012
Hi,
I was just wondering how I could protect WHM/cPanel with the help of mod_security.
I mean, when I try to enter the WHM panel using port 2086, I want to add more constraints to my mod_security so that it can protect cPanel/WHM.
At the moment I'm not able to do that.
cheers
Posted by Bimo Hery Prabowo at 13.32, 0 comments
[Cpanel Blog] Apache security May,2012
Do I have to run the patch described at the URL below? I am running apache-2.2.22, build date 1st March.
http://forums.cpanel.net/f185/how-pr...tml#post996441
I was a victim of this issue the day before yesterday.
Posted by Bimo Hery Prabowo at 07.32, 0 comments
[Cpanel Blog] What to do about Ddos attacks to my server? May,2012
Howzit...
Had a DDoS attack last week...
What is the best action to take?
Thanks...
Posted by Bimo Hery Prabowo at 01.32, 0 comments
Wednesday, 16 May 2012
[Cpanel Blog] Lost password May,2012
Hello, my name is deroch, I am Belgian, and since yesterday I have forgotten my password to access cPanel. I contacted my host -removed link-, but he does not answer.
Will you help me get my password?
Sorry for my English
I need help please : (
Posted by Bimo Hery Prabowo at 13.32, 0 comments
[Cpanel Blog] The site's security certificate is not trusted! May,2012
Hi Everyone
I am new to this forum and to cPanel so please forgive my ignorance and I am sorry if I have put this thread in the wrong place.
I have a dedicated server that uses WHM and cPanel with a small number of hosting accounts on it.
All has been going well with it until recently when I spoke to my supplier about how I could get Parked Domains to work on my accounts.
The supplier talked me through the process which was basically to go to tweaks and change a setting.
After doing this the issue with Parked Domains was solved and all was well and good.
I then noticed that any time I or one of my clients tried to log into cPanel or Webmail, we now got a warning screen with "The site's security certificate is not trusted!".
Now my supplier is telling me I will need to buy a SSL certificate to stop the warning message.
My questions are these:
Why would a small change to WHM cause such an issue?
How could I have had an HTTPS connection before and not now? Is there some sort of certificate provided with new installs of WHM? Sorry, I am pretty ignorant about certificates, as you can probably tell.
Is it unreasonable of me to ask for the system to be put back to how it was without buying a certificate? Can that even be done?
I am not trying to be mean or anything, and I am happy to buy a certificate if I need one, but it is more that it did work and now it does not, and I just hate not knowing what caused a problem or how it was working before the simple change.
Any advice or guidance on this is greatly appreciated
Alex
Posted by Bimo Hery Prabowo at 07.32, 0 comments
[Cpanel Blog] PCI Complianc with SecurityMetrics - Weak Ciphers May,2012
Hi,
I've been having a hard time passing a SecurityMetrics scan.
The problem seems to be related to ports 443 and 465 supporting weak ciphers.
I have followed all the recommendations to disable SSLv2 and low and medium ciphers for Exim and OpenSSL.
However, the SecurityMetrics techs just emailed me the following:
Any ideas, please!
----------------------------------------------------------------------------------------
Here is the list of SSL ciphers supported by the remote server Host
Low Strength Ciphers (< 56-bit key)
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
High Strength Ciphers (>= 112-bit key)
TLSv1
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
AES256-SHA Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
==========================================================================
Once these ciphers have been disabled a new scan should be ran to remove the issues.
--------------------------------------------------------------------------------------------------------------
Here's what I got from my server:
root@dipel [/home/user]# openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:KRB5-DES-CBC-MD5:KRB5-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-RC4-MD5:EXP-RC4-MD5
Posted by Bimo Hery Prabowo at 01.32, 0 comments
Tuesday, 15 May 2012
[Cpanel Blog] Add new User or what May,2012
A friend of mine asked how to add a developer (I'm sure they'd be temporary) to their cPanel.
I think they would only want to add an FTP user.
What is the way they should handle this?
Posted by Bimo Hery Prabowo at 07.32, 0 comments
[Cpanel Blog] IPTABLES Issue, not saving in CentOS 6.2 May,2012
Hi,
I'm using CentOS 6.2 x86_64 with CloudLinux, and it seems iptables is not saving.
I am trying to make it so that you can only access WHM on the main IP of the server. But trying other IPs, I can still connect to WHM.
I have tried
iptables -A INPUT -s ! xxx.xxx.xxx.xxx -p tcp --dport 2082:2087 -j DROP
which warns "Using intrapositioned negation (`--option ! this`) is deprecated in favor of extrapositioned (`! --option this`)", and after a save I can still access WHM on other IPs, and
iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp --dport 2082:2087 -j DROP
which gives no errors, but after a save I can still reach WHM on that IP.
Posted by Bimo Hery Prabowo at 01.32, 0 comments
Monday, 14 May 2012
[Cpanel Blog] error install ConfigServer Security&Firewall May,2012
ERROR:
[root@ns204624 csf]# perl /etc/csf/csftest.pl
Testing ip_tables/iptable_filter...OK
Testing ipt_LOG...OK
Testing ipt_multiport/xt_multiport...OK
Testing ipt_REJECT...OK
Testing ipt_state/xt_state...OK
Testing ipt_limit/xt_limit...OK
Testing ipt_recent...OK
Testing xt_connlimit...FAILED [Error: iptables: Unknown error 4294967295] - Required for CONNLIMIT feature
Testing ipt_owner/xt_owner...FAILED [Error: iptables: Unknown error 4294967295] - Required for SMTP_BLOCK and UID/GID blocking features
Testing iptable_nat/ipt_REDIRECT...OK
RESULT: csf will function on this server but some features will not work due to some missing iptables modules [2]
Posted by Bimo Hery Prabowo at 19.32, 0 comments
[Cpanel Blog] Suhosin : custom setting Per user account May,2012
Hello:
Is it possible to have custom Suhosin settings per domain or user account?
server: fcgi
Thank you
Posted by Bimo Hery Prabowo at 13.32, 0 comments
[Cpanel Blog] specific rule on modsecurity to scan any uploaded file May,2012
Hello mate,
I am searching for specific rule lines for scanning any uploaded file via any script such as vB or WordPress, etc.
I want a modsecurity rule to scan any uploaded file with my custom anti-virus script.
Can anyone provide me one?
As you know, the version of modsecurity nowadays on cPanel servers is 2.6.3.
Thank you in advance
Posted by Bimo Hery Prabowo at 07.32, 0 comments
[Cpanel Blog] Change All Cpanel User Passwords May,2012
Hello All,
My server was recently compromised by a hacker who installed some malware on the server, and after cleaning up I wanted to change all user passwords on the server, since many of them had been compromised. I searched around and it came down to needing to use the API to do this; I couldn't find any scripts, so I took the time and threw a quick PHP script together to get the job done.
Hope this helps someone
You can change the password length by changing the number in this function call $pass = random_gen(12);
And you can run the code and save the passwords by doing:
php nameofscript.php > newpasswords.csv
<?php
// Rotate every cPanel account password through the WHM JSON API (listaccts, then passwd).
$whmusername = "root";
$whmpassword = "password";
$domain = "domain.com";

// One shared Basic-auth header. No trailing "\n\r": curl terminates header lines
// itself, and a stray CRLF inside the value can corrupt the request.
$header = array("Authorization: Basic " . base64_encode($whmusername . ":" . $whmpassword));

function whm_get($url, $header)
{
    $curl = curl_init();
    // Peer/host verification is off because WHM usually runs with a self-signed
    // certificate; set these to 1 and 2 if the host has a valid certificate.
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($curl, CURLOPT_HEADER, 0);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
    curl_setopt($curl, CURLOPT_URL, $url);
    $result = curl_exec($curl);
    if ($result === false) {
        error_log("curl_exec threw error \"" . curl_error($curl) . "\" for $url");
    }
    curl_close($curl);
    return $result;
}

function random_gen($length)
{
    $random = "";
    $char_list = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $char_list .= "abcdefghijklmnopqrstuvwxyz";
    $char_list .= "1234567890";
    $char_list .= "!@#$%^*";
    // Add the special characters to $char_list if needed
    // random_int() (PHP 7+) is a CSPRNG; the srand()/rand() pair is predictable
    // and must not be used to generate passwords.
    $max = strlen($char_list) - 1;
    for ($i = 0; $i < $length; $i++) {
        $random .= $char_list[random_int(0, $max)];
    }
    return $random;
}

$result = whm_get("https://" . $domain . ":2087/json-api/listaccts", $header);
if ($result === false) {
    exit(1);
}
$result = json_decode($result);
if (!isset($result->acct)) {
    error_log("unexpected listaccts response");
    exit(1);
}
foreach ($result->acct as $acct) {
    $user = $acct->user;
    $pass = random_gen(12);
    // urlencode(): '#', '%' and '&' from $char_list would otherwise truncate or corrupt
    // the query string, and the account would end up with a different password than the
    // one written to the CSV.
    $query2 = "https://" . $domain . ":2087/json-api/passwd?user=" . urlencode($user)
        . "&pass=" . urlencode($pass);
    $result2 = json_decode(whm_get($query2, $header));
    if (isset($result2->passwd[0]->status) && $result2->passwd[0]->status == 1) {
        echo '"' . $user . '","' . $pass . '"' . "\n";
    } else {
        error_log("password change failed for $user");
    }
}
Posted by Bimo Hery Prabowo at 01.32, 0 comments
Saturday, 12 May 2012
[Cpanel Blog] Is it necessary to set up a manual clam scan? May,2012
Hi;
We have configured ClamAv scanner (global setting) via WHM to scan:
Entire home directory
Mail
Public FTP space
Public web space
My questions:
With these settings configured, is it necessary to cron a scan of /home or /? Or can I rest assured that what we have is sufficient?
Where do I configure ClamAv to E-mail the administrator if it finds any suspected files?
Thanks in advance
Posted by Bimo Hery Prabowo at 07.32, 0 comments
[Cpanel Blog] Large Number of Failed Login Attempts from IP ... - auto blacklist? May,2012
I am often getting emails with "Large Number of Failed Login Attempts from IP ..." and options to block or whitelist. Can it automatically block the IP without me clicking the link and logging in to the website?
5 failed login attempts to account admin (system) -- Large number of attempts from this IP: 221.128.103.20
Reverse DNS: tot-103-20.pacific.net.th
Origin Country: Thailand (TH)
Please use the following links to add to the black list:
Single Ip: https://ip-111-222-333-444.ip.secureserver.net:2087/cgi/bl.cgi?ip=221.128.103.20
/24: https://ip-111-222-333-444.ip.secureserver.net:2087/cgi/bl.cgi?ip=221.128.103.0/24
/16: https://ip-111-222-333-444.ip.secureserver.net:2087/cgi/bl.cgi?ip=221.128.0.0/16
Please use the following links to add to the white list:
Single Ip: https://ip-111-222-333-444.ip.secureserver.net:2087/cgi/wl.cgi?ip=221.128.103.20
/24: https://ip-111-222-333-444.ip.secureserver.net:2087/cgi/wl.cgi?ip=221.128.103.0/24
/16: https://ip-111-222-333-444.ip.secureserver.net:2087/cgi/wl.cgi?ip=221.128.0.0/16
P.S. What do /24 and /16 mean?
Posted by Bimo Hery Prabowo at 01.32, 0 comments
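As an added example (not from cPanel, cPHulk or the post), the /24 and /16 question worked through with Python's ipaddress module: which addresses each of the three links in the notification would block, and a check that a wider block does not also cover an address you need to keep reachable. The attacker address is the one from the notification above; the "office" addresses on the allowlist are constructed, as is the widest-safe-block rule itself.

```python
import ipaddress

PREFIXES = (32, 24, 16)  # the three choices the cPHulk notification offers


def block_for(ip, prefix_len):
    """The network of the given prefix length that contains ip, host bits zeroed
    (strict=False lets ip_network accept a host address such as x.y.z.20/24)."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)


def describe_block(ip, prefix_len):
    """Network, address count and first/last address of the block around ip."""
    net = block_for(ip, prefix_len)
    return {
        "network": str(net),
        "addresses": net.num_addresses,
        "first": str(net[0]),
        "last": str(net[-1]),
    }


def widest_safe_block(attacker_ip, allow_ips, prefixes=PREFIXES):
    """Pick the widest of the offered blocks around attacker_ip that does not contain
    any address on the allowlist; None if even the single-host block would.
    (Assumed policy, not something cPanel does: a /16 can lock out your own office.)"""
    allow = [ipaddress.ip_address(a) for a in allow_ips]
    for plen in sorted(prefixes):  # shortest prefix = widest block first
        net = block_for(attacker_ip, plen)
        if not any(a in net for a in allow):
            return str(net)
    return None


# Constructed inputs: the IP from the notification and two office addresses,
# one of which sits inside the same /16 as the attacker.
ATTACKER = "221.128.103.20"
OFFICE_IPS = ["221.128.57.9", "198.51.100.7"]

if __name__ == "__main__":
    for plen in PREFIXES:
        print(plen, describe_block(ATTACKER, plen))
    print("widest block that spares the office:", widest_safe_block(ATTACKER, OFFICE_IPS))
```

The /24 covers 256 addresses and the /16 covers 65,536; with an office address inside 221.128.0.0/16 the function settles on the /24, and with no allowlist at all it would pick the /16.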
Thursday, 10 May 2012
[Cpanel Blog] CSF and Google bots ??? May,2012
Hello everyone,
Since I am using CSF on my server, my clients are complaining that their Google rankings are going down, as Google cannot communicate with the domains on the server, and this is what it has to say:
URLs timed out - Network availability of your DNS and web servers
I need to know how I can whitelist Google bots in CSF so that this issue gets addressed.
This is what Google has to say:
Google doesn't post a public list of IP addresses for webmasters to whitelist. This is because these IP address ranges can change, causing problems for any webmasters who have hard coded them. The best way to identify accesses by Googlebot is to use the user-agent (Googlebot).
Hence, how can we add Googlebot to CSF?
Please assist!
Posted by Bimo Hery Prabowo at 01.32, 0 comments
Tuesday, 08 May 2012
[Cpanel Blog] Beast TLS Vulnerability May,2012
I did some searching, and I can't find any cPanel references for this vulnerability. Will the fix below work with cPanel?
Mitigating the BEAST attack on TLS
This is the vulnerability information from McAfee Secure:
SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability
A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. This script tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite, and then solicits return data. If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable. OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is initialized. Microsoft implemented one-byte fragments as a countermeasure, and the setting can be controlled via the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendExtraRecord. Therefore, if multiple applications use the same SSL/TLS implementation, some may be vulnerable while others may not, depending on whether or not a countermeasure has been enabled. Note that this script detects the vulnerability in the SSLv3/TLSv1 protocol implemented in the server. It does not detect the BEAST attack where it exploits the vulnerability at HTTPS client-side (i.e., Internet browser). The detection at server-side does not necessarily mean your server is vulnerable to the BEAST attack because the attack exploits the vulnerability at client-side, and both SSL/TLS clients and servers can independently employ the split record countermeasure.
Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available.
Posted by Bimo Hery Prabowo at 07.32, 0 comments
[Cpanel Blog] reporting abuse procedure? May,2012
Two questions:
1. What's the standard procedure for reporting abuse, i.e. another IP just hammering your box? I can get the abuse email (usually) from a whois on the IP - is there a better way? After getting the correct abuse email, what should typically be contained in the email?
2. Is there any way to get cphulk to automatically fire off abuse emails when an IP repeatedly triggers it?
Thanks!
Posted by Bimo Hery Prabowo at 01.32, 0 comments
Monday, 07 May 2012
Cpanel Blog PHP 5.3.12 Security Vulnerability Patch May,2012
Can we please get PHP 5.3.12 released into easyapache..
There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected) that has gone unnoticed for at least 8 years. Section 7 of the CGI spec states:
Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded "=" characters.
So, requests that do not have a "=" in the query string are treated differently from those that do in some CGI implementations. For PHP this means that a request containing ?-s may dump the PHP source code for the page, but a request that has ?-s&=1 is fine.
A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups are vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable.
If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not.
To fix this, update to PHP 5.3.12 or PHP 5.4.2.
We recognize that since CGI is a rather outdated way to run PHP, it may not be feasible to upgrade these sites to a modern version of PHP. An alternative is to configure your web server to not let these types of requests with query strings starting with a "-" and not containing a "=" through. Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this:
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]
If you are writing your own rule, be sure to take the urlencoded ?%2ds version into account.
Posted by Bimo Hery Prabowo at 19.32, 0 comments
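An added check that mirrors the mod_rewrite condition quoted above, written in Python so it can be exercised against query strings offline; it is not PHP's, Apache's or cPanel's code. The first function applies exactly the post's regex (Apache's [NC] flag becomes re.IGNORECASE). The second is a generalisation and an assumption of mine: it decodes the leading character so "%2d", "%2D" and longer encodings such as "%2d%73" are all recognised, while still requiring that no unencoded "=" be present, which is the condition from the CGI spec paragraph quoted above. The sample query strings are the post's own examples plus constructed encoded variants.

```python
import re
from urllib.parse import unquote

# The post's RewriteCond pattern; [NC] corresponds to re.IGNORECASE.
REWRITE_COND = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)


def matches_rewrite_rule(query_string):
    """Exactly what the quoted RewriteCond tests: the raw query string (as sent, before
    decoding) starts with '-' or '%2d' and contains no literal '=' afterwards."""
    return REWRITE_COND.match(query_string) is not None


def is_indexed_option_query(query_string):
    """Generalised check (assumption, not the post's rule). A query with no unencoded '='
    is an 'indexed' query per the CGI spec and is handed to the CGI program as argv, so
    test the raw string for '=' but the decoded string for the leading '-'. This also
    rejects a lone '-' and a double-encoded '%252d', which decodes to a literal '%2d'."""
    if "=" in query_string:
        return False
    decoded = unquote(query_string)
    return len(decoded) > 1 and decoded.startswith("-")


# Constructed samples: the post's own examples plus encoded and edge-case variants.
SAMPLES = ["-s", "%2ds", "%2Ds", "-s&=1", "page=1", "", "-", "%2d%73", "%252ds"]


def classify(samples=SAMPLES):
    """Map each query string to (rewrite rule matches, generalised check matches)."""
    return {qs: (matches_rewrite_rule(qs), is_indexed_option_query(qs)) for qs in samples}


if __name__ == "__main__":
    for qs, (rule, generalised) in classify().items():
        print(f"{qs!r:12} rewrite rule: {rule!s:5} generalised: {generalised}")
```

On these inputs the two agree, which is the point: the post's regex already covers the single-encoded form it warns about, and the second function is only a safety net for encodings the regex does not spell out.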
Cpanel Blog can't access our website May,2012
Hi guys,
I'm new here, so please bear with me.
I am not sure if it's a problem with csf/lfd, but the problem is that
access to our website is erratic.
It goes on and off every once in a while and will take as long as 30 minutes to 1 hour before it comes back again,
unless I restart csf/lfd.
I checked the logs every time the access goes down, and they say that
there is a failed login to cPanel.
Access gets blocked even though I already added our IP to the whitelist and the ignore list.
Can anybody assist me with this, please...
I've been having the problem for two weeks now...
Any ideas will be greatly appreciated...
Thanks in advance.
Posted by Bimo Hery Prabowo at 13.32, 0 comments
Cpanel Blog Strange email with attachment from "cpanel" May,2012
Hello forum members -
I've had a server leased from a reputable cPanel partner for almost 2 years now. For the first time ever, I received an email apparently from cPanel with the following identifying information in the header:
<cpanel@host.servername.net>
Backup complete on host.servername.net
Received: from root by host.servername.net
(envelope-from <root@host.servername..net>)
for myname@sbcglobal.net; Wed, 02 May 2012 01:11:22 -0500
To: myname@sbcglobal.net
From: cpanel@host.servername.net
Subject: [cpbackup] Backup complete on host.servername.net
There was an attachment to the message: filenumber.log.txt
The message seems legitimately from cPanel, but as I say, I've never had one before, and have not opened the attachment for security concerns.
Should I be worried?
Best wishes
Posted by Bimo Hery Prabowo at 07.32, 0 comments
Sunday, 06 May 2012
Cpanel Blog Installing a UCC SSL Cert May,2012
We're running an Apache virtual server on Linux. WHM/cPanel is installed on top of that. I was reading past entries that talked about the issues installing a GoDaddy UCC through WHM. My question is: has anyone ever installed the UCC manually in Apache and bypassed using WHM to install the cert? My thought is that if the UCC were installed through Apache, the need to do the multi-step installs could be avoided. Has anyone done this? How did it work out?
Thanks!
Posted by Bimo Hery Prabowo at 19.32, 0 comments
Cpanel Blog Directing http to https May,2012
Hi
How can I redirect visitors to my domain www.mydomain.com to https://www.mydomain.com all the time?
I have a valid SSL certificate for my domain with the www. subdomain.
Thank you
Posted by Bimo Hery Prabowo at 13.32, 0 comments
[Cpanel Blog] Trouble installing LCAP on new 64bit server. May,2012
I finally went with a 64bit server (as opposed to 32bit), and now I can't seem to get lcap installed properly.
Here's the result of running uname -mrs
Linux 2.6.32-220.13.1.el6.x86_64 x86_64
I found what I believe to be the correct RPM here:
195.220.108.108/linux/dag/redhat/el6/en/x86_64/rpmforge/RPMS/lcap-0.0.6-6.2.el6.rf.x86_64.rpm
After downloading the rpm I install it with this:
rpm -Uvh lcap-0.0.6-6.2.el6.rf.x86_64.rpm
And I get what appears to be the normal output with the above.
But then, upon running this:
lcap CAP_SYS_PTRACE
I get this:
/proc/sys/kernel/cap-bound: No such file or directory
And sure enough, there is no cap-bound, unlike on all the other cPanel servers where I have installed lcap.
Anyone know what may be the problem with this?
Thanks very much!
Posted by Bimo Hery Prabowo at 07.32, 0 comments
[Cpanel Blog] Installing SAN SSL Certificate May,2012
Hello,
We have a CentOS (Linux) based web server which hosts multiple domains on a single IP (virtual hosts) and is managed through WHM/cPanel. We need to install a SAN SSL certificate (purchased from Trustwave) for 5 domains hosted on the server. Can you please provide me a step-by-step procedure to install/configure this through WHM/cPanel?
Any help in this regard will be highly appreciated.
Thanks in Advance.
Suresh.
Posted by Bimo Hery Prabowo at 01.32, 0 comments
Saturday, 05 May 2012
Cpanel Blog A-List or A-Record May,2012
Hello there,
Can you please tell me how to make the SSL certificate work for both www.domain.com and domain.com at the same time? Is it better to have it for www.domain.com or for domain.com?
I have been told that it is a good idea to make an A-record from the DNS area, but I am not sure how to do that. From DNS I clicked on "Add an A entry to your hostname" and I received this message:
Adding an A entry for your hostname
Adding A Entry...Bind reloading on vdc using rndc zone: [xxxx.com]
...Done
I appreciate your help.
Posted by Bimo Hery Prabowo at 19.32, 0 comments
Cpanel Blog How to force secure login to _private folder? May,2012
During my latest PCI Compliance scan, one vulnerability that came up was that "web application transmits login credentials without encryption". The two examples it gave were:
http://www.domain.com/_private/
http://0.0.0.0/_private/
In WHM, I have the following security settings in place:
Require SSL: On
Enable HTTP Authentication: Off
I tried to use the following code in the .htaccess file in the _private folder, but it did not work:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} _private
RewriteRule ^(.*)$ https://www.domain.com/_private/$1 [R,L]
Can anyone tell me how to force SSL when accessing the _private folder from a browser?
Posted by Bimo Hery Prabowo at 13.32, 0 comments
Cpanel Blog Disable wildcard subdomain May,2012
Is there an option (way) to disable wildcard subdomain creation, like *.domain.com?
I don't know if I am in the right forum.
Regards
Posted by Bimo Hery Prabowo at 07.32, 0 comments
Cpanel Blog Root logins from single unknown IP - what next steps, suspicious changes May,2012
Hi,
We have had root logins from an unknown IP a few times in the last few hours. Nothing seems to have been changed or damaged. This one was not a brute force attempt. So it could be someone in the organisation legitimately logging in, but finding out who takes time in a company, and some damage can be done by then.
The damage could be insidious, hidden - installation of some rogue software / script / etc.
1. First thing I did was to change the root password.
2. Next, I plan to install and run rkhunter (which, yes, wasn't installed, so my bad). I have read that if root is compromised then a worst case scenario is that system binaries and even an installed rkhunter can be compromised/modified. So luckily in that sense, rkhunter is now reliable ;)
3. I have CSF+LFD running which is how I found out in the first place.
But the interesting thing is that in CSF, there is the option LF_INTEGRITY which I *definitely* had set to enabled, and it now shows the red "Warning" message.
I had to put CSF back into "Testing" mode for a while - does this disable LF_INTEGRITY checking automatically?
PT_SKIP_HTTP and PT_ALL_USERS are also not in force ("Warning")
Do these three have to be re-enabled every time when setting Testing to 0?
4. Brute force login attempts from rogue IP ranges is a very common daily occurrence with us now. CpHulk seems to discourage those fairly well (30 tries = banned for 15 days)
We have, of course, backed up everything offline.
Any other suggestions?
Thanks in advance,
Dave
Posted by Bimo Hery Prabowo at 04.18, 0 comments
Cpanel Blog Globalsign OneClickSSL WHM/cPanel Addon Not Working May,2012
I have a ticket open with my host and with globalsign, but you guys are the smart ones... anyone else having issues with the latest whm/cpanel upgrade killing their Globalsign OneClickSSL addon?
Is anyone's working properly on WHM 11.32.2 (build 25)?
Posted by Bimo Hery Prabowo at 04.15, 0 comments