cPanel: Major Security Hole. I Mean Big. Gives Root Password
May 16, 2007
I have just discovered a massive security hole in the cPanel 10.9 software. This problem is in the BACKUP FEATURE. If you do a remote FTP backup onto the same account, it will put the file in the account home directory and it will have this type of stuff: accountname:ROOTPASSWORD@serverhostname.com
View 14 Replies
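The exposure described above, as an added example that is not part of the original post or of cPanel: a small scanner that walks an account's home directory and reports any line carrying a `user:password@host` triple of the shape the post quotes, without ever echoing the password itself. The file names and contents it creates are constructed for the demonstration.

```python
import os
import re
import tempfile

# user:password@dotted.host, the shape quoted in the post. The lookbehind keeps the
# match from starting inside a longer token such as an e-mail address.
CRED_RE = re.compile(
    r"(?<![\w@])([A-Za-z0-9._-]+):([^\s:@/]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})"
)


def find_embedded_credentials(root):
    """Walk `root` and return (relative path, line_no, user, host) for each line that
    holds a user:password@host triple. The password is deliberately not returned."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line_no, line in enumerate(fh, 1):
                        for m in CRED_RE.finditer(line):
                            hits.append((os.path.relpath(path, root), line_no,
                                         m.group(1), m.group(3)))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return sorted(hits)


def redact(line):
    """Replace the password part so a hit can be logged or reported safely."""
    return CRED_RE.sub(lambda m: f"{m.group(1)}:<redacted>@{m.group(3)}", line)


def demo():
    """Constructed account home: one leaked backup setting and one harmless PHP file.
    The file name .backup.conf is an assumption, not cPanel's real file name."""
    with tempfile.TemporaryDirectory() as home:
        os.makedirs(os.path.join(home, "public_html"))
        conf = os.path.join(home, ".backup.conf")
        with open(conf, "w") as fh:
            fh.write("# remote ftp backup\n")
            fh.write("dest=ftp://bob:Sup3rS3cret@backup.example.com/bob/\n")
        with open(os.path.join(home, "public_html", "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        hits = find_embedded_credentials(home)
        with open(conf) as fh:
            redacted = [redact(line.rstrip("\n")) for line in fh]
    return hits, redacted


if __name__ == "__main__":
    found, safe = demo()
    for rel, no, user, host in found:
        print(f"{rel}:{no}: credential for {user}@{host}")
    print("\n".join(safe))
```

Run it against a real home directory by calling `find_embedded_credentials("/home/accountname")` as a user who can read that account's files; anything it reports should be treated as already exposed, and the password rotated.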
Jul 7, 2007
After reading an article on command line FTP, I FTP'd to my VPS and was shocked at how much access someone without logging in (and Anonymous FTP is off) has. I am running cPanel Release on CentOS 4 and Virtuozzo 3. How can I improve server security without giving any SSH access? I was all ready to use WebDAV over SSL but then it doesn't allow you to change permissions. Security is my #1 priority. My friend who I host says his clients like FTP and FTP is a standard service.
Would FTP with SSL be more secure, or still pose the same problems with sniffers and people connecting and being able to do something? Can I force FTP over SSL while not having cPanel override my settings with an update?
What can I do to solve this major security hole? Next on my list is forcing POPS and IMAPS, authentication for SMTP and even SSL SMTP. Then only SMTP incoming 25 and HTTP port 80 would be non-secure, but everything mostly secure.
View 13 Replies
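The sniffer concern raised in the post, shown as an added example (not code from the original thread): two constructed FTP control-channel transcripts, one plain and one where the client issues `AUTH TLS` (explicit FTPS, RFC 4217) before logging in, run through a function that extracts whatever credentials a passive sniffer would have seen. A second function models the server-side policy that makes the cleartext path impossible; its reply strings are illustrative, not copied from any particular daemon.

```python
# Constructed transcripts, (direction, line) as a sniffer would reassemble them.
# "C" is the client, "S" the server.
PLAIN_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "USER alice"),
    ("S", "331 Password required for alice"),
    ("C", "PASS hunter2"),
    ("S", "230 User alice logged in"),
]

# Same login over explicit FTPS: after the server's 234 reply the control channel is
# TLS, so from that point the sniffer sees only ciphertext.
FTPS_SESSION = [
    ("S", "220 FTP server ready"),
    ("C", "AUTH TLS"),
    ("S", "234 Proceed with negotiation"),
    ("C", "<TLS record>"),
    ("S", "<TLS record>"),
]


def leaked_credentials(transcript):
    """Return (user, password) if both were sent before the channel became encrypted,
    otherwise None."""
    user = password = None
    tls_pending = encrypted = False
    for who, line in transcript:
        if encrypted:
            break  # nothing after this point is readable on the wire
        verb, _, arg = line.partition(" ")
        if who == "C" and verb.upper() == "AUTH" and arg.upper() in ("TLS", "SSL"):
            tls_pending = True
        elif who == "S" and tls_pending and verb.startswith("234"):
            encrypted = True
        elif who == "C" and verb.upper() == "USER":
            user = arg
        elif who == "C" and verb.upper() == "PASS":
            password = arg
    if user is not None and password is not None:
        return user, password
    return None


def tls_required_reply(command, encrypted):
    """Policy of a server that refuses cleartext logins: USER and PASS are rejected
    until AUTH TLS has completed. Reply texts are illustrative (assumption)."""
    verb = command.split(" ", 1)[0].upper()
    if verb == "AUTH":
        return "234 Proceed with negotiation"
    if verb in ("USER", "PASS") and not encrypted:
        return "530 Cleartext login refused; issue AUTH TLS first"
    if verb == "USER":
        return "331 Password required"
    if verb == "PASS":
        return "230 Login successful"
    return "200 OK"


if __name__ == "__main__":
    print("plain session leaks:", leaked_credentials(PLAIN_SESSION))
    print("FTPS session leaks:", leaked_credentials(FTPS_SESSION))
    print("USER before TLS ->", tls_required_reply("USER alice", False))
```

The point of the second function is that "force FTP over SSL" has to be a server-side refusal, not a client preference: a client that skips `AUTH TLS` must get a 5xx on `USER`, otherwise the password still crosses the wire in the clear.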
Jan 3, 2007
My understanding is that currently the only way to protect against it is to deny any requests for PDFs where the request string takes that particular form? Is that correct? Or will the browser not even submit anything beyond the # sign in the request for the PDF?
And if it is correct.... has anyone tried to cook up a recipe that we can all dump in our .htaccess files to get this fixed up?
View 6 Replies
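The question of whether anything beyond the `#` reaches the server, as an added example (not code from the original thread): HTTP clients, Python's `urllib` here and browsers alike, split the fragment off before building the request line, so a server-side rule, whether in .htaccess or elsewhere, only ever sees the path and query string. The URL and pattern used are constructed for the demonstration.

```python
import re
from urllib.request import Request


def request_target(url):
    """Split `url` the way an HTTP client does before writing the request line.
    `selector` is what goes on the wire; `fragment` never leaves the client."""
    req = Request(url)
    return req.selector, req.fragment


def server_side_rule_fires(url, pattern):
    """Evaluate a mod_rewrite/.htaccess-style regex against what the server receives,
    i.e. the selector only."""
    selector, _fragment = request_target(url)
    return re.search(pattern, selector) is not None


if __name__ == "__main__":
    # Constructed URLs: the first carries its payload in the fragment, the second in
    # the query string, which the server does see.
    for url in ("http://example.com/docs/report.pdf#foo=javascript:alert(1)",
                "http://example.com/docs/report.pdf?foo=javascript:alert(1)"):
        sel, frag = request_target(url)
        print(f"{url}\n  on the wire: GET {sel}\n  fragment kept by client: {frag!r}"
              f"\n  rule /javascript/ fires: {server_side_rule_fires(url, 'javascript')}")
```

Because the fragment is invisible to the server, any .htaccess recipe can only act on the whole PDF response (for instance by changing how it is served), never on the `#...` part of the request.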
Jun 29, 2008
A client hacked another client of mine using the following Perl code:
#!/usr/bin/perl
symlink ("/home/john/public_html/config.php","/home/carole/public_html/forums/includes/config.php");
After the hacker got the DB name, username and password it's very easy to change anything in the forum using PHP.
I'm using cPanel.
View 1 Replies
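The attack in the post and a hardened file access beside it, as an added example that is not from the original thread: the symlink is planted exactly as the Perl one-liner does (target in one account, link in another), a naive read follows it, and a confined read refuses it by resolving the path and checking it stays inside the reading account's home, then opening with `O_NOFOLLOW`. The account layout is built in a temporary directory for the demonstration.

```python
import os
import tempfile


def setup_accounts(base):
    """Constructed layout mimicking /home/john and /home/carole from the post.
    Returns (path of the planted link, path of a legitimate file of carole's)."""
    john = os.path.join(base, "john", "public_html")
    carole = os.path.join(base, "carole", "public_html", "forums", "includes")
    os.makedirs(john)
    os.makedirs(carole)
    with open(os.path.join(john, "config.php"), "w") as fh:
        fh.write("<?php $dbpass = 'johns-db-password';\n")
    legit = os.path.join(carole, "local.php")
    with open(legit, "w") as fh:
        fh.write("<?php // carole's own file\n")
    # The post's attack, translated from Perl: symlink(target, link)
    link = os.path.join(carole, "config.php")
    os.symlink(os.path.join(john, "config.php"), link)
    return link, legit


def read_following_symlinks(path):
    """What a PHP include does by default: follow wherever the link points."""
    with open(path) as fh:
        return fh.read()


def read_confined(path, account_root):
    """Hardened read: the resolved path must stay under `account_root`, and the final
    component must not be a symlink (O_NOFOLLOW). The realpath check is still a
    time-of-check/time-of-use race on its own; O_NOFOLLOW narrows that for the last
    component only."""
    real = os.path.realpath(path)
    root = os.path.realpath(account_root)
    if os.path.commonpath([real, root]) != root:
        raise PermissionError(f"{path} resolves outside {account_root}")
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # raises OSError on a symlink
    with os.fdopen(fd) as fh:
        return fh.read()


def demo():
    """Returns (what the naive read leaks, whether the confined read refused the link,
    what the confined read returns for carole's own file)."""
    with tempfile.TemporaryDirectory() as base:
        link, legit = setup_accounts(base)
        carole_home = os.path.join(base, "carole")
        leaked = read_following_symlinks(link)
        try:
            read_confined(link, carole_home)
            blocked = False
        except (PermissionError, OSError):
            blocked = True
        allowed = read_confined(legit, carole_home)
    return leaked, blocked, allowed


if __name__ == "__main__":
    leaked, blocked, allowed = demo()
    print("naive read leaked:", leaked.strip())
    print("confined read refused the link:", blocked)
    print("confined read of own file:", allowed.strip())
```

The path check only helps code you control. The durable fix on a shared host is that the process serving carole's PHP must not be able to read john's file at all, which means running each account's scripts as that account's own user with homes not readable by other users, rather than one shared web-server user.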
Oct 16, 2009
I'm starting to test out VPS panels and found vePortal 2. I purchased it and installed it. Now I'm checking some security, as we all know about the terrible result of HyperVM as everyone blindly used it because it was "pretty" but it was not secure.
Some serious concerns I'd like to share with vePortal 2.
1) It makes no backups of any of the files it modifies during install, or at least I haven't seen any, like httpd.conf... more of a pain than anything. There is no way to auto-uninstall it either.
2) vePortal gives full root access to the Apache user, letting apache run any root commands!
They add this to your /etc/sudoers
apache ALL=(root) NOPASSWD:ALL
[root@nd11108 myadmin]# su -s /bin/sh apache -c "whoami"
apache
[root@nd11108 myadmin]# su -s /bin/sh apache -c "sudo whoami"
root
This is a root exploit waiting to happen. I asked them about this and got the response.
Quote:
It would be a security breach if a) apache was allowed SSHD access, or b) the server was running scripts that haven't been marked secure. We have a very comprehensive team of beta testers, including one of the largest providers around. They and their staff have not been able to break the security or integrity of the panel as of yet.
All panels in one way or another have root control over the system; for example, they wouldn't be able to have an SSH console without it, as only specified commands would work. We do have a list of the commands required by vePortal if you wish to limit it, but the console and the Shell Commander functions would stop working.
Regards,
Gavin H.
Chief Information Officer
That's funny, I have been using the panel a few minutes and already found they've ignored the biggest security hole possible.
3) In 5 minutes I've found multiple XSS vulnerabilities in the admin area... Like search customers, I was able to generate JavaScript alerts in multiple fields....
4) It stores the MySQL root password in clear text in a .php file... yeah, that's real secure. Why does it even operate under the MySQL root user? It's using a single database....
5) I forgot to add, it doesn't recognize ANY OpenVZ Vps's you've created manually. It has no idea they exist and you cannot view them at all.
I'm sure I could dig deeper into the source code and find more but it's not worth it. Judging by what I found without actually trying to spend time on security I completely removed the product.
The panel does look nice but it sure gets a mark of insecure for me, I would advise others seriously look into the security of this new panel if you're considering using it.
View 14 Replies
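The sudoers grant quoted in the post, checked mechanically, as an added example that is not from the original thread or from vePortal: a small sudoers parser and audit that flags any daemon account allowed to run `ALL` as root, with `NOPASSWD` rated critical. The sudoers text is a constructed sample that contains the line from the post next to two tighter grants of the kind the vendor's reply alludes to; the `VEPORTAL` alias and its commands are assumptions, not the product's real list.

```python
import re

# Constructed /etc/sudoers excerpt. The fourth line is the one the post quotes.
SUDOERS_SAMPLE = """\
Defaults    requiretty
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
apache  ALL=(root) NOPASSWD:ALL
Cmnd_Alias VEPORTAL = /usr/sbin/vzctl start *, /usr/sbin/vzctl stop *, /usr/sbin/vzlist
apache  ALL=(root) NOPASSWD: VEPORTAL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# Accounts that web, database or backup daemons run as. None should be able to
# become root for "ALL" commands: a bug in any script they run becomes root.
SERVICE_ACCOUNTS = {"apache", "www-data", "nobody", "mysql", "backup"}

# who hosts=(runas) [TAG:]... commands
USER_SPEC = re.compile(
    r"^(?P<who>[%+]?[\w.-]+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
TAG = re.compile(r"(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|LOG_INPUT|NOLOG_INPUT"
                 r"|LOG_OUTPUT|NOLOG_OUTPUT)\s*:\s*")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Return one dict per user specification; comments, Defaults and aliases are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        cmds, tags = m.group("cmds"), set()
        while True:  # peel leading tags such as NOPASSWD:
            t = TAG.match(cmds)
            if not t:
                break
            tags.add(t.group(1))
            cmds = cmds[t.end():]
        rules.append({"who": m.group("who"), "runas": m.group("runas") or "root",
                      "tags": tags, "cmds": cmds.strip()})
    return rules


def audit(rules, service_accounts=SERVICE_ACCOUNTS):
    """Flag grants that let a daemon account run arbitrary commands as root."""
    findings = []
    for r in rules:
        if r["who"].lstrip("%+") not in service_accounts or r["cmds"] != "ALL":
            continue
        severity = "CRITICAL" if "NOPASSWD" in r["tags"] else "HIGH"
        detail = f"may run any command as {r['runas']}"
        if severity == "CRITICAL":
            detail += " without a password"
        findings.append((severity, r["who"], detail))
    return findings


if __name__ == "__main__":
    for severity, who, detail in audit(parse_sudoers(SUDOERS_SAMPLE)):
        print(f"{severity}: {who} {detail}")
```

Run it on a live system with `parse_sudoers(open("/etc/sudoers").read())` as root (and over `/etc/sudoers.d/*` as well). The two `su -s /bin/sh apache -c "sudo whoami"` commands in the post are the runtime confirmation of what this finds statically. Even the narrower alias lines deserve a look: sudoers wildcards such as `vzctl start *` match across argument boundaries, so the argument list a command accepts decides how much that grant really gives away.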
Mar 23, 2008
I am a web designer, and have been doing this for about 5 years now and have never encountered such a problem. I had a problem come up a few days ago where one of my clients got into an argument with the Mavrick Team web hosting and computer services company's owner regarding services. She has reported to me that he went into her email account, and has emailed her clients false information about her services after their heated discussion. She told him that she was going to press charges. He told her that he had harvested all of her clients' email addresses and will email them to her competitors if she does not back down. What can she do? I feel awkward as I am in the middle of it now. I was the one who referred her to Mavrick Team (aka I host with them) for web hosting services, and moved her site to their servers. This man has created such a big problem for this woman now. Her clients are doubting her services and he is blackmailing her. She does not owe him any monies. She has forwarded two of the emails that her clients forwarded to her, so I know she is not making this thing up. I advised her to move all of her emails to a personal email account, contact all of her clients to let them know that someone has access to their info, and I am helping her move her site. Who can she report them to?
View 12 Replies
Mar 13, 2008
My computer's HDD crashed last night and I only have an old backup.
The problem is my new server's root password was stored there and it's a 20-digit, totally random password.
Is there any way to reset the server password by the dedicated server provider?
I haven't asked my provider yet.
View 8 Replies
Jun 29, 2007
May I know how to change the password of root and of DirectAdmin through SSH?
View 14 Replies
Jun 11, 2009
I have dedicated servers and I want to change the root password. I'm using WHM/cPanel.
What happens when I forget my root password?
View 9 Replies
May 18, 2009
I'm still trying to figure this one out. I got an email last night about 10:30pm that a weird IP had logged in as root. I thought it was a guy that helps with tech things but I ran the IP... it came back from Korea and I knew I was in trouble. I immediately logged into WHM and changed the root password then sent the server down for a reboot. He was only in there for about 3 minutes before I nailed him. I've banned the IP from the server and have been watching it for nearly 12 hours now and they haven't come back yet.
Now comes the task of trying to figure out how he got the password. This is mind boggling to me. He knew the password, like someone gave it to him... there were no incorrect guesses or brute force. The password was a series of random letters, both upper and lower case. Is it possible he got it through getting to /etc/passwd via a PHP script? I have open basedir restrictions in place, can they get around that? I noticed at the time he logged in there were several IPs trying to exploit PHP scripts on my server, you know, setting the parameters to txt files but I assumed with shell functions disabled (except exec) and with open basedir this wouldn't be possible. Is there a hole in cpanel / PHP / kernel recently I may have missed?
View 14 Replies
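The observation in the post that the login came with no failed guesses, turned into detection logic, as an added example that is not from the original thread: it reads sshd lines in the `/var/log/secure` format, counts failed attempts per source address, and raises an alert for every accepted root login from an address outside an allow-list, annotated with how many failures preceded it. Zero prior failures is the "someone gave it to him" case. The log lines and the allow-listed address are constructed (documentation ranges), not real traffic.

```python
import re

# Constructed sshd lines. 203.0.113.10 plays the admin's own address; 198.51.100.77
# plays the unexpected source from the post.
SAMPLE_LOG = """\
May 18 22:31:02 host sshd[2110]: Accepted password for root from 203.0.113.10 port 51234 ssh2
May 18 22:33:41 host sshd[2192]: Failed password for invalid user test from 198.51.100.5 port 40021 ssh2
May 18 22:33:44 host sshd[2192]: Failed password for invalid user test from 198.51.100.5 port 40021 ssh2
May 18 22:34:07 host sshd[2201]: Accepted password for root from 198.51.100.77 port 3391 ssh2
May 18 22:34:09 host sshd[2201]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 18 22:36:55 host sshd[2240]: Accepted publickey for root from 203.0.113.10 port 51300 ssh2
"""

ALLOWED_ROOT_SOURCES = {"203.0.113.10"}  # assumption: addresses root may log in from

ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def root_login_alerts(log_text, allowed_sources=ALLOWED_ROOT_SOURCES):
    """One alert per accepted root login from an address not in `allowed_sources`,
    with the number of failed attempts that address made earlier in the log."""
    failures = {}
    alerts = []
    for line in log_text.splitlines():
        f = FAIL_RE.search(line)
        if f:
            failures[f["ip"]] = failures.get(f["ip"], 0) + 1
            continue
        a = ACCEPT_RE.match(line)
        if not a or a["user"] != "root" or a["ip"] in allowed_sources:
            continue
        prior = failures.get(a["ip"], 0)
        alerts.append({
            "time": a["ts"],
            "ip": a["ip"],
            "method": a["method"],
            "prior_failures": prior,
            "assessment": ("password known to the attacker, not guessed" if prior == 0
                           else "possible brute force"),
        })
    return alerts


if __name__ == "__main__":
    for alert in root_login_alerts(SAMPLE_LOG):
        print(f"{alert['time']} root login via {alert['method']} from {alert['ip']}: "
              f"{alert['prior_failures']} prior failures, {alert['assessment']}")
```

Feed it a real log with `root_login_alerts(open("/var/log/secure").read())`. A successful first-try root login from an unknown address tells you the password was obtained elsewhere; which script, backup file or support ticket leaked it is a separate investigation this check only narrows.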
Dec 10, 2008
How can I change root's password with an SSH command?
View 3 Replies
Dec 4, 2008
I forgot my server root password. I have KVM access to the server, and I have a CentOS 5 DVD in the server too.
How can I reset the root password now?
View 2 Replies
Sep 1, 2007
When I log in as a user in the wheel group it works,
but when I su to root
it shows "incorrect password".
/etc/pam.d/su
Code:
#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required /lib/security/$ISA/pam_wheel.so use_uid
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session required /lib/security/$ISA/pam_selinux.so close
session required /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session required /lib/security/$ISA/pam_selinux.so open
session optional /lib/security/$ISA/pam_xauth.so
id
Code:
uid=32006(admin) gid=32010(admin) groups=10(wheel),32010(admin)
View 4 Replies
Jan 27, 2009
Is it possible to change to root password to a VPS from inside HyperVM? I currently have 4 VPS's setup and I need to change the password for one of the VPses. Can I do this from inside HyperVM without having to go to SSH?
View 7 Replies
Jan 30, 2008
I have VPS's with two companies that have managed/semi-managed support (depending on how you define it) and rely on them for a fair amount.
Whenever submitting a support request, I have to submit my root and cPanel passwords. Do people in my situation leave their root password as they would normally and just change it however often they would if it wasn't given to support? Or do you change your root/cPanel passwords before making a support request, and then change them back after the ticket is closed?
No offense intended to either of the VPS companies or their personnel (that monitor WHT), both have been great. But the reality is that I take it everyone at the company that has access to submitted tickets now has access to the root password, and since as a customer I don't know when there has been employee turnover, that seems a security risk.
So, I am curious how others handle this. Not really sure if this belongs here or in the VPS forum, but since it could apply to any type of server/hosting account, I figured it belonged here.
View 9 Replies
Apr 15, 2008
How to change the root password from the shell....
View 2 Replies
Jul 15, 2007
How would I go about enabling the root user on a FreeBSD 6.1 system? I've got a dedicated colocated server (hardware, not virtual) and I can't for the life of me do anything with root. I can't "su", I can't "sudo", and I can't "passwd root". I've tried different shells, etc, but nothing works. I am the server admin, but I'm doing it remotely and I just can't figure this out. I know it's not, but I'm going to ask it for the sake of it being out there anyway: Is it possible that the server lacks a root user and that I'm unable to create one?
View 5 Replies
Dec 18, 2007
I can't seem to get past p21 of Database Driven Website by Kevin Yank. But I'm learning.
I've got the latest copy and want to follow it through to see what I can learn (lots, I'm sure).
I'm on Mac OS X and am trying to set the root password. He says to do this using Terminal in the bin directory of my MySQL installation.
Where is it? I know the basics about getting round Terminal, i.e. changing directories and stuff.
View 4 Replies
Nov 13, 2007
I have recently leased Kayako support suite and I have not been able to get email piping to work. They have asked several times for the root password of my dedicated server and I have denied it. They now tell me they cannot help me if I do not provide them with the password. I find this very ridiculous since I know it is not safe to give that password. Is it advisable to give them the password and then change it after they get kayako working? What risks would I be going through?
View 7 Replies
May 29, 2008
How can I change the MySQL root password with SSH access?
View 6 Replies
Dec 27, 2007
We've had a customer do something strange to their server. They were playing with /etc/passwd or /etc/shadow or similar (not quite sure of the details) but the upshot is booting the server into single user and trying to reset the password via passwd gives
passwd root (and any user)
passwd: Authentication token manipulation error
So far I've:
Replaced /etc/passwd* and /etc/shadow* with a copy from another server
Turned off SELinux
Checked /etc/pam.d/passwd is fine
Checked the root file system is r/w
View 1 Replies
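A structural check for the two files the customer edited, as an added example that is not from the original thread: it validates `passwd` and `shadow` the way `pwck` does (field counts per line, a shadow entry for every passwd user, shadow not world-readable), which are the file-level causes of `passwd` refusing to update the authentication token. The broken `etc/` it inspects is constructed in a temporary directory; the hashes in it are placeholders. An immutable attribute (`chattr +i`) on `/etc/shadow` breaks `passwd` the same way but is only visible through `lsattr`, which this check does not cover.

```python
import os
import stat
import tempfile

PASSWD_FIELDS, SHADOW_FIELDS = 7, 9


def _entries(path, nfields):
    """Parse a colon-separated account file; return (rows, format problems)."""
    problems, rows = [], []
    with open(path) as fh:
        for no, line in enumerate(fh, 1):
            line = line.rstrip("\n")
            if not line:
                continue
            fields = line.split(":")
            if len(fields) != nfields:
                problems.append(f"{os.path.basename(path)}:{no}: "
                                f"expected {nfields} fields, got {len(fields)}")
            rows.append(fields)
    return rows, problems


def check_account_files(etc):
    """Return a list of problems found in etc/passwd and etc/shadow; empty means clean."""
    passwd_path = os.path.join(etc, "passwd")
    shadow_path = os.path.join(etc, "shadow")
    for path in (passwd_path, shadow_path):
        if not os.path.isfile(path):
            return [f"{os.path.basename(path)}: missing"]
    passwd_rows, problems = _entries(passwd_path, PASSWD_FIELDS)
    shadow_rows, shadow_problems = _entries(shadow_path, SHADOW_FIELDS)
    problems += shadow_problems
    # every passwd user whose password field defers to shadow ("x") needs a shadow row
    shadow_users = {row[0] for row in shadow_rows}
    for row in passwd_rows:
        if row[1] == "x" and row[0] not in shadow_users:
            problems.append(f"shadow: no entry for user {row[0]}")
    # shadow must be readable by root only
    mode = stat.S_IMODE(os.stat(shadow_path).st_mode)
    if mode & 0o077:
        problems.append(f"shadow: mode {mode:04o} is readable by non-root users")
    return problems


def demo():
    """Constructed etc/ with a truncated shadow line, a user missing from shadow and a
    world-readable shadow file."""
    with tempfile.TemporaryDirectory() as etc:
        with open(os.path.join(etc, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n"
                     "alice:x:500:500::/home/alice:/bin/bash\n"
                     "bob:x:501:501::/home/bob:/bin/bash\n")
        shadow = os.path.join(etc, "shadow")
        with open(shadow, "w") as fh:
            fh.write("root:$1$abc$xyz:13500:0:99999:7:::\n"
                     "alice:$1$def$uvw:13500:0:99999:7::\n")  # one field short
        os.chmod(shadow, 0o644)
        return check_account_files(etc)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Point it at the real files with `check_account_files("/etc")` from the single-user shell; once it reports nothing, the remaining suspects are the immutable bit, a read-only mount of the filesystem that holds `/etc`, and the PAM stack.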
Feb 9, 2015
Is it possible to change the root password on Plesk?
I have a man who works for me on my server and installed a second PHP version on my server, and maybe it's best to change the root password!
So no one has access to my root any more.
View 5 Replies
May 18, 2014
I have installed phpMyAdmin because I don't like the limitations of Plesk's DB management, but I can't find the root password to access it. I read that Plesk renames the "root" user to "admin", but I can't find the password. Where is it?
View 4 Replies
Aug 9, 2008
How do you guys reset the Administrator (for Windows) and root password (Linux)?
Do you guys use any kind of tools, boot CD, software?
View 6 Replies