
Cpanel - Can You Really Trust Your Webhost?


skraps

Cpanel went on for 2 years with a remote root exploit in exim 4.69 (released: 12-27-2007 11:29 AM) that allowed attackers to gain complete control over the servers. Hosts that use cpanel include Hostgator.com and many others. Unlike qmail (qmail.org), which has a track record of zero security flaws, along with tinydns, which has had one security flaw, but not a serious one: it only allowed attackers to crash the daemon, which then needed to be restarted.

Why is this so serious? Imagine how many E-Commerce sites are built on top of that platform. If you run a cpanel server inside your network that has access to the outside world, you could now have crackers using that cpanel box as a base from which to compromise and attack other computers on the network. The possibility that a massive DDOS attack was on its way, the 2012 of the internet? Your whole datacenter turns on you.

("200,000 "web site hosting vendors", all cPanel-based, yet uniquely labeled")

("Here's where: more than 98% of these 200,000+ different web hosting brand names in the world will offer you exactly the same cPanel Control Panel and platform, labeled in a different way, with the same price tags!")

Information taken from - www.resellerhostingclue.com

Any site in the past 3 years that has received your personal information, name, address, telephone, and credit card numbers has more than likely been compromised and "black hat hackers" (the evil doers) have your information at their disposal.

A lot of shared servers, like hostgator.com, and many more here -

Google Search

This is how easy it was for an attacker to gain complete control over these hosts.

www.youtube.com/watch?v=DnSgOGIxjaQ

Also cpanel prefers performance over security. None of these services include chkrootkit, rkhunter, obscure installs of tripwire. None of the services use chroot for the daemons. http://en.wikipedia.org/wiki/Chroot

10 other web hosting panel alternatives that are free

10 free cpanel alternatives

ISPConfig is a great alternative that is feature rich and even includes multiple server monitoring and virtual machine monitoring/control. This is put together by the people at howtoforge.com; the only thing they ask is that, if you can, you buy a subscription for 6 USD to their site, where they give the same support and quality tutorials to everyone for free anyway! There is nothing more genuine than that.

Basically every host I have talked to only says they patched their servers. None of them reinstalled the base and then reinstalled cpanel. Knowing Hostgator, there is no tripwire, and most hosting companies would not take the time to ensure the safety of the data, mainly because that would cost them money and resources: moving the accounts, going through all the code of the websites looking for malware and web based shells. Last updates made to the most popular root kit checking software on the market. AVG also has a Linux virus scanner but I am unsure of its capabilities. The windows version of AVG is rock solid. ( http://free.avg.com )

The only way to ensure the integrity/safety of the data is to reinstall the base and then cpanel or an alternative, and finally move the accounts back to the servers. This is because chkrootkit and rkhunter have only been trained to find known root kits in common places. This does not include back doors implanted into obscure places. This does not include checking the kernel for mods that enable an attacker to compromise the host.

Last updates to these pieces of software -

2009-30-9 rkhunter

2010-11-17 - chkrootkit

Responses from a couple cpanel hosts:

Hostgators Responses:


Your Chat ID is: 5126762. Your initial question is:: My Domain Name is:"techjunkies.com"

Welcome to GatorChat!

You are being connected to a representative in our Technical Support department right now.

For immediate answers to your questions, check out our knowledge base and video tutorials at http://support.hostgator.com/.

(2:10:55pm) System: Customer has entered chat and is waiting for an agent.

(2:13:15pm) Leslie A.: Welcome to HostGator LiveChat. My name is Leslie. I'd be glad to assist you today with your inquiry.

(2:13:17pm) Leslie A.: Hello, John!

(2:13:19pm) Leslie A.: How may I assist you today?

(2:13:30pm) John Walker: What's this? https://www.facebook.com/pages/Boycott-Cpanel/324347710917547

(2:13:38pm) John Walker: I found it on facebook

(2:15:46pm) Leslie A.: After glancing over the article, I can see that they mention us, but I have no knowledge of this "exploit", and I can assure you we have full security on all our servers.

(2:16:01pm) Leslie A.: This page was made without our knowledge, and I cannot comment directly on the subject.

(2:16:23pm) John Walker: Thank you. Good bye.

Your Chat ID is: 5126817. Your initial question is:: My Domain Name is:"Mashable.com"

Welcome to GatorChat!

You are being connected to a representative in our Billing department right now.

For immediate answers to your questions, check out our knowledge base and video tutorials at http://support.hostgator.com/.

(2:21:29pm) System: Customer has entered chat and is waiting for an agent.

(2:23:26pm) Grant C.: Welcome to HostGator Live Chat. My name is Grant, I would be more than happy to assist you today.

(2:23:37pm) John Mayers: What's this? https://www.facebook.com/pages/Boycott-Cpanel/324347710917547

(2:24:11pm) Grant C.: Looks like a facebook page for people who don't like cPanel.

(2:24:48pm) John Mayers: It says that all cpanel server were compromised by a security flaw that was in the wild for 2 years before being discovered

(2:24:54pm) John Mayers: servers*

(2:25:23pm) John Mayers: Did you guys patch the servers?

(2:25:38pm) Grant C.: Oh, yes, that was a while ago, we took care of that, John.

(2:25:53pm) John Mayers: So all the servers were just patched?

(2:26:13pm) Grant C.: Yes, we ran the cPanel patch over a month ago.

(2:26:34pm) John Mayers: Thanks, that makes me feel so much better about the whole issue

(2:26:59pm) Grant C.: I am happy to hear it, John.

(2:27:00pm) Grant C.: Is there anything else I can clear up for you/do for you to bring resolution to this issue?

(2:27:13pm) John Mayers: Nope, I was just concerned.

Routehosts Response:

Hi,

Thanks for the update. We've already installed necessary security patches to avoid such vulnerabilities.

Regards

Support Team

----------------------------------------------

Ticket ID: #546697

Subject: Exim 4.69 major problem

Status: Answered

Ticket URL: http://secure.routhost.com/viewticket.php?tid=546697&c=BahshgvT

----------------------------------------------

Hurdles pushing this information to the public -

Grub Help mailing list -

Greg implicitly states he knows a person that works at one of the two companies. Then he proceeds to call this a scam and me a fraud. Greg and Mark then decided to move the argument off list and proceeded to call me a liar after moving the private message he sent me, which was vulgar, to the public list, saying I am a fraud/liar because I changed the reply to the group and not directly to them. I admit I'm not the best, but I am not scamming anyone about these issues.

Emails of the conversations; these are also available via the mailing list archives, publicly searchable on google.

http://www.mediafire.com/?j30de481uyj1oac email1

http://www.mediafire.com/?x088yxb07j8ow84 email2

http://www.mediafire.com/?eic2c4byi4zqq1s email3

Web Hosting Talk -

Then on web hosting talk I started a thread called "Boycott Cpanel". That was shut down after about an hour, after mentioning the connections between the site and having hostgator employees as their own content curators. I also mentioned the connections between cpanel and hostgator. I even went as far as posting a message and link back to the facebook boycott page, and my account was then banned. Apparently touching on the sensitive areas of their operations that they try to keep quiet upsets them.

http://tinyurl.com/6ptrwgy Webhosting talk thread

http://tinyurl.com/74hl4f4 PDF

To hosting companies -

By using cpanel, you are supporting your competition. Hostgator and cpanel routinely trade employees, and a small amount of evidence can be found on linkedin. You can see it from the profiles on linkedin. If you're a good admin at cpanel you get sent to hostgator. If you're a good programmer or one of the trusted higher ups with an impeccable background you get sent to cpanel.

Nate Custard

http://tinyurl.com/738l5m6 PDF

http://tinyurl.com/7m6spwg Linkedin

Josh B. -

http://tinyurl.com/8yaokav PDF

http://tinyurl.com/7mfg92y Linkedin

Chris B. -

PDF copy - http://tinyurl.com/8ydvcpe

Linkedin - http://tinyurl.com/6lhtdku

Join the facebook page - https://www.facebook.com/pages/Boycott-Cpanel/324347710917547

Same article found with responses from cpanel server providers that only patched @ http://www.webhostchat.co.uk/general-chit-chat-discussion/23879-cpanel-boycott-can-you-really-trust-your-cpanel-host.html#post231010

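The tripwire-style integrity baseline that the original poster says these hosts skipped, as an added example (not code from this thread or from any host or vendor): it records a SHA-256 manifest of a trusted tree and later reports anything added, removed or altered, so a modified binary or a file dropped in an obscure place is flagged without any prior knowledge of a specific rootkit, which is exactly what a signature scanner such as chkrootkit or rkhunter cannot do. The directory tree and file contents below are constructed for the demonstration.

```python
# Tripwire-style file-integrity check: record a baseline of every regular file
# under a tree, then report anything added, removed or altered. Unlike a
# signature scanner it needs no knowledge of what a backdoor looks like; it only
# needs the baseline to have been taken while the tree was trusted (e.g. right
# after a clean install) and stored somewhere the monitored host cannot alter.
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash file contents in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Return {relative_path: {sha256, size, mode}} for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():  # skip dirs, sockets, symlinks
            st = p.lstat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": _sha256(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),  # permission/setuid bits
            }
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree against a stored baseline; return sorted change lists."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in set(current) & set(baseline)
                           if current[k] != baseline[k]),
    }


def demo() -> dict:
    """Constructed example: baseline a fake root, alter it, then verify."""
    root = Path(tempfile.mkdtemp())
    try:
        for rel, data in {"bin/ls": b"ELF-ls", "etc/passwd": b"root:x:0:0",
                          "usr/lib/libc.so": b"ELF-libc"}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = json.loads(json.dumps(build_baseline(root)))  # as if reloaded from disk
        # Simulated post-compromise state: altered binary, unknown file in an
        # obscure directory, deleted library. None of these need a signature.
        (root / "bin/ls").write_bytes(b"ELF-ls" + b"\x90" * 16)
        (root / "tmp/.x").mkdir(parents=True)
        (root / "tmp/.x/sh").write_bytes(b"#!/bin/sh")
        (root / "usr/lib/libc.so").unlink()
        return verify(root, baseline)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A baseline taken after the tree may already have been altered proves nothing, which is the poster's point about hosts that only patched.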

Well @DeAuthThis is right about one thing. cPanel is kind of like windows, in that it has a large market share for what it is, the same way windows is the most widely used OS. A larger market also makes you a larger target and, more than likely, more flaws and exploits get found. But not every implementation of cPanel is a problem. If a host secures their servers properly for customers, even if cPanel has a flaw, attackers shouldn't be able to do much of anything if the host locks down the rest of their stuff. Not saying people won't get in, but this is nothing new either. All software has bugs, many of which people sit on and don't share, so just because it isn't public yet doesn't make some other host somehow safer if they don't use cPanel. Personally, I don't care for cPanel or Webmin. A lot of Webmin implementations also come with a browser based command line utility, so if someone did get into your webmin area through brute force or such, they could potentially do a lot more damage to the server (as webmin is usually a server/root user utility vs a vhost utility) than merely, say, a user account on a vhost with cPanel and /user/home directory only access. If cPanel could be leveraged to elevate user access to root, well, it's game over at that point, but if implemented properly, it should not let attackers go further than the user's home directory and www files.

If cafe press will not participate I will ask Linus Torvalds or someone else trustworthy to monitor the progress of the sales so no one can say I am scamming to make a gain out of this.

This is the message I have sent to cafepress.

Cafe press shop

We are organizing something right now that is important and I would like to know if you guys would participate. I made all these shirts and would like 100% of the profits to go back to open source development. I would like to know if you guys would print and ship them at cost and keep this thing going until more is given to the open source community from CPanel Inc. And all the servers are reinstalled that had the remote Exim 4.69 remote root hole in them.

This wasn't included; I just added it in. Also, Cpanel should give back 50% of their profits annually for what they have done. 50% of their product is open source and the community deserves it for the work that they have done.

Join the boycott - Boycott Page


Cpanel also offers Enkompass for free compared to cPanel. Why are they going to give away a hosting panel to Microsoft based servers but charge everyone else for their software that runs on a platform that is not affordable, is insecure, and has more worms and viruses built for it than ever? Seems like they support the microsoft agenda more than opensource. They would rather rape open source than support it, and support the monopoly of desktop systems instead.

Cpanel also offers Enkompass for free compared to cPanel. Why are they going to give away a hosting panel to Microsoft based servers but charge everyone else for their software that runs on a platform that is not affordable, is insecure, and has more worms and viruses built for it than ever? Seems like they support the microsoft agenda more than opensource. They would rather rape open source than support it, and support the monopoly of desktop systems instead.

I don't think it's an Open Source vs Closed Source issue though. If you are using IIS in the first place, cPanel is the least of your worries.

I don't think it's an Open Source vs Closed Source issue though. If you are using IIS in the first place, cPanel is the least of your worries.

I wasn't saying it was an open source versus closed source issue. Closed source has the same issues as open source. It's just that open source issues are always discovered/publicized before closed source ones, because they are easier for the grey hats to find.

I think this is more of a strategy. Take advantage of open source to do something like this, and if it was found out about or made a big deal of, it could be used as a way to debunk open source to try and level the server market toward MS solutions. Notice the choice of mailers. Exim was used. Now postfix and sendmail are too mature, and qmail is too mature and the code is too heavily monitored, to have a bug like this placed in it. Join the boycott and let your friends on facebook know. https://www.facebook.com/Boycottcpanel This is way too serious to be brushed off like hosting companies are trying to do.

This is why cpanel needs to be boycotted - https://www.facebook.com/Boycottcpanel - join the boycott

Your Chat ID is: 5138773. Your initial question is:: My Domain Name is:"www.squiggles.com"

Welcome to GatorChat!

You are being connected to a representative in our Technical Support department right now.

For immediate answers to your questions, check out our knowledge base and video tutorials at http://support.hostgator.com.

(8:05:55pm) System: Customer has entered chat and is waiting for an agent.

(8:07:54pm) Andre B.: Welcome to HostGator Live Chat! My name is Andre. How may I assist you today?

(8:08:17pm) Johnny: What's this? https://www.facebook.com/Boycottcpanel

(8:08:44pm) Johnny: Can I trust cpanel after this? Or any host that uses cpanel?

(8:10:24pm) Andre B.: cPanel is the most used and trusted Control Panel for web hosting.

(8:11:06pm) Johnny: Well what happened between 2007 and 2010?

(8:11:21pm) Andre B.: To be honest Johnny, there is no software that is completely infallible. It's a matter of degrees.

(8:11:59pm) Johnny: Were there not security implementations that could have been used that were not in cPanel?

(8:13:00pm) Johnny: Or would that slow the servers down too much so not as many accounts could be crammed on them?

(8:13:37pm) Johnny: So this basically boils down to a matter of profits made per server?

[/quote]

Andre avoids the questions and changes the subject.

[quote]

(8:14:11pm) Andre B.: cPanel provides a GUI for the Linux web hosts.

(8:14:17pm) Johnny: Weren't there better MTAs that could be used? With a more mature and secure code base?

(8:14:30pm) Johnny: Not just a GUI

(8:14:41pm) Johnny: it is a whole system that works with a GUI

(8:14:47pm) Andre B.: Exactly, but that's the primary purpose of it.

He now offers to sell me a plesk install but lies to me and says cpanel is just a gui.

(8:15:18pm) Andre B.: We do offer Plesk as a Control Panel as well.

(8:15:26pm) Johnny: So cPanel picks the daemons that it uses, and security implementations that are used on the install

(8:17:30pm) Johnny: cPanel does recommend installing on a clean RHEL OS

(8:17:34pm) Andre B.: Honestly, any layer of additional software will have potential issues.

(8:18:21pm) Johnny: Only the daemons and kernel allow unauthorized access

(8:18:29pm) Andre B.: If you want higher security with HostGator you may want to manage it further by choosing a VPS or Dedicated Server where you have root access and do not have to use cPanel or Plesk.

(8:18:41pm) Johnny: so tripwire wouldn't have made it worse.

(8:18:58pm) Johnny: cPanel is primary hosting panel, how many server do you have?

(8:19:12pm) Johnny: That use cpanel?

(8:19:51pm) Johnny: servers*

(8:20:00pm) Andre B.: I wouldn't be able to say exactly, because I do not have access to those numbers. But I know it is quite a bit since we hold about 1% of the market share worldwide.

(8:21:20pm) Johnny: so roughly 75% of your servers have been more than likely compromised during those 2 years? Also who knows how many crackers are inside your network.

(8:21:35pm) Andre B.: I would definitely not say that.

(8:21:49pm) Andre B.: I would say that very small percentage perhaps.

Admits servers have been compromised.

(8:22:27pm) Andre B.: We have very high end Security Admin team, system engineers and developers working at HostGator.

(8:22:31pm) Johnny: So there are not many servers that are still in use after December 2010?

(8:23:05pm) Johnny: How can that be with the cheapest hosting plans and unlimited bandwidth?

(8:24:01pm) Andre B.: I am not sure what you are referring to, but I do know that most of the servers are the latest technologies.

Andre now says they have a high end team when they obviously can't afford this.

(8:24:20pm) Andre B.: We use 8 and 16 core servers.

(8:24:46pm) Andre B.: And continue to add newer and faster technology as it is available.

(8:25:19pm) Andre B.: Were there any other questions regarding HostGator accounts that I can help you with?

(8:25:35pm) Johnny: No that's alright.

(8:25:52pm) Andre B.: We are here to assist you with your hostgator account 24 hours a day 365 days a year!

(8:26:10pm) Johnny: have a good one

(8:26:14pm) Andre B.: We are always here to answer your questions!

(8:26:17pm) Andre B.: Ok, take care and have a great one!

(8:26:21pm) Andre B.: Happy Holidays!

(8:27:26pm) Johnny: Merry Christmas, today is Baby Jesus's day

(8:27:37pm) Andre B.: Yes it is! Merry Christmas!

(8:27:50pm) Andre B.: Thank you for using HostGator Live Chat. If you could take a minute to rate your experience with HostGator as well as my overall performance, that would help us to improve our customer service. To do that, just click the button that says Rate and Exit in the upper right hand corner. The survey takes less than a minute to fill out.

(8:30:59pm) System: This chat has ended. Click Rate And Exit to rate the representative and our company!

(8:30:55pm) Andre B. has closed the chat.

(8:31:01pm) System: This chat has ended. Click Rate And Exit to rate the representative and our company!

Edited by skraps

Change the people's names, change the software, change the OS, and the conversation would be the same. cPanel definitely has its flaws, not going to argue that point. But I think the bigger problem is the lax security at Host Gator in the first place. Many host companies have weak, lax or just downright misconfigured web hosting. I've had my share of bad luck with different web hosts in the past as well, and they didn't have cPanel involved and still were compromised. I've had clients who had GoDaddy sites, who had php settings with allow_url_fopen and were compromised by RFI attacks. GoDaddy told my client that someone must have guessed their password, when I could clearly see where the attackers were accessing his site.

Bottom line, it is more the web hosting companies' security in place than so much the flawed software that is the culprit. If there was a publicly known flaw in the software that the vendor was made aware of and they didn't put out an update, then yeah, they should be chastised for it. But most hosting companies don't even update or patch when new releases are out, until long after it's already become a problem for them. Until they lose money and customers, they won't care. So long as they are making money, they will continue to use cPanel. I don't foresee web hosting companies boycotting cPanel any time soon, and while we might agree with you it's a crappy product, you are preaching to the choir.
