vB.com / vB.org / vB-Germany.com Security Risks?!

  • vB.com / vB.org / vB-Germany.com Security Risks?!

    I noticed that you guys are running cPanel. I am actually surprised that you have to run a control panel at all! The point of having a product like cPanel is so that people who don't know system administration can be webhosts.

    Just last week: http://www.securiteam.com/unixfocus/5CP061FCKS.html
    Another one: http://www.securityfocus.com/archive...8/2004-03-14/0 (http://www.hostinglife.com/cpinfo/cpanelvuln.php)
    Another in the past: http://[your site.com]/cgi-sys/guestbook.cgi?user=cpanel&template=|[command]| (http://www.packetstormsecurity.org/0...oits/cpanel.pl)

    And many others. cPanel is everytime but surely not known for its security. Don't expect a hacker to try only already-known exploits on you.

    Honestly: vB and cPanel - they just don't match ... I expect that your recent downtime was also due to cPanel's famous bugged code

  • #2
    We are running CPanel because our host accidentally installed it without permission or a request from us. This was the major reason why the import scripts are delayed. We are in the process of setting up a new server (sans CPanel) and will be moving to it as fast as we can.
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




    • #3
      Originally posted by AlexanderT
      ...The point of having a product like cPanel is so that people who don't know system administration can be webhosts...
      Actually (unless I misread how you meant that statement),
      People that run cPanel on servers may be experienced in system administration. However, cPanel provides a way for their clients to get things done easily (.htaccess directory protection, setup e-mail accounts, MySQL administration, etc.).
      - AJ Zmudosky



      • #4
        Yep but who is the admin and who is the client in this case? I am assuming that Jelsoft has its own dedicated server.

        Besides, if there was really need for a control panel, it wouldn't have to be cPanel which is known for its weak security.



        • #5
          Jelsoft gets their servers from VONOC
          ManagerJosh, Owner of 4 XenForo Licenses, 1 vBulletin Legacy License, 1 Internet Brands Suite License
          Director, WorldSims.org | Gaming Hosting Administrator, SimGames.net, Urban Online Entertainment



          • #6
            Originally posted by Steve Machol
            We are running CPanel because our host accidentally installed it without permission or a request from us.
            Your host has root access to the server???



            • #7
              Originally posted by zfrank
              Your host has root access to the server???
              it would be kinda hard to install the operating system without it...



              • #8
                Perhaps it's not too good an idea to post the exploits here...
                Dean Clatworthy - Web Developer/Designer



                • #9
                  I agree, but since Steve already replied I think it is OK to leave them in, otherwise he'd probably have removed them already? (Steve?)



                  • #10
                    Just mentioning them is a bad idea as someone will go searching. However, it is too late, so you might as well leave them posted.



                    • #11
                      Originally posted by ManagerJosh
                      Jelsoft gets their servers from VONOC
                      Not anymore.
                      Translations provided by Google.

                      Wayne Luke
                      The Rabid Badger - a vBulletin Cloud demonstration site.
                      vBulletin 5 API



                      • #12
                        Originally posted by ManagerJosh
                        Jelsoft gets their servers from VONOC
                        Looks like their Netblock belongs to The Planet now.



                        • #13
                          Originally posted by DWZ
                          it would be kinda hard to install the operating system without it...
                          tztz
                          If I have a new server, my first step is to change the root password. Maybe Jelsoft forgot this and the provider later installed cPanel.
                          Yes, I know, the provider can always change the root password....
                          After this I think it is better to search for a new provider...



                          • #14
                            There are various service monitoring systems provided to us by The Planet which require that they retain root access to our servers.

                            Nevertheless, we are not at all happy that they accidentally installed cPanel on our server, overwriting all our Apache, PHP, MySQL and email configuration.

                            We are in the process of building a totally new server, and will be moving all services to it as soon as it's ready.



                            • #15
                              Originally posted by zfrank
                              Yes, I know, the provider can always change the root password....
                              What?

                              If you own the server and just rent rack space and bandwidth, then what kind of access would they have to be able to change the password?


                              *Edit*


                              Never mind.

                              Kier just answered my question.
                              Sig? What sig?
