Page 1 of 2 12 LastLast
Results 1 to 40 of 46
  1. #1
    Join Date
    May 2002
    Posts
    431

    Scary CPanel/WHM Issue!

    Perhaps everyone already knows about this but I just found out about it...

    On any website that is hosted on CPanel, if you type /bandwidth/ after the domain, you can view the bandwidth stats for that server. These stats also display ALL the domains hosted on that server!

    Imagine your competitor just loading up your /bandwidth/ page and viewing all your hosted sites, they contact them all offering a better deal!

    What I did is put a .htaccess file in /usr/local/bandmin/htdocs that blocks anyone not coming from my IP address. For those who have a CPanel server but don't understand .htaccess... here are the contents of the file. Remember to replace the x's with your IP address!

    /usr/local/bandmin/htdocs/.htaccess
    Code:
    allow from xxx.xxx.xxx.xxx
    deny from all
    If you haven't already taken care of this problem I suggest you do ASAP. If you don't have a static IP, you can also set up password protection on it. Do a search for .htaccess on Google.
    Jordan Bouvier

  2. #2
    Join Date
    Jul 2001
    Location
    Australia
    Posts
    113
    Nice post. It shows all subdomains and all.. I was like wtf..

    I hope web hosts do disable access to it; I would hate for my information to be seen: how much transfer I use and all my hidden subdomains.. :O

  3. #3
    Join Date
    Jan 2002
    Location
    Scotland, UK
    Posts
    2,687
    Yeah, I was aware of this and have already taken care of it, but thanks for reminding me.
    Chris Adams - CEO - Rochen Ltd. - chris (at) rochen (dot) com

    Now offering both US & UK premium business hosting, reseller hosting and managed virtualized services.
    rochen.com | rochen.co.uk | blog.rochen.com | forums.rochen.com | Twitter: @rochenhost

  4. #4
    Join Date
    Jan 2002
    Location
    Scotland, UK
    Posts
    2,687
    Just as a side note, instead of blocking per IP, we just password protected it.

    http://www.rochenhost.com/bandwidth/
    Chris Adams - CEO - Rochen Ltd. - chris (at) rochen (dot) com

  5. #5
    Join Date
    Oct 2001
    Location
    The Ozarks
    Posts
    888
    It's been blocked most everywhere I know of


    <edit> on second look, it's not blocked on many servers </edit>
    Last edited by RH Robert; 08-19-2002 at 02:28 AM.

  6. #6
    Join Date
    Aug 2002
    Location
    Chandler, Arizona
    Posts
    2,564
    Thank god I'm not using cPanel... lol
    -Robert Norton
    www.SophMedia.com

  7. #7
    Join Date
    May 2002
    Posts
    431
    Well I decided to post this after deciding to check if I was the only one, and upon loading the bandmin pages for several large hosting companies I decided that I obviously wasn't the last person on earth to realize this!
    Jordan Bouvier

  8. #8
    Join Date
    Jan 2002
    Location
    Scotland, UK
    Posts
    2,687
    ServerSonic - Does the bot know about this important issue yet?
    Chris Adams - CEO - Rochen Ltd. - chris (at) rochen (dot) com

  9. #9
    Join Date
    May 2002
    Posts
    431
    Originally posted by rochen
    ServerSonic - Does the bot know about this important issue yet?
    Not yet ;-) I took him down for a while but you guys were having so much fun, perhaps I should keep him online if not only for me to read the silly logs of people chatting. Can always use some humor when you haven't slept in 20 hours!
    Jordan Bouvier

  10. #10
    Join Date
    Oct 2001
    Location
    Ohio
    Posts
    8,299
    Wow, that is kinda cool. I don't think you'd have to worry about a competitor stealing your customers through that though, unless of course your customers were not satisfied with the service that you're providing.

  11. #11
    Join Date
    May 2002
    Posts
    431
    Well for the most part no, but I'm not one of those hosts that offers way too low prices in the requests forum... I actually make sure that I can afford to offer service to my customers each month. All someone needs to do is offer a few bucks off and some people are going to jump ship. Yeah, they'll probably be back later but I'd rather not give anyone this outlet, you know?
    Jordan Bouvier

  12. #12
    Join Date
    Oct 2001
    Location
    Ohio
    Posts
    8,299
    Yeah that is true. I'm currently working up the prices for my hosting company, along with the design. I swear I'm about ready to just go out and hire someone. I get done with a design and then I realize it looks like total crap.

  13. #13
    Join Date
    May 2002
    Posts
    431
    For those of you who want to password protect it here are instructions:

    1) pico /usr/local/bandmin/htdocs/.htaccess
    Code:
    AuthUserFile /usr/local/bandmin/.htpasswd
    AuthGroupFile /dev/null
    AuthName "Bandwidth Monitor"
    AuthType Basic
    
    <Limit GET POST>
    require valid-user
    </Limit>
    Hit Ctrl+X then Y and then Enter

    2) htpasswd -c /usr/local/bandmin/.htpasswd username
    (where username is the username you want to create)
    enter your password
    enter your password again

    Edit: If you don't have htpasswd installed on your server you can go to http://www.euronet.nl/~arnow/htpasswd/ to generate one. Then just use pico to edit /usr/local/bandmin/.htpasswd and paste the line of text that the site gave you into it.

    You should be all set at this point! :-D
    Last edited by ServerSonic; 08-19-2002 at 03:15 AM.
    Jordan Bouvier

  14. #14
    Join Date
    Jul 2001
    Location
    Melbourne, AU
    Posts
    1,392
    Thanks for the heads up on this. I'll be passing this info onto our Server Admins to ensure the loophole is fixed, if it hasn't already been done.
    SERVSTRA | THE HIGH BANDWIDTH SERVER SPECIALISTS
    Lowest prices on 2Gbps, 5Gbps & 10Gbps DEDICATED unmetered servers!!!
    █ Custom 10Gbps unmetered clustered server solutions! Email us for more info!
    Over 24 world wide locations to choose from!

  15. #15
    Join Date
    Jun 2001
    Location
    Kalamazoo
    Posts
    33,190
    Thanks, Jordan.

    Seems like this should have been part of the WHM news or something. Or some forum announcement.
    There is no best host. There is only the host that's best for you.

  16. #16
    Join Date
    Apr 2002
    Location
    USA
    Posts
    5,779
    LOLOL there are a lot of hosts that do not read this forum that are going to be pissed

  17. #17
    Join Date
    Jun 2001
    Location
    Kalamazoo
    Posts
    33,190
    Only if they find out.
    There is no best host. There is only the host that's best for you.

  18. #18
    Join Date
    Jun 2002
    Posts
    1,210
    Ohhhhhhhh interesting.
    My host must be rich since there's well over 100 sites hosted, so it says.
    Professor of crime at St Andrews university.

  19. #19
    Join Date
    Aug 2001
    Location
    Indiana
    Posts
    421
    Very interesting, indeed. Thanks for the heads up.
    "Last year, some resourceful software enthusiasts cracked Sony Music's proprietary technology simply by scribbling around the edges of the disc with a Magic Marker pen, thus enabling playback on any device." - news.com

  20. #20
    Join Date
    Aug 2002
    Location
    Australia
    Posts
    297
    Very interesting. Is this some kind of mistake or was it intended?

    But I don't think this information is much use to anyone. I could be wrong.
    Banner Design - Professional Designs - 24hr Turn-Around Guaranteed - 20DollarBanners.com

    Online Photo Editor
    Retouch or Add effects to your photos with 1 click

  21. #21
    Join Date
    Dec 2000
    Location
    "the islands & bays are for sportsmen"
    Posts
    294
    *giggles* It's always been this way, guys... I found out about it on the cpanel.net forums like a year ago.

    Although thanks for the reminder, I have had some fun surfing the 'net tonight.


    Bailey

  22. #22
    Just checked out a few hosts to see what I could find, saw one that had almost 3200 sites (name based) on one IP.

  23. #23
    Join Date
    Aug 2000
    Location
    Tacoma, Washington
    Posts
    9,576
    it's not really a security risk as such, unless you have issues elsewhere. I suppose someone could write a script to collect the domains then probe them all for holes, anonftp etc.

    Greg Moore
    Former Webhost... now, just a guy.

  24. #24
    Join Date
    Mar 2001
    Location
    Michigan
    Posts
    1,607
    Very weird...

    Going to /bandwidth/ doesn't go anywhere on my server.. I just get a 404. I don't remember it ever being on my server -- unless the person that set up the server deleted bandmin from it at setup... dunno
    *shrug*

  25. #25
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,109
    Excellent post ServerSonic and nice one on moving the .htpasswd file one dir. up.

    A question though, for any who would like to respond...

    Not being all that familiar with Bandmin, how is it that it only shows the "Shared Virtual Host IP" for the Server itself, and not allocated Name Server IPs nor Dedicated?

    And is anyone also using this method for the "manual" directory [ http://domain.com/manual/ ] or do most feel that area is not a biggie?

    I've got people finding that directory through Search Engines. So I'm wondering how in heck it got in there -- definitely not my doing???
    PotentProducts.com - for all your Hosting needs
    Helping people Host, Create and Maintain their Web Site
    ServerAdmin Services also available

  26. #26
    Join Date
    Apr 2002
    Location
    Hollywood, CA
    Posts
    3,046
    Mine is .hta password protected, but when I put my password in, it doesn't work.... Then again, I'm sure alan/splashhost did that for a reason.

  27. #27
    Join Date
    Oct 2002
    Location
    Virginia
    Posts
    787
    Forbidden
    You don't have permission to access /bandwidth/ on this server.
    ----------------------------------------------------------------------------------

    Does this mean the host has already fixed it from their end?
    UrlRedo.com - short URL service

  28. #28
    Join Date
    Oct 2001
    Location
    Ohio
    Posts
    8,299
    Yes Dsotmoon, either that or cpanel has corrected the problem.

  29. #29
    Nope, Cpanel didn't fix it. You have to lock it yourself.
    WHO AM I? CLICK HERE!

  30. #30
    Join Date
    Oct 2002
    Location
    Canada
    Posts
    3,100
    Originally posted by ServerSonic
    Well for the most part no, but I'm not one of those hosts that offers way too low prices in the requests forum... I actually make sure that I can afford to offer service to my customers each month. All someone needs to do is offer a few bucks off and some people are going to jump ship. Yeah, they'll probably be back later but I'd rather not give anyone this outlet, you know?
    Thank you for an idea
    http://www.serversonic.com/bandwidth/

  31. #31
    Join Date
    May 2002
    Posts
    431
    I'm not sure what your post is about, sasha, but if you are indicating that you want to see our hosted list then click away at that link, because it's been password protected for quite some time now.
    Jordan Bouvier

  32. #32
    Join Date
    Feb 2002
    Posts
    1,298
    Serversonic thanks for the guide on how to password protect it. Do you, or anyone else, know why I am getting the permission denied error when trying to write to the .htaccess file?

    John

  33. #33
    Join Date
    May 2002
    Posts
    431
    You probably will have to be root when you try that
    Jordan Bouvier

  34. #34
    Join Date
    Dec 2001
    Location
    Toronto, Ontario, Canada
    Posts
    5,954
    Might want to auth based on the system passwd file (might not, just an idea: verify against /etc/shadow or /etc/passwd, so that legit users can still see if they want to).

    Personally I don't see the big deal; your users are gonna get spammed regardless if they're on the web.

  35. #35
    Join Date
    Feb 2002
    Posts
    1,298
    You probably will have to be root when you try that

    Thanks but I do have root access - I didn't, however, log in at the root, but through the actual account which has root access.

    John

  36. #36
    Join Date
    Feb 2002
    Posts
    1,298
    porcubine, thanks for your suggestion

    John

  37. #37
    Join Date
    Jan 2002
    Location
    Sydney,Australia
    Posts
    972
    Mine doesn't load.

  38. #38
    Join Date
    Nov 2002
    Location
    CA, USA
    Posts
    1,903
    After I apply it, now I get an Internal Server Error display. Weird.
    ◊ James | [email protected] |
    ◊ aim: vnpixel msn: [email protected] yahoo: vn_pixel
    ◊ http://www.vnpixel.com

  39. #39
    Join Date
    Feb 2001
    Posts
    454
    Ahhhh the problems with GUIs - everyone forgets what's going on under the skin.

    It's amazing, I've known this little 'feature' for almost two years, and there are still servers out there that haven't protected it.
    back from the dead

  40. #40
    Join Date
    Feb 2001
    Posts
    1,227
    hahaha u only found this out recently? this thing existed in cpanel since the start of time! muahahha if only u knew how many customers u lost to me..
    I have servers at: NetDepot/GNAX (A), SoftLayer (A), LiquidWeb (B+), DedicatedNow (B+), Nectartech (B) and more!
