  1. #1

    * www.domain.com/~username bandwidth monitoring???

    Ok everyone help me on this one... It seems as if some people are using other people's bandwidth by going to http://www.somedomain.com/~thereusername and linking downloads off of that. Does cpanel count that as bandwidth usage of the domain it is on, or bandwidth usage of the actual username being accessed? This is a HUGE exploit issue, and needs to be fixed if it does count the domain they're on as the account to apply bw usage to.

    EVERYONE help me get this one solved ASAP, as this is a problem for every cpanel/whm user out, so please help me here .

  2. #2
    Join Date
    Sep 2002
    Location
    http://www.hostriot.com
    Posts
    135
    Cpanel counts that as the bandwidth usage on that domain.

  3. #3
    Let me note if it's clear: This is with CPANEL.

  4. #4
    Originally posted by HostRiot
    Cpanel counts that as the bandwidth usage on that domain.
    Ok that's what I'm thinking, any clarification on this or any other opinions on this? This is a HUGE problem that needs to be addressed and FIXED FAST.

  5. #5
    *SERIOUS* issue people, where is everyone we need to find out what is going on fast, and how to solve it...

  6. #6
    Am I the first, and only, to discover this? Let me do some searches, as this is just crazy...

  7. #7
    Join Date
    Sep 2002
    Location
    http://www.hostriot.com
    Posts
    135
    Ok, myself and ChickenSteak have figured out that there is a huge exploit in cpanel.

    I hope they can fix this quickly.

  8. #8
    ;o) it needs to be fixed before anyone else ends up with bandwidth bills because of this.

  9. #9
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    11,868
    that's why the first domain on all my boxes is a dummy one
    Shared Web Hosting - Reseller Hosting - Semi-Dedicated Servers - SolusVM/XEN VPS
    LiteSpeed Powered - R1Soft Continuous Data Protection - 24/7 Chat/Email/Helpdesk Support
    Cpanel/WHM - Softaculous - R1soft Backup - Litespeed - Cloudlinux -Site Builder- SSH support - Account Migration
    DowntownHost LLC - In Business since 2001- West/Center/East USA - Netherlands - Singapore

  10. #10
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,205

    Re: www.domain.com/~username bandwidth monitoring???

    Originally posted by ChickenSteak

    EVERYONE help me get this one solved ASAP, as this is a problem for every cpanel/whm user out, so please help me here .
    Have you notified the developers of CPanel yet?

  11. #11
    Jedito, it has nothing to do with the first domain, lol are you sure you replied to the correct thread?

    Here are some examples:
    www.favoriteweddingmemories.com/~rackeasy
    www.rackeasy.com/~morgan
    www.lanaddict.com/~rackeasy ( which is morgan )

    It is all connected every single domain on the shared ip is connected and can be viewed as /~ which is why this is so dangerous...

  12. #12

    Re: Re: www.domain.com/~username bandwidth monitoring???

    Originally posted by uuallan


    Have you notified the developers of CPanel yet?
    Yes, I have emailed Nick and sent this issue into bugzilla.

  13. #13
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,205

    Re: Re: Re: www.domain.com/~username bandwidth monitoring???

    Originally posted by ChickenSteak
    Yes, I have emailed Nick and sent this issue into bugzilla.
    Then why are you asking people on this board to solve it? That would fall under the realm of the CPanel developers.

  14. #14
    Correct, although other people should be notified. Also other people may have a "fix" for it, among other reasons.

  15. #15
    Join Date
    Apr 2001
    Location
    Paradise
    Posts
    11,868
    Originally posted by ChickenSteak
    Jedito, it has nothing to do with the first domain, lol are you sure you replied to the correct thread?

    Here are some examples:
    www.favoriteweddingmemories.com/~rackeasy
    www.rackeasy.com/~morgan
    www.lanaddict.com/~rackeasy ( which is morgan )

    It is all connected every single domain on the shared ip is connected and can be viewed as /~ which is why this is so dangerous...
    Ohh, I misunderstood the problem, sorry

  16. #16
    It's all good .

  17. #17
    ChickenSteak, try turning on hotlink protection, should be helpful..

    Miha.
    Powered by AMD & FreeBSD.
    "Documentation is like sex:
    when it is good, it is very, very good;
    and when it is bad, it is better than nothing."

  18. #18
    Join Date
    Jul 2002
    Posts
    3,729
    You need mod_bwprotect. It will stop that.

  19. #19
    Originally posted by Miha
    ChickenSteak, try turning on hotlink protection, should be helpful..

    Miha.
    No, I don't want this as I don't want to terminate /~user access. I want that access to go against the /~user that is being accessed as his bandwidth, not the domain's.

    Lightin how exactly would this work?

  20. #20
    Join Date
    Aug 2001
    Location
    United kingdom
    Posts
    1,003
    Having mod_bwprotect actually works, since it gives a 511 error, saying access denied when accessing someone else's user space from this domain is not allowed. But as ChickenSteak has said, it's good to have this feature available. I've found for a shared SSL cert to work that is NOT the same as the server name and on a different IP address will not work and will give the access denied error. The only way around this was to disable mod_bwprotect in Apache. I think notifying Nick at CPanel is probably the best way to get the problem solved.

    Alan
    Alan Ho
    Former Systems Administrator

  21. #21
    Correct, I will wait and see what Nick has to say.

  22. #22
    Join Date
    Aug 2001
    Location
    United kingdom
    Posts
    1,003
    Could you try to remember to update this thread so that other CPanel users know too please?

    Thanks,
    Alan
    Alan Ho
    Former Systems Administrator

  23. #23
    Yes, I will do so.

  24. #24
    Join Date
    May 2001
    Location
    Dayton, Ohio
    Posts
    4,962
    In your /usr/local/apache/conf/httpd.conf

    Find:

    AddModule mod_userdir.c

    Change to:

    #AddModule mod_userdir.c

    Save and restart apache

    That will disable the ~username option...
    -Mat Sumpter
    Director, Product Engagement
    Penton Media

  25. #25
    Join Date
    Aug 2001
    Location
    United kingdom
    Posts
    1,003
    We don't want to disable the feature though, since it's useful to have /~username for users to check their website before DNS propagates and also for shared SSL access.

    Alan
    Alan Ho
    Former Systems Administrator

  26. #26
    Join Date
    May 2001
    Location
    Dayton, Ohio
    Posts
    4,962
    Originally posted by ho247
    We don't want to disable the feature though, since it's useful to have /~username for users to check their website before DNS propagates and also for shared SSL access.

    Alan

    My post was more about blocking while nick made a fix but oh well...

    Since Nick didn't make the mod_userdir code, I think it would be better to take this problem to the author of the module.. I don't see Nick doing much about it anyway, since he can't do all that much for it...

  27. #27
    Join Date
    May 2001
    Posts
    697
    Yes, I've been aware of this problem for quite some time. Never really thought of the ability of linking off of someone else's domain though... I always just assumed people would be using the temp domain that we assign them. It's still a big deal, but not as big as stealing another user's bandwidth.

    Hopefully Nick can put something together and get this fixed asap!

  28. #28
    Join Date
    Aug 2002
    Location
    Utah
    Posts
    25
    Wow, that's cool. I didn't know that. You're right, haha, I went to http://www.rackeasy.com/~morgan/../~rackeasy/ and vice versa http://www.rackeasy.com/~rackeasy/../~morgan/ .
    That is a HUGE problem!!! Haha, good thing I have a customized Control Panel for all of my customers.
    Good Luck to you all!
    Last edited by Einewton; 10-26-2002 at 04:39 PM.

  29. #29
    I found one customer had put www.mydomain.com/~hisusername in a search engine listing a few months ago

    I asked the search engine to delete it and they did (which surprised me )

    yellow_belly

  30. #30
    How about some mod_rewrite monkeying? Just rewrite the ~user url to the full-blown domain and have cpanel count it as used bw.

    cheers,
    paul
    * Rusko Enterprises LLC - Upgrade to 100% uptime today!
    * Premium NYC collocation and custom dedicated servers
    call 1-877-MY-RUSKO or paul [at] rusko.us

    dedicated servers, collocation, load balanced and high availability clusters
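
The accounting the thread asks for (charging /~user traffic to the account being accessed rather than to the domain in the URL) can be checked from the access log. The following is an added example, not code from cPanel or from any poster; it assumes a log written with Apache's `%v %h %l %u %t "%r" %>s %b` format, and the domains, account names and log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed layout: LogFormat "%v %h %l %u %t \"%r\" %>s %b"
LINE = re.compile(
    r'^(?P<vhost>\S+) \S+ \S+ \S+ \[[^\]]+\] '
    r'"(?:\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
USERDIR = re.compile(r'^/~(?P<user>[A-Za-z0-9_.-]+)(?:/|$)')

# Constructed mapping of vhost -> owning account (hypothetical names).
OWNERS = {"www.alpha.example": "alpha", "www.beta.example": "beta"}

# Constructed sample log lines.
SAMPLE_LOG = """\
www.alpha.example 192.0.2.10 - - [26/Oct/2002:16:00:01 -0400] "GET /index.html HTTP/1.0" 200 1200
www.alpha.example 192.0.2.11 - - [26/Oct/2002:16:00:05 -0400] "GET /~beta/big.zip HTTP/1.0" 200 500000
www.alpha.example 192.0.2.13 - - [26/Oct/2002:16:00:07 -0400] "GET /%7Ebeta/big.zip HTTP/1.0" 200 500000
www.beta.example 192.0.2.12 - - [26/Oct/2002:16:00:09 -0400] "GET /~beta/page.html HTTP/1.0" 200 800
www.alpha.example 192.0.2.11 - - [26/Oct/2002:16:00:12 -0400] "GET /~beta/missing.zip HTTP/1.0" 404 -
not a log line
"""

def attribute(log_text, owners):
    """Return (bytes per account, list of cross-account /~user hits)."""
    usage = defaultdict(int)
    cross = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines
        size = 0 if m["size"] == "-" else int(m["size"])
        owner = owners.get(m["vhost"], "unknown")
        # %r logs the raw request, so "~" may arrive as "%7E".
        u = USERDIR.match(unquote(m["path"]))
        account = u["user"] if u else owner
        usage[account] += size
        if u and u["user"] != owner:
            cross.append((m["vhost"], u["user"], size))
    return dict(usage), cross

if __name__ == "__main__":
    usage, cross = attribute(SAMPLE_LOG, OWNERS)
    print(usage)
    for vhost, user, size in cross:
        print(f"{vhost} served {size} bytes from ~{user}")
```

The `cross` list is the part worth reviewing on a shared IP: each entry is a request where the domain in the URL belongs to one account and the `~user` directory to another.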
