One problem that companies in the web security space have to deal with is the large volume of inaccurate security advice out there, much of it coming from people you should be able to rely on, including web security companies.
One company that you would hope you could rely on to provide accurate security information is the company behind the widely used cPanel web hosting control panel. That isn’t the case with something we ran across recently.
The answer to a Q&A question, “What is the anonymousfox address on my system?” on their website starts out:
Anonymousfox is a WordPress vulnerability where users are able to exploit vulnerable WordPress plugins to get access to the account’s files on the system. While not an issue with the cPanel software, the attacker can gain access to that particular cPanel account by editing the contact address file and then resetting the account’s password.
It isn’t a great sign that WordPress is miscapitalized there, but the rest of that doesn’t even make sense. If the vulnerability is in a WordPress plugin, then it isn’t a vulnerability in WordPress but in the plugin. Also, what is described there does not sound like a WordPress-specific issue: it sounds like an attacker who gains access to the website can change a cPanel account file, which would not be something specific to WordPress.
Skipping past a paragraph, you see this:
There are excellent forum posts that have additional details you may want to read at the following links:
If you follow that link, you will find a cPanel employee wrote this:
This kind of activity can be achieved by a compromised password, script or plugin used on the site. It isn’t just WordPress related. I would strongly suggest you not only enlist the services of a qualified system administrator to audit your installations and security but you must identify the point of entry or the issue will continue to occur.
If you read through the rest of that page, other people state that they ran into the issue despite not using WordPress, so it is hard to understand how that thread could be cited while the information in it was ignored, leaving the answer incorrect in the way it is.
What seems of more concern is that someone with only access to a website’s files in the cPanel account could edit that file and, by then resetting the password, take over the account, a concern that was raised in comments on that linked page.
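As an added example (it is not cPanel’s code and not part of the original post), here is the kind of check a hosting administrator could run after reading the above: compare each account’s stored contact address against a trusted copy kept outside the account, so that an attacker who has used a vulnerable plugin to rewrite the file is noticed before the password reset goes through. It assumes cPanel keeps that address in a file named .contactemail in the account’s home directory, which the page itself does not state; the accounts it audits are constructed in a temporary directory so it runs offline.

```python
"""Audit cPanel-style per-account contact-address files for tampering.

Added example for this post; it is not cPanel code and not the post author's.
Assumption: cPanel keeps an account's contact address in ~/.contactemail and
uses it as the destination for password-reset mail. The sample accounts below
are constructed in a temporary directory so the script runs offline.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

CONTACT_FILE = ".contactemail"  # assumed cPanel file name, relative to the account home


def read_contact(home: Path) -> Optional[str]:
    """Return the contact address stored for one account, or None if absent."""
    path = home / CONTACT_FILE
    if not path.is_file():
        return None
    return path.read_text(encoding="utf-8", errors="replace").strip()


def audit_account(home: Path, expected: str) -> List[str]:
    """Compare the on-disk contact address with a trusted copy and report problems."""
    findings: List[str] = []
    path = home / CONTACT_FILE
    actual = read_contact(home)
    if actual is None:
        findings.append("contact file missing")
        return findings
    if actual.lower() != expected.lower():
        findings.append(f"contact address changed: expected {expected}, found {actual}")
    mode = path.stat().st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"contact file is group/world writable (mode {stat.S_IMODE(mode):04o})")
    return findings


def audit_all(homes_root: Path, expected: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every account in the trusted list; an empty list means clean."""
    return {acct: audit_account(homes_root / acct, email) for acct, email in expected.items()}


# Trusted copy of each account's contact address, kept outside the accounts (constructed sample).
SAMPLE_EXPECTED = {"alice": "alice@example.com", "bob": "bob@example.com"}


def build_sample_root() -> Path:
    """Create two constructed account homes: alice untouched, bob tampered with."""
    root = Path(tempfile.mkdtemp(prefix="contact-audit-"))
    for acct, email in {"alice": "alice@example.com", "bob": "attacker@example.net"}.items():
        home = root / acct
        home.mkdir()
        (home / CONTACT_FILE).write_text(email + "\n", encoding="utf-8")
    # simulate sloppy permissions left behind by whatever wrote the file
    os.chmod(root / "bob" / CONTACT_FILE, 0o666)
    return root


if __name__ == "__main__":
    results = audit_all(build_sample_root(), SAMPLE_EXPECTED)
    for acct, findings in results.items():
        print(acct, "OK" if not findings else "; ".join(findings))
```

Because the web application normally runs as the same account user that owns the file, a permission check on its own cannot stop the edit (the first commenter below makes the same point about the file being alterable once write access is gained anywhere in the website), so the mismatch against the trusted copy is the finding that matters; the writability check only catches the sloppier cases.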
3 thoughts on “This Doesn’t Inspire Confidence in cPanel’s Understanding and Handling of Security”
I got anonymousfox hacked and also other CMS attacks. Since discovery of the problem I have extensively studied my logs, the constant attacks and structural flaws to website design, starting with the issue that cPanel stores the contactemail (where to send admin password changes) in plain text, along with other critical data that can be altered once write access privileges are gained anywhere in the website. I’ve written about my research here: https://daltrey.org/doti/iagth.html. Until I became aware of the problem, I was completely unaware that my website (which contains very little of value to anyone) is under constant attack 24/7. Attacks come daily from all of the major cloud services and rent-a-VPN networks. My htaccess block list is now HUGE! However, I am now working on a webpage redesign that will only allow public access to a single webpage. In other words, it’s become apparent to me that in the future the default will need to be “block all” and then allow only trusted IPs. The future will require certified, trusted VPNs that block hacking at the source. Presently, only the opposite is true — all VPNs are apparently in the business of providing global conduits for hackers. The closest I can come to that paradigm is to lock down my entire site and allow access only through a single page. I will post at the link I mentioned above the results of my testing of this concept when I see how it works out.
Trying to secure websites by IP-based restrictions is a very bad idea. If the website is properly secured, then a hacker will not be able to gain access no matter what IP address they are using, but hackers can always gain access to additional IP addresses. So if your website has been hacked, you want to figure out how the hacker got in and fix that issue, instead of trying to block IP addresses.
I agree with your reply … and I’m just an amateur. The problem was insecure (and inactive) CMS installs, now removed — but also the cPanel issues that enabled the exploit(s) to change cPanel ownership. Unfortunately, there are a lot of us “amateurs” with $6.99/mo websites using CMS systems provided by our hosting companies — and that provides a target-rich environment for hackers. So, I’ve been collecting information from studying my logs and FWIW have provided it at my site (new URL) https://daltrey.org/content/doti/iagth.html and also http://daltrey.org/content/doti/say_goodbye.html. I have a new issue with cPanel webmail, as bots are accessing fonts and CSS pages in the cPanel webmail system unimpeded. I’m checking with my hosting company as to what this is all about and whether there are any security implications.