CPanel's Black Week: 3 New Vulnerabilities Patched After Attack on 44k Servers (copahost.com)

131 points by ggallas 19 hours ago

65 comments:

by zuzululu 18 hours ago

Ages ago I used php-nuke to manage my forum and it got hacked, and I thought it would get taken seriously.

Seeing these CPanel hacks reminds me how old these codebases are and how many more vulnerabilities remain.

by bouncycastle 4 hours ago

Cpanel is Perl, not PHP. Probably the grayest of the gray beards. Perhaps not enough Perl Wizards left to maintain it nowadays.

by doublerabbit 12 hours ago

Php-nuke was the hacking testing ground. Nuke was atrocious for exploitation.

by jszymborski 11 hours ago

I was thinking about php-nuke a while back and its terrible security rep. I figured it was just the regular PHP foot guns of the era, but I took a look at the code recently and boy howdy, that was some truly atrocious code. I'm not a security person (although perhaps security minded) and I found a million problems after a cursory glance.

by dainiusse 18 hours ago

I don't agree that "old" necessarily implies vulnerability.

by pixl97 17 hours ago

I mostly disagree on your disagreement unless the entire project was based on top security practices and good code in the first place. The vast majority of these web panels are a security nightmare.

by omnimus 17 hours ago

These PHP systems, be it cPanel, WordPress or PHP itself, are most likely the biggest target besides Windows. It's an incredibly uncool stack, especially here, but it is running most of the "independent" small web.

They cannot be that bad if they are managing to be the duct tape of the internet.

by Meekro 16 hours ago

I've done PHP development for over 20 years, including some pretty large projects. I've never had a situation where a security flaw in PHP itself forced me to scramble to patch something before it got hacked.

On the other hand, for my Linux servers, I had to do that twice in the last month with CopyFail and DirtyFrag.

by diek 13 hours ago

CVE-2021-21703 [0] is a similar class of bug in the PHP interpreter itself that was pretty recent

https://www.sentinelone.com/vulnerability-database/cve-2021-...

by ipaddr 12 hours ago

This is not a PHP language interpreter bug; this is a PHP-FPM bug.

by diek 10 hours ago

That's a fair point, using 'interpreter' specifically was imprecise language on my part. My main point was php-fpm is developed by the core PHP team and is often the default in how PHP projects deploy these days, and that CVE was very similar to the recent 'fail' LPE vulnerabilities in the kernel.

by dylan604 15 hours ago

Every time I venture into the web server's error log, I see all of the skiddies' attempts at accessing the most common things, most of them being .php files. Lots of /wp/admin.php and /phpadmin/ type requests. Of course, none of those are available, which is why the requests are in the error log. I've never paid attention, but I wonder how long (as in how little time) it takes for a new server to come online before it starts to get probed by a skiddie. Whether they are just war dialing IPs or paying attention to new domain announcements, I'd put it at a few hours tops.
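As an added example (not code from the thread), one way to turn the error-log noise described above into a detection signal: parse the default nginx error-log format for "No such file" entries, match the requested paths against typical scanner targets, and flag clients that probe several distinct ones. The log lines, client IPs and probe patterns are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed nginx error-log lines in the default format (sample data, not real traffic).
SAMPLE_ERROR_LOG = """\
2024/05/01 10:00:01 [error] 811#811: *1 open() "/var/www/html/wp/admin.php" failed (2: No such file or directory), client: 203.0.113.5, server: example.com, request: "GET /wp/admin.php HTTP/1.1", host: "example.com"
2024/05/01 10:00:02 [error] 811#811: *2 open() "/var/www/html/phpmyadmin/index.php" failed (2: No such file or directory), client: 203.0.113.5, server: example.com, request: "GET /phpmyadmin/index.php HTTP/1.1", host: "example.com"
2024/05/01 10:00:03 [error] 811#811: *3 open() "/var/www/html/.env" failed (2: No such file or directory), client: 203.0.113.5, server: example.com, request: "GET /.env HTTP/1.1", host: "example.com"
2024/05/01 10:00:09 [error] 811#811: *4 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.7, server: example.com, request: "GET /favicon.ico HTTP/1.1", host: "example.com"
"""

# Default nginx error-log line; we only need the client IP and the requested path.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] .*?failed \(2: No such file or directory\)'
    r'.*?client: (?P<client>[^,]+), .*?request: "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)

# Paths a scanner typically asks for (assumed list): .php files and admin panels, as the comment notes.
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\.php$", r"^/wp-", r"^/wp/", r"/phpmyadmin", r"/phpadmin", r"^/\.env$", r"^/\.git",
    )
]

def parse_error_log(text):
    """Yield (client_ip, path) for each 'No such file or directory' entry."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), m.group("path")

def is_probe(path):
    """True if the path looks like a scanner target rather than an ordinary 404."""
    return any(p.search(path) for p in PROBE_PATTERNS)

def find_scanners(text, threshold=2):
    """Return {client_ip: sorted probe paths} for clients hitting >= threshold distinct probe paths."""
    hits = defaultdict(set)
    for client, path in parse_error_log(text):
        if is_probe(path):
            hits[client].add(path)
    return {c: sorted(p) for c, p in hits.items() if len(p) >= threshold}

if __name__ == "__main__":
    for client, paths in find_scanners(SAMPLE_ERROR_LOG).items():
        print(f"{client}: {len(paths)} probe paths -> {', '.join(paths)}")
```

The threshold keeps a single stray 404 (like the favicon request) from being flagged; the output is a candidate list for rate-limiting or blocking, not proof of intent.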

by hamburglar 15 hours ago

Dismissing these as script kiddie attempts is no longer correct. This is a real industry now. It’s not like the large scale actors are going to pass up a valid unpatched vector just because it’s old hat.

by nubinetwork 8 hours ago

They're skiddies if they're trying WordPress attacks on domains that have never hosted anything remotely close to a CMS before...

by dylan604 14 hours ago

Yes, but how often otherwise would I get to use the word skiddie?

by rstupek 13 hours ago

If you get a Let's Encrypt certificate it will get probed within a minute.

by jmb99 10 hours ago

I’ve tested this recently (this past week). Had a DNS entry up and pointing to an nginx server for ~12 hours, zero requests. 17 seconds after the Let's Encrypt cert was issued, the floodgates opened. Over a dozen requests per second.

by walrus01 9 hours ago

I don't think it's necessarily specific to LE but rather to public certificate transparency logs. LE being free and easy to automate means it's very widely used these days, but if you theoretically go to a "pay" root CA and get a cert that covers thing.com and www.thing.com, the same probing will happen on the same time scale.

by doublerabbit 12 hours ago

22 minutes. I got my new ISP with fibre. Placed my web server online. 22 minutes later my honeypot got stung.

by hvb2 17 hours ago

> They cannot be that bad if they are managing to be the duct tape of the internet.

I think there are just a whole lot of tools written for them. So non devs can spin things up and click some things together.

Is that safe and secure? Maybe, if the devs did their work well. But I'm positive no one reads the docs on how to configure something securely.

I think the real reason is that it's very cheap to host, and always has been.

by ChocolateGod 17 hours ago

cPanel is Perl.

by robocat 15 hours ago

Yes. Perl for core backend logic, automation, legacy systems, APIs. Some other languages used for bits and pieces.

https://api.docs.cpanel.net/guides/guide-to-perl

by anamexis 17 hours ago

How does that follow?

by cinntaile 17 hours ago

They have a big target on their back so the low hanging fruit is (mostly) gone.

by bsder 12 hours ago

> They cannot be that bad if they are managing to be the duct tape of the internet.

Oh, it very much can be that bad. Most "security" relies on the Hungry Tiger Theory of Security(tm).

My system doesn't need to be "secure". My system simply needs to be more secure than yours. As long as there is an easier and/or more valuable target somewhere, I'm "secure". I don't need to outrun the hungry tiger; I only need to outrun you outrunning the hungry tiger.

That theory, of course, doesn't hold anymore when there are enough tigers to simply eat everybody. And that's what AI did; it multiplied the tigers enough that they can just gorge on everything.

Now, people are going to have to put in "actual security" or lose real money over and over and over. And since everybody has outsourced everything, nobody knows how to fix it quickly. The lawyers are going to have a field day.

At the end, however, we'll have real security on our internet facing systems. But man, it's going to be painful for a while.

by tclancy 14 hours ago

As a coder who just hit 50, trust me, it does.

by anonzzzies 18 hours ago

CPanel and hosters who use them are in big trouble now; there are millions of servers running them, many of them for decades. Their clients can run code as a user without much sandboxing/guardrails at all.

by rurban 15 hours ago

But those are updated automatically. It's unlike Windows or Linux, where the user decides when to update. cPanel updates are decided by cPanel.

by breakingcups 18 hours ago

Such a different era.

by omnimus 17 hours ago

If you look at the usage numbers, you could argue we are still in that era.

by addedGone 17 hours ago

I miss this era; we overcomplicated everything.

by sourcecodeplz 3 hours ago

Not all web hosting companies are using cPanel. cPanel increased their prices exponentially in the last few years.

by josu 14 hours ago

So CPanel's security is just as bad as their UI, who would have thought?

by lofaszvanitt 9 hours ago

Yeah, it always was a dumpster fire.

by eagerpace 16 hours ago

Wow, similar sentiments about this being a throwback. I’d rather roll my own almost everything these days; it may not be as good, but it certainly won’t be targeted and exploited broadly.

by hackthemack 16 hours ago

Many years ago. Maybe 2005 to 2015? I had a friend who used cPanel to run a web hosting company. He made quite a bit of money doing that. He was not a programmer, but he could set up WordPress and install plugins. I remember asking him once if he was worried he would get hacked and then lose control of his servers? Lose his customers?

He said he was worried, but he had backups upon backups. I saw him restore a bunch of websites once, using cPanel, and I thought it was an amazing little bit of software with all of the click-a-button setup for many different things (like a WAF). A real time saver, and it provides some guidance if you are not a unix-internet guru.

by 0xbadcafebee 11 hours ago

44,000 servers compromised? Sounds like somebody could've used a software building code.

by rickdg 15 hours ago

Friendly reminder that there aren't that many ways for a normie to create their own (sub)domain with TLS and an email in under five minutes. That's cPanel for ya.

by walrus01 15 hours ago

The alternatives to cPanel would mostly be all-in-one hosting providers like 'squarespace' or similar, which have rolled their own web GUI to automate a basic normie workflow of domain registration, putting basic DNS records in a zone, hosting the DNS, getting TLS certs, and putting basic content on an httpd. It's interesting to see the "set up your small business website now!" advertising to totally non-technical people.

by sgammon 14 hours ago

Yes, there are many ways to do that now, in under 5 minutes. Cloudflare will set all of that up just fine. GSuite is much easier to set up than CPanel.

by burnt-resistor 4 hours ago

Most LAMP FOSS web apps have a long history of being hacked.

Is there any specific LAMP web app(s) that has a very good history of not being hacked?

I can't think of any readily but I imagine someone here knows one or two.

by iamacyborg 4 hours ago

MediaWiki seems pretty solid on that front in my 10+ years of running and using it.

by operatingthetan 18 hours ago

People are still using cpanel?

by kiritanpo 18 hours ago

Most shared hosting plans use cPanel. It's still widely used, yes, for a lot of smaller websites.

by dawnerd 17 hours ago

And even if it doesn’t look like it, chances are it still is, with a fancier UI on top.

by ilia-a 17 hours ago

I wonder how much shared hosting there really is left; I imagine much of it moved to VPS or cheap cloud boxes.

by omnimus 17 hours ago

I highly doubt that. It's a giant market, and with these custom small sites made by third parties you actually want to have client-owned hosting and third parties who deploy to that hosting. Clients have learned to separate these; otherwise the third party can have huge leverage (your business and all data is ours).

by walrus01 16 hours ago

There's still a very big market of people for whom being given a VPS with ssh access and a command line is beyond their technical capability or comfort level.

Ever seen the upsell offers in the check-out workflow for hosting packages that come when you buy a new .com domain from any major registrar? All those are shared hosting packages where everything is done through some sort of web gui.

by duskwuff 10 hours ago

I'm especially curious how much small-scale shared hosting is left. The big companies like EIG are certainly still around, but the little one-off hosting companies are much less common.

by smallerize 11 hours ago

But you have to keep a VPS updated yourself, right? A hosted site doesn't require any action from the customer to stay up to date.

by xp84 18 hours ago

There are a lot of things that have been up for decades. The ROI on moving a simple PHP or static website to new hosting situation hasn’t been that compelling… though that could change. Thing is, I suspect most users of shared hosting which is Cpanel’s bread and butter are not reading the latest cybersecurity news.

by TZubiri 17 hours ago

The ROI has just increased by like 10x or 100x this week.

by ramesh31 18 hours ago

CPanel on shared hosting running WordPress PHP is literally half of the entire internet still.

by whatsupdog 18 hours ago

Half of the entire internet is Meta properties.

by fmbb 18 hours ago

That’s the other half.

Coincidentally also PHP.

by Shish2k 17 hours ago

Facebook started out PHP; but they ship-of-theseus'ed it into Hack by replacing the standard library, the language, and the runtime engine, so now it's a totally different thing with only a few superficial similarities (FWIW IMO Hack is much better than PHP, I'm sad that it never gained traction...)

by ceejayoz 16 hours ago

Much of what was good in Hack just got rolled into PHP.

by walrus01 16 hours ago

And if it's not cpanel, it's Plesk

by throwawaytea 14 hours ago

I run an entire saas that 36 companies pay for, built in PHP, and I drag and drop the files to the server via cpanel.

by zb3 15 hours ago

"AI safeguards" are not working I guess.. or maybe they're only working against those who'd like to secure their software.. good job Anthropic + OpenAI!

by himata4113 7 hours ago

The AI safeguards are indeed a joke; you can get around their classifier by simply masking out all the unsafe words and it will happily work on your rootkit.

by echelon 7 hours ago

> CPanel

Now there's a name I haven't heard since the 2005 or so era.

How is that thing still around?

Next you're going to tell me people still run phpBB and vBulletin somewhere. And use FileZilla FTP. And manage their database with phpMyAdmin.

by whyoh 2 hours ago

Why, is there a better alternative to the PHP-based forums? (I tried Discourse and it sucks.)

by vachina 6 hours ago

Nothing wrong with those stacks. They’re akin to assembly language for the backend. Nitty gritty but super close to the metal.

by burnt-resistor 4 hours ago

PHP (apart from the Hack offshoot) isn't a compiled language, so it's nowhere "close" to anything.

LAMP apps are frequently mentioned in RCE CVEs.

Data from: Hacker News, provided by Hacker News (unofficial) API