CPanel and hosters who use them are in big trouble now; there are millions of servers running them, many of them for decades. Their clients can run code as an user without much sandboxing/guardrails at all.
well, any accounts running outdated workloads (could be anything LAMP-flavored) could be attack vectors, with the entire shared machine possibly compromised by any weak account due to these latest LPEs
these cPanel machines frequently run 4- or low-5-figure quantities of customer accounts, each with potentially multiple domains or CMS deployments, and not always the most technically-engaged customer base, so that's a lot of surface area to account for: how diligent can hosts realistically be about every WordPress plugin, every Drupal or Magento module, and so on?
(nb I don't like shared hosting and am not defending it, just addressing the reality of the long tail)
Wow, similar sentiments about this being a throw back. I’d rather roll my own almost everything these days, may not be as good, but certainly won’t be targeted exploited broadly.
Friendly reminder that there aren't that many ways for a normie to create their own (sub)domain with TLS and an email in under five minutes. That's cPanel for ya.
"AI safeguards" are not working I guess.. or maybe they're only working against those who'd like to secure their software.. good job Anthropic + OpenAI!
The AI safeguards are indeed a joke, you can get around their classifier by simply masking out all the unsafe words and it will happily work on your rootkit.
We've been running Centminmod on our servers for years. Love the software. There is no fancy web UI but it does have CLI menus, etc... so, definitely not for the novice but it's really good at what it does. I'm not affiliated, just a happy customer:
16 comments
[ 2.5 ms ] story [ 47.9 ms ] threadSeeing these CPanel hacks remind me how old these codebases are and how much more vulnerability remain
these cPanel machines frequently run 4- or low-5-figure quantities of customer accounts, each with potentially multiple domains or CMS deployments, and not always the most technically-engaged customer base, so that's a lot of surface area to account for: how diligent can hosts realistically be about every WordPress plugin, every Drupal or Magento module, and so on?
(nb I don't like shared hosting and am not defending it, just addressing the reality of the long tail)
Now there's a name I haven't heard since the 2005 or so era.
How is that thing still around?
Next you're going to tell me people still run phpBB and vBulletin somewhere. And use FileZilla FTP. And manage their database with phpMyAdmin.
Is there any specific LAMP web app(s) that has a very good history of not being hacked?
I can't think of any readily but I imagine someone here knows one or two.
https://centminmod.com/