The other day we were engaged to work on a dedicated box that had WHM & cPanel installed on it. The box had been compromised and it was our job to plug the holes and clean up the box. While it is well know that cPanel is a hugely popular website administration package my experience with cPanel has been somewhat limited because we work from the command line most of the time and have no real reason to use cPanel.
Facts we knew before taking on this project:
Box is a dedicated box set up as a standard LAMP server.
Box is hosted with a reputable host with fantastic and fanatical technical support.
Customer has one or more web sites compromised.
Customer has over 700 Top Level Domains on box.
Customer has CPanel and WHM (Web Hosting Manager) on the box.
A majority of the websites on the box are “Wordpress” blog, shopping carts and low “dynamic” sites.
We dug into the box we noticed there were several Top Level Domains TLDs set up in the home/ directory – nothing out of the ordinary here. But – under the home/public_html/ directories of the TLDs we found literally hundreds of other TLDs each with their own respective “web directories” and their own /public_html/ directories – now this was unusual for sure.
A quick call to the customer and he says “oh yea, that’s how multiple domain accounts are set up on the server, they are added to the server as “addon” domains go to cPanel “help” and they tell you all about it.”
Thinking this was a really goofy way of setting up web sites we immediately felt this whole “website inside a website” situation might be one reason this server became compromised in the first place. We had to educate ourselves about cPanel and their whole “addon” domain feature.
From the start we had feelings this whole “addon” domain scenario had to be a huge security risk.
A few “Google” searches and phone calls to other system administrators painted a clear picture that indeed this whole cPanel “addon” domain feature is a HUGE security risk.
cPanel and WHM are proprietary server/website administration tools and as such are paid for solutions. Generally a host will provide cPanel with shared hosting account at little or no cost to the customer. Reseller accounts and dedicated servers will usually offer the WHM option to administer the server and cPanel to administer the individual domains. Resellers might find that the WHM option is an additional cost but dedicated servers will generally include the WHM bundled into the overall monthly hosting fee.
OK back to the “Shared,” hosting accounts with cPanel, many times people will purchase individual hosting accounts with a cPanel and will then either set themselves up as a “reseller” or offer the account for sale as a “reseller,” account. cPanel was never intended to be a “reseller” account administration tool but because of the “addon” domain feature many people gloom onto these type of accounts and try to use them as resellers accounts or sell them as such.
Anytime you see hosting offered with “unlimited accounts” and/or “unlimited bandwidth” you have to stop and ask yourself – is this too good to be true? eBay and the Internet abound with slick propaganda type advertising promising “unlimited” hosting accounts on a non-dedicated server for next to nothing in price.
In short – if you have to ask…
then you need to proceed on with the task below illustrated in the photo.
Please do us all a favor and stick the knife right on in the outlet.
(Just kidding)
Yes, unlimited accounts and/or unlimited bandwidth is too good to be true.
Many times these offerings of unlimited hosting accounts are nothing more than a hosting account on a shared server that has cPanel and the seller tells you that using the “addon” domain option is the way to set up your “unlimited accounts.”
The whole cPanel “addon,” domain option in our humble opinion should be scrapped. What the “addon” domain option does is allows the account holder to set up a Top Level Domain (TLD) and then create individual additional TLDs inside of the first TLD.
While this concept might make sense from an organizational standpoint, it creates a huge security risk for the TLD and all the “addon” domains.
One not accustomed to how a LAMP server works might think it was easier to group “like” domains for administration purposes not realizing the security risks.
If you set up three TLDs; 1)Beer.com 2)Cheese.com and 3)Bread.com
Then took all your other TLDs and put them under the “master” TLD as “addons” it might look like this.
Beer.com Cheese.com Bread.com
Ale.com Swiss.com Cornbread.com
Light.com Cheddar.com White.com
Dark.com Japoleno.com Wheat.com
The path of the beer.com website might be /home/beer/public_html/
In this example the path of the “addon” domains would look something like this…
ale.com would be /home/beer/public_html/ale/public_html
light.com would be /home/beer/public_html/light/public_html
dark.com would be /home/beer/public_html/dark/public_html
cheese.com would be /home/cheese/public_html/
swiss.com would be /home/cheese/public_html/swiss/public_html
and so on and on…
For brevity sake and the rest of this document we will deal only with the TLD of beer.com
Anyone security minded would notice the inherent flaw with the above outlined structure, which is EVERYTHING contained in the /public_html/ of the Top Level Domain of beer.com is exposed to the Internet.
ANYTHING inside of the public_html/ folder is exposed to the public and Internet – hence the directory name of public_html/. Because of the nature of the /public_html/ directory anyone can traverse the entire contents once inside of the first TLD.
If the TLD of beer.com or ANY other “addon” TLD under beer.com is compromised then all the other TLDs of light.com, dark.com and ale.com are also subject to compromise.
The above scenario is exactly what we found when we got inside this clients box. The client had started out on a “shared” server with cPanel and was instructed to set up his additional “addon” TLDs under the primary TLD for the cPanel; then not knowing any better the customer continued this practice for years until he moved to a dedicated server as his business grew.
Upon moving to the dedicated server the customer did not know any better so he just used the WHM as an organization tool to set up the Primary TLDs and then populated all his other TLDs as “addon” domains under subject specific Primary TLDs.
This particular customer had set up their box with 5 “primary”, top level domains and 700 other TLDs set up as “addon” domains.
1.com – 100 “addon” domains
2.com – 65 “addon” domains
3.com – 90 “addon” domains
4.com – 223 “addon” domains
5.com – 222 “addon” domains
When we examined the box we found that 1.com and all 100 “addon” domains were compromised along with 3.com and its 90 “addon” domains, as well as a hand full of “addon” domains under other “primary” TLDs.
If one has availability of WHM it makes no sense to use “addon” domains via cPanel. Take the time and set up individual TLDs using WHM – your box will be much more secure and you will not risk all your intellectual property by putting all your eggs in one basket.
In this posting we will not discuss the SEO and DNS issues associated with “addon” domains but if you Google “cPanel addon domains seo” you can find enough information on the subject to keep you reading for the next year or so.
To be blunt – if anyone uses the “addon” domain option for hosting serious websites in production environments then we don’t really care if you have good SEO or not because the whole “addon,” domain philosophy is probably how you run your entire operation and we hope you do not get more exposure.
It is only logical thought that if you put TLD home directories of TLD domains within the public_html of a “primary” TLD then you are basically creating an umbrella effect. The apex of umbrella is the “primary” TLD and all the “addon” TLD’s are children under the umbrella of the “primary”.
cPanel is a mature package that has a long standing reputation of being one of the top tier website administration packages on the market and the concept of the “addon” domain option is easy to envision but in practical use, “addon” domains are a security risk to the entire security of the box.
Save yourself some headaches and trouble, do not allow “addon” domains to be part of your hosting services.