Does Webhosting Buzz Allow Unauthorized FTP Access?

**Colin** · 04-23-2009, 01:40 PM

If so, then good, however, I had that feature disabled on a previous version of cPanel, seems one of the recent upgrades may have enabled it. And having it enabled, if the WHB global, err, barfs, and switches to enabled, means that every website which it is still enabled becomes vulnerable.

**Maxim M.** · 04-24-2009, 09:59 AM

Anonymous FTP access is disabled on all our shared servers by default. Moreover, it cannot be enabled in cPanel.

**Alan B** · 04-24-2009, 10:01 AM

Good, that's what I thought. Thanks for that confirmation, Maxim.

It seems that the original poster's problem with unathorized access to his account was caused by someone obtaining his passwords, not by a flaw in cPanel.

**Keith** · 04-28-2009, 10:45 PM

Originally Posted by Colin

Make sure this:
Allow anonymous access to ftp://ftp.yourdomain.com
Is not enabled under cPanel's Anonymous FTP Controls

Just now read this. It WAS enabled in my cpanel. I unchecked it. That must be a default setting.

**Keith** · 04-28-2009, 10:46 PM

Alsio I found this thread that is definitely of interest to everyone....

http://www.webdeveloper.com/forum/sh....php?p=1001327

**Keith** · 04-28-2009, 10:59 PM

I checked several other accounts I host for allowing anonymous access. Several were enabled but not all of them. I changed them to unallowed.

**Alan B** · 04-29-2009, 10:06 AM

It's good to uncheck that option, however: anonymous FTP is disabled on all servers by WHB. That default is done at a "higher level" than your individual cPanel setting.

Your problem was not caused by anonymous FTP. Somehow your passwords were used. The fact that the unauthorized access stopped as soon as you changed your passwords seems to confirm that.

**Keith** · 04-29-2009, 06:21 PM

Originally Posted by Alan B

It's good to uncheck that option, however: anonymous FTP is disabled on all servers by WHB. That default is done at a "higher level" than your individual cPanel setting.

Your problem was not caused by anonymous FTP. Somehow your passwords were used. The fact that the unauthorized access stopped as soon as you changed your passwords seems to confirm that.

That is good to know and I hope you are right because that is under the users control. Is there a way to change the ftp account username as well if necessary?

Also do you have a suggestion for a good password generating program? I know there is one within webhost as well but I'm not sure that it is even secure enough.

It's interesting that Yahoo is carrying an article on web security today that speaks to hacked passwords. http://tech.yahoo.com/blogs/null/141067

**Alan B** · 04-29-2009, 06:27 PM

You should use a long password containing a mix of upper- and lower-case letters, numbers and special characters such as #, *, ~, ?, -, etc. There likely are password-generating tools available on-line if you search.

**Anna M.** · 04-29-2009, 06:55 PM

2Keith

There is no way to change usernames for additional ftp accounts
You can only delete one and create another
As for main ftp, which username matches cpanel login, we can change it for you.
To do that you need to submit a ticket to our tech dept at whbsupport.com
But in fact complicated password which can't be fetched through your computer is enough to provide your account security

**Tony** · 04-29-2009, 07:51 PM

I wonder what the current maximum length of an FTP password is on these servers? Yes, these are easily generated and stored (and never typed!) by an app like Roboform.

**Alan B** · 04-29-2009, 08:10 PM

Most FTP clients will store the passwords if desired, without need of a separate app like Roboform.

**Anna M.** · 04-29-2009, 08:18 PM

generally, a password utilizing at least 8 characters including alphanumeric and grammatical symbols is sufficient.
but you may try more if you find it necessary

**Keith** · 04-29-2009, 09:54 PM

I reset all of mine using the Web Host Manager's password generating tool. I set it to 15 characters. I think that will do it! Thanks again for all of your help and sorry to be such a pain.

**Anna M.** · 04-29-2009, 10:00 PM

no problem =)

**Tony** · 04-30-2009, 01:49 PM

Originally Posted by Alan B

Most FTP clients will store the passwords if desired, without need of a separate app like Roboform.

This might be safe on your personal computer - I do it myself at home. However, when logging in from elsewhere, I allow no passwords to be stored locally, and instead use Portable Roboform on my flash drive.

8 characters is a fairly weak password these days. even my home network uses what - 64? But 256 is more reasonable.

Maybe the lesson we'd be good to take away from this thread is that we should now STOP storing these ftp passwords locally.

**Maxim M.** · 05-01-2009, 09:35 AM

There exist plenty of viruses (such as trojans for example) that could find passwords stored locally and send them via the Net.
I hope everyone has antiviral software installed and keeps its database updated.
Nevertheless we can't feel absolutely secure.
Hope I don't seem paranoiac

Thread: Does Webhosting Buzz Allow Unauthorized FTP Access?

LinkBack

Thread Tools

Display

Posting Permissions