Wednesday, January 30, 2008

IX webhosting: the default backdoor

IX webhosting offers a very solid product for a reasonable price. Using cPanel, it allows easy administration of services and domains. You can choose between Linux or Windows hosting, and with a single click you can quickly install many of the available web applications. In the first days I was very happy that, after countless manual installations of applications on the university servers, I no longer needed to care about mail and MySQL servers.

However, the answer to my first bug report was interesting:

Question:

" - Using phpshell and running the chsh program on the server side, users are able to change their default shell from /bin/nologin to any other shell and get access to the IX servers by ssh.

I hope you will not understand my effort to inform you about the flaw as malicious activity. "

The answer:

" - Although pointing out that minor security flaw wasn't viewed as malicious activity, please understand that any other attempts to hack into our system will be viewed as such, and they will be treated according to our policies. Thank you very much for understanding."

Nothing serious, and not interesting enough to publish on a blog. The bug was fixed, and someone in the deep universe realized that pam.d in the /etc directory is not short for PAMpers Discount.

Today I reported my second bug:

The default installation of IX's "click and install" e-commerce software allows read and write access to the user's directory to anyone on the internet. You probably have a lot of affected users.

No state-of-the-art hacking needed: there is a nice PHP admin interface without a password. OK, I know what you are thinking: you would notice at the first login that nobody asked for your admin password. The trap is that the admin interface is linked only from cPanel, and when you access it that way you get the feeling that password authentication is missing because the authentication is derived from your cPanel access (as with many other applications and settings in cPanel). As a result, a hacker can easily upload a malicious PHP file and execute some nice exec() calls affecting the rest of your domains hosted by IX webhosting.

The response of the hosting service was simple, showing signs of a deep philosophical understanding of the basic forces governing the universe:

"If you don't like it, don't use our Easy Install products."

and a few more words to the effect that they will not change the security policy.

....end of discussion....

Conclusion:
If you are using the osCommerce product at IX webhosting, check whether you are able to log in without a password at www.your_domain.com/admin and, if necessary, secure your site by setting up a .htpasswd file (google for a how-to).

1 comment:

Maria said...

Like IX Web Hosting special offers...