Your Pants Are Down... And Yes, This Is Going To Hurt

[DeadGuy]

As a courtesy Public Service Announcement... you need to be aware of this, if you have not already read about it. If you don't own a website, disregard this notice.

There have been numerous threads posted on the forum about site hacking, here is one way you can minimize it. Please check your Anonymous FTP settings. Go to your hosting account control panel, look for Anonymous FTP, and turn it off... like now! This is a major security hole and most hosting providers have this enabled by default.

Bluehost and other hosting providers have started issuing warnings about this setting, and it is a change that many simply are not aware of or overlook. Maybe this will help someone out there.

[Lou Diamond]

Hello,
thanks for the heads up, I do not know why this setting is even allowed in this day and age.

[DeadGuy]

There are actually legitimate reasons that someone could use this with their internet business... like allowing their customers to upload things. There are other, much better ways to do that now. But back in the day when the internet was pristine, tecky an honest, who would have thunk?

I agree with you wholeheartedly. The default position should be "OFF", not "ON".

[Joseph Then]

Thanks for the update. Good thing that my host turns it off by default. Whew!

[rosetrees]

Sorry to be thick DeadGuy - can you give me some clues about where to find this in cpanel? Thanks

[DeadGuy]

Quote:

Originally Posted by rosetrees

Sorry to be thick DeadGuy - can you give me some clues about where to find this in cpanel? Thanks

No problem. The Annonymous FTP is usually located in the "Files" section of the cpanel.

[Michael Oksa]

I agree. It should be turned off by default.

If it isn't already, then the host could certainly make it the default.

In other words, the notices they are sending should say something like, "We have just changed all accounts to the off position for anonymous FTP. If you would like to have that feature enabled, you will have to[list of steps]."

At the very least, give a few days notice before the change so those that do use it wouldn't have an interruption of that feature.

All the best,
Michael

[esr]

Thanks for the heads up. I never even thought about this. I just went in to my cpanel and there it was, plain as day, enabled.

If you use Hostgator, as I do, you'll want to check this out immediately.

[DPM70]

I use hostgator and mine was not enabled. Having said that, my sites are less than a year old, so perhaps they have fixed it on newer accounts?

Thanks for the heads up, though!

[Dennis Gaskill]

Good warning. It's the first thing I do when I set up a new account. I don't know why, but every host I've every seen has Anonymous FTP enabled as the default setting. Maybe it's because that's the way Cpanel is configured when they install it, but regardless, it is a setting that needs to be disabled unless you have a good reason to want it.

[rosetrees]

Edited - found it!

If anyone else is still looking - in my cpanel it isn't under files. It's in "ftp manager" - and then "setup anonymous ftp access"

[Crew Chief]

Quote:

Originally Posted by DeadGuy

As a courtesy Public Service Announcement... you need to be aware of this, if you have not already read about it. If you don't own a website, disregard this notice.

There have been numerous threads posted on the forum about site hacking, here is one way you can minimize it. Please check your Anonymous FTP settings. Go to your hosting account control panel, look for Anonymous FTP, and turn it off... like now! This is a major security hole and most hosting providers have this enabled by default.

Bluehost and other hosting providers have started issuing warnings about this setting, and it is a change that many simply are not aware of or overlook. Maybe this will help someone out there.

The only words I can use to describe this type of security breach is eerily dangerous.

@ DeadGuy, you have done more than a public service, you pretty much just saved the arses of a lot of IMers. I only wished that more people would read this thread, comprehend what they are reading and take the corresponding actions.

Quote:

Originally Posted by rosetrees

Sorry to be thick DeadGuy - can you give me some clues about where to find this in cpanel? Thanks

If you have cPanel, look for the "Files" and click on the "Anonymous FTP" ICON and untick the "Anonymous FTP" box and then click "Save"

Quote:

Originally Posted by esr

Thanks for the heads up. I never even thought about this. I just went in to my cpanel and there it was, plain as day, enabled.

If you use Hostgator, as I do, you'll want to check this out immediately.

Hostgators users, there's your warning... JUMP ALL OVER THIS! Don't get caught with your pants down.

[WikiWarrior]

Quote:

Originally Posted by DeadGuy

No problem. The Annonymous FTP is usually located in the "Files" section of the cpanel.

Cpanel must have been updated recently as I don't have a folder called 'File Manager'. I do however have a folder called 'Anonymous FTP' and both tick boxes are unchecked by default; one for access and one for upload.

Thanks for this tip though Deadguy. I bet it has helped many people. I had never even looked in this folder and wouldn't have thought to look even if I saw it.

[WealthCoachPro]

Cpanel

Service Configuration >> FTP Server Configuration

[Ace Of Shirts]

I use HostGator for close to 100 sites. I checked a couple and they were enabled.

Anyone know of a way to change it in all of them at once? Maybe in the WHM?

Thanks,

Dennis

[WritingMadwoman]

WOW - I have to say I have never seen or heard anyone mention this before! Just checked my main host and it's already deactivated, but will check the rest.

Thanks for posting this!

Wendy

[Intrepreneur]

Quote:

Originally Posted by rosetrees

Edited - found it!

If anyone else is still looking - in my cpanel it isn't under files. It's in "ftp manager" - and then "setup anonymous ftp access"

Top tip for finding things on a web page that seem to cheat your eyes.

Press Ctrl + F then search for the word on the page.

[Elle Holder]

Thanks for this!

I checked my HG CP and it wasn't allowed, but I also have an account with A Small Orange, and I did need to change my settings there.

[PaulaC]

My Hostgator account was unchecked so I guess it isn't all Hostgator accounts that have the problem.

[Steven Wagenheim]

Never knew, and mine was checked.

Thanks...We need more of these kinds of threads here.

[rosetrees]

Quote:

Originally Posted by Intrepreneur

Top tip for finding things on a web page that seem to cheat your eyes.

Press Ctrl + F then search for the word on the page.

How would that have helped??? It wasn't under file, which is where I was told to look, it wasn't on the main cpanel page either - I had to open a folder called
ftp manager. What do you suggest I should have searched for and where?

[Sco]

Thank you for the critical tip!

[DeadGuy]

The rape and pillage side of me told me to inform everyone that they needed to turn anonymous ftp on, or to buy my ecourse on "how to protect your website income" (for $497)... but I just couldn't bring myself to do it. Glad to help.

[franamico]

Hey thanks so much! I'm going to do that right away!

[Joseph Then]

For warriors who have over 50+ accounts in one server and have a WHM, here's how you can do it:

Go to WHM: Main >> Service Configuration >> FTP Server Configuration.

[ladyspinner]

WOW! I would have never even thought to change this.

Thanks for the heads up!

[Anthony La Tour]

Great, thank your for the update.

Best Regards,
UFG

[Don Schenk]

Quote:

Originally Posted by Michael Oksa

In other words, the notices they are sending should say something like, "We have just changed all accounts to the off position for anonymous FTP. If you would like to have that feature enabled, you will have to[list of steps]."

At the very least, give a few days notice before the change so those that do use it wouldn't have an interruption of that feature.

All the best,
Michael

That is exactly what bluehost did. They explained the security problem and said that on a certain date they will turn it off.

:-Don

[paolo83]

Dude, thanx for that!

i had a look to my hostgator cpanel and the thing was enabled...the site less than six months old so who knows how they setup things there, scary stuff.

You Rock!

[Long Beach Nathan]

Thanks, I should have thought about this, but would have guess that it was off anyways. Yep, it was on. I shut it off. Appreciated.

[bydomino]

What a great post!!! I manage over 1000 domains and I have seen non anonymous FTP get hacked. This is because when you authenticate on FTP your user name and password is sent plain text. The easy answer to this is sFTP or FTP over port 22. the "s" mean secure. This is not always available but if you have WHM and can SSH to your server then you can run sFTP and I recommend that you use it. Filezilla is a good free FTP app that supports sFTP

In many hosting environment you cannot run sFTP so this whole text user and password can be an issue. You can follow some simple rules

1) make difficult passwords
2) change them often

I hope this helps

[All Night Cafe]

I just checked and mine was checked. I just
disabled it. Thanks for the heads up.

[Laura B]

I can't thank you enough for posting this. I have had 5 sites on Host Gator hacked (3 just today), and now I know the likely reason why.

Quote:

Originally Posted by Joseph Then

For warriors who have over 50+ accounts in one server and have a WHM, here's how you can do it:

Go to WHM: Main >> Service Configuration >> FTP Server Configuration.

I can't find this in my WHM, although I have fewer than 50 accounts, but enough that I don't want to do them one by one.

[dave147]

Quote:

Originally Posted by DeadGuy

As a courtesy Public Service Announcement... you need to be aware of this, if you have not already read about it. If you don't own a website, disregard this notice.

There have been numerous threads posted on the forum about site hacking, here is one way you can minimize it. Please check your Anonymous FTP settings. Go to your hosting account control panel, look for Anonymous FTP, and turn it off... like now! This is a major security hole and most hosting providers have this enabled by default.

Bluehost and other hosting providers have started issuing warnings about this setting, and it is a change that many simply are not aware of or overlook. Maybe this will help someone out there.

Thanks for sharing this info.

Quote:

Originally Posted by Steven Wagenheim

Never knew, and mine was checked.

Thanks...We need more of these kinds of threads here.

Yes there should be more like it

[Barbara Eyre]

Same here, the WHM [for my reseller account] -> Service Configuration -> FTP Server Configuration doesn't exist. Other than giving number to how many FTP accounts each package you set up can have, there is no other mention of FTP at all in my WHM.

Now where do I look?

Quote:

Originally Posted by Laura B

I can't thank you enough for posting this. I have had 5 sites on Host Gator hacked (3 just today), and now I know the likely reason why.

I can't find this in my WHM, although I have fewer than 50 accounts, but enough that I don't want to do them one by one.

[Joseph Then]

Quote:

Originally Posted by Barbara Eyre

Same here, the WHM [for my reseller account] -> Service Configuration -> FTP Server Configuration doesn't exist. Other than giving number to how many FTP accounts each package you set up can have, there is no other mention of FTP at all in my WHM.

Now where do I look?

Another easy way for you: Send a support ticket to your hosting support and tell them to disable anonymous FTP and set it to default for all your account/server.

[Biggy Fat]

I don't even see the following:

Quote:

Edited - found it!

If anyone else is still looking - in my cpanel it isn't under files. It's in "ftp manager" - and then "setup anonymous ftp access"

Quote:

WHM: Main >> Service Configuration >> FTP Server Configuration.

I do, however, see an anonymous FTP option under files, and both boxes were unchecked. Am I good? Great tip nonetheless.

[SusanneUK]

Anyone else using Hostgator Reseller manage to do this from the WHM yet?

I can't see where it is and looked all over - when I go to "Server Configuration" all I have as the next choice is "Basic Cpanel/WHM SetUp" and nothing else?

Any help appreciated,
Sue

[SusanneUK]

I had to get hold of HG Support in the end to put my mind at rest, these are the two relevent responses that apply to anyone with reseller hosting:

1st one:

Anonymous FTP is disabled on all of our shared and reseller servers by default, if someone connects anonymously, it will default them to a folder on the server that has no write, or execute perms. Unless you have specifically set it enabled.
Let us know if you have any questions.

2nd one because I did have a question:

Sorry for the confusion - it's technically 'enabled', but it's crippled to the point that it's disabled. Specifically, it's 'enabled' in that someone can FTP to the account anonymously, but it's disabled as in that's all they can do.

If I were to FTP to their account, I'd be put in one directory(public_ftp), and not have the ability to upload any files, nor navigate outside of that directory. I'm essentially jailed to that location. Should something be placed in public_ftp, I'd have the ability to download it, but that's it. So, it's 'enabled', but effectively 'disabled'.

Let us know if you have any other questions, and we'll be happy to help.
Cordially..

Hope that puts people's mind at rest on some areas of this.

Sue

[Bicycle Cat]

Good thing my hosting provider disables this by default!

[Sandor Verebi]

Hi Deadguy,

Thank you for your heads up, this is a very important and useful message.

People (including myself, too) may overlook such things oftentimes. Then we doesn't take it why we had a problem... LOL

Have a nice day,

Sandor
___________________
- nothing to sell now -

[Groovystar]

My host has anon FTP disabled by default. You actually have to pay to have it switched on. I would think most hosts disable it these days.

[Pierre!]

I took a look... and there was no Anonymous FTP icon!

Checked with the tech staff, and Jeff already has it *unavailable* over at ChrisFarrellMembership...

Jeff and his staff *ROCK* !

They spoil us over there...

L8ter...

[bobsstuff]

Thanks for the heads up.
I unchecked my Hostgator domains.
I could not find any settings at GoDaddy or 1and1.
Anyone have any ideas where the settings are on those other hosts?