Your Pants Are Down... And Yes, This Is Going To Hurt

43 replies
As a courtesy Public Service Announcement... you need to be aware of this, if you have not already read about it. If you don't own a website, disregard this notice.

There have been numerous threads posted on the forum about site hacking, here is one way you can minimize it. Please check your Anonymous FTP settings. Go to your hosting account control panel, look for Anonymous FTP, and turn it off... like now! This is a major security hole and most hosting providers have this enabled by default.

Bluehost and other hosting providers have started issuing warnings about this setting, and it is a change that many simply are not aware of or overlook. Maybe this will help someone out there.
  • Profile picture of the author Lou Diamond
    Hello,
    thanks for the heads up, I do not know why this setting is even allowed in this day and age.
    • Profile picture of the author DeadGuy
      There are actually legitimate reasons that someone could use this with their internet business... like allowing their customers to upload things. There are other, much better ways to do that now. But back in the day when the internet was pristine, techy and honest, who would have thunk?

      I agree with you wholeheartedly. The default position should be "OFF", not "ON".
  • Profile picture of the author Joseph Then
    Thanks for the update. Good thing that my host turns it off by default. Whew!
  • Profile picture of the author rosetrees
    Sorry to be thick DeadGuy - can you give me some clues about where to find this in cpanel? Thanks
    • Profile picture of the author DeadGuy
      Originally Posted by rosetrees View Post

      Sorry to be thick DeadGuy - can you give me some clues about where to find this in cpanel? Thanks
      No problem. The Anonymous FTP is usually located in the "Files" section of the cpanel.
      • Profile picture of the author rosetrees
        Edited - found it!

        If anyone else is still looking - in my cpanel it isn't under files. It's in "ftp manager" - and then "setup anonymous ftp access"
        • Profile picture of the author Intrepreneur
          Originally Posted by rosetrees View Post

          Edited - found it!

          If anyone else is still looking - in my cpanel it isn't under files. It's in "ftp manager" - and then "setup anonymous ftp access"
          Top tip for finding things on a web page that seem to cheat your eyes.

          Press Ctrl + F then search for the word on the page.
          • Profile picture of the author Elle Holder
            Thanks for this!

            I checked my HG CP and it wasn't allowed, but I also have an account with A Small Orange, and I did need to change my settings there.
          • Profile picture of the author rosetrees
            Originally Posted by Intrepreneur View Post

            Top tip for finding things on a web page that seem to cheat your eyes.

            Press Ctrl + F then search for the word on the page.
            How would that have helped??? It wasn't under file, which is where I was told to look, it wasn't on the main cpanel page either - I had to open a folder called ftp manager. What do you suggest I should have searched for and where?
      • Profile picture of the author WikiWarrior
        Originally Posted by DeadGuy View Post

        No problem. The Anonymous FTP is usually located in the "Files" section of the cpanel.
        Cpanel must have been updated recently as I don't have a folder called 'File Manager'. I do however have a folder called 'Anonymous FTP' and both tick boxes are unchecked by default; one for access and one for upload.

        Thanks for this tip though Deadguy. I bet it has helped many people. I had never even looked in this folder and wouldn't have thought to look even if I saw it.
        • Profile picture of the author WealthCoachPro
          Cpanel

          Service Configuration >> FTP Server Configuration
  • Profile picture of the author Michael Oksa
    I agree. It should be turned off by default.

    If it isn't already, then the host could certainly make it the default.

    In other words, the notices they are sending should say something like, "We have just changed all accounts to the off position for anonymous FTP. If you would like to have that feature enabled, you will have to [list of steps]."

    At the very least, give a few days notice before the change so those that do use it wouldn't have an interruption of that feature.

    All the best,
    Michael
  • Profile picture of the author esr
    Thanks for the heads up. I never even thought about this. I just went in to my cpanel and there it was, plain as day, enabled.

    If you use Hostgator, as I do, you'll want to check this out immediately.
    • Profile picture of the author DPM70
      I use hostgator and mine was not enabled. Having said that, my sites are less than a year old, so perhaps they have fixed it on newer accounts?

      Thanks for the heads up, though!
    • Profile picture of the author Crew Chief
      Originally Posted by DeadGuy View Post

      As a courtesy Public Service Announcement... you need to be aware of this, if you have not already read about it. If you don't own a website, disregard this notice.

      There have been numerous threads posted on the forum about site hacking, here is one way you can minimize it. Please check your Anonymous FTP settings. Go to your hosting account control panel, look for Anonymous FTP, and turn it off... like now! This is a major security hole and most hosting providers have this enabled by default.

      Bluehost and other hosting providers have started issuing warnings about this setting, and it is a change that many simply are not aware of or overlook. Maybe this will help someone out there.
      The only words I can use to describe this type of security breach are eerily dangerous.

      @ DeadGuy, you have done more than a public service, you pretty much just saved the arses of a lot of IMers. I only wished that more people would read this thread, comprehend what they are reading and take the corresponding actions.

      Originally Posted by rosetrees View Post

      Sorry to be thick DeadGuy - can you give me some clues about where to find this in cpanel? Thanks
      If you have cPanel, look for the "Files" and click on the "Anonymous FTP" ICON and untick the "Anonymous FTP" box and then click "Save"

      Originally Posted by esr View Post

      Thanks for the heads up. I never even thought about this. I just went in to my cpanel and there it was, plain as day, enabled.

      If you use Hostgator, as I do, you'll want to check this out immediately.
      Hostgator users, there's your warning... JUMP ALL OVER THIS! Don't get caught with your pants down.
  • Profile picture of the author Dennis Gaskill
    Good warning. It's the first thing I do when I set up a new account. I don't know why, but every host I've ever seen has Anonymous FTP enabled as the default setting. Maybe it's because that's the way Cpanel is configured when they install it, but regardless, it is a setting that needs to be disabled unless you have a good reason to want it.
  • Profile picture of the author AceOfShirts
    I use HostGator for close to 100 sites. I checked a couple and they were enabled.

    Anyone know of a way to change it in all of them at once? Maybe in the WHM?

    Thanks,

    Dennis
  • Profile picture of the author PaulaC
    My Hostgator account was unchecked so I guess it isn't all Hostgator accounts that have the problem.
    • Profile picture of the author Steven Wagenheim
      Never knew, and mine was checked.

      Thanks...We need more of these kinds of threads here.
      • Profile picture of the author dave147
        Originally Posted by DeadGuy View Post

        As a courtesy Public Service Announcement... you need to be aware of this, if you have not already read about it. If you don't own a website, disregard this notice.

        There have been numerous threads posted on the forum about site hacking, here is one way you can minimize it. Please check your Anonymous FTP settings. Go to your hosting account control panel, look for Anonymous FTP, and turn it off... like now! This is a major security hole and most hosting providers have this enabled by default.

        Bluehost and other hosting providers have started issuing warnings about this setting, and it is a change that many simply are not aware of or overlook. Maybe this will help someone out there.
        Thanks for sharing this info.


        Originally Posted by Steven Wagenheim View Post

        Never knew, and mine was checked.

        Thanks...We need more of these kinds of threads here.
        Yes there should be more like it
        • Profile picture of the author Barbara Eyre
          Same here, the WHM [for my reseller account] -> Service Configuration -> FTP Server Configuration doesn't exist. Other than giving number to how many FTP accounts each package you set up can have, there is no other mention of FTP at all in my WHM.

          Now where do I look?

          Originally Posted by Laura B View Post

          I can't thank you enough for posting this. I have had 5 sites on Host Gator hacked (3 just today), and now I know the likely reason why.

          I can't find this in my WHM, although I have fewer than 50 accounts, but enough that I don't want to do them one by one.
          • Profile picture of the author Joseph Then
            Originally Posted by Barbara Eyre View Post

            Same here, the WHM [for my reseller account] -> Service Configuration -> FTP Server Configuration doesn't exist. Other than giving number to how many FTP accounts each package you set up can have, there is no other mention of FTP at all in my WHM.

            Now where do I look?
            Another easy way for you: Send a support ticket to your hosting support and tell them to disable anonymous FTP and set it to default for all your account/server.
  • Profile picture of the author Sco
    Thank you for the critical tip!
    • Profile picture of the author DeadGuy
      The rape and pillage side of me told me to inform everyone that they needed to turn anonymous ftp on, or to buy my ecourse on "how to protect your website income" (for $497)... but I just couldn't bring myself to do it. Glad to help.
  • Profile picture of the author Joseph Then
    For warriors who have over 50+ accounts in one server and have a WHM, here's how you can do it:

    Go to WHM: Main >> Service Configuration >> FTP Server Configuration.
    • Profile picture of the author Laura B
      I can't thank you enough for posting this. I have had 5 sites on Host Gator hacked (3 just today), and now I know the likely reason why.

      Originally Posted by Joseph Then View Post

      For warriors who have over 50+ accounts in one server and have a WHM, here's how you can do it:

      Go to WHM: Main >> Service Configuration >> FTP Server Configuration.
      I can't find this in my WHM, although I have fewer than 50 accounts, but enough that I don't want to do them one by one.
  • Profile picture of the author ladyspinner
    WOW! I would have never even thought to change this.

    Thanks for the heads up!
  • Profile picture of the author BrainCopy
    Great, thank you for the update.

    Best Regards,
    UFG
  • Profile picture of the author Long Beach Nathan
    Thanks, I should have thought about this, but would have guessed that it was off anyways. Yep, it was on. I shut it off. Appreciated.
    • Profile picture of the author bydomino
      What a great post!!! I manage over 1000 domains and I have seen non anonymous FTP get hacked. This is because when you authenticate on FTP your user name and password are sent in plain text. The easy answer to this is sFTP or FTP over port 22. The "s" means secure. This is not always available but if you have WHM and can SSH to your server then you can run sFTP and I recommend that you use it. Filezilla is a good free FTP app that supports sFTP.

      In many hosting environments you cannot run sFTP so this whole text user and password can be an issue. You can follow some simple rules:

      1) make difficult passwords
      2) change them often

      I hope this helps
      • Profile picture of the author All Night Cafe
        I just checked and mine was checked. I just disabled it. Thanks for the heads up.
  • Profile picture of the author Biggy Fat
    I don't even see the following:

    Edited - found it!

    If anyone else is still looking - in my cpanel it isn't under files. It's in "ftp manager" - and then "setup anonymous ftp access"
    WHM: Main >> Service Configuration >> FTP Server Configuration.
    I do, however, see an anonymous FTP option under files, and both boxes were unchecked. Am I good? Great tip nonetheless.
  • Profile picture of the author Susan Hope
    I had to get hold of HG Support in the end to put my mind at rest, these are the two relevant responses that apply to anyone with reseller hosting:

    1st one:
    Anonymous FTP is disabled on all of our shared and reseller servers by default, if someone connects anonymously, it will default them to a folder on the server that has no write, or execute perms. Unless you have specifically set it enabled.
    Let us know if you have any questions.
    2nd one because I did have a question:
    Sorry for the confusion - it's technically 'enabled', but it's crippled to the point that it's disabled. Specifically, it's 'enabled' in that someone can FTP to the account anonymously, but it's disabled as in that's all they can do.

    If I were to FTP to their account, I'd be put in one directory(public_ftp), and not have the ability to upload any files, nor navigate outside of that directory. I'm essentially jailed to that location. Should something be placed in public_ftp, I'd have the ability to download it, but that's it. So, it's 'enabled', but effectively 'disabled'.

    Let us know if you have any other questions, and we'll be happy to help.
    Cordially..
    Hope that puts people's mind at rest on some areas of this.

    Sue
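Added example, not part of any post in this thread: the support reply above separates "anonymous login accepted" from "anonymous upload accepted" (the same two tick boxes cPanel shows), and this Python sketch classifies each host you administer into one of those states using the standard `ftplib` module. The `FakeFTP` class, the `.example` hostnames and the probe filename are constructed so the sample runs offline; pass the default `ftplib.FTP` factory to audit your own real accounts.

```python
import ftplib
import io

PROBE_NAME = "anon_ftp_audit_probe.txt"  # hypothetical probe filename


def audit_anonymous_ftp(host, ftp_factory=ftplib.FTP, timeout=10):
    """Return 'unreachable', 'disabled', 'read-only' or 'writable' for one host."""
    try:
        ftp = ftp_factory(host, timeout=timeout)  # connects on construction
    except ftplib.all_errors:
        return "unreachable"
    try:
        try:
            ftp.login()  # ftplib logs in as user 'anonymous' by default
        except ftplib.Error:
            return "disabled"
        try:
            ftp.storbinary("STOR " + PROBE_NAME, io.BytesIO(b"audit probe\n"))
        except ftplib.Error:
            return "read-only"  # login works, upload refused (the "jailed" case)
        try:
            ftp.delete(PROBE_NAME)  # clean up the probe we just wrote
        except ftplib.all_errors:
            pass
        return "writable"  # anyone can upload: turn this off in the control panel
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()


def audit_all(hosts, ftp_factory=ftplib.FTP):
    """Audit several hosts and return {host: state}."""
    return {h: audit_anonymous_ftp(h, ftp_factory) for h in hosts}


class FakeFTP:
    """Constructed stand-in for ftplib.FTP: (login allowed, upload allowed)."""
    POLICY = {"off.example": (False, False),
              "jailed.example": (True, False),
              "open.example": (True, True)}

    def __init__(self, host, timeout=None):
        self.allow_login, self.allow_write = self.POLICY[host]

    def login(self):
        if not self.allow_login:
            raise ftplib.error_perm("530 Login incorrect.")

    def storbinary(self, cmd, fp):
        if not self.allow_write:
            raise ftplib.error_perm("550 Permission denied.")

    def delete(self, name): pass
    def quit(self): pass
    def close(self): pass


if __name__ == "__main__":
    for host, state in audit_all(FakeFTP.POLICY, FakeFTP).items():
        print(f"{host:16} {state}")
```
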
  • Profile picture of the author Bicycle Cat
    Good thing my hosting provider disables this by default!
    • Profile picture of the author Sandor Verebi
      Hi Deadguy,

      Thank you for your heads up, this is a very important and useful message.

      People (including myself, too) may overlook such things oftentimes. Then we don't take it why we had a problem... LOL

      Have a nice day,

      Sandor
      ___________________
      - nothing to sell now -
  • Profile picture of the author Groovystar
    My host has anon FTP disabled by default. You actually have to pay to have it switched on. I would think most hosts disable it these days.
  • Profile picture of the author bobsstuff
    Thanks for the heads up.
    I unchecked my Hostgator domains.
    I could not find any settings at GoDaddy or 1and1.
    Anyone have any ideas where the settings are on those other hosts?