Disable CGI scripting in your cPanel server !

We might decide to disable CGI on the server because of the consequences that weak CGI scripts can have on our server security.

If any vulnerable holes are found and the hacker uploads and runs a CGI script, they can get even root access to the server.

Well then, how to disable this in a cPanel box running on Apache web-server ?

You can turn off ExecCGI by unchecking the following via WHM :

Service Configuration > Apache Configuration > Global Configuration > untick ExecCGI

default1

 

But even with this configuration in running state, your normal users can enable it via .htaccess file by passing ExecCGI with ‘Options‘ directive ( which you don’t disable as users need it)

So to make sure your users do not run cgi scripts, you can take out CGI privilege by modifying the already existing accounts created in the server.

Home » Account Functions » Modify an Account

modify-accounts

When this is in-effect, the following gets added to the VirtualHost section of the account :

Options -ExecCGI -Includes
RemoveHandler cgi-script .cgi .pl .plx .ppl .perl

Finding an issue with Zend Optimizer ?

When you open your webpage, are you getting the message that “Zend Optimizer not installed“, when you are pretty sure that it is installed in your server ? You are also sure that nothing has changed in the server and you get this message all of a sudden.

This file was encoded by the Zend Encoder / Zend SafeGuard Suite. In order to run it, please install the freely available Zend Optimizer, version xx.xx or later."

You can verify it from the result of # php -v, if zend optimizer is installed, you will get a result something like this :

“with Zend Optimizer vxx.xx, Copyright (c) 1998-2009, by Zend Technologies”

Even with this result, if you are getting an error that shows optimizer is not installed, then there is an issue with your codes. You might look at the particular PHP file and might see enormous codes. More likely the domain is compromised.  You will need to clean up the site / restore the domain from a clean backup.