Why cPanel not stopping Bypass/Cracked/Illegal License ??

Mahfuz_SS_EHL Host Rep, Veteran

Hello,

As we all know, after cPanel increased their price, there had been remarkable scammers who have somehow bypassed/cracked the license of cPanel.

I'm not concluding how cPanel did by the price hike for the license (it was very bad policy of them of course), but, with the help of these illegal licenses, bad providers are ruining the field of hosting industry.

As far as I have diagnosed myself, the scammer bypasses the licensing system but astonishingly when the illegal license VPS/Dedicated Server pulls update from cPanel Server, it just goes through! Where it should have been pre-checked & denied.

If updates for cPanel can be stopped for these illegal license, these have been stopped already.

What do you think, why is cPanel not doing so?? Not willing to stop them, or doesn't know about it (I don't think so), or any other reason??

Regards.

Comments

  • Francisco Top Host, Host Rep, Veteran

    It'd be pretty easy to limit too. They already have a list of all licensed IP's, so load it into an ipset and firewall everything else.

    Francisco

  • Mahfuz_SS_EHL Host Rep, Veteran

    @Francisco said:
    It'd be pretty easy to limit too. They already have a list of all licensed IP's, so load it into an ipset and firewall everything else.

    Francisco

    Then, it's still not understandable why they aren't doing so! They want people to use these illegal licensing systems?

  • Francisco Top Host, Host Rep, Veteran

    @Mahfuz_SS_EHL said:

    @Francisco said:
    It'd be pretty easy to limit too. They already have a list of all licensed IP's, so load it into an ipset and firewall everything else.

    Francisco

    Then, it's still not understandable why they aren't doing so! They want people to use these illegal licensing systems?

    It's possible they have to refactor things a lot.

    Still, the ipset way would be pretty easy to integrate for them.

    It'd require people register their servers to get a trial license instead of being auto assigned one, unless that's already a thing now?

    Francisco

  • onibd Member

    It can be a policy.
    Like you can buy or you can use a cracked one. But at the end of the day, everyone will use cPanel and everyone will know cPanel.

    Because cPanel knows a good provider won't use a nulled one!

  • Mahfuz_SS_EHL Host Rep, Veteran

    @Francisco said:

    @Mahfuz_SS_EHL said:

    @Francisco said:
    It'd be pretty easy to limit too. They already have a list of all licensed IP's, so load it into an ipset and firewall everything else.

    Francisco

    Then, it's still not understandable why they aren't doing so! They want people to use these illegal licensing systems?

    It's possible they have to refactor things a lot.

    Still, the ipset way would be pretty easy to integrate for them.

    It'd require people register their servers to get a trial license instead of being auto assigned one, unless that's already a thing now?

    Francisco

    I think auto assigning would work too? Because, they are getting the IPs of those VM/Servers too while assigning Trial License & everybody else is already submitting their IP while ordering licenses. So, summing up all these, cPanel has all the IPs which have a valid license. It's not hard to implement ipset.

  • Just like WHMCS, they don't care about pirated stuff anymore.

    Thanked by 1 Boogeyman
  • Francisco Top Host, Host Rep, Veteran

    @Mahfuz_SS_EHL said:
    I think auto assigning would work too? Because, they are getting the IPs of those VM/Servers too while assigning Trial License & everybody else is already submitting their IP while ordering licenses. So, summing up all these, cPanel has all the IPs which have a valid license. It's not hard to implement ipset.

    Sure but then they don't have an email/name/etc to start tracking/linking accounts.

    If you can auto gen a license then all you have is an IP to go by, not a name/email.

    True you can make new accounts, but if they require email verification it'll be a lot of extra work. They already track user IP's in manage2 for instance so they have some of the systems there.

    The license abuse will always happen. I've seen a lot of it is usually tied back to Iranian based users, which cPanel is embargo'd from selling to anyway.

    Francisco

  • lentro Member, Host Rep

    I believe they want people who are so poor that they can't pay for cPanel licensing to still use cPanel. That way, it lowers the revenue of cheaper competitors.

    Basically, if there's a tiny host, if it ever scales, there's no way they'd continue pirating on a large scale.

  • Neoon Community Contributor, Veteran

    The joke about this is, they "encrypt" specific or all files to prevent piracy right.
    But how does the webserver know how to decrypt these files?

    Simple, they give you the lock and the key at the same time, it's like glorified base64.
    It's going to happen over and over again, until cPanel and WHMCS are offered as a service.

    I think I even saw websites that let you decode files automatically, so yeah, it's pretty fucked. No, and you can't stop updates, they just take the newest version and break it again.

  • In my mind, maybe, cPanel is gambling to see how many scammers will create after a price hike. If their project "cPanel price increase" fails they will be back in the old house. If they become successful, they will ban them all later.
    My own funny theory.

    Thanked by 1 Chuck
  • raindog308 Administrator, Veteran

    cPanel has always been incompetent on this.

    Years ago, it was common to buy a VPS license, create a single VM on a host with 32 cores, 128GB of RAM, whatever, and use a VPS license instead of a dedi license.

    This was not prohibited by cPanel's TOS. I had hosts tell me that you couldn't have any more than 2 cores in a VM or you could only have so many VMs, etc. but that was all nonsense...the license agreement said nothing about this.

    I even opened a ticket with cPanel to ask them to clarify and amazingly after several months of pinging them for an answer (and getting nothing back except "we're still checking with legal") I never did get an answer.

    Thanked by 1 Chuck
  • Razza Member

    A large number of providers used to use that loophole to not pay for bare metal licence.

    It was a quite incompetent licence model.

  • jar Patron Provider, Top Host, Veteran

    Solutions that seem easy might generate a lot of support requests for people doing unorthodox things with their servers that weren’t accounted for. That could quickly generate more overhead than revenue, if not careful.

    Sometimes it is honestly just cheaper to let thieves do what they do.

    Thanked by 1 Boogeyman
  • @SCAM_DONT_BUY said:
    Just like WHMCS, they don't care about pirated stuff anymore.

    This

    @lentro said:
    I believe they want people who are so poor that they can't pay for cPanel licensing to still use cPanel. That way, it lowers the revenue of cheaper competitors.

    Basically, if there's a tiny host, if it ever scales, there's no way they'd continue pirating on a large scale.

    This

    @jar said:
    Solutions that seem easy might generate a lot of support requests for people doing unorthodox things with their servers that weren’t accounted for. That could quickly generate more overhead than revenue, if not careful.

    Sometimes it is honestly just cheaper to let thieves do what they do.

    And this

    Thanked by 1 lentro
  • Mahfuz_SS_EHL Host Rep, Veteran

    A quick update: cPanel replied to me on this issue with no luck for now.

  • Neoon Community Contributor, Veteran

    Technically you can't solve this problem, except offering everything as SAAS.

  • Mahfuz_SS_EHL Host Rep, Veteran

    @Neoon said:
    Technically you can't solve this problem, except offering everything as SAAS.

    At least, update can be switched off by rejecting the update request from non-licensed IPs.

  • Neoon Community Contributor, Veteran
    edited May 2021

    @Mahfuz_SS_EHL said:

    @Neoon said:
    Technically you can't solve this problem, except offering everything as SAAS.

    At least, update can be switched off by rejecting the update request from non-licensed IPs.

    Yes, practically, but it can be easily bypassed.
    For example, if you got a shell account on a cPanel server you could download the updates or ask someone that has access to it.

    So in the end, the same way you get your cracked cPanel you would get the updates.

  • zafouhar Veteran

    I've heard that myself as well, someone told me that they do that through proxying - they license the proxy IP but the cPanel servers behind the proxy are unlicensed.

    Not sure how it would work as technically updates shouldn't work this way but I guess there is much more than that occurring that makes updates possible.

  • Boogeyman Member
    edited May 2021

    Trying to prevent crack/null completely is too much overhead for a distributed product. Even if someone makes a check every second with the connecting server, that server can be faked and replaced in binary. To my understanding the more low-level language you use the more script kiddies will hate you. You will have fewer people cracking your code as they need to be more experienced. And if you mess too much with script kiddies by modifying too much, chances are they might take it as a challenge and every new release will be fun for them.

    Thanked by 1 Chuck
  • Francisco Top Host, Host Rep, Veteran

    What will happen is they will start DMCAing hosts that allow the licenses to be active, and maybe even revoke their NOC license access.

    It’s pretty simple.

    Francisco

    Thanked by 1 netomx
  • @Francisco said:
    What will happen is they will start DMCAing hosts that allow the licenses to be active, and maybe even revoke their NOC license access.

    It’s pretty simple.

    Francisco

    Nope. As they gained some "bad" vibes and competitors they won't care as much like they are doing with their other product WHMCS. Unless they start going dry they won't even try to move a rock.

  • Francisco Top Host, Host Rep, Veteran

    @Boogeyman said:

    @Francisco said:
    What will happen is they will start DMCAing hosts that allow the licenses to be active, and maybe even revoke their NOC license access.

    It’s pretty simple.

    Francisco

    Nope. As they gained some "bad" vibes and competitors they won't care as much like they are doing with their other product WHMCS. Unless they start going dry they won't even try to move a rock.

    I don’t think any host out there is going to lose their noc license access and all their licenses get suspended.

    Francisco

  • @Boogeyman said: Nope. As they gained some "bad" vibes and competitors they won't care as much like they are doing with their other product WHMCS. Unless they start going dry they won't even try to move a rock.

    What I want to say is if they take too many bad decisions at a short period of time that will only benefit their competitors and they will lose market share.

    @Francisco said: I don’t think any host out there is going to lose their noc license access and all their licenses get suspended.

    Francisco

    Those who have NOC licenses are their bigger customers and by suspending them cPanel will shoot bullets on their own head which will encourage bigger hosts to invest on control panels for long term which will ultimately reduce their long term cost. And making control panel is not that complicated thing for big hosts and some already did so. If hosts push with articles, ads, video tutorials clients won't ask for the Orange panel and it won't stand a chance.

  • raindog308 Administrator, Veteran

    @Neoon said: Technically you can't solve this problem

    So couldn't this be solved if the software phoned home periodically and disabled itself if it couldn't verify the subscription was legit? Want to apply an update - no go unless you authenticate your subscription. Your UUID/key is coming from more than one IP? Foul. Need to move your install? Uninstall one first or call support. Etc.

    I have no idea how to implement this but is proving your identity (in this sense) over the Internet with crypto really that hard to engineer? There's a bajillion license management systems I've had to admin over the years for proprietary software.
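
The vendor-side checks raised in this thread, Francisco's licensed-IP allowlist and raindog308's authenticated update request with a "key coming from more than one IP" alarm, combined in one added example; it is not cPanel's code and was not posted by anyone in the thread. The license table, the shared-secret HMAC scheme, the field names and the 300-second replay window are assumptions, and every value is constructed.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed sample data (RFC 5737 documentation addresses, made-up secrets).
LICENSES = {  # license id -> (shared secret, networks the license was issued to)
    "LIC-0001": (b"constructed-secret-1", [ipaddress.ip_network("192.0.2.10/32")]),
    "LIC-0002": (b"constructed-secret-2", [ipaddress.ip_network("198.51.100.0/29")]),
}
MAX_SKEW = 300   # seconds a signed request stays valid (limits replay)
seen_ips = {}    # license id -> set of source IPs that presented a valid signature


def sign(secret, license_id, install_uuid, ts):
    """Client side: HMAC-SHA256 over the fields the server will check."""
    msg = f"{license_id}|{install_uuid}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def authorize_update(src_ip, license_id, install_uuid, ts, mac, now=None):
    """Server side: return (allowed, reason) for one update request."""
    now = time.time() if now is None else now
    entry = LICENSES.get(license_id)
    if entry is None:
        return False, "unknown license"
    secret, networks = entry
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    if not hmac.compare_digest(sign(secret, license_id, install_uuid, ts), mac):
        return False, "bad signature"
    ip = ipaddress.ip_address(src_ip)
    # Record every IP that presents a valid signature, allowed or not,
    # so a key showing up from a second address is visible for review.
    seen_ips.setdefault(license_id, set()).add(ip)
    if not any(ip in net for net in networks):
        return False, "source IP not licensed"
    return True, "ok"


def shared_keys():
    """License ids whose valid signatures arrived from more than one IP."""
    return sorted(k for k, ips in seen_ips.items() if len(ips) > 1)
```

This gates only what the vendor's update server hands out; the installed copy and its secret still sit on the customer's machine, which is the limit Neoon describes.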

  • Levi Member
    edited May 2021

    After all, a licensing system consists of 2 major parts: local obfuscation and remote checks. Local obfuscation is static and can be easily traced and disabled. For the second part, crackers usually intercept calls to "home", analyze and create local "home" or just loop.

    The most advanced DRMs are in games. So on-premise software has no chance to properly lock from a determined cracker.

    @raindog308 said: I have no idea how to implement this but is proving your identity (in this sense) over the Internet with crypto really that hard to engineer?

    Theoretically you can create something really hard to crack. But this raises the question: is it worth it? You need to constantly update that system. This means you pay an insane amount of dollars to something with decent expertise. Usually extreme licensing systems consume computing resources in the appliance/server. A better way is to just lawyer up and sue if someone uses an unlicensed copy of your software.

  • Why would somebody use a hacked cPanel license in a production environment? You don't know how it was modified and what spyware or crypto virus they added.

    You manage to get 100 accounts and then the hackers encrypt your server and request $1000 to be unlocked.

  • Neoon Community Contributor, Veteran
    edited May 2021

    @raindog308 said:

    @Neoon said: Technically you can't solve this problem

    So couldn't this be solved if the software phoned home periodically and disabled itself if it couldn't verify the subscription was legit? Want to apply an update - no go unless you authenticate your subscription. Your UUID/key is coming from more than one IP? Foul. Need to move your install? Uninstall one first or call support. Etc.

    I have no idea how to implement this but is proving your identity (in this sense) over the Internet with crypto really that hard to engineer? There's a bajillion license management systems I've had to admin over the years for proprietary software.

    See, the primary issue is, you run your code on an untrusted machine.
    Aka customer who purchase a license.

    So they came up with ioncube, to "encrypt" the source code.
    The issue is, as I said before, how does the webserver "decrypt" the source code?

    With the ioncube module you download, hence I said you get key and lock at the same time, it's just a question of time until someone breaks it again and again.

    If you do crypto correctly, you never let the costumer get access to the key but you need to do that, otherwise the pages would not render.

    And if you "decrypt" all the files you can do the fuck you want and disable all the security bla bla.

  • @Neoon said: Aka costumer who purchase a license.

    Costumers are long gone.

  • Neoon Community Contributor, Veteran

    @SCAM_DONT_BUY said:

    @Neoon said: Aka costumer who purchase a license.

    Costumers are long gone.

This discussion has been closed.