Why is cPanel not stopping Bypass/Cracked/Illegal Licenses?
Hello,
As we all know, after cPanel increased their price, there have been remarkable scammers who have somehow bypassed/cracked the license of cPanel.
I'm not concluding how cPanel did by the price hike for the license (it was a very bad policy of them, of course), but with the help of these illegal licenses, bad providers are ruining the field of hosting industry.
As far as I have diagnosed myself, the scammer bypasses the licensing system, but astonishingly, when the illegal license VPS/Dedicated Server pulls an update from the cPanel server, it just goes through! Where it should have been pre-checked & denied.
If updates for cPanel can be stopped for these illegal licenses, these have been stopped already.
What do you think, why is cPanel not doing so? Not willing to stop them, or doesn't know about it (I don't think so), or any other reason?
Regards.
Comments
It'd be pretty easy to limit too. They already have a list of all licensed IPs, so load it into an ipset and firewall everything else.
Francisco
Then, it's still not understandable why they aren't doing so! They want people to use these illegal licensing systems?
It's possible they have to refactor things a lot.
Still, the ipset way would be pretty easy to integrate for them.
It'd require people register their servers to get a trial license instead of being auto assigned one, unless that's already a thing now?
Francisco
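The ipset allowlist suggested in the two posts above, sketched as an added example (not code from the thread or from cPanel). The set name "licensed", port 443 and the sample addresses are assumptions; the addresses are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example: turn a list of licensed IPs into an `ipset restore` script.
# Set name "licensed" and all sample addresses are assumptions (constructed).

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into positional parameters
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read one address per line on stdin, print an `ipset restore` script.
# The list is loaded under a temporary name and swapped in, so the live
# set is never empty while it reloads. Invalid lines go to stderr.
build_restore() {
    set_name=${1:-licensed}
    echo "create ${set_name} hash:ip family inet -exist"
    echo "create ${set_name}_new hash:ip family inet -exist"
    echo "flush ${set_name}_new"
    sort -u | while IFS= read -r ip; do
        if is_ipv4 "$ip"; then
            echo "add ${set_name}_new ${ip}"
        else
            echo "skipped invalid entry: ${ip}" >&2
        fi
    done
    echo "swap ${set_name}_new ${set_name}"
    echo "destroy ${set_name}_new"
}

# Constructed sample: one duplicate, one out-of-range octet, one junk line.
sample_list() {
    printf '%s\n' 192.0.2.10 198.51.100.7 192.0.2.10 203.0.113.300 not-an-ip
}
sample_list | build_restore licensed 2>/dev/null

# Applying it on the update server (needs root):
#   build_restore licensed < licensed_ips.txt | ipset restore
#   iptables -I INPUT -p tcp --dport 443 -m set ! --match-set licensed src -j DROP
```

This gates only on source address, so the proxying through a licensed IP that is described later in the thread still passes it.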
It can be a policy.
Like you can buy or you can use a cracked one. But at the end of the day, everyone will use cPanel and everyone will know cPanel.
Because cPanel knows a good provider won't use a nulled one!
I think auto assigning would work too? Because they are getting the IPs of those VMs/Servers too while assigning the Trial License & everybody else is already submitting their IP while ordering licenses. So, summing up all these, cPanel is having all those IPs which have a valid license. It's not hard to implement ipset.
Just like WHMCS, they don't care about pirated stuff anymore.
Sure but then they don't have an email/name/etc to start tracking/linking accounts.
If you can auto gen a license then all you have is an IP to go by, not a name/email.
True you can make new accounts, but if they require email verification it'll be a lot of extra work. They already track user IPs in manage2 for instance so they have some of the systems there.
The license abuse will always happen. I've seen a lot of it is usually tied back to Iranian based users, which cPanel is embargo'd from selling to anyway.
Francisco
I believe they want people who are so poor that they can't pay for cPanel licensing to still use cPanel. That way, it lowers the revenue of cheaper competitors.
Basically, if there's a tiny host, if it ever scales, there's no way they'd continue pirating on a large scale.
The joke about this is, they "encrypt" specific or all files to prevent piracy, right.
But how does the webserver know how to decrypt these files?
Simple, they give you the lock and the key at the same time, it's like glorified base64.
It's going to happen over and over again, until cPanel and WHMCS are offered as a service.
I think I even saw websites that let you decode files automatically, so yea it's pretty fucked. No, and you can't stop updates, they just take the newest version and break it again.
In my mind, maybe, cPanel is gambling to see how many scammers will create after a price hike. If their project "cPanel price increase" fail they will be back in the old house. If they become successful, they will ban them all later.
My own funny theory.
cPanel has always been incompetent on this.
Years ago, it was common to buy a VPS license, create a single VM on a host with 32 cores, 128GB of RAM, whatever, and use a VPS license instead of a dedi license.
This was not prohibited by cPanel's TOS. I had hosts tell me that you couldn't have any more than 2 cores in a VM or you could only have so many VMs, etc. but that was all nonsense...the license agreement said nothing about this.
I even opened a ticket with cPanel to ask them to clarify and amazingly after several months of pinging them for an answer (and getting nothing back except "we're still checking with legal") I never did get an answer.
A large number of providers used to use that loophole to not pay for bare metal licence.
It was a quite incompetent licence model.
Solutions that seem easy might generate a lot of support requests for people doing unorthodox things with their servers that wasn’t accounted for. That could quickly generate more overhead than revenue, if not careful.
Sometimes it is honestly just cheaper to let thieves do what they do.
This
This
And this
A quick update: cPanel replied to me on this issue with no luck for now.
Technically you can't solve this problem, except offering everything as SAAS.
At least, update can be switched off by rejecting the update request from non-licensed IPs.
Yes, practically, but it can be easily bypassed.
For example, if you got a shell account on a cPanel server you could download the updates or ask someone that has access to it.
So in the end, the same way you get your cracked cPanel you would get the updates.
I've heard that myself as well, someone told me that they do that through proxying - they license the proxy IP but the cPanel servers behind the proxy are unlicensed.
Not sure how it would work as technically updates shouldn't work this way but I guess there is much more than that occurring that makes updates possible.
Trying to prevent crack/null completely is too much overhead for a distributed product. Even if someone makes a check every second with the connecting server that server can be faked and replaced in binary. To my understanding the more low level language you use the more script kiddies will hate you. You will have less people cracking your code as they need to be more experienced. And if you mess too much with script kiddies by modifying too much, chances are they might take it as a challenge and every new release will be a fun for them.
What will happen is they will start DMCAing hosts that allow the licenses to be active, and maybe even revoke their NOC license access.
It’s pretty simple.
Francisco
Nope. As they gained some "bad" vibes and competitors they won't care as much like they are doing with their other product WHMCS. Unless they start going dry they won't even try to move a rock.
I don’t think any host out there is going to lose their noc license access and all their licenses get suspended.
Francisco
What I want to say is if they take too many bad decisions at a short period of time that will only benefit their competitors and they will lose market share.
Those who have NOC licenses are their bigger customers and by suspending them cPanel will shoot bullets on their own head which will encourage bigger hosts to invest on control panels for long term which will ultimately reduce their long term cost. And making control panel is not that complicated thing for big hosts and some already did so. If hosts push with articles, ads, video tutorials clients won't ask for the Orange panel and it won't stand a chance.
So couldn't this be solved if the software phoned home periodically and disabled itself if it couldn't verify the subscription was legit? Want to apply an update - no go unless you authenticate your subscription. Your UUID/key is coming from more than one IP? Foul. Need to move your install? Uninstall one first or call support. Etc.
I have no idea how to implement this but is proving your identity (in this sense) over the Internet with crypto really that hard to engineer? There's a bajillion license management systems I've had to admin over the years for proprietary software.
After all, licensing system consists of 2 major parts: local obfuscation and remote checks. Local obfuscation is static and can be easily traced and disabled. For a second part crackers usually intercept calls to "home", analyze and create local "home" or just loop.
The most advanced DRMs are in games. So on-premise software has no chance to properly lock from a determined cracker.
Theoretically you can create something really hard to crack. But this raises the question: is it worth it? You need to constantly update that system. This means you pay an insane amount of dollars to someone with decent expertise. Usually extreme licensing systems consume computing resources in the appliance/server. A better way is to just lawyer up and sue if someone uses an unlicensed copy of your software.
Why would somebody use a hacked cPanel license in a production environment? You don't know how it was modified and what spyware or crypto virus they added.
You manage to get 100 accounts and then the hackers encrypt your server and request $1000 to unlock it.
See, the primary issue is, you run your code on an untrusted machine.
Aka the customer who purchased a license.
So they came up with ionCube, to "encrypt" the source code.
The issue is, as I said before, how does the webserver "decrypt" the source code?
With the ionCube module you download, hence I said you get key and lock at the same time, it's just a question of time until someone breaks it again and again.
If you do crypto correctly, you never let the customer get access to the key, but you need to do that, otherwise the pages would not render.
And if you "decrypt" all the files you can do the fuck you want and disable all the security bla bla.
Customers are long gone.