
Thread: How does Hacking take place on Cpanel server?

#1 whwrobert (Registered Member, joined Aug 2009, USA, 26 posts)

    How does Hacking take place on Cpanel server?

    I am writing this post to explain how accounts on a server get hacked. Many times it happens that cPanel accounts on a server are hacked. The most common hacks are ones where the index page is replaced with some other code, thus defacing your website. Sometimes this type of hack happens on all accounts, including the backups on the server. Many times it is also an iframe hack, where the hacker adds extra code to your website, and whoever accesses that website gets a virus on their computer, thus infecting it. We are not going deep into the types of hacking; what I am going to explain here is how we can stop this from happening, or at least prevent or avoid it. If you are facing an iframe hack issue, one of our cPanel forum members has posted a good article which you can find here:

    http://forums.cpanel.net/f5/solution...tml#post363227

    Now one would ask, "How does this hacking take place?" Such defacing hacks take place, and we become victims of them, because we are careless or we don't have the basic knowledge of keeping our site secure. It is we who give a way for any hacking to take place. Any hacking which takes place through the browser happens due to weak permissions. Many common PHP applications we use, like a picture gallery, forum etc., are the starting point of hacking if and only if they are insecure, are of older versions, or some files or directories of those applications have weak permissions like 777 or 755. For example, I have an application which has the option of uploading a file. Now suppose that uploaded file goes into a directory, for example "images", and "images" has 777 permissions. Now if I upload a defacing script, say "deface.php", to the images directory using that option, then I can easily access that script using the link:

    http://domain.com/images/deface.php

    As the images directory has 777 permissions, I can easily execute that script and deface that account or website. If the permissions on other directories of the server are really weak, then I can deface files in other locations on the server as well. After uploading the script, if I find more accounts on the server which have weak permissions, then I can run my script from its current location and hack other accounts too. So in this way your account, some other accounts, or even the whole server is hacked due to weak permissions. To make this point clear, I have attached a small PHP script to this post. Just upload it to your account and access it from a browser; you will see that you can browse other files on the server whose permissions are weak.

    THIS IS NOT A HACKING SCRIPT AT ALL, NOR AM I PROMOTING HACKING IN ANY WAY. THIS SCRIPT WILL HELP YOU FIND OUT WEAKNESSES IN YOUR ACCOUNT SECURITY. THIS IS JUST FOR EDUCATIONAL PURPOSES. IF THE MODERATORS OF THIS FORUM THINK THIS POST IS AGAINST ANY OF THEIR RULES, THEY ARE WELCOME TO DELETE IT.

    This script is a type of browser for browsing files on the server or account; where file permissions are weak, like 777 or 755, you can browse them even though they don't belong to your account. This script cannot be used to modify files or execute any command, so don't worry.

    So in order to stop all such hacks on the server or on your account, always be alert about permissions. Many people use 755 or 777 permissions casually, thus becoming victims of some hack today or tomorrow. Secondly, always keep your PHP applications upgraded to their latest versions, so that any bad code or bug in previous versions is cleared. This was very short information, but if other forum members want to add more to it, they are welcome.

    I will be adding more security tips in the coming days, so stay tuned.
    Attached Files
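Added example (not part of whwrobert's post and not the attached PHP script): a small POSIX shell audit for the weakness the post describes. It finds world-writable directories under a web root, lists PHP files sitting directly inside them (the deface.php-in-a-777-images/-directory case), and hardens one upload directory so that anything stored there is never executed by Apache. The demo tree, the file extensions matched and the .htaccess directives are my assumptions, not something the post specifies. The chmod 755 step assumes PHP runs as the account owner (suPHP/CGI); under DSO the web server user must be able to write into an upload directory, which is exactly why the .htaccess part is the one that matters.

```sh
#!/bin/sh
# Added example, not code from the original post. Audits a web root for the
# "777 upload directory" weakness and hardens one directory so an uploaded
# deface.php can be stored but never executed. Assumptions: POSIX sh plus a
# find that knows -maxdepth (GNU/BSD/busybox); paths and the demo tree are made up.

# Every world-writable directory (other-write bit set: 777, 767, 757 ...) under $1.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | sort
}

# PHP files that live directly inside a world-writable directory under $1,
# i.e. the "deface.php in a 777 images/ directory" case from the post.
find_php_in_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null | while read -r d; do
        find "$d" -maxdepth 1 -type f \( -name '*.php' -o -name '*.phtml' \)
    done | sort
}

# Harden one upload directory: drop the mode to 755 and add an .htaccess that
# switches the PHP engine off where mod_php (DSO) is loaded and refuses to serve
# any script-like file at all, which is what protects suPHP/CGI setups.
# php_flag is wrapped in IfModule because it is a 500 error when mod_php is absent;
# both Apache 2.2 and 2.4 access-control syntaxes are included.
harden_upload_dir() {
    chmod 755 "$1"
    cat > "$1/.htaccess" <<'EOF'
# uploads live here: store anything, execute nothing
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<FilesMatch "\.(php|phtml|php[3-7]|phps|phar|cgi|pl)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# Constructed sample tree reproducing the post's scenario (demo data only).
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/images" "$root/public_html/includes"
    chmod 755 "$root/public_html" "$root/public_html/includes"
    chmod 777 "$root/public_html/images"                  # the weak directory
    printf '<?php echo "defaced"; ?>\n' > "$root/public_html/images/deface.php"
    printf 'GIF89a\n' > "$root/public_html/images/logo.gif"
    printf '<?php // db settings ?>\n' > "$root/public_html/includes/config.php"
    echo "$root"
}

# Stand-alone demo: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_tree)
    echo "world-writable dirs:"; find_world_writable_dirs "$root"
    echo "scripts inside them:"; find_php_in_writable_dirs "$root"
    harden_upload_dir "$root/public_html/images"
    echo "after hardening:";     find_world_writable_dirs "$root"
    rm -rf "$root"
fi
```

Point the two find_* functions at /home/*/public_html to audit a whole box; anything they print is a place where a file-upload form and a browser are all an attacker needs. Hardening only the directory mode is not enough on its own, because the uploading script may legitimately need write access; denying execution in the directory is the control that survives that.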

#2 votethehost.com (Registered Member, joined Oct 2009, Chicago, 26 posts)

    Great info, thanks.

#3 (Registered Member, joined Nov 2009, 14 posts)

    If you try to upload deface.php to an image directory that has chmod 777, but get denied by a PHP script that says only .gif, .png and .jpg images are allowed, should you just rename deface.php to deface.jpg before uploading?

    Because the directory is chmod 777, can a user from the same site run a PHP script to rename deface.jpg to deface.php in that chmod 777 directory?

#4 (Registered Member, cPanel Partner NOC, joined Jul 2005, 624 posts)

    Quote Originally Posted by whwrobert: [post #1 quoted in full; see above]

    Great post!

#5 whwrobert (Registered Member, joined Aug 2009, USA, 26 posts)

    Some Tips to Avoid Defacing of your site.

    As I always say, most of the defacing, around 90%, takes place on websites running:

    1) WordPress
    2) PHP Forums (any PHP forum)
    3) Mambo
    4) Joomla

    and there are many more names on the list ........

    The most important question to ask yourself is, WHY are only these types of applications hacked? Because they are really easy to hack. To do this, actually no knowledge is needed, as you can do it from a simple browser.

    What you should do to avoid defacing of your website:

    1) If your site is using any of the above applications, they should always be updated and running in their latest version.

    2) THIS IS MOST IMPORTANT
    Many users use the above applications and, to do more customization, install different types of plugins and addons. Now, we never check who developed this addon, or whether this addon has any bug that makes the website vulnerable. We never check for an upgraded version of the addon or plugin we use, and that's where we make a mistake. Suppose we have upgraded to the latest version of any of the applications specified above and we are really relaxed, thinking "I have upgraded the application on my website", BUT WHAT ABOUT ADDONS AND PLUGINS? Then later your site is defaced and you think, "How can this happen when my application was the latest version?" This happened because your application was hacked or defaced using the PHP files of the addon or plugin installed by you, and not using the files of the upgraded application under your site.

    So always verify the developer or the code security of any addon or plugin you are thinking of installing. Do some research before using any free addon or plugin.

    3) Last but not least, secure permissions.
    For more information on permissions, scroll up to my first post.

    Hope you all find this information useful. Feedback is welcome.

    I will be back soon with more useful information; till then, goodbye.

#6 votethehost.com (Registered Member, joined Oct 2009, Chicago, 26 posts)

    Keep posting the good work. Very helpful.

#7 (Registered Member, joined Mar 2003, New York, 101 posts)

    I'm liking it too.

    I think if you make your living online, no matter what time of day, somewhere in our heads we are thinking, "I wonder if my site got hacked." I only had a single defacement done once, to one of my servers about 8 years ago. Ever since, I'm super paranoid. Thanks for the info.

#8 whwrobert (Registered Member, joined Aug 2009, USA, 26 posts)

    How To Make My Forums More Secure, e.g. vBulletin

    Here are some things you can do to increase the level of security of your forums:

    1. Always upgrade to the latest stable version.

    2. Do not install any unofficial hacks or plugins, as they are not written or reviewed by our developers.

    3. Password-protect your Administrator and Moderator Control Panel directories, as well as the install and includes directories, using .htaccess/.htpasswd (see: Comprehensive guide to .htaccess password protection).

    4. Make sure the tools.php (vB3) file is NOWHERE on your website.

    5. Remove the ImpEx files if you used this import system.

    6. If you have phpMyAdmin, make sure it's password-protected.

    7. If you suspect a hacking attempt, ask your host to change the login password for your web account.

    8. Make sure all the Admin and Mod passwords are secure. Change them if you have any doubts, and use hard-to-guess passwords.

    9. NEVER allow HTML in posts, PMs or sigs.

    10. Make absolutely sure there are no viruses, trojans or keylogger spyware on your PC. Any of these could steal your password and other personal info.

    11. Do NOT upload the directory called do_not_upload/

    12. Use a different password for each forum you sign up with. Use a different password for your forum than you do for the .htaccess directory password.

    13. Update the config.php file and set yourself as an undeletable user so they can't touch your admin account.

    14. Do not upload config.php.new when upgrading your forums.
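Added example, not from the post above and not vBulletin's own code: a shell checklist for items 3, 4, 5, 11, 12 and 14. It finds the leftovers that must not exist on a live forum, reports control-panel directories that carry no .htaccess login, writes the Basic-auth .htaccess for a directory, and appends an htpasswd entry using `openssl passwd -apr1` (the same MD5-based scheme the htpasswd tool produces). The directory names it looks for (admincp, modcp, install, includes, impex, do_not_upload), the /etc/vb.htpasswd path and the demo tree are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original post or from vBulletin. Audits a vBulletin
# document root for the leftovers and unprotected directories the checklist above
# names, and protects a directory with HTTP Basic auth. Directory names, the
# htpasswd path and the demo tree are assumptions.

# Files and directories that should not exist on a live forum
# (tools.php, config.php.new, install/, do_not_upload/, impex/).
vb_leftovers() {
    find "$1" \( -name tools.php -o -name config.php.new \
        -o -type d -name install -o -type d -name do_not_upload -o -type d -name impex \) \
        2>/dev/null | sort
}

# Control-panel directories that exist but have no .htaccess demanding a login.
vb_unprotected_cp_dirs() {
    for d in admincp modcp install includes; do
        [ -d "$1/$d" ] || continue
        grep -qs '^AuthType' "$1/$d/.htaccess" || echo "$1/$d"
    done
    return 0
}

# Require Basic auth for directory $1; users are read from htpasswd file $2.
# Keep $2 outside the document root so it can never be downloaded.
protect_dir() {
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $2
Require valid-user
EOF
}

# Append user $2 with password $3 to htpasswd file $1 using Apache's apr1 scheme.
# Needs openssl; use a password that differs from the forum admin password (item 12).
add_htpasswd_user() {
    hash=$(printf '%s' "$3" | openssl passwd -apr1 -stdin) || return 1
    printf '%s:%s\n' "$2" "$hash" >> "$1"
}

# Constructed sample vBulletin tree (demo data only): two leftover files, two
# leftover directories, and a modcp that is already protected.
vb_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/admincp" "$root/modcp" "$root/install" "$root/includes" "$root/do_not_upload"
    : > "$root/tools.php"
    : > "$root/includes/config.php"
    : > "$root/includes/config.php.new"
    printf 'AuthType Basic\nRequire valid-user\n' > "$root/modcp/.htaccess"
    echo "$root"
}

# Stand-alone demo: sh vbcheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(vb_demo_tree)
    echo "remove these:";        vb_leftovers "$root"
    echo "unprotected cp dirs:"; vb_unprotected_cp_dirs "$root"
    protect_dir "$root/admincp" /etc/vb.htpasswd
    echo "after protecting admincp:"; vb_unprotected_cp_dirs "$root"
    rm -rf "$root"
fi
```

Run vb_leftovers and vb_unprotected_cp_dirs against the real document root after every upgrade, since an upgrade package re-creates install/ and ships config.php.new again. Password-protecting includes/ only stops direct HTTP requests for files in it; PHP's own include() reads them from disk and is unaffected.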

#9 whwrobert (Registered Member, joined Aug 2009, USA, 26 posts)

    How to find PHP Shells on your server

    In most hacking or defacing incidents, the most common tool used is a PHP shell. If you scan your server regularly for PHP shells and delete them, you can avoid many hacking and defacing attempts on your server.

    #!/bin/bash
    # Scan every cPanel account's public_html for strings that commonly appear in PHP shells.
    # The egrep command below is a single line; if it wraps when you paste it, join it again or it will generate an error.

    REPORT=/root/scan.txt
    MAILTO=user@domain.com    # replace with your email address

    # -r recurses, -l prints each matching file once (so no cut|uniq is needed), -I skips binary files such as images.
    /bin/egrep -rlI "cgitelnet|webadmin|PHPShell|tryag|r57shell|c99shell|noexecshell|/etc/passwd|revengans|myshellexec" /home/*/public_html > "$REPORT"

    # egrep leaves the report empty when nothing matched, so only then write the "nothing found" line
    # (writing it first and then redirecting egrep into the same file would overwrite it with nothing).
    if [ ! -s "$REPORT" ]; then
        echo "No PHP Shell was Found" > "$REPORT"
    fi

    mail -s "PHP Shell Scan" "$MAILTO" < "$REPORT"

    # Cron setting to run the scan daily at 06:00:
    # 0 6 * * * /path/to/this/script
    The above script is a very simple shell script which will scan the public_html directories of all cPanel accounts for various PHP shells. The script will then mail you the locations of any PHP shells. You can set a cron job for this script to run once a day. If you check the code, I have added a cron entry which you can use; it will execute the script daily at 6 AM.

    PHP functions which help hackers to hack your server

    I am listing below some PHP functions which you should keep disabled if you don't need them, as they help hackers deface your websites or hack the server:

    dl
    exec
    shell_exec
    system
    passthru
    popen
    pclose
    proc_open
    proc_nice
    proc_terminate
    proc_get_status
    proc_close
    leak
    apache_child_terminate
    posix_kill
    posix_mkfifo
    posix_setpgid
    posix_setsid
    posix_setuid
    escapeshellcmd
    escapeshellarg
    shell-exec
    fpassthru
    crack_check
    crack_closedict
    crack_getlastmessage
    crack_opendict
    psockopen
    php_uname
    symlink
    mkdir
    ini_restore
    posix_getpwuid
    error_log
    print_r
    scandir
    copy
    phpinfo
    ini_set
    To disable these functions, add the following line to /usr/local/lib/php.ini (keep the whole value on one line):

    disable_functions = "dl,exec,shell_exec,system,passthru,popen,pclose,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,shell-exec,fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_uname,symlink,mkdir,ini_restore,posix_getpwuid,error_log,print_r,scandir,copy,phpinfo,ini_set"

    Then restart the Apache server, that is, the httpd service.

    Please note: doing this will break some of the PHP scripts on your clients' sites. I would suggest you block the above functions first and then, when you come to know which PHP scripts are broken by this, remove the particular function needed by that script. This way your disable_functions list will be exactly as required by your server.

    Hope this helps you all.

    For further updates, stay tuned.
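Added example, not from the post: a shell helper that parses the disable_functions line of a php.ini and reports, for any list you give it, which functions are still enabled and which functions an application needs that the list has just switched off, so the list can be trimmed before the httpd restart rather than after customer scripts break. The sample php.ini is constructed inline and is not a real server's file; the live_check function needs a php binary on the PATH and is otherwise skipped.

```sh
#!/bin/sh
# Added example, not from the original post. Reads disable_functions from a
# php.ini and diffs it against lists of function names. Sample ini is constructed.

# Functions currently named in disable_functions of ini file $1, one per line.
# Commented-out lines (";disable_functions = ...") are ignored.
disabled_functions_in() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr -d '" ' | tr ',' '\n' | sed '/^$/d' | sort -u
}

# From the names $2..$n, print those that are NOT disabled in $1.
# Empty output means the ini covers everything you asked for.
missing_disabled() {
    ini=$1; shift
    have=$(disabled_functions_in "$ini")
    for fn in "$@"; do
        printf '%s\n' "$have" | grep -qx -- "$fn" || echo "$fn"
    done
    return 0
}

# From the names $2..$n, print those that ARE disabled in $1: feed it the calls
# an application makes to learn what will break before restarting httpd.
disabled_from() {
    ini=$1; shift
    have=$(disabled_functions_in "$ini")
    for fn in "$@"; do
        printf '%s\n' "$have" | grep -qx -- "$fn" && echo "$fn"
    done
    return 0
}

# Ask the PHP binary, if present, whether each name is callable. This checks the
# configuration PHP actually loaded rather than the file you edited;
# function_exists() returns false for functions removed by disable_functions.
live_check() {
    command -v php >/dev/null 2>&1 || { echo "no php binary in PATH"; return 0; }
    for fn in "$@"; do
        php -r "echo '$fn: ', function_exists('$fn') ? 'enabled' : 'disabled', PHP_EOL;"
    done
}

# Constructed sample php.ini for the demo (not a real server's file). The value
# uses quotes and stray spaces on purpose, and a commented-out line must be ignored.
make_demo_ini() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[PHP]
; disable_functions = exec,system   (commented out, must be ignored)
expose_php = Off
disable_functions = "exec, shell_exec,system,passthru,popen,proc_open,phpinfo,print_r"
allow_url_fopen = Off
EOF
    echo "$f"
}

# Stand-alone demo: sh inicheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
    ini=$(make_demo_ini)
    echo "still enabled:";            missing_disabled "$ini" exec system dl symlink
    echo "needed by app but blocked:"; disabled_from "$ini" print_r phpinfo mysql_connect
    live_check exec print_r
    rm -f "$ini"
fi
```

Point it at the ini the server really loads (php -i | grep 'Loaded Configuration File' tells you which one) rather than at /usr/local/lib/php.ini by habit. Then collect the function names an application uses, for example with grep over its source, and pass them to disabled_from before rolling the list out.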

#10 konrath (Registered Member, joined May 2005, Brasil, 350 posts)

    Hello

    Thank you very much, whwrobert.

    Konrath

#11 (Registered Member, joined Nov 2004, 44 posts)

    Yep, good one.

    Prashant

#12 (Registered User, joined Aug 2010, 1 post)

    Awesome tutorial, buddy. Thanks.

#13 (Registered User, joined Sep 2010, Houston, TX, 2 posts)

    Very nice tutorial and very helpful.

    Also, this might be an obvious one, but I didn't see it in your list:

    Make sure you remove the "install" directory after you have installed a script like WordPress.

#14 brianoz (Registered Member, joined Mar 2004, Melbourne, Australia, 1,149 posts; cPanel/WHM Access Level: Root Administrator)

    Thanks for sharing; it seems like this is new information for many people.

    Two points of feedback:

    Firstly, allowing scripts to run from a mode 777 directory is the actual root problem. "Fixing" anything else is a waste of time, as the underlying weakness is still there. Mod_Security, in any of its forms, will prevent this from happening: it will not allow a script to run if it is in a writable directory. With this in place, the baddies can find upload weaknesses all they like and nothing will happen.

    One of the key issues here is that you are running your Apache server in DSO mode, which means that all PHP scripts run as a common user (the user called "nobody"). This makes it absolutely trivial to hack user accounts in a myriad of ways, and your only way of mitigating this is to remove access to nearly all the PHP directives, as you have done.

    The trick here is to turn the water off at the tap, rather than trying to patch the leaky hose, which is a never-ending task!

    Second major point: turning off all your PHP directives makes your server a LOT less usable. If I were a customer I would never use your server, as it would just be too locked down to be useful. For instance, directives such as passthru(), system() and phpinfo() are often used in real apps, and in phpinfo()'s case are absolutely essential (without it I can't see what features the server's PHP has). And you've even locked down print_r()!! Why you would lock down a trivial debugging command I'm not sure. Apologies if this seems rude, that's not my intent; I guess the real problem is that you have to lock the server down so tight because you are running in DSO mode.

    This brings me back to a key point: if you are running a shared webserver with real users on it, and you are serious about your business and about providing acceptable service to your customers, you'll get your server security hardened by a professional who knows all this stuff, rather than trying to guess your way into it one step at a time from threads like this. One very good such company is ConfigServer Services (Chirpy has been a well-loved moderator on this forum for years, and we've used his services for 6 years); platinumservers is also very good, as are others. The problem with doing it yourself is that you can just never know as much as a professional, and you need to consider how much it could cost you if your whole server got hacked through a user account. Good security is multi-faceted: many different layers.

    Not to question the usefulness of threads like this at all; great stuff, and thanks again for sharing, and keep the good thoughts coming.
    White Dog Green Frog - web hosting and web development since 2002
    Blogs: SMB web use cPanel/WHM scripts

#15 brianoz (Registered Member, joined Mar 2004, Melbourne, Australia, 1,149 posts; cPanel/WHM Access Level: Root Administrator)

    One more little tip: provide your users with a cPanel-integrated tool like Softaculous, Installatron or Fantastico for script installation.

    These cPanel menu options provide full installation of many common packages like WordPress, and they get it right out of the box, removing the bits that are insecure if left there, etc.

    Also, don't use the default username for the WordPress admin user; use something like manager, control, system or sysmgr, anything other than the default. This can reduce your chances of being hacked by quite a lot.

    Also, never use your cPanel (or other admin) password as your database password. This is because your DB password has to go in a config file, and if they hack their way into that file, they then have your control panel password!

    The auto-installers all make up random passwords for databases; I guess that's just one more reason to use them.
    White Dog Green Frog - web hosting and web development since 2002
    Blogs: SMB web use cPanel/WHM scripts
