How does Hacking take place on Cpanel server?

[whwrobert]

How does Hacking take place on Cpanel server?

I am writing this post to explain how accounts on server get hacked. Many times it happens that cpanel accounts on server are hacked. Most common hacks are like index page is replaced with some other code thus defacing your website. Some times this types of hacks happen on all accounts including backup on server. Many times it is also an Iframe Hack where hacker puts an extra code to your website and whoever accesses that website, a virus enters their computer thus infecting it. We are not going deep in to the types of hacking but what I am going to explain here is how can we stop this from happening or at least prevent or avoid from happening. If you are facing issue of Iframe hack then one of our cpanel forum member have posted a good article which you can find it here:

http://forums.cpanel.net/f5/solution...tml#post363227

Now one would ask “How does this hacking takes place?” Such defacing hacking takes place and we get victim of it because we are careless or we don’t have basic knowledge of keeping our site secure. It is us who give a way for any hacking to take place. Any hacking which is taking place by browser happens due to weak permissions. Many common php applications we use like a picture gallery, forum etc are start point of hacking if and only if they are insecure or are of older versions or some files or directories of that applications are having weak permissions like 777 or 755. For example I have a application which has option of uploading a file. Now if that uploaded file is going in directory for example “images” and “images” is having 777 permissions. Now if I upload any defacing script using that options to images directory say “deface.php” then I can easily access that script using link:

http://domain.com/images/deface.php

as the images directory is having 777 permissions I can easily execute that script and can deface that account or website. If the permissions on other directories of server are really weak then I can deface the files in other locations of server also. After uploading the script I find more accounts on server who are having weak permissions then I can run my script from its current location and can hack other accounts too. So in this way your account, some other accounts or even whole server is hacked due to weak permissions. To clear this point I have attached a small php script with this post. Just upload it to your account and access it from browser you will see that you can browse other files on server whose permissions are weak.

THIS IS NOT A HACKING SCRIPT AT ALL, NOR I AM PROMOTING HACKING IN ANY WAY. THIS SCRIPT WILL HELP YOU TO FIND OUT WEAKNESS IN YOUR ACCOUNT SECURITY. THIS IS JUST FOR EDUCATIONAL PURPOSE. IF MODERATORS OF THIS FORUM THINK THIS POST IS AGAINST ANY OF THEIR RULES THEY ARE WELCOME TO DELETE THIS POST.

This script is type of browser to browse files on the server or account, where file permissions are weak like 777 or 755 you can browse them though they don’t belong to your account. This script cannot be used to modify or execute any command so don’t worry

So in order to stop all such hackings on the server or to your account always be alert on permissions. Many people use 755 or 777 permissions casually thus becoming victim of some hacking today or tomorrow. Secondly always keep your php applications upgraded to their latest versions so that if there is any code or bug in previous versions they will be cleared. This was very short information but if other forum members want to add more to this they are welcome.

I will be adding more security tips in coming days so stay tuned

[votethehost.com]

Great info, Thanks

[bigal]

If you try to upload deface.php to an image directory that has chmod 777, but gets denial by php script that says only .gif .png .jpg images are allowed, then should you just rename deface.php to deface.jpg before uploading.

Because the directory is chmod 777, can the user from the same site run a php script to rename deface.jpg to deface.php in that chmod 777 directory?

[BianchiDude]

How does Hacking take place on Cpanel server?

I am writing this post to explain how accounts on server get hacked. Many times it happens that cpanel accounts on server are hacked. Most common hacks are like index page is replaced with some other code thus defacing your website. Some times this types of hacks happen on all accounts including backup on server. Many times it is also an Iframe Hack where hacker puts an extra code to your website and whoever accesses that website, a virus enters their computer thus infecting it. We are not going deep in to the types of hacking but what I am going to explain here is how can we stop this from happening or at least prevent or avoid from happening. If you are facing issue of Iframe hack then one of our cpanel forum member have posted a good article which you can find it here:

http://forums.cpanel.net/f5/solution...tml#post363227

Now one would ask “How does this hacking takes place?” Such defacing hacking takes place and we get victim of it because we are careless or we don’t have basic knowledge of keeping our site secure. It is us who give a way for any hacking to take place. Any hacking which is taking place by browser happens due to weak permissions. Many common php applications we use like a picture gallery, forum etc are start point of hacking if and only if they are insecure or are of older versions or some files or directories of that applications are having weak permissions like 777 or 755. For example I have a application which has option of uploading a file. Now if that uploaded file is going in directory for example “images” and “images” is having 777 permissions. Now if I upload any defacing script using that options to images directory say “deface.php” then I can easily access that script using link:

http://domain.com/images/deface.php

as the images directory is having 777 permissions I can easily execute that script and can deface that account or website. If the permissions on other directories of server are really weak then I can deface the files in other locations of server also. After uploading the script I find more accounts on server who are having weak permissions then I can run my script from its current location and can hack other accounts too. So in this way your account, some other accounts or even whole server is hacked due to weak permissions. To clear this point I have attached a small php script with this post. Just upload it to your account and access it from browser you will see that you can browse other files on server whose permissions are weak.

THIS IS NOT A HACKING SCRIPT AT ALL, NOR I AM PROMOTING HACKING IN ANY WAY. THIS SCRIPT WILL HELP YOU TO FIND OUT WEAKNESS IN YOUR ACCOUNT SECURITY. THIS IS JUST FOR EDUCATIONAL PURPOSE. IF MODERATORS OF THIS FORUM THINK THIS POST IS AGAINST ANY OF THEIR RULES THEY ARE WELCOME TO DELETE THIS POST.

This script is type of browser to browse files on the server or account, where file permissions are weak like 777 or 755 you can browse them though they don’t belong to your account. This script cannot be used to modify or execute any command so don’t worry

So in order to stop all such hackings on the server or to your account always be alert on permissions. Many people use 755 or 777 permissions casually thus becoming victim of some hacking today or tomorrow. Secondly always keep your php applications upgraded to their latest versions so that if there is any code or bug in previous versions they will be cleared. This was very short information but if other forum members want to add more to this they are welcome.

I will be adding more security tips in coming days so stay tuned

Great post!

[whwrobert]

Some Tips to Avoid Defacing of your site.

As I always say, most of the defacing around 90% takes place on websites having:

1) Wordpress
2) PHP Forums (Any PHP Forum)
3) Mambo
4) Joomla

and there are many names in list ........

The most important question to ask yourself is, WHY only these types of applications are hacked ? Because they are really easy to hack. To do this actually there is no knowledge is need as you can do it from a simple browser.

What you should do to avoid defacing of yor website.

1) If your site is using any above applications then they should be always updated and runing in their latest version.

2) THIS IS MOST IMPORTANT
Many users use above applications and to do more customization they install different types of plugins and addons to their application. Now we never check that who has developed this addon, does this addon have any bug which is vulnerable to website. We never check upgraded version of the addon or plugin used by us and thats where we make mistake. Suppose we have upgraded version of any of the specified above applications and we are really relaxed thinking that I have upgraded the application of my website BUT WHAT ABOUT ADDONS AND PLUGINS ? Then later on your site is dafaced and you think "How can this happen when my application was of latest version". This happened because your application was hacked or defaced using the php files of the addon or plugin installed by you and not by using the files of the upgraded application under your site.

So always verify the developer or code security of addon or plugin which you are thinking to install. Do some research before using any free addon or plugin.

3) Last but not the least, Secure Permissions.
Fore more information on permission scroll above for my first post.

Hope you all find this information usefull. Feed Backs are welcome

I will be soon back with more useful information, till then Good bye

[votethehost.com]

Keep Posting the good work. Very Helpfull

[pjman]

I think if you make your living online, no matter what time of day, somewhere in our heads we are thinking "I wonder if my site got hacked." I only had a single deface done once to one of my server about 8 years ago. Ever since, I'm super paranoid. Thanks for the info.

[whwrobert]

How To Make My Forums More Secure Eg: Vbulletin

Here's some things you can do to increase the level of security for your forums:

1. Always upgrade to the latest stable version.

2. Do not install any unofficial hacks or plugins as they are not written or reviewed by our developers.

3. Password protect your Administrator and Moderator Control Panels directories as well as the install and includes directories using .htaccess/.htpassword Comprehensive guide to .htaccess- password protection

4. Make sure the tools.php (vB3) file is NOWHERE on your website.

5. Remove the ImpEx files if you had used this import system.

6. If you have phpMyAdmin make sure it's password protected.

7. If you suspect a hacking attempt, ask your host to change the login password for your web account.

8. Make sure all the Admin and Mod passwords are secure. Change them if you have any doubts. And use hard to guess passwords.

9. NEVER allow HTML in posts, PMs or in sigs.

10. Make absolutely sure there are no viruses, trojans or keylogger spyware on your PC. Any of these could steal your password and other personal info.

11. Do NOT upload the directory called do_not_upload/

12. Use a different password for each forum you sign up with. Use a
different password for your forum as you do for the .htaccess directory password.

13. Update the config.php file and set yourself as undeletable user so they can't touch your admin account.

14. Do Not Upload config.php.new when upgrading your forums.

[whwrobert]

How to find PHP Shell on your server

In most of the hacking or defacing the most common tool used is PHP Shell. If you scan your server regularly for php shell and delete them you can avoid many hacking and defacing attempt on your server.

#!/bin/bash
#Scanning all users directory for various php shell
# Below command is one line so see that its one line in your script or else it will generate error

echo "No PHP Shell was Found" > /root/scan.txt
/bin/egrep "cgitelnet|webadmin|PHPShell|tryag|r57shell|c99shell|noexecshell|/etc/passwd|revengans|myshellexec" /home/*/public_html -R | cut -d: -f1 | uniq > /root/scan.txt

/bin/cat /root/scan.txt | mail -s "PHP Shell Scan" user@domain.com

#Replace your email address above

#Cron Settings
# 0 6 * * * PATH TO SCRIPT

The above script is a very simple shell script which will scan all public_html directories of all cpanel accounts for various php shell. Then the script will mail you the locations of PHP Shell. You can set cron for this script to run once a day. If you check the code I have added a cron for it which you can use which will execute the script on 6th hour daily.

PHP Functions which help hackers to hack your server

I am listing below some PHP Functions which you should keep disabled if you dont need them as they help hackers to deface your websites or hack the server:

dl
exec
shell_exec
system
passthru
popen
pclose
proc_open
proc_nice
proc_terminate
proc_get_status
proc_close
leak
apache_child_terminate
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid
escapeshellcmd
escapeshellarg
shell-exec
fpassthru
crack_check
crack_closedict
crack_getlastmessage
crack_opendict
psockopen
php_uname
symlink
mkdir
ini_restore
posix_getpwuid
error_log
print_r
scandir
copy
phpinfo
ini_set

To disable these functions you can add following line to /usr/local/lib/php.ini

disable_functions = "dl,exec,shell_exec,system,passthru,popen,pclose,proc_open,proc_nice,proc_terminate,proc_get_status,proc_close,leak,
apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,escapeshellcmd,escapeshellarg,shell-exec,fpassthru,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_uname,symlink,mkdir
,ini_restore,posix_getpwuid,error_log,print_r,scandir,copy,phpinfo,ini_set"

Then restart the apache server that is httpd service.

Please note: Doing this will break some of the php scripts on your clients. I would suggest you to block above functions first and then when you come to know which php scripts are breaking by this, at that time you can remove that particular function needed by the script. This way your disable function list will be perfect as required by your server

Hope this helps you all.

For further updates, Stay Tuned

[konrath]

Hello

thank you very much whwrobert

Konrath

[prashant_ohol]

Yep, good one.



Prashant

[himmler123]

awesome tutorial buddy
thanks

[Markspixel]

Very nice tutorial and very helpful

Also, This might be an obvious one but I didn't see it in your list

Make sure you remove the "Install" directory after you have installed a script like wordpress

[brianoz]

Thanks for sharing, seems like this is new information for many people.

Two points of feedback:

Firstly, allowing scripts to run from a mode 777 directory is the actual root problem. "Fixing" anything else is a waste of time as the underlying weakness is still there. Mod_Security in any of it's forms, will prevent this from happening - it will not allow a script to run if it is in a writeable directory. With this in place, the baddies can find upload weaknesses all they like and nothing will happen.

One of the key issues here is that you are running your Apache server in DSO mode - which means that all PHP scripts run as a common user (the user called "nobody"). This makes it absolutely trivial to hack user accounts in a myriad of ways, and your only way of mitigating this is to remove access to nearly all the PHP directives, as you have done.

The trick here is to turn the water off at the tap, rather than trying to patch the leaky hose - which is a never ending task!

Second major point - turning off all your PHP directives makes your server a LOT less usable. If I was a customer I would never use your server, as it would just be too locked down to be useful. For instance, directives such as passthru(), system() and phpinfo() are often used in real apps - and in phpinfo()'s case are absolutely essential (without it I can't see what features the server PHP has). And you've even locked down print_r()!! Why you would lock down a trivial debugging command I'm not sure. Apologies if this seems rude, that's not my intent - I guess the real problem is that you have to lock the server down so tight because you are running in DSO mode.

This brings me back to a key point - if you are running a shared webserver with real users on it, if you are serious about your business and providing acceptable service to your customers, you'll get your server security hardened by a professional who knows all this stuff, rather than trying to guess your way into it one step at a time from threads like this. One very good such company is ConfigServer Services (Chirpy has been a well loved moderator on this forum for years, and we've used his services for 6 years); platinumservers is also very good, as are others. The problem with doing it yourself is that you can just never know as much as a professional, and you need to consider how much it could cost you if your whole server got hacked through a user account. Good security is multi-faceted - many different layers.

Not to question the usefulness of threads like this, at all, great stuff, and thanks again for sharing, and keep the good thoughts coming.

[brianoz]

One more little tip - provide your users with a Cpanel integrated tool like Softaculous, Installatron or Fantastico for script installation.

These cPanel menu options provide full installation of many common packages like Wordpress, and they get it right out of the box - removing the bits that are insecure if left there, etc.

Also, don't use the default username for the WordPress admin user - use something like manager, or control, or system, or sysmgr - anything other than the default. This can reduce your chances of being hacked by quite a lot.

Also, never use your cpanel (or other admin password) as your database password. This is because your DB password has to go in a config file, and if they hack their way into that file, they then have your control panel password!

The auto installers all make up random passwords for databases, I guess just one more reason to use them.