#31 - Member, Sachse, TX (joined Feb 2003, 567 posts)

    PHPSuexec is on all servers including this one.

    PHP Safe Mode is off...

#32 - Member (joined Jul 2004, 182 posts)

    So have you taken measures to counter the reduced security inherent in running PHP with Safe Mode off?

#33 - Member, Sachse, TX (joined Feb 2003, 567 posts)

    Doesn't using phpsuexec defeat the need for PHP Safe Mode?

    I also have other restrictions on (almost all security tweaks are on, i.e. open_basedir, etc.).

#34 - Member (joined Jul 2004, 182 posts)

    phpsuexec does not stop the exec() function, for example (a dangerous function in the wrong hands), and even with Safe Mode on you still have to disable functions etc. in php.ini to be sure.

    As I understand it, open_basedir limits PHP so that it can only run in the user's own directory tree (/home/username/<etc>), but that's all. It can still run a dangerous script from there, right?

#35 - Member, Sachse, TX (joined Feb 2003, 567 posts)

    True.

    Still doesn't tell us how someone got into FTP easily without brute force or anything.
    I even have mod_security to prevent a lot of attempts... recently added dm.cgi etc. to block those from running.

    Besides, the user wouldn't be able to run root commands or get root passwd files, would they?

    So it brings us to square one.

    There is nothing in the logs that shows any attempt of any kind against any programs.
    EVEN one site that had nothing in it but index.html was used to put dm.cgi and spamvertisement in, so that has nothing to do with what we are talking about above.

    Brenden

#36 - Member (joined Jul 2004, 182 posts)

    Quote Originally Posted by Brenden:
    EVEN one site that had nothing in it but index.html was used to put dm.cgi and spamvertisement in so that has nothing to do with what we are talking about above
    Well, as far as I'm concerned the answer is maybe, but not necessarily. Until the method of hacking is actually KNOWN, how can you really rule anything out?

  7. #37
    cPanel Partner NOC cPanel Partner NOC Badge DWHS.net's Avatar
    Join Date
    Jul 2002
    Location
    LA, Costa RIca
    Posts
    1,342

    Default

    OK, we just ran into our first experience with this today. The passwords on the three sites are not crackable and the servers were updated with mod_security. The accounts are on different servers and there are probably more that we have not found yet.

    My best attempt to find the method is to compare the accounts hacked to the ones not.

    I did notice PHP was on each of the sites so far, so my guess at this point is someone is scanning the servers' users and checking each website for PHP insecurities.

    Also, some were PHP 4 and some PHP 5, so it's not that.

#38 - Member, UK, Luton (joined Sep 2003, 197 posts)

    Let's hope more people being affected will kick cPanel in the arse to take a look at it.

    Even if it's not directly a cPanel issue, the number of people being affected that are running cPanel should mean cPanel have a duty to at least LOOK at the issue.

    I won't be satisfied cPanel is not to blame until I know definitively what is to blame.

    Regards,
    James Smith
    UH Hosting Ltd

#39 - DWHS.net, cPanel Partner NOC, LA, Costa Rica (joined Jul 2002, 1,342 posts)

    I think if anything is connected to cPanel it's how they are getting a list of the domains. There are affected domains on almost every shared server, so they don't have accounts on the server. It's something with PHP that even mod_security and being updated cannot protect against.

#40 - Member, Root Administrator access level (joined Aug 2001, 421 posts)

    I had a server where several sites were exploited. The hacker broke into a website that was running a very old version of WordPress. They installed something called zbrute on that account. They were able to get the password for the account because it was stored in a config.php file that was in the public_html directory. They uploaded a PHP shell script that allowed them to browse the server. There were some sites that had config files with username/password information that could be read by the shell script. There are numerous users who use the same password for their PHP/MySQL apps that they use for cPanel access.

    Any directory that was chmod 777 they placed a hacked index file in. Any site that was running old, insecure versions of popular software applications was hacked and defaced. This had nothing to do with cPanel and had everything to do with websites that are still using the old xmlrpc.php files that had that huge security hole and website owners who won't update their software. One of the sites that was hacked belonged to a customer whom I had been telling for weeks to upgrade the software. He learned the hard way.

    I placed a rule in my modsecurity configuration that prevents HTTP access to xmlrpc.php. I then went to every single website on the server and limited access to those sites running outdated software until they were updated. This had nothing to do with cPanel and they did not need root access to hack this server. All they need is a site running insecure PHP software.
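
The conditions this post and #34 describe (exec() and friends not listed in php.ini's disable_functions, chmod 777 directories under public_html, config files with plaintext passwords readable from a PHP shell, old xmlrpc.php copies lying around) can all be audited from the shell before an attacker finds them. The script below is an added example, not code from the thread or from cPanel; it is POSIX sh, the /home/<user>/public_html layout and the config file names are assumptions, and the sample tree it builds at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Hypothetical audit helpers for a shared-hosting /home tree. Added example,
# not from the thread or from cPanel. Layout and file names are assumptions.

# Directories any local user can write to: the "chmod 777" directories that,
# per the post above, each received a hacked index file.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 | sort
}

# Config files under the web tree that carry a plaintext password setting.
# These are what a PHP shell running as the web user can read on a box
# where open_basedir is the only barrier.
find_exposed_configs() {
    find "$1" -type f \( -name 'config.php' -o -name 'wp-config.php' \) \
        -exec grep -li 'pass' {} + 2>/dev/null | sort
}

# Copies of xmlrpc.php: worth a look on every account that still has one.
find_xmlrpc() {
    find "$1" -type f -name 'xmlrpc.php' | sort
}

# Print each function named on the command line that is NOT in the php.ini
# disable_functions list. Empty output means every requested function is off.
# Usage: php_ini_missing_disabled /usr/local/lib/php.ini exec system passthru
php_ini_missing_disabled() {
    ini="$1"; shift
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" | tr -d ' ')
    for fn in "$@"; do
        case ",$disabled," in
            *",$fn,"*) ;;           # listed: disabled
            *) echo "$fn" ;;        # not listed: still callable
        esac
    done
}

# Build a constructed sample tree (assumption: cPanel-style layout) and run
# the four checks against it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/alice/public_html/uploads" "$tmp/home/bob/public_html"
    chmod 755 "$tmp/home" "$tmp/home/alice" "$tmp/home/alice/public_html" \
              "$tmp/home/bob" "$tmp/home/bob/public_html"
    chmod 777 "$tmp/home/alice/public_html/uploads"
    printf '<?php $db_password = "s3cret";\n' > "$tmp/home/alice/public_html/config.php"
    printf '<?php echo "hello";\n' > "$tmp/home/bob/public_html/index.php"
    : > "$tmp/home/bob/public_html/xmlrpc.php"
    printf 'disable_functions = exec,system\n' > "$tmp/php.ini"

    echo "world-writable dirs:";   find_world_writable_dirs "$tmp/home"
    echo "configs with passwords:"; find_exposed_configs "$tmp/home"
    echo "xmlrpc.php copies:";     find_xmlrpc "$tmp/home"
    echo "dangerous functions still enabled:"
    php_ini_missing_disabled "$tmp/php.ini" exec system passthru shell_exec popen proc_open
    rm -rf "$tmp"
}

demo
```

Running the file as-is prints the findings for the constructed tree; on a real server, call the functions with /home and the live php.ini instead. The world-writable check is the one to run first: it is cheap, and it is the exact condition the post ties to the defaced index files.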

#41 - Member (joined Jul 2004, 182 posts)

    Yes, but with phpSuExec and open_basedir, safe mode on etc. you would not normally expect a list of nearly all FTP passwords to be accessible, would you? I agree it definitely could be a little-known hole in PHP itself, but I am less inclined to suppose that insecure scripts can allow this level of breach on a well secured box.

    Perhaps we should be suspecting Perl scripts? Can they do more damage than PHP nowadays? Any comments from anyone on this specifically?

#42 - DWHS.net, cPanel Partner NOC, LA, Costa Rica (joined Jul 2002, 1,342 posts)

    Well, for sure they are adding the bad code through FTP, so how are they getting the passwords again?

    I don't think they could have accounts on every server, so it must be an FTP exploit? Maybe pure-ftp is not secure?

#43 - casey, Member, "If there is trouble, it will find me" (joined Jan 2003, 2,336 posts)

    Are any of the accounts/servers involved using MovableType? The kiddies got into one of my servers, and all it had on it was one site with MovableType. I suspected it might have been MT because they only got the files in that directory and subdirectories but not anything above it.

#44 - Member (joined Jul 2004, 182 posts)

    Well then, whether or not Movable Type is installed seems irrelevant, because the whole idea is that the hackers must somehow be getting into root-level directories, maybe even /etc/passwd and so on.

    Does cPanel keep a database of users/passwords of its own? What about pure-ftp, does it have any kind of separate user authentication list?

#45 - DWHS.net, cPanel Partner NOC, LA, Costa Rica (joined Jul 2002, 1,342 posts)

    Quote Originally Posted by casey:
    Are any of the accounts/servers involved using MovableType? The kiddies got into one of my servers, and all it had on it was one site with MovableType. I suspected it might have been MT because they only got the files in that directory and subdirectories but not anything above it.
    Nope, we don't even allow that.

    Somehow they are getting the account password without even having an account on the server and without cracking them. But the only sites affected have PHP files.

    I think they are using a PHP exploit to get the account's password and FTPing with it.

    If they had root access they would just do a find-and-replace on all index pages, and not waste time trying to FTP.
