Community Forums
#1 Member (BigLebowski; joined Dec 2007, 70 posts)

world-readable wp-config.php and configuration.php files (SuPHP)

    hi there

    Fantastico appears to leave these files 644 on installation which allows any server user to obtain the database user password and plunder the application. Quite often the password is the Cpanel password which permits a full account rape. I don't know if these files have the universe read bits set following a standard Cpanel install using the "Software" section?

    Anyone any ideas on how to change the install so it chmods these 600 or 700?

    I am running Suphp so 600 or 700 work fine.

    Best
    Dude

#2 Infopro, cPanel Product Evangelist (joined May 2003, Pennsylvania, 7,891 posts; cPanel/Enkompass Access Level: Root Administrator)

    How does 'any server user' get to and read these files' contents? The database password is auto generated by Fantastico, I've never noticed it being the same as the cPanel password.

    I'm assuming you have the PHPsuexec option set to installed in Fantastico settings?
    Fav cPlinks this week: Blog - cPanel & WHM 11.32 we love it! | cPanel University study for it! | Attracta is coming! we want this!

#3 cPanelJeff, cPanel Staff (joined Sep 2010, 80 posts)

    Quote Originally Posted by BigLebowski:
    Fantastico appears to leave these files 644 on installation which allows any server user to obtain the database user password and plunder the application
    The permissions on a user's public_html/ directory when using suphp should be 0750, user:nobody. This prevents any server user from wandering into other users' public_html/ directories and viewing world readable files. This is the default behavior when using suphp with cPanel. That's not to say that other attacks may not be possible, or that having a file world readable when it doesn't need to be is a good idea. I just wanted to clarify the permissions structure.
    cPResources: -- cPJeff - Jeff P., Technical Analyst, cPanel Technical Support - Need to submit a ticket? (click here) - Need to check on an existing ticket? (click here)

#4 Member (BigLebowski; joined Dec 2007, 70 posts)

    Thanks Jeff. I initially thought it was a vulnerability due to finding folders on hacked accounts full of tens of thousands of these entries:

    lrwxrwxrwx 1 simo5953 simo5953 43 Jul 9 10:37 zoec89994.txt -> /home/zoec8999/public_html/admin/config.php
    lrwxrwxrwx 1 simo5953 simo5953 41 Jul 9 10:37 zoec89995.txt -> /home/zoec8999/public_html/admin/conf.php
    lrwxrwxrwx 1 simo5953 simo5953 42 Jul 9 10:37 zoec89996.txt -> /home/zoec8999/public_html/conf_global.php
    lrwxrwxrwx 1 simo5953 simo5953 41 Jul 9 10:37 zoec89997.txt -> /home/zoec8999/public_html/include/db.php
    lrwxrwxrwx 1 simo5953 simo5953 38 Jul 9 10:37 zoec89998.txt -> /home/zoec8999/public_html/connect.php
    lrwxrwxrwx 1 simo5953 simo5953 38 Jul 9 10:37 zoec89999.txt -> /home/zoec8999/public_html/mk_conf.php
    lrwxrwxrwx 1 simo5953 simo5953 49 Jul 9 10:37 zoec8999.txt -> /home/zoec8999/public_html/vb/includes/config.php

    As you can see, they are "guesses" at locations of config files. This is presumably a powerful attack on servers running without SuPHP, but I agree, the links don't seem to benefit a hacker on a SuPHP server.

    I am still left with tens of Wordpress accounts hacked and only a handful of C99 type shells and mailers left in the hacker's wake. The Wordpress versions are 3.1.2 and 3.2 and the index pages modified tend to be in the themes folders. I don't think there's a general vulnerability in Wordpress or the themes, but we do run Fantastico and I note that vulnerabilities exist for that.

    Once a hacker has accessed one account and has gleaned all the Cpanel usernames (a simple task), what's to stop a scripted brute force attack from localhost on pop3 or ftp?

    Dude

#5 Infopro, cPanel Product Evangelist (joined May 2003, Pennsylvania, 7,891 posts; cPanel/Enkompass Access Level: Root Administrator)

    How does one glean all cPanel usernames from one account?

    Wordpress on a non SuPHP server presumably has directories that are owned by nobody, correct? The wordpress owner uploads a theme or mod via the wp-admin and that php upload process changes the owner of the files and any directories the upload may create. We don't want nobody owning anything inside public_html.

    Do you by chance use CXS? ConfigServer eXploit Scanner (cxs)

#6 Member (BigLebowski; joined Dec 2007, 70 posts)

    I was using a shell the hackers left behind. There was a function called "list Cpanel users" or similar. I pressed the button and hey presto, a full list of users was presented.

    The box is not rooted. However I have a strong suspicion it is vulnerable to the Fantastico LFI vulnerability. If you like, I can probably find the shell and post it somewhere for you.

    Best
    Dude

#7 Infopro, cPanel Product Evangelist (joined May 2003, Pennsylvania, 7,891 posts; cPanel/Enkompass Access Level: Root Administrator)

    No thanks, I've seen my share. I would not suggest you do something like that unless you're sure of what you're doing.

    It sounds like you do, of course. I just want to mention here that hidden in those sorts of scripts may be lines of code that contain an email address to send details to. You might not see it if it's encoded, but it can happen, I would think.

    Checking those sorts of scripts out more closely should be done on a test server behind a firewall, locked down tight.

#8 Member (BigLebowski; joined Dec 2007, 70 posts)

    hi there, I should point out I'm just browsing the shells using a web browser without any escalated privileges. The hacked accounts are riddled with them and the access logs show the hackers using them. Whatever I'm doing, they can do also.

    Do you have any more info re. the Fantastico LFI vulnerability? I am looking for a clear script or method to check for it but the links so far provide a general concept. Specifically, when I visit http://test.com:2082/fantasticopath/.... etc I'm just presented with a Cpanel login. Does the file inclusion still operate despite not entering valid Cpanel credentials?

    Also has Fantastico patched for this yet?

    Best
    Dude

#9 Infopro, cPanel Product Evangelist (joined May 2003, Pennsylvania, 7,891 posts; cPanel/Enkompass Access Level: Root Administrator)

    Are you speaking of this?

    You cannot get to the .fantastico directory from your browser, it's outside public_html.

#10 Member (BigLebowski; joined Dec 2007, 70 posts)

    No, I have since determined the hack is via symbolic link.

    All it takes is one account to be hacked, eg fred.com. Hacker then creates a symbolic link to "/" such as 1.txt --> "/"
    He can then browse using a web browser http://test.com/1.txt/home/user/public_html/

    where "user" is any Cpanel account. Usernames are easily obtainable via http://test.com/1.txt/home/ and also via /etc/passwd which is world-readable. Permissions are:

    / - 755 - root.root
    /home - 755 - root.root
    /home/user - 711 - user.user
    /home/user/public_html - 750 - user.nobody

    This would not be a problem if all users' sensitive files were chmod 600. But on this server, Fantastico creates new WP installs using 644. Therefore all Wordpress installs can be plundered.

    I have scripted a chmod 600 on all wp-config.php which should help and am now doing Joomla (configuration.php)

    This is a SuPHP server.

    Best
    Dude

#11 cPanelTristan, cPanel Staff (joined Oct 2010, Location: somewhere over the rainbow, 6,304 posts; cPanel/Enkompass Access Level: Root Administrator)

    Have you informed Fantastico about the issue? Their site is at https://netenberg.com/
    cPResources: Support Options | More Support Options | Forums Search | cPanel.net Site Search | Mailing Lists(Alt) | Docs
    -- Tristan, Forums Technical Analyst, cPanel Tech Support

    Submit a ticket | Check an existing ticket

#12 Member (BigLebowski; joined Dec 2007, 70 posts)

    Tristan, this is not a Fantastico issue as far as I can see. It is a linux file system vulnerability (we use Centos; not sure about any other OS?). I am liaising with your Dave Lanning presently. The only workaround I can envisage is to put a wrapper around "ln" and chmod 600 all database config files in user areas on the server. Then perhaps put in place a cron to fix any configs the user changes.

    This is of concern for CPanel if any apps in the "Software" section set the universal read bit by default on database config files.

    Best
    Dude
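The check a practitioner would want after posts #4, #10 and #12: find the two conditions the symlink attack needs (a database config file readable by group or other, and a symlink inside a public_html that resolves outside the owning account) and apply the chmod 600 stopgap from post #12. Note why the 750 user:nobody reasoning in posts #3 and #14 does not hold against post #10's observation: on cPanel, Apache itself runs as nobody, so it passes the group bit on public_html and will happily serve /1.txt/home/user/public_html/wp-config.php as text/plain when 1.txt points at /. The script below is an added example, not code from the thread or from cPanel or Fantastico. It assumes the /home/<user>/public_html layout shown in post #10 and GNU coreutils (readlink -f), as on the CentOS box in the thread; the root directory is a parameter so it can be tried on a scratch tree before being run against /home.

```shell
#!/bin/sh
# Added example, not from the thread: audit a cPanel-style /home tree for
# the two conditions the symlink attack relies on, and apply the chmod 600
# workaround. Assumes GNU coreutils (readlink -f) and /home/<user>/public_html.

# Database config files named on the page (WordPress, Joomla).
CONFIG_NAMES='wp-config.php configuration.php'

# Print config files under ROOT/*/public_html that group or other can read.
# Only the owner (and, under suPHP, PHP running as the owner) needs them.
find_exposed_configs() {
    root=${1:-/home}
    for name in $CONFIG_NAMES; do
        find "$root"/*/public_html -type f -name "$name" \
            \( -perm -g=r -o -perm -o=r \) -print 2>/dev/null
    done | sort
}

# Print symlinks inside each account's public_html whose resolved target
# lies outside that account's home: 1.txt -> / from post #10, or the
# zoec8999*.txt -> /home/zoec8999/... guesses listed in post #4.
find_escaping_symlinks() {
    root=${1:-/home}
    for home in "$root"/*/; do
        home=${home%/}
        [ -d "$home/public_html" ] || continue
        real_home=$(readlink -f -- "$home") || continue
        find "$home/public_html" -type l -print 2>/dev/null |
        while IFS= read -r link; do
            target=$(readlink -f -- "$link") || continue
            case "$target" in
                "$real_home"|"$real_home"/*) ;;   # stays inside the account
                *) printf '%s -> %s\n' "$link" "$target" ;;
            esac
        done
    done
}

# Post #12's workaround: chmod 600 every exposed config file. Safe only
# under suPHP/suEXEC, where PHP runs as the file owner; under mod_php
# running as nobody this would break the sites.
fix_exposed_configs() {
    root=${1:-/home}
    find_exposed_configs "$root" | while IFS= read -r f; do
        chmod 600 -- "$f" && printf 'fixed %s\n' "$f"
    done
}

# Stand-alone use on a live box (as root):
#   sh audit_configs.sh --report    # list exposed configs and escaping links
#   sh audit_configs.sh --fix       # chmod 600 the configs, then list links
case "${1-}" in
    --report) find_exposed_configs; find_escaping_symlinks ;;
    --fix)    fix_exposed_configs;  find_escaping_symlinks ;;
esac
```

The chmod is a stopgap for the files it knows about; the symlink still reaches every other world-readable file on the box. The server-level fix is to stop Apache following symlinks the requesting account does not own (Options -FollowSymLinks or SymLinksIfOwnerMatch in the relevant Apache configuration), which is why the escaping-symlink report is printed in both modes.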

#13 cPanelTristan, cPanel Staff (joined Oct 2010, Location: somewhere over the rainbow, 6,304 posts; cPanel/Enkompass Access Level: Root Administrator)

    You had mentioned the following:

    But on this server, Fantastico creates new WP installs using 644.
    Even if we do fix the Software installs we perform in that section for such scripts, this will not fix how Fantastico installs scripts for that 3rd party application. It isn't just a cPanel issue. It is an issue for any software automated to install with the permissions you've mentioned. If you want it fixed in Fantastico, then the makers of Fantastico would need to be informed of your concerns.

#14 Member (joined Dec 2010, 7 posts)

    Quote Originally Posted by BigLebowski:
    No, I have since determined the hack is via symbolic link.

    All it takes is one account to be hacked, eg fred.com. Hacker then creates a symbolic link to "/" such as 1.txt --> "/"
    He can then browse using a web browser http://test.com/1.txt/home/user/public_html/

    where "user" is any Cpanel account. Usernames are easily obtainable via http://test.com/1.txt/home/ and also via /etc/passwd which is world-readable. Permissions are:

    / - 755 - root.root
    /home - 755 - root.root
    /home/user - 711 - user.user
    /home/user/public_html - 750 - user.nobody

    This would not be a problem if all users' sensitive files were chmod 600. But on this server, Fantastico creates new WP installs using 644. Therefore all Wordpress installs can be plundered.

    I have scripted a chmod 600 on all wp-config.php which should help and am now doing Joomla (configuration.php)

    This is a SuPHP server.

    Best
    Dude
    Even though files are accessible by httpd through a symlink, you can't see the contents of script files (.php, etc.) from httpd, as they would only execute. You would need to use your own php or cgi scripts with some file reading code in order to read the contents of these files; however, if you are running suPHP and suEXEC, you won't be able to read others' files, no matter what permissions they are, since you cannot go through others' public_html directory (750 user:nobody), as you are neither "user" nor "nobody" when you execute your scripts from your account/directory with suPHP or suEXEC in the case of cgi.

    /home should be 711 root:root, if you are running suPHP.

    So, I don't see how others' wp-config.php, even with permissions of 777, is exploitable when using suPHP and suExec.
