  1. #1
    Member
    Join Date
    Sep 2002
    Posts
    580

    security issue

    Help!

    I got this e-mail from someone (it's in Dutch):

    -----------------------
    Hi admin,

    [my ip-address was here] -> /etc/evilfile
    got r00t? :]
    hehe, that was very easy with ptrace.. Patch your kernel
    maybe also prevent "users" from being able to spawn a shell via httpd?
    and uh.. even set things like ls/cd to 750 and add shell users to a group
    Read The Fine security howto/checklist

    /JaD
    -------------------------

    He mentions the following bad issues:

    - he managed to get into /etc and place a file called evilfile (using ptrace???)
    - he recommends patching the kernel
    - he says users can "spawn" a shell through httpd
    - he says ls/cd are 750, which is insecure according to him
    - shell users are added to a group

    He recommends reading The Fine security howto/checklist



    Please help with this.

  2. #2
    Member
    Join Date
    Oct 2002
    Posts
    751


    Hi, you need to upgrade your kernel, you can search on 'kernel' in this forum for more information.

    Be careful doing this yourself though, because if something goes wrong you might not be able to get the server up again.

    You should probably contact your NOC and ask them to do it for you.

  3. #3
    Member
    Join Date
    Sep 2002
    Posts
    580


    Hm... didn't get kernelcheck messages...

  4. #4
    Member
    Join Date
    Oct 2002
    Posts
    751


    Originally posted by NNNils:
    "Hm... didn't get kernelcheck messages..."

    You shouldn't rely on cPanel for these issues.

    Log on to your server and type: uname -a to see your kernel version.

  5. #5
    Member
    Join Date
    Sep 2002
    Posts
    580


    It is 2.4.18-26.7.x

    What version(s) is okay?

    Are all the issues this person tells me about solved in another kernel, or are there also issues that result from the way cPanel works?

  6. #6
    Member
    Join Date
    Oct 2002
    Posts
    751


    Originally posted by NNNils:
    "It is 2.4.18-26.7.x

    What version(s) is okay?"

    The latest version, 2.4.18-27.7.x I believe.

    "Are all the issues this person tells me about solved in another kernel, or are there also issues that result from the way cPanel works?"

    The permissions you have set are the default permissions as far as I know.

    Giving SSH access to users is something you have to be careful with.
    Last edited by jamesbond; 04-12-2003 at 05:53 AM.

  7. #7
    Member
    Join Date
    Sep 2002
    Posts
    580


    Originally posted by jamesbond:
    "The latest version, 2.4.18-27.7.x I believe.

    The permissions and adding to the wheel group is the default setup as far as I know."

    Shouldn't something be done about that too then?

  8. #8
    Member
    Join Date
    Oct 2002
    Posts
    751


    You can use the jailshell option, you can enable that to 'jail' the users in their own dir.

    But even with jailshell you should still be careful who you give shell access to.

  9. #9
    Member
    Join Date
    Sep 2002
    Posts
    580


    On the whole server there is just 1 shell user...

    I have now given him jailed shell.

  10. #10
    Member
    Join Date
    Oct 2002
    Posts
    751


    That's good. By the way, I was wrong when I said that users are added to the wheel group by default; at least this doesn't happen on my server.

    Maybe you accidentally added him to the wheel group?
    In WHM there is an option 'Add/Remove Users from the Wheel'

  11. #11
    Member
    Join Date
    Sep 2002
    Posts
    580


    Nope, never used that option.

    How can I see if a user is added to the wheel group?

    BTW what is a wheel group :-S ?

  12. #12
    Member
    Join Date
    Oct 2002
    Posts
    751


    Just log on to WHM and click on 'Add/Remove Users from the Wheel'; there you should see who is in the wheel group.

    Users in the wheel group are allowed to su to root (if they know the root pwd, of course).

    Users who are not in the wheel group can't su to root even if they know the root pwd.

  13. #13
    Member
    Join Date
    Sep 2002
    Posts
    580


    Only root is in the wheel group

  14. #14
    Member
    Join Date
    Oct 2002
    Posts
    751


    Well then I don't know what group he is talking about.

    To see a list of the groups on your server you can do this in SSH: cat /etc/group
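
An added example (not part of any post in this thread): `cat /etc/group` lists only supplementary members, so this script also reports accounts whose primary GID is wheel and checks whether `su` is actually tied to the group through an active `pam_wheel.so` line. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: who is really in wheel, and does su enforce it?
# Paths are arguments so the checks can be run on copies or samples.

# Print the members of group $1: names listed in the group file ($2) plus
# accounts whose primary GID in the passwd file ($3) is that group's GID.
group_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2")
    [ -n "$gid" ] || return 1            # no such group
    {
        awk -F: -v g="$1" '$1 == g { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$3"
    } | sort -u
}

# Succeed only if an uncommented auth line in PAM file $1 loads pam_wheel.so.
su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_wheel\.so' "$1"
}

# Constructed sample files (not taken from the server in this thread).
make_samples() {
    cat > "$1/group" <<'EOF'
root:x:0:root
wheel:x:10:root,alice
users:x:100:
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:10::/home/bob:/bin/bash
EOF
    cat > "$1/pam_su" <<'EOF'
auth       sufficient   /lib/security/pam_rootok.so
#auth      required     /lib/security/pam_wheel.so use_uid
EOF
}

tmp=$(mktemp -d) && make_samples "$tmp"
echo "wheel: $(group_members wheel "$tmp/group" "$tmp/passwd" | tr '\n' ' ')"
if su_requires_wheel "$tmp/pam_su"; then echo "su: restricted to wheel"
else echo "su: NOT restricted to wheel"; fi
rm -rf "$tmp"
```

On a live server the same functions take the real files: `group_members wheel /etc/group /etc/passwd` and `su_requires_wheel /etc/pam.d/su`.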

  15. #15
    Member
    Join Date
    Sep 2001
    Posts
    87


    Will upgrading to the newest kernel via up2date mess cPanel up in any way?
