  1. #1
    Member
    Join Date
    Sep 2003
    Location
    NY, USA
    Posts
    40

    /usr/local/apache/proxy ?

    Does anyone know what purpose /usr/local/apache/proxy is there to achieve?

    I'm in the process of developing a procedure for hardening my servers, and I've found this path which is owned by nobody.nobody and as it's on the main partition it does not have noexec set.

    This path appears to be vulnerable to the same types of issues as /tmp (before hardening).

    Would there be any side effect from removing this directory, or should I work around this (symlink to a path under /tmp which has noexec set)?
    http://www.hostspace.us
    We've got HostSpace, do you?
    AIM: hspaceus | Yahoo: hspaceus | MSN: admin@hostspace.us | ICQ: 279015428

  2. #2
    Member
    Join Date
    Oct 2003
    Posts
    38

    It is vulnerable and I found a DOS tool in there - and would love to know how to protect it (the server not the tool)

  3. #3
    Member
    Join Date
    Sep 2003
    Location
    NY, USA
    Posts
    40

    Well...

    after consulting with the cpanel developers I've been told that path is not needed unless you're actually running an apache proxy server (you don't by default).

    So... there's two fixes

    1) If you're not running a proxy server, simply remove the directory (rm -rf /usr/local/apache/proxy)

    2) If you do need this path, then you can create a directory under tmp (mkdir /tmp/usr-local-apache-proxy; chown nobody.nobody /tmp/usr-local-apache-proxy; chmod 755 /tmp/usr-local-apache-proxy), remove the existing directory (rm -rf /usr/local/apache/proxy), and then create a symlink (ln -s /tmp/usr-local-apache-proxy /usr/local/apache/proxy).

    Note, solution #2 will only work if you already have your /tmp directory hardened to include noexec. Otherwise it doesn't secure it at all. To harden I recommend (and use) these instructions: http://www.webhostgear.com/34.html

    Regards,
    Michael

    BTW, I'm out of the office till Tuesday afternoon... running away with my wife for our anniversary

  4. #4
    Member
    Join Date
    Oct 2003
    Posts
    38

    Happy anniversary!

    Thanks for this - it's great stuff

  5. #5
    cPanel Partner NOC
    Join Date
    Aug 2003
    Location
    San Diego
    Posts
    102
    cPanel/Enkompass Access Level

    DataCenter Provider

    Good notes.
    Yes, I expect 7 in 10 cpanel hosts are being hacked "now" or have been hacked through this directory recently.
    /usr/local/apache/proxy

    Script kiddies love to put their IRC wares in there as well as DOS stuff.


    Also, Do Now:

    cd /usr/local/apache/proxy
    (should be no files in there.)

    locate /iroffer
    (oh my... do a google to see what it is)

    cd /var/spool/mail
    (look for "nobody" permissioned accounts)


    Best Wishes,
    Jim
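
The checks discussed in posts #1, #3 and #5, combined into one read-only audit script. This is an added example, not part of any post in the thread; the function names, finding labels and the PROXY_DIR/MOUNTS overrides are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: read-only audit of the proxy directory discussed in this thread.
# PROXY_DIR and MOUNTS can be overridden to run the checks against test data.
PROXY_DIR="${PROXY_DIR:-/usr/local/apache/proxy}"
MOUNTS="${MOUNTS:-/proc/mounts}"

# Print the mount options of the filesystem holding path $1: the entry in the
# mounts table $2 whose mount point is the longest prefix of the path.
mount_opts_for() {
    local path="$1" table="${2:-$MOUNTS}"
    awk -v p="$path" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }' "$table"
}

# Succeed when the filesystem holding $1 is mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in *,noexec,*) return 0 ;; esac
    return 1
}

# Print one finding per line; no output means nothing was flagged.
audit_proxy_dir() {
    local dir="${1:-$PROXY_DIR}" table="${2:-$MOUNTS}" real n
    [ -e "$dir" ] || return 0    # directory removed: nothing to audit
    # Resolve symlinks first, so a link into /tmp is judged by /tmp's mount.
    real=$(cd "$dir" 2>/dev/null && pwd -P) || { echo "UNREADABLE $dir"; return 0; }
    is_noexec "$real" "$table" || echo "EXEC_ALLOWED $real"
    # Per the thread, an unused proxy directory should hold no files.
    n=$(find "$real" -mindepth 1 2>/dev/null | wc -l)
    [ "$n" -eq 0 ] || echo "NOT_EMPTY $real entries=$((n))"
    # Executable regular files are the strongest sign of dropped tools.
    find "$real" -type f -perm -u+x 2>/dev/null | sed 's/^/EXECUTABLE /'
}

audit_proxy_dir
```

Because the path is resolved before the mount lookup, a directory replaced by the symlink from post #3 is reported as EXEC_ALLOWED only when /tmp itself lacks noexec.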
