
How does Hacking take place on Cpanel server?

Discussion in 'Security' started by whwrobert, Nov 20, 2009.

  1. whwrobert


    I am writing this post to explain how accounts on a server get hacked. Many times it happens that cPanel accounts on a server are hacked. The most common hacks are ones where the index page is replaced with some other code, thus defacing your website. Sometimes these types of hacks happen on all accounts, including the backups on the server. Many times it is also an iframe hack, where the hacker puts extra code into your website, and whoever accesses that website gets a virus on their computer, thus infecting it. We are not going deep into the types of hacking; what I am going to explain here is how we can stop this from happening, or at least prevent or avoid it. If you are facing the issue of an iframe hack, then one of our cPanel forum members has posted a good article which you can find here:

    http://forums.cpanel.net/f5/solution-iframe-java-script-hack-78595.html#post363227

    Now one would ask, “How does this hacking take place?” Such defacing hacks take place, and we become victims of them, because we are careless or we don’t have the basic knowledge of keeping our site secure. It is us who give a way for any hacking to take place. Any hacking which takes place through the browser happens due to weak permissions. Many common PHP applications we use, like a picture gallery, forum etc., are the starting point of hacking if and only if they are insecure, or are older versions, or some files or directories of those applications have weak permissions like 777 or 755. For example, I have an application which has the option of uploading a file. Now suppose that uploaded file goes into a directory, for example “images”, and “images” has 777 permissions. Now if I upload any defacing script using that option to the images directory, say “deface.php”, then I can easily access that script using the link:

    http://domain.com/images/deface.php

    As the images directory has 777 permissions, I can easily execute that script and deface that account or website. If the permissions on other directories of the server are really weak, then I can deface the files in other locations of the server also. After uploading the script, if I find more accounts on the server which have weak permissions, then I can run my script from its current location and hack other accounts too. So in this way your account, some other accounts or even the whole server is hacked due to weak permissions. To clear this point, I have attached a small PHP script with this post. Just upload it to your account and access it from a browser; you will see that you can browse other files on the server whose permissions are weak.

    THIS IS NOT A HACKING SCRIPT AT ALL, NOR AM I PROMOTING HACKING IN ANY WAY. THIS SCRIPT WILL HELP YOU FIND OUT WEAKNESSES IN YOUR ACCOUNT SECURITY. THIS IS JUST FOR EDUCATIONAL PURPOSES. IF THE MODERATORS OF THIS FORUM THINK THIS POST IS AGAINST ANY OF THEIR RULES, THEY ARE WELCOME TO DELETE THIS POST.

    This script is a type of browser to browse files on the server or account; where file permissions are weak, like 777 or 755, you can browse them even though they don’t belong to your account. This script cannot be used to modify or execute any command, so don’t worry :)

    So in order to stop all such hackings on the server or to your account, always be alert about permissions. Many people use 755 or 777 permissions casually, thus becoming the victim of some hacking today or tomorrow. Secondly, always keep your PHP applications upgraded to their latest versions, so that any bug in the code of previous versions will be cleared. This was very short information, but if other forum members want to add more to this, they are welcome.

    I will be adding more security tips in coming days so stay tuned :cool:
     

    Attached Files:
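The PHP file browser attached to the post did not survive, so here is an added example of the audit side of the same point, written for this page and not the poster's script: it lists world-writable (o+w, typically 777) directories under a document root and any PHP files sitting in them, and builds a constructed sample tree reproducing the "images/deface.php" scenario. The docroot path is an assumption; run it against your own public_html.

```shell
#!/bin/sh
# Added example (not the script attached to the post): audit a document root
# for world-writable directories and for PHP files that live inside them.
# Usage: . ./audit_perms.sh; audit_docroot /home/user/public_html

# List every directory under $1 that is world-writable (o+w, e.g. mode 777).
# The world-writable bit is what lets an unrelated process drop files there;
# the 777 the post warns about is just the most common way to get it.
find_world_writable_dirs() {
    find "$1" -type d -perm -002 2>/dev/null
}

# Count world-writable directories under $1 (whitespace-free number).
count_world_writable_dirs() {
    find_world_writable_dirs "$1" | wc -l | tr -d ' '
}

# List PHP files that sit directly inside a world-writable directory under $1.
# A "deface.php" dropped through an upload form would show up here, because
# the web server will happily execute it when it is requested by URL.
find_php_in_writable_dirs() {
    find "$1" -type d -perm -002 -exec sh -c '
        for d in "$@"; do
            find "$d" -maxdepth 1 -type f -name "*.php"
        done' sh {} + 2>/dev/null
}

# Print a short report; return 1 if anything risky was found, else 0.
audit_docroot() {
    n=$(count_world_writable_dirs "$1")
    echo "world-writable directories under $1: $n"
    find_world_writable_dirs "$1" | sed 's/^/  dir:  /'
    find_php_in_writable_dirs "$1" | sed 's/^/  php:  /'
    [ "$n" -eq 0 ]
}

# Constructed sample docroot that reproduces the post's scenario.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/images" "$d/includes"
    chmod 777 "$d/images"                 # the careless upload directory
    chmod 755 "$d/includes"               # normal, not world-writable
    touch "$d/images/photo.jpg" "$d/images/deface.php" "$d/includes/config.php"
    printf '%s\n' "$d"
}
```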

  2. votethehost.com

    Great info, thanks :)
     
  3. bigal

    If you try to upload deface.php to an image directory that has chmod 777, but get denied by a PHP script that says only .gif, .png, .jpg images are allowed, then should you just rename deface.php to deface.jpg before uploading?

    Because the directory is chmod 777, can a user from the same site run a PHP script to rename deface.jpg to deface.php in that chmod 777 directory?
     
  4. BianchiDude

    Great post!
     
  5. whwrobert

    Some Tips to Avoid Defacing of your site.

    As I always say, most of the defacing, around 90%, takes place on websites having:

    1) WordPress
    2) PHP Forums (any PHP forum)
    3) Mambo
    4) Joomla


    and there are many more names in the list ........

    The most important question to ask yourself is, WHY are only these types of applications hacked? Because they are really easy to hack. To do this, actually, no knowledge is needed, as you can do it from a simple browser.

    What you should do to avoid defacing of your website:

    1) If your site is using any of the above applications, then they should always be updated and running in their latest version.

    2) THIS IS MOST IMPORTANT
    Many users use the above applications, and to do more customization they install different types of plugins and addons to their application. Now we never check who has developed this addon, or whether this addon has any bug which makes the website vulnerable. We never check for an upgraded version of the addon or plugin used by us, and that's where we make the mistake. Suppose we have an upgraded version of any of the applications specified above and we are really relaxed, thinking "I have upgraded the application of my website", BUT WHAT ABOUT ADDONS AND PLUGINS? :) Then later on your site is defaced and you think "How can this happen when my application was the latest version?" This happened because your application was hacked or defaced using the PHP files of the addon or plugin installed by you, and not by using the files of the upgraded application under your site.

    So always verify the developer or code security of any addon or plugin which you are thinking of installing. Do some research before using any free addon or plugin.

    3) Last but not the least, Secure Permissions.
    For more information on permissions, scroll above to my first post.

    Hope you all find this information useful. Feedback is welcome :)

    I will be back soon with more useful information; till then, goodbye.
     
  6. votethehost.com

    Keep posting the good work. Very helpful :)
     
  7. pjman

    I'm liking it too.

    I think if you make your living online, no matter what time of day, somewhere in our heads we are thinking "I wonder if my site got hacked." I only had a single defacement done once to one of my servers about 8 years ago. Ever since, I'm super paranoid. Thanks for the info.
     
  8. whwrobert

    How To Make My Forums More Secure Eg: Vbulletin

    Here's some things you can do to increase the level of security for your forums:

    1. Always upgrade to the latest stable version.

    2. Do not install any unofficial hacks or plugins as they are not written or reviewed by our developers.

    3. Password protect your Administrator and Moderator Control Panel directories, as well as the install and includes directories, using .htaccess/.htpasswd (Comprehensive guide to .htaccess password protection).

    4. Make sure the tools.php (vB3) file is NOWHERE on your website.

    5. Remove the ImpEx files if you had used this import system.

    6. If you have phpMyAdmin make sure it's password protected.

    7. If you suspect a hacking attempt, ask your host to change the login password for your web account.

    8. Make sure all the Admin and Mod passwords are secure. Change them if you have any doubts, and use hard-to-guess passwords.

    9. NEVER allow HTML in posts, PMs or in sigs.

    10. Make absolutely sure there are no viruses, trojans or keylogger spyware on your PC. Any of these could steal your password and other personal info.

    11. Do NOT upload the directory called do_not_upload/

    12. Use a different password for each forum you sign up with. Use a different password for your forum than you do for the .htaccess directory password.

    13. Update the config.php file and set yourself as an undeletable user so they can't touch your admin account.

    14. Do Not Upload config.php.new when upgrading your forums.
     
  9. whwrobert

    How to find PHP Shell on your server


    In most hacking or defacing, the most common tool used is a PHP shell. If you scan your server regularly for PHP shells and delete them, you can avoid many hacking and defacing attempts on your server.

    The above script is a very simple shell script which will scan all public_html directories of all cPanel accounts for various PHP shells. Then the script will mail you the locations of the PHP shells. You can set a cron for this script to run once a day. If you check the code, I have added a cron entry for it which you can use, which will execute the script at the 6th hour daily.

    PHP Functions which help hackers to hack your server


    I am listing below some PHP functions which you should keep disabled if you don't need them, as they help hackers deface your websites or hack the server:

    To disable these functions you can add the following line to /usr/local/lib/php.ini:

    Then restart the Apache server, that is, the httpd service.

    Please note: doing this will break some of the PHP scripts of your clients. I would suggest you block the above functions first, and then when you come to know which PHP scripts are broken by this, at that time you can remove that particular function needed by the script. This way your disable_functions list will be exactly as required by your server.

    Hope this helps you all.

    For further updates, Stay Tuned :)
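The scanner script the post refers to is not on the page any more; the block below is an added example of the same idea, written for this page rather than the poster's own code. It greps every account's public_html for fixed strings that commonly appear in PHP web shells, prints the matching paths, and can mail the list from cron; the /home layout, the signature list and the sample files are assumptions and constructed samples.

```shell
#!/bin/sh
# Added example (not the scanner attached to the post): grep every account's
# public_html for strings that commonly appear in PHP web shells and list the
# matching files so they can be reviewed and removed.
# Assumed layout: <home_base>/<account>/public_html (cPanel uses /home).

# Print each .php/.phtml file under $1 that contains a known shell signature.
# Fixed-string patterns (-F) need no regex escaping; extend the list with
# signatures seen on your own server. grep exits 1 when a batch has no match,
# which is not an error for a scan, hence the "|| true".
scan_for_php_shells() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) -exec grep -lF \
        -e 'eval(base64_decode(' \
        -e 'eval(gzinflate(' \
        -e 'eval(str_rot13(' \
        -e 'passthru($_' \
        -e 'shell_exec($_' \
        -e 'system($_' \
        -e 'c99shell' \
        -e 'r57shell' \
        -e 'FilesMan' \
        -- {} + 2>/dev/null || true
}

# Scan every account's public_html under $1 (default /home); print all hits.
scan_all_accounts() {
    base=${1:-/home}
    for docroot in "$base"/*/public_html; do
        [ -d "$docroot" ] || continue
        scan_for_php_shells "$docroot"
    done
}

# Mail the hit list to $2 (default root) when anything was found; for cron.
# Suggested crontab entry, matching the post's "6th hour daily":
#   0 6 * * * /root/find_php_shells.sh >/dev/null 2>&1
report_php_shells() {
    hits=$(scan_all_accounts "$1")
    [ -z "$hits" ] && return 0
    printf 'Possible PHP shells found on %s:\n%s\n' "$(hostname)" "$hits" \
        | mail -s "PHP shell scan: $(hostname)" "${2:-root}"
}

# Constructed sample home tree: one clean site, one with a suspicious file.
make_sample_accounts() {
    base=$(mktemp -d)
    mkdir -p "$base/alice/public_html/images" "$base/bob/public_html"
    printf '<?php echo "hello"; ?>\n' > "$base/alice/public_html/index.php"
    printf '<?php phpinfo(); ?>\n' > "$base/bob/public_html/info.php"
    # constructed marker only: the obfuscated-loader signature inside a comment
    printf '<?php /* eval(base64_decode( ... */ ?>\n' \
        > "$base/alice/public_html/images/x.php"
    printf '%s\n' "$base"
}
```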
     
  10. konrath

    Hello

    thank you very much whwrobert

    Konrath
     
  11. prashant_ohol

    Yep, good one.



    Prashant
     
  12. himmler123

    awesome tutorial buddy
    thanks :)
     
  13. Markspixel

    Very nice tutorial and very helpful.

    Also, this might be an obvious one, but I didn't see it in your list:

    Make sure you remove the "install" directory after you have installed a script like WordPress.
     
  14. brianoz

    Thanks for sharing, seems like this is new information for many people.

    Two points of feedback:

    Firstly, allowing scripts to run from a mode 777 directory is the actual root problem. "Fixing" anything else is a waste of time, as the underlying weakness is still there. Mod_Security in any of its forms will prevent this from happening - it will not allow a script to run if it is in a writeable directory. With this in place, the baddies can find upload weaknesses all they like and nothing will happen.

    One of the key issues here is that you are running your Apache server in DSO mode - which means that all PHP scripts run as a common user (the user called "nobody"). This makes it absolutely trivial to hack user accounts in a myriad of ways, and your only way of mitigating this is to remove access to nearly all the PHP directives, as you have done.

    The trick here is to turn the water off at the tap, rather than trying to patch the leaky hose - which is a never ending task!

    Second major point - turning off all your PHP directives makes your server a LOT less usable. If I was a customer I would never use your server, as it would just be too locked down to be useful. For instance, directives such as passthru(), system() and phpinfo() are often used in real apps - and in phpinfo()'s case are absolutely essential (without it I can't see what features the server PHP has). And you've even locked down print_r()!! Why you would lock down a trivial debugging command I'm not sure. Apologies if this seems rude, that's not my intent - I guess the real problem is that you have to lock the server down so tight because you are running in DSO mode.

    This brings me back to a key point - if you are running a shared webserver with real users on it, if you are serious about your business and providing acceptable service to your customers, you'll get your server security hardened by a professional who knows all this stuff, rather than trying to guess your way into it one step at a time from threads like this. One very good such company is ConfigServer Services (Chirpy has been a well loved moderator on this forum for years, and we've used his services for 6 years); platinumservers is also very good, as are others. The problem with doing it yourself is that you can just never know as much as a professional, and you need to consider how much it could cost you if your whole server got hacked through a user account. Good security is multi-faceted - many different layers.

    Not to question the usefulness of threads like this, at all, great stuff, and thanks again for sharing, and keep the good thoughts coming.
     
  15. brianoz

    One more little tip - provide your users with a cPanel-integrated tool like Softaculous, Installatron or Fantastico for script installation.

    These cPanel menu options provide full installation of many common packages like WordPress, and they get it right out of the box - removing the bits that are insecure if left there, etc.

    Also, don't use the default username for the WordPress admin user - use something like manager, or control, or system, or sysmgr - anything other than the default. This can reduce your chances of being hacked by quite a lot.

    Also, never use your cPanel (or other admin) password as your database password. This is because your DB password has to go in a config file, and if they hack their way into that file, they then have your control panel password!

    The auto installers all make up random passwords for databases, I guess just one more reason to use them.
     
  16. LAZer

    Thank you for the post. Keep up the good work :X
     
  17. brianoz

    Critical error on my behalf - sorry folks - it should have been:

    Suphp/phpsuexec in any of its forms ...
     
  18. Yogeshk

    Hello,

    If we disable the following functions on the server, what about the latest sites which need the following functions to be enabled on the server?

    dl
    exec
    shell_exec
    system
    passthru
    popen
    pclose
    proc_open
    proc_nice
    proc_terminate
    proc_get_status
    proc_close
    leak
    apache_child_terminate
    posix_kill
    posix_mkfifo
    posix_setpgid
    posix_setsid
    posix_setuid
    escapeshellcmd
    escapeshellarg
    shell-exec
    fpassthru
    crack_check
    crack_closedict
    crack_getlastmessage
    crack_opendict
    psockopen
    php_uname
    symlink
    mkdir
    ini_restore
    posix_getpwuid
    error_log
    print_r
    scandir
    copy
    phpinfo
    ini_set


    Yogesh K
     
  19. LAZer

    Hi, you must have a per-user ini system; there are lots of tutorials on the net on how to do so. I mean you must have a very restricted ini on the whole server, so as not to be hacked by the insecure scripts on every host you sell, and then for every host that needs a special function you can enable it for that one host/customer that you may trust, in its specified php.ini file.

    Search for setting php.ini per user in suPHP.
    There are so many other restrictions that can be applied together with these limitations to have a secure and stable web server.

    Here is my disable_functions, which is a complete and good one, and my server uptime is good too. The things that most forum or CMS scripts may need are ini_set and ini_alter and file uploads, which can really cause hangs on servers with low resources. For example, if you do not put ini_set in the disabled functions, every host can set its process memory, for example as high as 256MB, and with high traffic that single host will eat all your VPS/server memory, causing high load or Apache crashes.

    Anyway, I'm not an expert; I'm just advanced in this field, and others may correct my words... (which I'll be thankful to them for if they correct me)

    disable_functions = "shell,shell_exec,exec,shell-exec,dl,symlink,system,ini_set,ini_restore,passthru,copy,error_log,scandir,leak,popen,pclose,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,escapeshellcmd,escapeshellarg,crack_check,crack_closedict,crack_getlastmessage,crack_opendict,psockopen,php_uname,mkdir,posix_getpwuid,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,imap_body,imap_list,imap_open,mysql_list_dbs,stream_select,socket_select,socket_create,socket_create_listen,socket_create_pair,socket_listen,socket_accept,socket_bind,socket_strerror,readlink,link,pfsockopen,ini_alter,openlog,syslog,putenv,pcntl_exec,pcntl_fork,pcntl_signal,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,fpassthru,detcwd"
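Since a relaxed per-user php.ini silently undoes the server-wide list, here is an added example (written for this page, not from the post) that parses the disable_functions line of any php.ini and reports which entries of a baseline are still enabled. The baseline is a small set of process-spawning functions drawn from the lists in this thread, an assumption you should replace with your own; the two sample ini files are constructed.

```shell
#!/bin/sh
# Added example (not from the post): compare the disable_functions line of a
# php.ini against a baseline list and report which baseline entries are still
# enabled. Run it on the server-wide php.ini and on every per-user php.ini
# that suPHP loads, so a customer file that re-enabled something is caught.
# Baseline (assumption): process/shell-spawning functions from this thread.
BASELINE='exec shell_exec system passthru popen proc_open pcntl_exec dl'

# Print the functions named in disable_functions of $1, one per line.
# Handles quotes, spaces around commas and ignores commented-out (";") lines.
disabled_functions_in() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tr -d '"' | tr ',' '\n' | tr -d ' \t' | sed '/^$/d'
}

# Print baseline functions that are NOT disabled in $1; return 1 if any.
missing_disabled_functions() {
    have=$(disabled_functions_in "$1")
    missing=""
    for f in $BASELINE; do
        printf '%s\n' "$have" | grep -qx -- "$f" || missing="$missing $f"
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample php.ini files: a strict server-wide one and a per-user
# one in which exec and system were quietly re-enabled for a customer.
make_sample_inis() {
    d=$(mktemp -d)
    cat > "$d/php.ini" <<'EOF'
; constructed server-wide php.ini
disable_functions = "shell_exec,exec,dl,system,passthru,popen,proc_open,pcntl_exec"
EOF
    cat > "$d/user.ini" <<'EOF'
; constructed per-user php.ini that relaxed the list
disable_functions = "shell_exec, dl, passthru, popen, proc_open, pcntl_exec"
EOF
    printf '%s\n' "$d"
}
```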
     
  20. claudio

    Also these commands are used by hackers:

    mod_include(SSI)
    fopen
    curl

    Recently an insecure osCommerce on a customer of mine led to a mass defacement on my server.

    Uploading to /images (which had 777 permissions), this hacker saved a script on the /tmp partition.

    Using passthru he could chmod 777 this script and execute it.

    As this server was an exception among many others, it had /tmp allowing scripts to be executed there.

    The script ran there with the suexec identity of this customer, for instance:

    username:username /tmp/evilscript

    I realize that if you try to read /etc/passwd or /etc/valiases, that can be done from an insecure website,

    but if you want to issue an "ls -lh /home" you will not be able to.

    However, during my tests, I could still issue a

    echo "ps - aux > /home/final_test" > /tmp/test

    and then

    /tmp/./test

    and guess what ...

    A /home/final_test was generated under /home with the "ps -aux" result.

    This single file was under

    root:root /home/final_test

    As you can see, although I could not "ls -lh /home", and even with my "/tmp/test" script owned by a non-root user, I can save files in /home etc. under the root identity and mass deface a server with /tmp allowing execution of scripts.

    After running a

    /scripts/securetmp or something similar

    you cannot issue /tmp/./test; it will result in

    permission denied.

    Some servers of mine running /scripts/./securetmp gave me the

    *** Notice *** No loop module detected

    but after that they are denying execution of scripts from /tmp.

    cat /etc/fstab must show:

    /tmp /var/tmp ext3 defaults,bind,noauto

    best regards
    Claudio
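The fix Claudio ends on is a /tmp that refuses to execute anything; the block below is an added check for that (written for this page, not Claudio's commands). It reads the mount table in /proc/mounts format and reports whether /tmp and /var/tmp carry the noexec option or are not separate mounts at all; the two sample tables are constructed, and the assumption is that securetmp mounts both with noexec.

```shell
#!/bin/sh
# Added example (not from the post): verify that /tmp and /var/tmp are mounted
# noexec, which is what /scripts/securetmp sets up, by reading the mount table.
# Defaults to /proc/mounts; a file path can be passed in for testing.

# Exit 0 if mount point $1 appears in mount table $3 with option $2.
# /proc/mounts fields: device mountpoint fstype options dump pass
mount_has_option() {
    awk -v mp="$1" -v opt="$2" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit (found ? 0 : 1) }' "${3:-/proc/mounts}"
}

# Report each temp mount point; return 1 if any lacks noexec, including the
# case where it is not a separate mount and so inherits exec from /.
check_tmp_noexec() {
    table=${1:-/proc/mounts}
    rc=0
    for mp in /tmp /var/tmp; do
        if mount_has_option "$mp" noexec "$table"; then
            echo "$mp: noexec OK"
        elif awk -v mp="$mp" '$2 == mp { f = 1 } END { exit (f ? 0 : 1) }' "$table"; then
            echo "$mp: mounted WITHOUT noexec"; rc=1
        else
            echo "$mp: not a separate mount (inherits exec from /)"; rc=1
        fi
    done
    return $rc
}

# Constructed mount tables in /proc/mounts format: one after securetmp,
# one like the server in the post where /tmp still allowed execution.
make_sample_mount_tables() {
    d=$(mktemp -d)
    cat > "$d/secured" <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/usr/tmpDSK /tmp ext3 rw,noexec,nosuid 0 0
/usr/tmpDSK /var/tmp ext3 rw,noexec,nosuid 0 0
EOF
    cat > "$d/weak" <<'EOF'
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda3 /tmp ext3 rw 0 0
EOF
    printf '%s\n' "$d"
}
```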
     
