
[Resolved] Solutions for handling symlink attacks

Discussion in 'Security' started by HostingH, Apr 8, 2011.

Thread Status:
Not open for further replies.
  1. Arvand

    This does work for us. Thank you.

    What is unfortunate, however, is that by having this public, it may further reinforce the false notion that this has nothing to do with cPanel and that they should not be concerned about this. (I hope this isn't the case.)

    At this point in time, tens of thousands of servers are currently vulnerable. cPanel is getting paid a monthly premium to provide a secure management experience for the administrators of those servers, and in this case it is greatly failing to do so.

    To cPanel - here is a simple analogy which may better describe why I feel you should at least be notifying your customers. If you were a grocery store and you sold meat, and then a customer came in and said "that meat over there killed my son because it has E. coli", would you sit there and say, "well, that's not our meat - it comes from the so-and-so farm. We just package it and sell it. Go talk to the farm"?!?

    This sort of behavior, when this issue has been repeatedly brought up to cPanel, is exactly what's expected of Parallels, not cPanel...
     
  2. StevenC

    You run the wget command, and then run easyapache choosing Apache 2.2. There is nothing more.
     
  3. StevenC

    Out of the few hundred servers we have this on, we noticed minimal load increase.
     
  4. brianoz

    So you'd rather have a fast server that doesn't work because it got hacked?? Really?? And you don't care about your customers getting hacked?

    I guess the question is - how much does this really compromise server performance? Boiled down, as far as I can see, it's simply using an extra stat every time there's a symlink - do you have symlinks everywhere? If not, then you wouldn't notice the difference.

    The impact of an extra stat is almost (not quite, but almost) negligible. But I guess it's a trade-off between having a secure and supportable server and not. This is already starting to happen in the wild, so it's of real concern.


    Sorry - do you mean it is working or not working? If not working, what is happening, exactly? It compiles here, and works as far as I can see? Details would be useful.
     
  5. DomineauX

    Sorry, but I cannot agree with your blaming cPanel for this. The fact is that Apache includes two options and allows the insecure one by default. cPanel has included the ability to disable it in the Global Apache Configuration options via WHM. This is as much as they should be asked to do, in my opinion.
    This is also enough to ensure security, unless your users enable the insecure option, whether on purpose or by accident, such as by installing a script that enables "FollowSymLinks" in the .htaccess file.

    The solutions posted by StevenC and myself are simply extra measures to prevent the enabling of "FollowSymLinks" by users and script installations.
     
  6. ethix

    Thank you for sharing this. It is appreciated :)

    Brendan
     
  7. hostnex

    Below are the steps which any typical hacker can use to hack your website even after applying the patch.

    1- The first thing any hacker needs in order to access your server is to upload his root shell through some vulnerable website.

    2- Once he has successfully uploaded the root shell, he will try to disable safe mode in different ways; one way is to place a php.ini in the root of the user account.

    3- Now he will make a new folder under public_html; assume the folder name is helo.

    4- In the helo folder he will upload or create a new .htaccess file and put the following code in it:

    Options Indexes FollowSymLinks

    DirectoryIndex ssssss.htm

    AddType txt .php

    AddHandler txt .php

    5- Now from the root shell he will symlink to /, which will give him access to browse the whole server through the root shell:

    ln -s / root

    6- Now he will browse the website http://domain.com/helo/, which will show him the following contents:

    /Parent Directory
    /root

    Clicking root will let him browse the whole server.

    7- Now he will get the list of accounts running on the server. There are different ways to get it. One way is to edit the /etc/passwd file.

    8- But the hacker still can't access the user folders within /home/account. To gain access to an account's root folder he will run the following command:

    ls -la /etc/valiases/helo.com

    9- Now he will go to the path /home/helo/public_html and can browse any file within it through the root shell.


    Even after running your patch this method can be used to access any website through the command line, and all contents of the website will be browseable. Below are the recommendations to secure the server.

    1- Do not allow users to change PHP settings through php.ini or .htaccess files.

    2- Enable the Apache mod_userdir Tweak but do not exclude any of the hostnames, as through http://domain.com/~username the php.ini global settings can be overridden.

    3- Disable symlinks for all users.

    4- Disable the following functions globally in php.ini:

    show_source,system,shell_exec,passthru,exec,proc_open,allow_url_fopen,symlink,exec,proc_close,dl,escapeshellarg,escapeshellcmd,popen

    5- Enable safe_mode.

    6- Run maldet, a malware detection tool which is very effective at catching most root shells.
     
    #67 hostnex, Nov 9, 2011
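A defender's check for the .htaccess tricks described in the post above and by DomineauX earlier in the thread, added here as an example and not code from the thread or from any patch discussed in it: it walks a directory tree for .htaccess files that enable FollowSymLinks or bind .php to a non-PHP handler. The sample account tree it builds is constructed for the example; the directory names are assumptions.

```python
import os
import re
import tempfile

OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.I | re.M)
HANDLER_RE = re.compile(r"^\s*(AddType|AddHandler)\s+(\S+)\s+(.+?)\s*$", re.I | re.M)

def audit_htaccess(text):
    """Return findings for one .htaccess body; an empty list means nothing suspicious."""
    findings = []
    for m in OPTIONS_RE.finditer(text):
        # A leading '-' removes an option; bare or '+' tokens enable it, and 'All' implies FollowSymLinks.
        enabled = {t.lstrip("+").lower() for t in m.group(1).split() if not t.startswith("-")}
        if enabled & {"followsymlinks", "all"}:
            findings.append("Options enables FollowSymLinks: " + m.group(0).strip())
    for m in HANDLER_RE.finditer(text):
        handler, exts = m.group(2).lower(), m.group(3).lower().split()
        # Binding .php to a non-PHP handler makes Apache serve script source as plain text.
        if ".php" in exts and "php" not in handler:
            findings.append(f"{m.group(1)} maps .php to {handler}")
    return findings

def scan_tree(root):
    """Walk root for .htaccess files; map each relative path to its non-empty findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path) as fh:
                hits = audit_htaccess(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def build_sample_tree():
    """Constructed sample (assumption, not a real server): one clean account and one
    carrying the .htaccess quoted in the post above."""
    root = tempfile.mkdtemp()
    samples = {
        "good/public_html": "Options -Indexes\nDirectoryIndex index.php\n",
        "bad/public_html/helo": ("Options Indexes FollowSymLinks\nDirectoryIndex ssssss.htm\n"
                                 "AddType txt .php\nAddHandler txt .php\n"),
    }
    for rel, body in samples.items():
        os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, rel, ".htaccess"), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for path, hits in scan_tree(build_sample_tree()).items():
        print(path, "->", "; ".join(hits))
```

Pointing scan_tree at /home on a cPanel box reports every account whose .htaccess would re-enable the behaviour the thread is trying to block, so it doubles as a quick check that a user-level script did not quietly undo the server-wide setting.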
  8. k-planethost

    The patch doesn't work on your servers?
     
  9. Estiny

    We have a bunch of servers that we would want to roll your patch out on. Rather than doing the following:

    wget http://layer1.rack911.com/before_apache_make -O /scripts/before_apache_make
    chmod 700 /scripts/before_apache_make
    /scripts/easyapache --build


    Could we do this on one server and then copy over X files to Y server to avoid running easyapache on each and every server? It would save us a bunch of issues, I think. Do you know what files are changed by easyapache to incorporate your patch, so we could copy over X files or X binaries to make it work on server Y?
     
  10. StevenC

    In your method you mention:

    'Options Indexes FollowSymLinks'

    FollowSymLinks does not work as FollowSymLinks with my patch.

    The hack you described is the same exact hack we see every day. The exact way you described it is blocked by the patch. It sounds like the patch is not installed correctly on your server.

    It sounds like you did NOT compile apache after running the wget command.
     
    #70 StevenC, Nov 10, 2011
  11. StevenC

    I believe you just need to copy /usr/local/apache/bin/httpd, but I have not confirmed it.
     
  12. StevenC

    It is impossible to disable symlinks for all users; it's a kernel-based function. A Perl script or even a compiled C binary that is uploaded can still access symlink.

    In case you are not aware, you can execute C binaries as cgi scripts.
     
  13. Mitio

    Hello,

    Solutions for this issue:

    Symlink Protect cPanel EasyApache module:

    1. First download these files: http://spasov.us/patch/Apache.zip

    Login as root and go to /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/Apache

    Upload SymlinkProtection.pm and SymlinkProtection.pm.tar.gz to this directory:

    /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/Apache

    2. Run /scripts/easyapache, and select SymlinkProtection from the "Exhaustive Options" list.

    Note: I found that many servers have this problem.

    Do not hesitate to contact us again for any further questions or need of assistance.

    Best Regards,
    Dimitar Spasov,
     
  14. hostnex


    Currently we have included the following code in the Apache include files to avoid symlinks. When someone tries to use the following symlink option in .htaccess he gets an Internal Server Error.

    # Every option in one Options line must carry + or -, or none may; the original mixed the two forms
    <Directory "/">
    Options -ExecCGI -FollowSymLinks +Includes +IncludesNOEXEC +Indexes -MultiViews +SymLinksIfOwnerMatch
    AllowOverride All
    </Directory>

    <Directory "/usr/local/apache/htdocs">
    Options +IncludesNOEXEC +Indexes -FollowSymLinks +SymLinksIfOwnerMatch -ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    </Directory>

    <Directory "/home">
    # Relative to the "/" block above, this leaves only IncludesNOEXEC and SymLinksIfOwnerMatch enabled
    Options -ExecCGI -Indexes -FollowSymLinks -Includes +IncludesNOEXEC -MultiViews +SymLinksIfOwnerMatch
    # .htaccess may only toggle Indexes and MultiViews; any other Options keyword is refused with a 500
    AllowOverride AuthConfig Indexes Limit FileInfo Options=Indexes,MultiViews
    </Directory>

    Are you saying it's not effective? Also, after using your patch, do we still need to include the above code in Apache? It has broken most of our websites which use the FollowSymLinks option in .htaccess.

    We will try your patch on a separate server and update you.
     
  15. Mitio

    Hello,

    Solutions for this issue:

    Symlink Protect cPanel EasyApache module:

    1. Download http://spasov.us/patch/Apache.zip

    Login as root and go to /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/Apache

    Upload these files, SymlinkProtection.pm and SymlinkProtection.pm.tar.gz, to this directory: /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/Apache

    2. Run /scripts/easyapache, and select SymlinkProtection from the "Exhaustive Options" list.

    Do not hesitate to contact us again for any further questions or need of assistance.

    Best Regards,
    Dimitar Spasov,
     
    #75 Mitio, Nov 10, 2011
  16. hostnex


    May I know who you are, as I could not find any information about you in your profile. So nice of you that you made a new forum account just to inform us how to fix it :)
     
  17. Mitio

    Dear hostnex,

    Thank you. My name is Dimitar Spasov from Bulgaria; this is my email address, dvspasovATgmail.com, and my Facebook:

    http://www.facebook.com/profile.php?id=100000681319307&sk=info

    Skype name: nasanet

    I administer a few Linux servers. I'm just trying to help.

    Best Regards,
    Dimitar Spasov,
     
  18. StevenC


    If you're having issues with my patch, then it did not compile correctly. My patch is intended to allow it to remain secure AND not give an internal server message if someone uses FollowSymLinks. It makes FollowSymLinks perform like SymLinksIfOwnerMatch. I have it running on several hundred servers. On a daily basis we see people attempting to perform this hack and fail (through the modified suhosin extension we use, we are able to monitor this).
     
    #78 StevenC, Nov 12, 2011
  19. StevenC

    Nice patch Mitio.
     
    #79 StevenC, Nov 12, 2011
  20. hostnex

    So which patch should we use, yours or Mitio's?
     