
About the r57shell script

Discussion in 'General Discussion' started by SACHIN, Feb 12, 2007.

  1. SACHIN

    SACHIN Guest

    Hello,

    There is one user on the server who has the famous r57shell (PHP) script. Using this script that user can access any file on the Linux server. Also, using this script the client can read the /etc files.

    The client is executing this r57shell script by keeping this PHP file in his home directory.

    We have enabled open_basedir on the server. But the user can still execute the files from his home directory and can access /etc. How do we stop this?


    Sachin
     
  2. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Remove the r57shell file, and then if it is re-uploaded, disable the user account for a breach of terms of service (hacking).

    Also, run phpsuexec. Add a mod_security rule to block r57shell.php from being run just as icing on the cake.
     
  3. procam

    procam Well-Known Member

    Joined:
    Nov 24, 2003
    Messages:
    123
    Likes Received:
    0
    Trophy Points:
    16
    That sec rule doesn't work, sorry; edited/removed.
     
    #3 procam, Feb 12, 2007
    Last edited: Feb 12, 2007
  4. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    You'll need to do a bunch of things to stop this from affecting your servers:

    1) Disable PHP functions like exec, shell_exec and others
    2) Install a firewall to drop inbound/outbound ports
    3) Install mod_security with a good ruleset that works.
    4) Disable all system compilers
    5) Disable common binaries like wget

    Let me know if you need assistance, I deal with these scripts all the time.
     
  5. jugo

    jugo Active Member

    Joined:
    Nov 23, 2005
    Messages:
    44
    Likes Received:
    0
    Trophy Points:
    6
    All this works very well on our box.

    Someone on our box uploaded a shell-type file called "kol.php" and somehow was able to change the cPanel account to unlimited.

    We change our root passwords every 2 weeks, and use SSL-AUTH keys for login.

    Is there a way to quickly determine if the file has been uploaded or run and immediately fire off an email?
     
  6. SixtyClear

    SixtyClear Registered

    Joined:
    Feb 10, 2007
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Hampshire, UK
    Hi ramprage.

    I'd be interested in a simple script to enable/disable functions such as wget for customers. Although I don't specifically allow SSH, I have also been affected by an r57shell script a few months ago.

    Since then I have tightened up the security, which in turn lost a handful of clients, as their applications ceased to work, but it's the price to pay for a secure server environment.

    I do use multiple applications such as CSF from Chirpy, and modsecurity etc... But could you recommend a better equipped ruleset for modsecurity than the default ruleset which is bundled with the cPanel addon installation?

    Very grateful for any information you can provide.

    Chris
     
  7. SACHIN

    SACHIN Guest

    Thank you for all your replies. But I still have the following questions.

    - I can't suspend the website in the name of hacking as there are over 900 accounts on the server, and everyone knows about r57shell.php. So any user can upload this PHP script.

    - We have the following functions disabled in php.ini:

    disable_functions = dl, system, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_six_setuid, passthru, shell_exec, proc_terminate, exec, ocilogon, mssql_connect, ini_get_all, error_log, ini_alter, system, error_log, ini_alter, openlog, syslog, readlink, symlink, link, popen, escapeshellcmd, escapeshellarg, pcntl_exec

    - We have installed the APF firewall on the server. Please tell me which ports you want us to block/unblock.

    - We have mod_security on the server. So in mod_security, what rules/entries do we have to make for r57shell.php?? As the client can change the file name from r57shell.php to anything like 1.php or index.php. So what to do??

    - Which system compiler you want us to disable and where??

    - We have disabled wget on the server.

    - Can we install or run an anti-trojan on the CentOS Linux server? Or is it dangerous to run an anti-trojan, as it can delete any files (configuration files too)?

    Waiting for the reply. Thanks in advance.

    Sachin
     
  8. bryanabhay

    bryanabhay Active Member

    Joined:
    Aug 14, 2006
    Messages:
    30
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    We have made all necessary security changes on our server:

    1> Have disabled the following functions

    disable_functions = dl, system, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_six_setuid, passthru, shell_exec, proc_terminate, exec, ocilogon, mssql_connect, ini_get_all, error_log, ini_alter, system, error_log, ini_alter, openlog, syslog, readlink, symlink, link, popen, escapeshellcmd, escapeshellarg, pcntl_exec

    2> Disabling the exec function can stop all image galleries, so didn't do that
    3> Enabled open_basedir security
    4> Enabled mod dir security
    5> All files & folders have 755 permissions

    Even so, the script is able to read other users' files from the public_html folder.

    Is there anything left behind?

    Bryan
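    The two posts above paste the same disable_functions line, so here is an added audit of that directive (example code written for this thread, not something either poster ran). It uses the posted value as input; the reference set of process-spawning functions and the list of file-read functions are this example's own choice (an assumption), and the point it makes is brianoz's: the list already covers command execution, several entries are duplicated, and plain file reads cannot be switched off this way, which is why reading other accounts' files needs per-user execution rather than a longer list.

```python
import re

# The directive exactly as posted in the thread (duplicates and all).
POSTED_DIRECTIVE = (
    "disable_functions = dl, system, popen, pclose, proc_open, proc_nice, "
    "proc_terminate, proc_get_status, proc_close, pfsockopen, leak, "
    "apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, "
    "posix_setsid, posix_six_setuid, passthru, shell_exec, proc_terminate, "
    "exec, ocilogon, mssql_connect, ini_get_all, error_log, ini_alter, system, "
    "error_log, ini_alter, openlog, syslog, readlink, symlink, link, popen, "
    "escapeshellcmd, escapeshellarg, pcntl_exec"
)

# Functions that spawn processes, i.e. what a command-execution shell relies on.
# Reference set chosen for this example (assumption), not a cPanel default.
PROCESS_SPAWN = {"exec", "shell_exec", "system", "passthru", "popen",
                 "proc_open", "pcntl_exec"}
# Plain file access stays available by design: disabling it breaks nearly every
# application, so the read-other-accounts problem in this thread is not fixable
# with disable_functions; it needs each account's PHP to run as its own user.
FILE_READ = {"fopen", "file_get_contents", "readfile", "file", "fread",
             "opendir", "scandir", "glob"}

def parse_disable_functions(directive):
    """Return the ordered list of names in a php.ini disable_functions line."""
    _, _, value = directive.partition("=")
    return [n.strip().lower() for n in re.split(r"[,\s]+", value) if n.strip()]

def audit(directive):
    """Deduplicate the list and report what it does and does not cover."""
    names = parse_disable_functions(directive)
    seen, dupes, canonical = set(), [], []
    for n in names:
        if n in seen:
            dupes.append(n)      # php.ini tolerates repeats, but they hide edits
        else:
            seen.add(n)
            canonical.append(n)
    return {
        "canonical": canonical,
        "duplicates": sorted(set(dupes)),
        "spawn_missing": sorted(PROCESS_SPAWN - seen),
        "file_read_still_allowed": sorted(FILE_READ - seen),
        "rewritten": "disable_functions = " + ", ".join(canonical),
    }

if __name__ == "__main__":
    for key, val in audit(POSTED_DIRECTIVE).items():
        print(f"{key}: {val}")
```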
     
  9. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Yes, but it would be simpler to find the account that had uploaded r57shell and just disable it, not the whole 900 accounts.

    What you've disabled makes php almost useless. You've not done the most important thing yet - switch to phpsuexec or suphp. Without it, your server is fundamentally insecure and you will continue to have problems.

    Uninstall apf, it's old now and isn't being maintained. Install http://www.configserver.com/cp/csf.html instead - it's much smarter, has a WHM interface, can upgrade itself, and detects/prevents (and warns of) many hacking attempts.

    Correct; as the name may change, there's no way you can block it with mod_security. Instead you install phpsuexec so they can't write/read other people's files.

    The system C compiler - usually /bin/cc and related files - gcc, g++ or similar. Set them to mode 700.

    Which anti trojan? Anyway, as far as I know none of them delete files as they tend to produce false positives.
     
  10. its_joe

    its_joe Well-Known Member

    Joined:
    Feb 15, 2007
    Messages:
    134
    Likes Received:
    0
    Trophy Points:
    0
    Hello,

    I am continuing this thread for my friend Sachin.

    As per the last reply, we have done the following steps:

    - We have a new firewall set up on the server, that is the CSF firewall. We have removed APF from the server.

    - We have disabled the gcc and C compilers on the server.

    - Someone suggested that we have to enable phpsuexec on the server. We cannot enable phpsuexec, as any admin understands that it will disable many functions of PHP on the server and many users on the server will be affected by this.


    So please advise us further on this.

    Thanks
     
  11. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Joe, I'm sorry to say that without updating to phpsuexec or similar you will continue to have problems, and nothing else can prevent them, it's as simple as that.

    This is completely untrue; you need to do some more research. Phpsuexec will cause few, if any, problems with the majority of accounts. Very occasionally you find people with php directives in their .htaccess files - these will need to be moved to php.ini files.

    You need to understand just how unprotected a server is without phpsuexec. Every user on the server can read every other user on the server's sql usernames and passwords, and by that probably predict the passwords for cpanel accounts. Your server is completely wide open until you convert to phpsuexec. Granted, they do need a user account, but if they compromise a script somewhere on the server they don't even need that. There are some good posts elsewhere in this forum describing how people have found phpsuexec to cause few if any problems.

    I'll see if I can find any articles/good threads on this on here for you - there are definitely some.
     
  12. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Once r57shell is downloaded on your server, no firewall can stop it.

    That won't help either.

    There are good and not very good things about PhpSuExec. This posting explains the pros and cons: http://forums.cpanel.net/showpost.php?p=290017&postcount=6

    You need to scan your server and locate these scripts with r57shell. On one of our clients' servers, r57shell was embedded in an HTML file. It is amazing what these hackers can do to hide these destructive scripts.
     
    #12 AndyReed, Feb 22, 2007
    Last edited: Feb 22, 2007
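    AndyReed's point that the shell may sit in a file with an .html extension, and jugo's earlier question about noticing an upload quickly enough to send an e-mail, both come down to a sweep that looks at file contents rather than names. The scanner below is an added example for this thread, not anything a poster ran: it walks an account tree, checks every file regardless of extension, and reports which indicators matched. The indicator patterns are this example's own choice (an assumption, not a signature database), and the sample files it scans are constructed fixtures built in a temporary directory.

```python
import os
import re
import tempfile

# Indicators, not a signature database: the marker string the thread names plus
# shell-exec/eval fed straight from request input. Chosen for this example.
INDICATORS = {
    "r57shell marker": re.compile(r"r57shell", re.I),
    "exec from request input": re.compile(
        r"\b(?:exec|shell_exec|system|passthru|popen|proc_open)\s*\(\s*"
        r"\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "eval of decoded payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.I)

def scan_file(path):
    """Return indicator names found in one file, regardless of its extension."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if PHP_TAG.search(text) and not path.lower().endswith((".php", ".phtml")):
        hits.append("php code in non-php file")   # the embedded-in-HTML case
    return hits

def scan_tree(root):
    """Map relative path -> indicators for every regular file under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue                      # do not follow user-planted links
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings   # pipe this into mail(1) from cron for jugo's alert

def demo():
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "public_html", "img"))
    samples = {   # constructed fixtures for the example, not real malware
        "public_html/index.php": "<?php echo 'hello'; // benign\n",
        "public_html/img/1.php": "<?php /* r57shell */ passthru($_REQUEST['c']); ?>",
        "public_html/about.html": "<html><?php eval(base64_decode($_POST['p'])); ?></html>",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return scan_tree(root)
```

    Run it as root over /home with a cron job and mail the non-empty findings dict; a clean tree returns an empty dict, so the job stays silent until something matches.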
  13. procam

    procam Well-Known Member

    Joined:
    Nov 24, 2003
    Messages:
    123
    Likes Received:
    0
    Trophy Points:
    16
    Uhmm, yeah, the cons:

    Performance:
    Since PHP is running via a CGI interpreter, which adds a little overhead to your CPU.

    ****PHP running as a CGI... well, this sorta defeats the entire purpose of having PHP, doesn't it!****

    Php Scripts:
    Some scripts do not like the Phpsuexec CGI environment as it changes certain Php internal system variables causing them to fail.

    ****"Some scripts" is an UNDERSTATEMENT**** Again, see the above answer on running PHP as a CGI.****

    .htaccess:
    Manipulating some Php settings is not possible (use a local Php.ini instead)

    Security:
    Files/directory permissions given world read+write+execute (777) will not work; instead these files will need to be changed to 755.

    Php eAccelerator:
    ZendOptimizer works, however other popular Accelerators such as eAccelerator won't.

    ****Not a great loss ****

    URLs:
    Variables in the URL not encoded as regular variables, that is, variables inside the URL path rather than expressed like view.php?=view, will not work.

    ****Major pain in the backside in many cases****

    While reading that guy's post, yeah, he posted a lot of cons all right, but minimal pros, which was exactly my feeling about it! :eek:
     
  14. jack01

    jack01 Well-Known Member

    Joined:
    Jul 21, 2004
    Messages:
    200
    Likes Received:
    0
    Trophy Points:
    16
    phpSuExec runs on 5 of our servers and it has not 'broken' any scripts; it's always settings such as safe_mode On and register_globals etc. that cause more issues by far.
     
  15. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Has it ever occurred to you that the entire purpose of having PHP is defeated by allowing every other user on the machine to look through all the databases on the system? And collect and use passwords, credit card information and who knows what? This is absolutely the case without phpsuexec. Yes, there is a little overhead; it's minimal and unavoidable if you want a secure server. If you have a site that uses sufficient load to be affected by this it probably merits special treatment (dedicated server, or shared server with only a small number of high-trust high-volume sites running mod_php).

    This is ridiculous. Only very few scripts have a problem - like 1 in 100. As just one example, all 50 of the Fantastico scripts work unchanged, for instance. The truth of the situation is that most scripts are easier to install and don't require 777 permissions to be set.

    How is this a problem? 1 in 100 accounts (roughly) will need you to move a php_flag or php_value from their .htaccess file to their php.ini. Given that very few accounts require this, it shouldn't be an issue. And as for mode 777 - if you don't see the problem with that, you may need to think a little!! (try this: "any user on the server can write to any file or directory with mode 777" -- Hacker response: "great, let's make a copy of credit card numbers on their way past").

    I have no idea what this means, but I can confirm that I've never seen this problem in nearly 2 years with phpsuexec and hundreds of accounts. As far as I know all URLs work, perhaps this information was wrong, or is just dated.

    He did post a lot of cons, agreed, but unless you're in a position of experience with phpsuexec, which clearly you're not, you shouldn't comment as you're just confusing people! The pros far outweigh the cons for most people. Again, this isn't a simple situation - lots of professionals are running fairly secure servers without phpsuexec, it's just a lot harder to do, and in my opinion based on teaching Unix and programming and being a sysadmin over the last 25 years or so, running each user as their own user is a logical and simple solution.
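    The one migration chore brianoz names twice in this thread (here and in his earlier reply) is moving php_flag/php_value lines out of .htaccess into a per-account php.ini, because with PHP running as CGI the mod_php directives are unknown to Apache and the account answers with a 500 until they are gone. The helper below is an added example written for this thread, not the project's or a poster's code; the .htaccess it processes is a constructed sample, and anything it does not recognise as a php_flag/php_value line is left in place.

```python
import re

# Matches the php_flag / php_value lines that mod_php accepts in .htaccess.
# Without mod_php loaded (PHP as CGI under phpsuexec) Apache rejects them as
# invalid commands and the whole account returns a 500 until they are moved.
DIRECTIVE = re.compile(r"^\s*php_(flag|value)\s+(\S+)\s+(.*?)\s*$", re.I)

def split_htaccess(htaccess_text):
    """Return (kept .htaccess lines, php.ini lines) for one account.

    php_flag values are normalised to On/Off; php_value values are copied
    verbatim with surrounding quotes stripped.  All other lines are kept.
    """
    kept, ini = [], []
    for line in htaccess_text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            kept.append(line)
            continue
        kind, key, value = m.group(1).lower(), m.group(2), m.group(3).strip("\"'")
        if kind == "flag":
            value = "On" if value.lower() in ("on", "1", "true", "yes") else "Off"
        ini.append(f"{key} = {value}")
    return kept, ini

# Constructed sample: a typical shared-hosting .htaccess of the period.
SAMPLE_HTACCESS = """\
RewriteEngine On
php_flag register_globals off
php_value memory_limit 64M
php_flag magic_quotes_gpc On
php_value upload_max_filesize "16M"
ErrorDocument 404 /404.html
"""

if __name__ == "__main__":
    kept, ini = split_htaccess(SAMPLE_HTACCESS)
    print("\n".join(kept))
    print("---- php.ini ----")
    print("\n".join(ini))
```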
     