The Community Forums


can anyone decipher this ?

Discussion in 'Security' started by keat63, Dec 14, 2014.

  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    can anyone decipher this ?
    Code:
    [Sat Dec 13 23:47:26 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/w00tw00t.at.blackhats.romanian.anti-sec:)
    [Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
    [Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpmyadmin
    [Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/pma
    [Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/w00tw00t.at.blackhats.romanian.anti-sec:)
    [Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/myadmin
    [Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
    [Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/MyAdmin
    [Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpmyadmin
    [Sat Dec 13 23:47:29 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/pma
    [Sat Dec 13 23:47:29 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/myadmin
    [Sat Dec 13 23:47:29 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/MyAdmin
     
    #1 keat63, Dec 14, 2014
    Last edited by a moderator: Dec 14, 2014
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,279
    Likes Received:
    36
    Trophy Points:
    48
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Does that really need to be deciphered? Somebody is using a vulnerability scanner to scan a site on your server for the existence of specific vulnerabilities. My guess is that the log is longer than that, and that you kept it short on purpose. Either way, it's a typical vulnerability scan. If a site is accessible via the internet, you can bet that it sees similar traffic often.

    And no, Romanians in particular are not out to get you.

    Nothing there would indicate that you have anything to worry about. Of course, that statement is only true if you have up to date operating system software, up to date cpanel, up to date web applications, and are using additional security practices [like modsecurity with a good ruleset].

    Bottom line -- if you look in the logs for any website, you'll see similar types of scans.

    M


     
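The scan mtindor describes is easy to pick out mechanically, and on a busy server that beats reading error_log by eye. The following is an added example, not code from the thread or from cPanel, that parses Apache 2.2-style "File does not exist" error_log lines, groups them by client, and flags a client either when it requests a known scanner calling card (the w00tw00t marker) or when it probes several different database-admin paths inside a short window. The sample lines are constructed from those in the post plus two benign 404s from a documentation-range address; the probe list, the window and the threshold are my starting assumptions, not anything the thread specifies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six of the lines from the post (repeats dropped) plus two
# ordinary 404s from a documentation-range address (203.0.113.7), so the report
# shows a scanner being flagged and a normal visitor left alone.
SAMPLE_LOG = """\
[Sat Dec 13 23:47:26 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/w00tw00t.at.blackhats.romanian.anti-sec:)
[Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
[Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/phpmyadmin
[Sat Dec 13 23:47:27 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/pma
[Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/myadmin
[Sat Dec 13 23:47:28 2014] [error] [client 69.174.245.163] File does not exist: /usr/local/apache/htdocs/MyAdmin
[Sat Dec 13 23:50:01 2014] [error] [client 203.0.113.7] File does not exist: /usr/local/apache/htdocs/favicon.ico
[Sat Dec 13 23:58:40 2014] [error] [client 203.0.113.7] File does not exist: /usr/local/apache/htdocs/robots.txt
"""

# Apache 2.2 error_log layout, as in the post: [timestamp] [level] [client IP] message.
LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"File does not exist: (?P<path>\S+)$"
)

# Assumed starter lists. The w00tw00t string is the request an automated scanner
# sends as its calling card; the second set is the admin-panel names tried in the
# post plus a few common variants. Extend both from your own logs.
SCANNER_MARKERS = ("w00tw00t",)
ADMIN_PANEL_PROBES = {"phpmyadmin", "pma", "myadmin", "mysqladmin", "sqladmin", "dbadmin"}


def parse_line(line):
    """Return {"ts", "ip", "name"} for a 'File does not exist' line, else None.
    name is the last path component, which is what the scanner asked for
    regardless of which vhost's document root Apache resolved it against."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    name = m.group("path").rstrip("/").rsplit("/", 1)[-1]
    return {"ts": ts, "ip": m.group("ip"), "name": name}


def classify(event):
    name = event["name"].lower()
    if any(marker in name for marker in SCANNER_MARKERS):
        return "scanner-signature"
    if name in ADMIN_PANEL_PROBES:
        return "admin-panel-probe"
    return None


def analyze(log_text, window=timedelta(seconds=60), threshold=3):
    """Group events by client and decide per client whether this looks like a scan.
    A client is flagged on a scanner signature, or on a 'burst': at least
    `threshold` distinct admin-panel names requested inside any `window`."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            per_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e["ts"])
        hits = [e for e in events if classify(e) == "admin-panel-probe"]
        burst, j = False, 0
        for i in range(len(hits)):            # sliding window over admin-panel probes
            while hits[i]["ts"] - hits[j]["ts"] > window:
                j += 1
            if len({e["name"].lower() for e in hits[j:i + 1]}) >= threshold:
                burst = True
                break
        signatures = sorted({e["name"] for e in events if classify(e) == "scanner-signature"})
        findings[ip] = {
            "requests": len(events),
            "first_seen": events[0]["ts"],
            "last_seen": events[-1]["ts"],
            "signatures": signatures,
            "admin_probes": sorted({e["name"].lower() for e in hits}),
            "burst": burst,
            "flagged": bool(signatures) or burst,
        }
    return findings


def report(log_text):
    for ip, f in sorted(analyze(log_text).items(), key=lambda kv: not kv[1]["flagged"]):
        tag = "SCAN " if f["flagged"] else "ok   "
        print(f"{tag} {ip:<16} {f['requests']:>3} misses  {f['first_seen']:%H:%M:%S}-{f['last_seen']:%H:%M:%S}"
              f"  probes={f['admin_probes']} signatures={f['signatures']}")


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run against a real error_log, most flagged clients will be exactly the background noise the replies describe. The value is in the exceptions: a client that probes an admin path which actually exists on the box, or one that keeps returning after its first sweep. CSF's Login Failure Daemon can block clients that rack up 404s automatically; the burst rule above is the same idea applied offline.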
  3. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    WHM and cPanel are configured to update automatically, so I guess it's up to date.
    However, I'm still learning.
    As for ModSecurity, I see some mention of it in WHM, but don't ask me what it all means.
     
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    This. 100 times, this.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    A good place to start when attempting to ensure your server is using good security practices is the "Security Advisor" option in WHM:

    Security Advisor

    Thank you.
     
  6. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Security advisor fails me on:

    No symlink protection detected
    SSH password authentication is enabled.
    SSH direct root logins are permitted.

    And CSF gives me a score of 126/136
     
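Two of the three Security Advisor findings above come straight from /etc/ssh/sshd_config. Below is an added example, not from the thread and not cPanel's Security Advisor code, that audits that file offline the way sshd itself reads it: keywords are case-insensitive, the first occurrence of a keyword wins, and anything after the first Match line is conditional rather than global. The three configs are constructed. The compiled-in defaults assumed when a keyword is absent ("yes" for both) are those of the OpenSSH 5.x/6.x builds on the CentOS 6 servers of this period and are marked as an assumption in the code. The "shadowed" config shows the mistake that keeps the advisor complaining after an edit: a hardened line appended below an earlier one that sshd already honoured.

```python
import re

# Assumed defaults when a keyword is absent: the compiled-in defaults of the
# OpenSSH 5.x/6.x builds on CentOS 6 era servers, i.e. "yes" for both. OpenSSH 7.0
# and later default PermitRootLogin to prohibit-password; change DEFAULTS for those.
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "yes"}
DISPLAY = {"passwordauthentication": "PasswordAuthentication", "permitrootlogin": "PermitRootLogin"}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")

# Three constructed sshd_config excerpts.
WEAK_CONFIG = """\
# As shipped: both lines are commented out, so the compiled-in defaults apply.
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

SHADOWED_CONFIG = """\
PasswordAuthentication yes
PermitRootLogin no
# Appended later by an admin who forgot that sshd honours the FIRST occurrence.
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""


def effective_settings(text):
    """Return ({keyword: (value, line_no)}, shadowed) for the global section.
    First occurrence wins, as in sshd; later duplicates are recorded in `shadowed`
    as (line_no, keyword, value). Parsing stops at the first Match block, whose
    settings are conditional and not what a server-wide check is about."""
    seen, shadowed = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        if key in seen:
            shadowed.append((n, key, value))
        else:
            seen[key] = (value, n)
    return seen, shadowed


def audit_sshd_config(text):
    """Grade the two keywords Security Advisor complained about.
    PASS: no. WARN: root allowed with keys only (without-password / prohibit-password /
    forced-commands-only). FAIL: password logins, or root password logins, possible."""
    settings, shadowed = effective_settings(text)
    report = {}
    for key, default in DEFAULTS.items():
        if key in settings:
            value, line_no, explicit = settings[key][0], settings[key][1], True
        else:
            value, line_no, explicit = default, None, False
        v = value.lower()
        if key == "passwordauthentication":
            status = "PASS" if v == "no" else "FAIL"
        elif v == "no":
            status = "PASS"
        elif v in ("without-password", "prohibit-password", "forced-commands-only"):
            status = "WARN"
        else:
            status = "FAIL"
        report[DISPLAY[key]] = {
            "value": v,
            "status": status,
            "explicit": explicit,          # False means the compiled-in default is in force
            "line": line_no,
            "shadowed_lines": [n for n, k, _ in shadowed if k == key],
        }
    return report


def print_report(label, text):
    print(f"== {label}")
    for keyword, r in audit_sshd_config(text).items():
        where = f"line {r['line']}" if r["explicit"] else "default"
        note = f"  (ignored duplicates on lines {r['shadowed_lines']})" if r["shadowed_lines"] else ""
        print(f"  {r['status']:<4} {keyword} {r['value']} [{where}]{note}")


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("shadowed", SHADOWED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print_report(label, cfg)
```

On the server itself `sshd -T` prints the effective configuration and is the authoritative check; this script is for reviewing a copy of the file before it goes live. Before turning off password and root logins, confirm that a non-root user with a working key can log in and escalate (cPanel puts such users in the wheel group for su), keep the current session open, and run `sshd -t` on the edited file before restarting the daemon.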
  7. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Not sure if you recall, but I had mod_ruid2 installed and was using suPHP, but my site stopped working inside a shell.
    I read somewhere that mod_ruid2 and suPHP don't work together; it's either one or the other, so I removed mod_ruid2.

    Symlink race protection appears to require mod_ruid2, so I'm a little confused as to which are the best options to use.
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    There are alternative options listed in the document referenced in my last post:

    Symlink Race Condition Protection

    Ideally, you should use CageFS or mod_ruid + jailshell, but the additional options are still more secure than no protections at all.

    Thank you.
     
  9. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I reinstalled mod_ruid2 last night.
    So PHP is now running as DSO with mod_ruid2 and shell access disabled.

    This fixed the Symlink error.
     
  10. PCZero

    PCZero Well-Known Member

    Joined:
    Dec 13, 2003
    Messages:
    526
    Likes Received:
    33
    Trophy Points:
    28
    Location:
    Earth
    Isn't it even better to just not give shell access to ANY accounts? None of my accounts have shell enabled at all and I get this SymLink warning in Security Advisor. If I open up shell to all users, jailed, the alert goes away. Seems to me jailed is less secure than no shell... Am I missing something?
     
  11. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    In general, no shell and jailed shell are both decent options. If your customers don't need shell access then no shell is fine.

    However, as far as the symlink hacks go, the account's shell access is irrelevant. It's all done using the site itself with PHP code once access is gained via a vulnerable plugin or compromised password.
     
  12. PCZero

    PCZero Well-Known Member

    Joined:
    Dec 13, 2003
    Messages:
    526
    Likes Received:
    33
    Trophy Points:
    28
    Location:
    Earth
    Thanks for the heads up. I was not following that line of thought from the description of the issue. I have rerun EA, adding ruid, and enabled the protection in Tweak. It threw me for a loop briefly when doing so caused 500 errors on pages of all web sites on the server in question, until I recalled seeing something about having to use DSO. Once I switched that over all was well again and the server gets 100% green lights in Security Advisor.
     