disable viewing/executing 755 perm files

arabgenius

Member
Jun 25, 2011
Hello
I got hacked many times by cgi-telnet, which I was stopping with mod_sec and httpd.conf folder options like this:

Code:
<Directory "/">
    Options +ExecCGI -FollowSymLinks -Includes +IncludesNOEXEC -Indexes -MultiViews +SymLinksIfOwnerMatch
    AllowOverride All
</Directory>

<Directory "/usr/local/apache/htdocs">
    Options -ExecCGI Includes -Indexes -FollowSymLinks +IncludesNOEXEC  -MultiViews +SymLinksIfOwnerMatch
    AllowOverride AuthConfig Indexes Limit FileInfo Options=IncludesNOEXEC,-Indexes,Includes,-MultiViews,SymLinksIfOwnerMatch,-FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>

<Directory "/home">
    Options -ExecCGI Includes -Indexes -FollowSymLinks +IncludesNOEXEC  -MultiViews +SymLinksIfOwnerMatch
    AllowOverride AuthConfig Indexes Limit FileInfo Options=IncludesNOEXEC,-Indexes,Includes,-MultiViews,SymLinksIfOwnerMatch,-FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
Unfortunately, nowadays Apache does not accept "Options=IncludesNOEXEC,-Indexes,Includes,-MultiViews,SymLinksIfOwnerMatch,-FollowSymLinks"

and mod_sec rules are not enough, as a hacker can use any other name like xxxx.zy or uuuu.sym.

So I noticed one common factor needed to run this CGI, which is file perm 755.
So how can I forbid 755 files from being opened directly?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

Restricting any file that utilizes 0755 permissions is not recommended. You can modify the "Directory “/” Options" configuration for Apache via:

"WHM Home » Service Configuration » Apache Configuration » Global Configuration"

Thank you.
 

arabgenius

Member
Jun 25, 2011
Sorry, but I am speaking about the directories home & /usr/local/apache/htdocs.
How do I set this:
Options=IncludesNOEXEC,-Indexes,Includes,-MultiViews,SymLinksIfOwnerMatch,-FollowSymLinks
or how do I disable viewing any 755 perm file inside home?
 

quizknows

Well-Known Member
Oct 20, 2009
ModSecurity, PHP settings, and Apache settings can only do so much.

You need to find out HOW the cgi-telnet is getting there. Most of the time, it is because of old WordPress plugins or Joomla components being exploited. You should keep the Apache access logs for your site(s) by enabling the archiving in each cPanel ("Raw Access Logs"). When cgi-telnet script(s) appear, you can use the timestamps of the files to see how they were uploaded. Your best defense is making sure all installed web applications get updated on a regular basis, and have strong passwords.
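The timestamp correlation described in this post, as an added example that is not from the thread: it takes the modification time of a newly found cgi-telnet file and pulls the body-carrying requests (POST/PUT) from a combined-format access log that landed within a window around that time. The log lines and the mtime are constructed sample data; the window size and method list are assumptions.

```python
"""Correlate a suspicious file's mtime with Apache access-log entries."""
import os
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "method": m.group("method"), "path": m.group("path"),
            "status": int(m.group("status"))}


def file_mtime_utc(path):
    """Modification time of the suspicious file as an aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def requests_near(lines, file_mtime, window_seconds=120, methods=("POST", "PUT")):
    """Requests within +/- window_seconds of file_mtime that could carry an upload,
    nearest first. Malformed lines and non-upload methods are skipped."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in methods:
            continue
        if abs(rec["ts"] - file_mtime) <= window:
            hits.append(rec)
    return sorted(hits, key=lambda r: abs(r["ts"] - file_mtime))


# Constructed sample log (not real traffic) and a constructed mtime for the found file.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Jun/2011:12:00:00 +0000] "POST /index.php HTTP/1.1" 200 10 "-" "ua"',
    '203.0.113.5 - - [25/Jun/2011:14:02:31 +0000] "POST /wp-content/plugins/old/upload.php HTTP/1.1" 200 512 "-" "ua"',
    '198.51.100.9 - - [25/Jun/2011:14:02:59 +0000] "GET /cgi-bin/x.cgi HTTP/1.1" 200 88 "-" "ua"',
    '198.51.100.9 - - [25/Jun/2011:14:03:45 +0000] "POST /cgi-bin/x.cgi HTTP/1.1" 200 88 "-" "ua"',
    "this line is not a log entry",
]
SUSPECT_MTIME = datetime(2011, 6, 25, 14, 3, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for r in requests_near(SAMPLE_LOG, SUSPECT_MTIME):
        print(r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
```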
 

arabgenius

Member
Jun 25, 2011
Thank you quizknows,
but your advice is good when we speak about 2-15 websites. If you have shared hosting and more than 150 accounts,
how do you think you will manage?
 

quizknows

Well-Known Member
Oct 20, 2009
I manage many shared servers with that many accounts. I highly recommend using CloudLinux with CageFS and SecureLinks. This way if one site is hacked, they cannot affect your other customers. Customers who are hacked because of their own out-of-date software are responsible for their own cleanup, though I often do clean it up for them as a courtesy.

One other thing: the execute permissions of a malicious CGI or PHP script really don't matter; it just has to be readable. PHP itself is the executable. You can "execute" a PHP file even if it is 444, since PHP itself is being executed and the script [name] itself is just an argument.
 