The Community Forums

Interact with an entire community of cPanel & WHM users!

disable viewing/executing 755 perm files

Discussion in 'Security' started by arabgenius, Sep 2, 2013.

  1. arabgenius

    arabgenius Member

    Joined:
    Jun 25, 2011
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Hello,
    I got hacked many times by cgi-telnet, which I was stopping with mod_sec and httpd.conf folder options like this:

    Code:
    <Directory "/">
        Options +ExecCGI -FollowSymLinks -Includes +IncludesNOEXEC -Indexes -MultiViews +SymLinksIfOwnerMatch
        AllowOverride All
    </Directory>
    
    <Directory "/usr/local/apache/htdocs">
        Options -ExecCGI +Includes -Indexes -FollowSymLinks +IncludesNOEXEC  -MultiViews +SymLinksIfOwnerMatch
        AllowOverride AuthConfig Indexes Limit FileInfo Options=IncludesNOEXEC,-Indexes,Includes,-MultiViews,SymLinksIfOwnerMatch,-FollowSymLinks
        Order allow,deny
        Allow from all
    </Directory>
    
    <Directory "/home">
        Options -ExecCGI +Includes -Indexes -FollowSymLinks +IncludesNOEXEC  -MultiViews +SymLinksIfOwnerMatch
        AllowOverride AuthConfig Indexes Limit FileInfo Options=IncludesNOEXEC,-Indexes,Includes,-MultiViews,SymLinksIfOwnerMatch,-FollowSymLinks
        Order allow,deny
        Allow from all
    </Directory>
    
    Unfortunately, nowadays Apache does not accept "Options=IncludesNOEXEC,-Indexes,Includes,-MultiViews,SymLinksIfOwnerMatch,-FollowSymLinks"

    and mod_sec rules are not enough, as the hacker can use any other name like xxxx.zy or uuuu.sym.

    So I noticed one common factor needed to run this CGI, which is file perm 755.
    So how can I forbid 755 files from being opened directly?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,723
    Likes Received:
    660
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Restricting any file that utilizes 0755 permissions is not recommended. You can modify the "Directory “/” Options" configuration for Apache via:

    "WHM Home » Service Configuration » Apache Configuration » Global Configuration"

    Thank you.
     
  3. arabgenius

    arabgenius Member

    Joined:
    Jun 25, 2011
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Sorry, but I am speaking about the home directory & /usr/local/apache/htdocs.
    How do I set this:
    Options=IncludesNOEXEC,-Indexes,Includes,-MultiViews,SymLinksIfOwnerMatch,-FollowSymLinks
    or how do I disable viewing any 755 perm file inside home?
     
    #3 arabgenius, Sep 2, 2013
    Last edited: Sep 2, 2013
  4. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    ModSecurity, PHP settings, and Apache settings can only do so much.

    You need to find out HOW the cgi-telnet is getting there. Most of the time, it is because of old WordPress plugins or Joomla components being exploited. You should keep the Apache access logs for your site(s) by enabling the archiving in each cPanel ("Raw Access Logs"). When cgi-telnet script(s) appear, you can use the time stamps of the files to see how they were uploaded. Your best defense is making sure all installed web applications get updated on a regular basis, and have strong passwords.
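One way to do the log correlation quizknows describes, as an added example that is not from the thread or from cPanel: take the mtime of the dropped file (from stat), list the raw access log requests around that time with writes first, and pivot on the client that first fetched the shell. It assumes the Apache "combined" log format; the log lines and the mtime are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample of Apache "combined" access log lines (not from the thread).
# The shell name xxxx.zy is the one mentioned in the original post.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Sep/2013:10:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1540 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Sep/2013:10:14:09 +0000] "POST /wp-content/plugins/oldplugin/upload.php HTTP/1.1" 200 212 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Sep/2013:10:14:30 +0000] "GET /index.php HTTP/1.1" 200 8823 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Sep/2013:10:15:01 +0000] "GET /cgi-bin/xxxx.zy HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)

def parse_line(line):
    """Parse one combined-format line into (ip, time, method, path, status), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def requests_around(log_text, file_mtime, window_seconds=120):
    """Requests within +/- window_seconds of the suspect file's mtime (from stat),
    writes (POST/PUT) first, then by closeness in time: the upload is a write."""
    hits = [r for r in map(parse_line, log_text.splitlines())
            if r and abs((r[1] - file_mtime).total_seconds()) <= window_seconds]
    hits.sort(key=lambda r: (r[2] not in ("POST", "PUT"),
                             abs((r[1] - file_mtime).total_seconds())))
    return hits

def first_request_to(log_text, path):
    """Earliest request whose path ends with `path` (e.g. the shell's file name);
    its source IP is the pivot for pulling that client's earlier requests."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r and r[3].endswith(path)]
    return min(recs, key=lambda r: r[1]) if recs else None

def requests_from(log_text, ip):
    """Every request from one client IP, in log order."""
    return [r for r in map(parse_line, log_text.splitlines()) if r and r[0] == ip]

if __name__ == "__main__":
    # Constructed mtime of the dropped file; in practice use os.stat(path).st_mtime
    mtime = datetime(2013, 9, 2, 10, 14, 10, tzinfo=timezone.utc)
    for ip, ts, method, path, status in requests_around(SAMPLE_LOG, mtime):
        print(ts.isoformat(), ip, method, path, status)
```

Run it against the archived raw access log for the account, with the window widened if the server clock and the file timestamps disagree.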
     
  5. arabgenius

    arabgenius Member

    Joined:
    Jun 25, 2011
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Thank you quizknows,
    but your advice is good when we speak about 2-15 websites; if you have shared hosting and you have more than 150 accounts,
    how do you think you will manage?
     
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    940
    Likes Received:
    55
    Trophy Points:
    28
    cPanel Access Level:
    DataCenter Provider
    I manage many shared servers with that many accounts. I highly recommend using CloudLinux with CageFS and SecureLinks. This way if one site is hacked, they cannot affect your other customers. Customers who are hacked because of their own out-of-date software are responsible for their own cleanup, though I often do clean it up for them as a courtesy.

    One other thing: the execute permissions of a malicious CGI or PHP script really don't matter - it just has to be readable. PHP itself is the executable. You can "execute" a PHP file even if it is 444, since PHP itself is being executed and the script [name] itself is just an argument.
     
    #6 quizknows, Sep 3, 2013
    Last edited: Sep 3, 2013