The Community Forums


Exploited Servers

Discussion in 'General Discussion' started by nxds, Mar 10, 2006.

  1. nxds

    nxds Well-Known Member

    Joined:
    Jan 6, 2006
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    6
    Hi,

    Several of our cPanel servers were recently exploited such that index.html files were added to several websites and index.htm files were modified with an iframe line containing the string mlm-norway, with uppercase characters changed to lower case in index.htm.

    The modified and new files were owned by the account hosting the website. Only a subset of the websites hosted on the servers were modified.

    The exploited servers were running CentOS 4.2 and the latest Cpanel. Rkhunter and chkroot come back negative.

    Does anyone recognise this attack and can anyone tell me what vulnerability has been exploited to do this?

    I have installed apf, bfd and mod-security on all the servers and restricted ssh access to certain addresses and users. What else can I do to prevent these attacks succeeding?

    Thanks.
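    A triage scan for the pattern described in this post, added here as an example that is not part of the thread or of cPanel's own tooling: it walks the home directories, reports every index.htm / index.html that contains both an <iframe> tag and the reported marker string, and prints the owning account and modification time so each hit can be matched against that account's domlog. GNU find/stat (as on CentOS), /home as the root and mlm-norway as the marker are assumptions; both are parameters.

```shell
#!/bin/sh
# Added example for triaging the defacement described above; it is not code
# from this thread or from cPanel. Assumptions: GNU find/stat (CentOS), home
# directories under the path given as the first argument (cPanel default is
# /home), and the marker string "mlm-norway" as the second argument.

# Print "owner<TAB>mtime<TAB>path" for every index.htm / index.html under
# $1 that contains both an <iframe> tag and the marker $2 (case-insensitive).
scan_injected_index() {
    root="$1"
    marker="$2"
    find "$root" -type f \( -iname 'index.htm' -o -iname 'index.html' \) -print 2>/dev/null |
    while IFS= read -r f; do
        if grep -qi '<iframe' "$f" && grep -qi -- "$marker" "$f"; then
            # Owner tells you which account wrote the file; mtime gives the
            # time window to look for in that account's domlog.
            printf '%s\t%s\t%s\n' "$(stat -c '%U' "$f")" "$(stat -c '%y' "$f")" "$f"
        fi
    done
}

# Number of injected index files found under $1 (quick damage estimate).
count_injected_index() {
    scan_injected_index "$1" "$2" | wc -l | tr -d ' '
}

# Every index.htm / index.html under $1 modified in the last $2 days. The
# added index.html files mentioned above may not carry the iframe at all,
# so a recent modification time is a second, independent indicator.
recent_index_files() {
    find "$1" -type f \( -iname 'index.htm' -o -iname 'index.html' \) \
        -mtime "-$2" -print 2>/dev/null
}

# Usage: sh scan.sh /home mlm-norway
if [ $# -ge 1 ]; then
    scan_injected_index "$1" "${2:-mlm-norway}"
    echo "injected index files: $(count_injected_index "$1" "${2:-mlm-norway}")"
fi
```

    Run it as root so every account's public_html is readable; the owner column confirms the point made in the post that the files were written as the hosting account, not as root, which is what points at a web-application exploit rather than a system-level compromise.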
     
  2. dalem

    dalem Well-Known Member
    PartnerNOC

    Joined:
    Oct 24, 2003
    Messages:
    2,577
    Likes Received:
    40
    Trophy Points:
    48
    Location:
    SLC
    cPanel Access Level:
    DataCenter Provider
    You have a PHP exploit. I would check the domlogs of the affected account(s). If it's the same hacker then the "several websites" may be running the same exploitable scripts, or it's just a coincidence. Find the exploit and add it to your mod_sec rules.


    And make sure you check & clean your tmp files.


    Can't really tell you if we recognize it when we don't know what was exploited.
     
    #2 dalem, Mar 10, 2006
    Last edited: Mar 10, 2006
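    One way to do the domlog check dalem suggests, added here as an example that is not code from this thread or from cPanel: it filters an Apache combined-format log (what cPanel writes under /usr/local/apache/domlogs/<domain>) to the time window taken from the defaced files' mtime, keeps PHP requests that were either POSTs or carried another URL in the query string, and groups the hits by client IP so the "same hacker across several sites" case can be checked. The log path, the window string and the two heuristics are assumptions, not a signature for this attack; the sample log in the test is constructed.

```shell
#!/bin/sh
# Added example for the domlog check suggested above; it is not code from this
# thread or from cPanel. Assumptions: Apache combined log format as cPanel
# writes to /usr/local/apache/domlogs/<domain> (path given as $1), and a
# timestamp fragment such as "10/Mar/2006:14" ($2) taken from the mtime of
# the defaced files. The two heuristics (POST to a PHP script, or a PHP
# request whose query string carries another URL) are generic things worth
# a second look, not a signature for this particular attack.

# Print "ip method path" for matching requests in log $1 within window $2.
suspicious_php_requests() {
    awk -v when="$2" '
        # Field 4 is the timestamp, e.g. [10/Mar/2006:14:02:11
        index($4, when) == 0 { next }
        {
            method = $6; sub(/^"/, "", method)   # field 6 is the method with a leading quote
            path = $7                            # request path plus query string
            if (path !~ /\.php/) next
            if (method == "POST" || path ~ /[?&][^=]*=https?(:|%3[Aa])/)
                print $1, method, path
        }' "$1"
}

# Group the hits by client IP: one source hitting PHP scripts on several
# accounts is the "same hacker" case described above.
suspicious_sources() {
    suspicious_php_requests "$1" "$2" |
    awk '{ hits[$1]++ } END { for (ip in hits) print hits[ip], ip }' | sort -rn
}

# Usage: sh domlog-triage.sh /usr/local/apache/domlogs/example.invalid "10/Mar/2006:14"
if [ $# -ge 2 ]; then
    suspicious_php_requests "$1" "$2"
    echo "--- by source ---"
    suspicious_sources "$1" "$2"
fi
```

    Run it against each affected account's domlog in turn; a script path that shows up on every defaced account, requested by the same IP inside the window, is the one to read through before writing a mod_security rule for it.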
  3. rs-freddo

    rs-freddo Well-Known Member

    Joined:
    May 13, 2003
    Messages:
    832
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Australia
    cPanel Access Level:
    Root Administrator
    More than likely it's the WysiwygPro exploit. Check if the account had WysiwygPro folder.
     
  4. Dattatec

    Dattatec Active Member
    PartnerNOC

    Joined:
    Mar 12, 2003
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Argentina

    Add this in your php.ini:
    Code:
    ; allow_url_fopen is an ini directive, not a function, so it is set on its own line
    allow_url_fopen = Off
    disable_functions = shell_exec, exec, system, passthru, popen, proc_open, proc_close, proc_nice, proc_terminate, proc_get_status, escapeshellarg, escapeshellcmd, posix_mkfifo, pcntl_exec

    Easier than installing firewalls :P
     
  5. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Might be "more easy than install firewalls" but it makes PHP largely useless. Be careful with this one. Mod_security is probably a better way of safeguarding your server.
     
  6. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    That's true. Do NOT add these directives in php.ini. Remove APF and BFD, as they don't have as great a security value as many people might think. Clean up this mess and secure your server.
     
  7. dreamwiz

    dreamwiz Well-Known Member

    Joined:
    Aug 28, 2003
    Messages:
    93
    Likes Received:
    0
    Trophy Points:
    6
    Would you mind explaining how removing APF and BFD would increase security? IMHO they are a valuable part of securing a server.
     
  8. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Indeed. What a load of rubbish. BFD and APF add massively to server security and to say otherwise is ridiculous unless you are proposing replacing them with something different, which is fine, but you need to give better advice than simply recommending people remove their iptables firewall scripts :rolleyes:
     
  9. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Let's be respectful of each other, Mr. moderator. This is very inappropriate and you wouldn't like it if I said the same thing about any of your postings. It is my opinion and if you don't like it, ignore my posting. I don't think I offended you or anybody with my suggestion. Thank you, sir :rolleyes:
     
  10. dave9000

    dave9000 Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    891
    Likes Received:
    1
    Trophy Points:
    16
    Location:
    arkansas
    cPanel Access Level:
    Root Administrator
    To some extent I agree with Andy on the value of APF and BFD.

    99% of the server exploits come in on a valid port, usually port 80.

    This said, mod_security and snort intrusion protection offer a lot more protection for your server than a firewall.

    If you modify your ssh port to something besides 22, BFD is rendered mostly useless due to the fact that 99% of the brute force attacks come in on port 22 at the hands of script kiddies.

    APF and BFD have their uses but they are not going to secure your server. They help, but you need intrusion protection more than a firewall.
     
    #10 dave9000, Mar 12, 2006
    Last edited: Mar 12, 2006
  11. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    No. Sorry, but recommending people disable their firewalls is downright irresponsible. If you want to disable yours, go ahead, but don't go around recommending other people open themselves up to attacks that I would be very happy to list in detail. I sincerely hope everybody ignores your post, not just me.
     
    #11 chirpy, Mar 12, 2006
    Last edited: Mar 12, 2006
  12. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    In one of the threads, you agreed that APF and BFD were not as good. One day you say something, the next day you say the opposite. That's weird. Read your own words: http://forums.cpanel.net/showthread.php?t=50745 :rolleyes:

    Why did you attack my posts, and me personally? Have you ever heard of net-etiquettes? Just in case, there are commonsense net-etiquettes everybody should observe:

    "- Avoid criticism and sarcasm.
    - No flaming.
    - Be POLITE in your email message or other postings; apply the same general rule of politeness you would if you were talking to a person on his or her face."
    (this was taken from AACC Web site where you can read more about net-etiquettes at: http://ola.aacc.cc.md.us/csi147/NetEtiquettes.htm)
     
    #12 AndyReed, Mar 12, 2006
    Last edited: Mar 12, 2006
  13. Lyttek

    Lyttek Well-Known Member

    Joined:
    Jan 2, 2004
    Messages:
    770
    Likes Received:
    3
    Trophy Points:
    18
    I read the post you mentioned. First, there's a difference between an exploit and a DOS/DDOS. For the latter, having it blocked via hardware by the upstream router IS better than having to deal with it on your server. For the former, you have to fix it/work around it on your server, so trying to block it via hardware isn't going to work.

    Different tools for different problems. So, either you're trying to start some "totally combustible" war, don't know how to read context, or are misinformed. In any case, given the arguments you've put forth, Chirpy didn't contradict himself, and removing APF/BFD is still a bad idea.
     
  14. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    I second that objective statement ! ;)
     
  15. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    I've actually found APF a help, it does make it a lot easier to block sites, and for a completely naive user it is great for that.

    Be careful with BFD though - it can block legitimate users, for instance, if they leave their FTP client running retrying the wrong password their whole IP will be blocked by BFD, not nice, and something that adds to admin work. If you add /etc/relayhosts to BFD's exclude.files that will prevent that happening. On my system that looked like:
    Code:
    echo /etc/relayhosts >> /usr/local/bfd/exclude.files
    One important point here. People often think that a firewall is a magic cure-all, perhaps because of the name. A firewall is only one tool in your toolkit - if you could just block everything you'd be as safe as houses, but obviously you can't!
     
  16. XPerties

    XPerties Well-Known Member

    Joined:
    Apr 10, 2003
    Messages:
    401
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    New Jersey, USA

    I didn't see chirpy attacking your post at all. In a more direct comment to your post, what I did see is a server management company make a ridiculous statement and tell others to remove their firewall protection. That is an ignorant statement and, in kinder words, chirpy was only making that exact point.

    Continuing to defend such a statement in this thread is not making you look any better.

     
  17. paulius

    paulius Member

    Joined:
    Apr 3, 2005
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    There are some things that money can't buy, for everything else, there's cPanel.

    I think that a firewall is not 100% required but it does add an extra layer of security. I would personally never put an unprotected server out on the Internet.

    PHP hardening is also important but also it's important to instruct users to update their scripts!
     
  18. dave9000

    dave9000 Well-Known Member

    Joined:
    Apr 7, 2003
    Messages:
    891
    Likes Received:
    1
    Trophy Points:
    16
    Location:
    arkansas
    cPanel Access Level:
    Root Administrator
    Note to my previous post.

    I myself did not say no firewall, I just said do not depend on it as a catch-all security device.

    We run cisco access lists, hardware firewall, active intrusion protection, hosts.deny and hosts.allow lists, mod_security, phpsuexec, suexec, secured tmp, compilers disabled, wget disabled except for root, all updates maintained, and we are subscribed to several security maillists that send us the latest exploits.

    And we still have had some php exploits get through on occasion.

    But luckily, with all the layers of security we have, we have been able to limit damage to the individual user.
     
  19. twhiting9275

    twhiting9275 Well-Known Member

    Joined:
    Sep 26, 2002
    Messages:
    538
    Likes Received:
    15
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    And while you're at it, set all your passwords to test123 and make a public list of the accounts on those. C'mon now, that's just riiiiiiidiculous.

    APF and BFD have a great value in security. They're not the only things that should be used, but still, come on now, removing them, is ridiculous.

    APF/BFD won't, however, stop this type of thing from happening. That's not their job. Properly securing your server and keeping it secure, however, will.

    This isn't as much a "server security" thing, however, as a "script security" thing. Sure, server security might be able to handle this, but at what extent? The server would be virtually useless. At some point, it becomes the responsibility of the user to secure their code.

    A firewall is, indeed, a 100% necessity. Keep in mind though, that APF isn't a "firewall" in and of itself, it's a frontend to iptables, the actual firewall.
     
  20. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
    Really hate to jump on this bandwagon, but ... in defense of Mr Reed, APF isn't really a firewall. It's a front-end to iptables. Now, having said that - security is all about layers of protection. The more you have, the better off you are. He's right in that they might give some folks a false sense of protection. He's wrong that because of that you should remove it.
     