The Community Forums


Hacked - all index.xxx files changed

Discussion in 'Security' started by jeroman8, Oct 11, 2010.

  1. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    16
    We run suPHP and open_basedir, have "normal" security, and also run CSF.

    We just had the "replace index.xxx files" hack.
    All accounts' (all /home/xxx) index.xx files were changed.

    Probably someone uploaded a script somewhere (found some scripts under one account) and ran it, but what I don't understand is how someone's
    script can change other accounts' PHP files when running suPHP and not "PHP as nobody" (if the index files were owned by nobody).

    Any ideas?
    How to secure it?

    Thanks!
     
  2. AL-Kateb

    AL-Kateb Active Member

    Joined:
    Feb 27, 2010
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
    First of all, I want to note here that I'm not a specialist and I'm not an expert; I'm just giving you a little advice. You should probably wait for some of the staff to reply.

    suPHP does not support open_basedir unless you are using a custom php.ini for each of your accounts, which means open_basedir will work as you set it up in the main php.ini, which means users will have access to the other webroots if the permissions are set to allow that.

    That means if somebody has his index file writable by anybody, the hacker can do this.
    But those index files should not have such permissions, which means maybe the script was executed with root access.

    You can search the forums for the word suphp_configPath and you should get somewhere regarding enabling open_basedir, but you will have to use a custom php.ini for each account.

    You could check to see whether the changed files have write permissions for everybody; if yes, then it's the user's fault for having his file permissions wide open,

    and if not, then I suspect the script was run with root access.

    You might want to upgrade your kernel, because if your kernel has some exploit that will allow users to gain root access, you don't want this to happen again.
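The checks suggested in this reply (which recently changed index.* files are world-writable or owned by nobody, and whether the same payload landed in every account) can be scripted for the whole /home tree. This is an added example, not code from either poster; the root directory, time window and the user name `nobody` are assumptions to adjust for the server.

```shell
#!/bin/sh
# Audit index.* files under a web-root tree (e.g. /home) that were modified in
# the last N minutes (default: 24 h). Each hit is printed with flags for the two
# conditions discussed in the thread: world-writable, and owned by "nobody".
audit_index_files() {
    root="$1"; window="${2:-1440}"
    find "$root" -type f -name 'index.*' -mmin "-$window" 2>/dev/null | sort |
    while read -r f; do
        flags=""
        # world-writable (o+w): any local user or script could have rewritten it
        [ -n "$(find "$f" -perm -002 -print 2>/dev/null)" ] && flags="$flags world-writable"
        # owned by nobody: written by a PHP-as-nobody process, not the account user
        [ -n "$(find "$f" -user nobody -print 2>/dev/null)" ] && flags="$flags owner=nobody"
        printf '%s%s\n' "$f" "${flags:+ [${flags# }]}"
    done
}

# A mass defacement drops the same content into every account, so identical
# checksums across different accounts are the signature to look for.
duplicate_index_content() {
    root="$1"; window="${2:-1440}"
    find "$root" -type f -name 'index.*' -mmin "-$window" -exec cksum {} + 2>/dev/null |
    awk '{ n[$1]++; files[$1] = files[$1] " " $3 }
         END { for (k in n) if (n[k] > 1) print n[k], "files share checksum", k ":" files[k] }'
}

# Example invocation on a live server (assumed paths):
#   audit_index_files /home 1440
#   duplicate_index_content /home 1440
```

Run it as root so every account's public_html is readable; the output lists only files that changed inside the window, so widen it if the defacement is older than a day.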
     