heavy attacks - cagefs didn't help

Discussion in 'CloudLinux' started by nadav@expimltd, Jun 9, 2014.

  1. nadav@expimltd

    nadav@expimltd Registered
    PartnerNOC

    Hi everyone,
    I hope I can find some things I didn't try here.
    I have a customer who rents a VPS with CloudLinux and cPanel:
    CageFS is on
    ModSecurity is on with OWASP rulesets manually installed
    ExecCGI + Indexes are off
    maldet is scanning
    rkhunter is scanning
    free nginxcp latest version 4.8 is installed
    The server suffers from:
    SQL injections (usernames in wp_users being changed)
    script injections (base64)
    symlinks
    and worst of all, a sub-domain was added to an account,
    including DNS and HTTP settings -
    this subdomain held a phishing PayPal site
    and we found out about it via the abuse team at our colocation.

    My first question is -
    what good does CageFS do if symlinks are done on the servers?
    How can I prevent any base64 scripts from running?

    Thanks in advance
    :mad: I'm desperate and most of all disappointed in CloudLinux and their so-called "CageFS"
     
  2. bejbi

    bejbi Well-Known Member

    The things you are writing about have nothing to do with CageFS.
    You'll have the same "security" when you put your root password on Facebook ...

    SQL injection is the customer's problem (not a weak system, but weak programmers).
    Base64 scripts are commonly injected by stealing passwords from TotalCommander - this is the customer's security problem too. Not CageFS or CloudLinux.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    One of the best things you can do is to ensure the applications that your customers install onto their websites are up to date. Most attacks are on outdated scripts where known exploits are available.

    Thank you.
     
  4. psytanium

    psytanium Well-Known Member

    He is absolutely right, CageFS is useless.
    I have more than 40 accounts on a shared server; they started falling under phishing or whatever one after another.

    Now all of them are infected.

    KNOWING that, 13 accounts have no files, no databases, no email accounts, just empty for later use.

    I'm 99% sure that the fraud files are spreading across accounts.

    This has been happening to me since January. I have done every possible thing: changed passwords using a password generator, formatted my PC, latest Kaspersky antivirus, I don't save any password in the browser, etc... For over 5 months I have been suffering from this.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Keep in mind that you may need to consult with a qualified system administrator or security specialist if you are concerned about the security of your system and are unable to pinpoint any particular source for the attack.

    Thank you.
     
  6. 365support

    365support Registered

    I am using and have handled lots of CageFS-enabled servers, and the problem mentioned by psytanium is more related to the website and its programming, which allow a hacker to manipulate your database and files. Still, you can stop symbolic links by selecting Symlink Race Condition Protection from the Exhaustive Options list during the EasyApache build process.

    Also, when you use CageFS you should know how to configure it more strongly according to your needs.
    To change the GID of processes that cannot follow symlinks, edit the file /etc/sysctl.conf and add the line:

    fs.symlinkown_gid = XX

    Then open /etc/sysctl.conf and look for / add the line below:
    fs.enforce_symlinksifowner = 1

    And execute
    $ sysctl -p


    365hostingsupport
     
  7. Wabun

    Wabun Well-Known Member

    @ Nadav.. see: CloudLinux Documentation

    The article describes that Apache runs with id 99, so this is the 'standard' added at the end of the file /etc/sysctl.conf:

    fs.symlinkown_gid = 99
    # CageFS
    fs.proc_can_see_other_uid=0
    fs.suid_dumpable=1

    Same for symlinksifowner; a default install of CL will make sure it is enabled.

    See the thread below for the command to check if it is enabled: $ sysctl -a|grep symlink

    http://forums.cpanel.net/f391/how-enable-securelinks-368172.html

    Please, if you run with CL, contact their support, it is very good.
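A small check for the two sysctl settings discussed in 365support's and Wabun's posts, added here as an example and not part of either post or of CloudLinux's tooling. The sysctl output below is constructed, not captured from a real server, and the expected GID of 99 follows Wabun's note that Apache runs as id 99 on a default install.

```shell
#!/bin/sh
# Constructed sample output in the shape of `sysctl -a | grep symlink`
# on a CloudLinux host (values are examples, not from a real server).
SAMPLE_HARDENED='fs.enforce_symlinksifowner = 1
fs.symlinkown_gid = 99
fs.protected_symlinks = 1'

SAMPLE_WEAK='fs.enforce_symlinksifowner = 0
fs.symlinkown_gid = 0
fs.protected_symlinks = 1'

# sysctl_value KEY TEXT: print the value of KEY from "key = value" lines.
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" -F'[ =]+' '$1 == k { print $2 }'
}

# check_symlink_protection TEXT [EXPECTED_GID]: prints "ok" when symlinksifowner
# enforcement is on and symlinkown_gid matches the web server's GID; otherwise
# prints one line per problem so the admin knows which sysctl to fix.
check_symlink_protection() {
    text=$1
    want_gid=${2:-99}   # 99 = the GID Apache runs under, per the thread
    problems=""
    enforce=$(sysctl_value fs.enforce_symlinksifowner "$text")
    gid=$(sysctl_value fs.symlinkown_gid "$text")
    [ "$enforce" = "1" ] || problems="${problems}fs.enforce_symlinksifowner is '${enforce:-unset}', expected 1
"
    [ "$gid" = "$want_gid" ] || problems="${problems}fs.symlinkown_gid is '${gid:-unset}', expected ${want_gid}
"
    if [ -z "$problems" ]; then
        echo ok
    else
        printf '%s' "$problems"
    fi
}

# Demo on the constructed samples; on a live host replace the sample with:
#   check_symlink_protection "$(sysctl -a 2>/dev/null | grep symlink)"
check_symlink_protection "$SAMPLE_HARDENED"
check_symlink_protection "$SAMPLE_WEAK"
```

Add the live `sysctl -a` line to a cron job or monitoring check so a stray edit to /etc/sysctl.conf that turns enforcement off is noticed rather than discovered through an abuse report.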
     