Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

heavy attacks - cagefs didnt help

Discussion in 'CloudLinux' started by nadav@expimltd, Jun 9, 2014.

  1. nadav@expimltd

    nadav@expimltd Registered
    PartnerNOC

    Joined:
    Jun 9, 2014
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    Hi everyone
    hope i can find some things i didn't try here
    i have a customer who rents a vps with cloudlinux and cpanel
    cagefs is on
    modsecurity is on with owasp rulesets manually installed
    execcgi + indexes are off
    maldet is scanning
    rkhunter is scanning
    free nginxcp latest version 4.8 is installed
    the server suffers from:
    sql injections (usernames in wp_users being changed)
    script injections (base64)
    symlinks
    and worst of all a sub-domain was added to an account
    including dns and http settings -
    this subdomain held a phishing paypal site
    and we have found out about via abuse team on our collocation

    my first question is -
    what good does cagefs does if symlinks are done on the servers?
    how can i prevent running of any base64 scripts?

    thanks in advance
    :mad: i'm desperate and most of all disappointed of cloudlinux and their so called "cagefs"
     
    #1 nadav@expimltd, Jun 9, 2014
  2. bejbi

    bejbi Well-Known Member

    Joined:
    Jan 20, 2006
    Messages:
    98
    Likes Received:
    1
    Trophy Points:
    158
    Location:
    Poland
    cPanel Access Level:
    DataCenter Provider
    The things You are writing about have nothing to do with CageFS.
    The same "security" You'll have when You put Your root password on Facebook ...

    SQL injection is customers problem (not weak system, but weak programmers).
    Base64 scripts are injected common by stealing password from TotalCommander - this is customers security problem too. Not CageFS or CloudLinux.
     
    #2 bejbi, Jun 10, 2014
  3. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,749
    Likes Received:
    1,885
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello :)

    One of the best things you can do is to ensure the applications that your customers install onto their websites are up to date. Most attacks are on outdated scripts where known exploits are available.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 cPanelMichael, Jun 10, 2014
  4. psytanium

    psytanium Well-Known Member

    Joined:
    Jun 6, 2014
    Messages:
    103
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    He is absolutely right, CageFS is useless.
    I have more than 40 accounts on a shared server, they started falling under phishing whatever one after one.

    now all of them are infected.

    KNOWING that, 13 accounts have no files, no databases, no email accounts, just empty for later use.

    I'm 99% sure that the fraud files are spreading on accounts.

    this is happening to me since January, I have done every possible things, passwords change use pass generator, formatted my pc, latest kaspersky antivirus, I don't save any password in the browser, etc... for over 5 months I'm suffering from this.
     
    #4 psytanium, Jun 12, 2014
  5. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,749
    Likes Received:
    1,885
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Keep in mind that you may need to consult with a qualified system administrator or security specialist if you are concerned about the security of your system and are unable to pinpoint any particular source for the attack.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 cPanelMichael, Jun 12, 2014
  6. 365support

    365support Registered

    Joined:
    May 17, 2014
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I am using and handled lots of cagefs enabled server and the problem mentioned by psytanium is more related to the website and programming related which allow hacker to manipulate with your database and files, still you can stop symbolic links by select Symlink Race Condition Protection from the Exhaustive Options list during the EasyApache build process.

    also when you use cagefs you should know how to configure it more stronger according to your needs
    To change GID of processes that cannot follow symlink, edit file /etc/sysctl.conf, add line:

    fs.symlinkown_gid = XX

    more on open /etc/sysctl.conf and look for /add below line
    fs.enforce_symlinksifowner = 1

    And execute
    $ sysctl -p


    365hostingsupport
     
    #6 365support, Jul 1, 2014
  7. Wabun

    Wabun Well-Known Member

    Joined:
    Oct 6, 2012
    Messages:
    68
    Likes Received:
    3
    Trophy Points:
    8
    Location:
    Antwerpen
    cPanel Access Level:
    Root Administrator
    @ Nadav.. see: CloudLinux Documentation

    Article describes that Apache runs with id 99 so this is 'standard' added at the end of the file: /etc/sysctl.conf

    fs.symlinkown_gid = 99
    # CageFS
    fs.proc_can_see_other_uid=0
    fs.suid_dumpable=1

    Same for symlinksif owner, a default install of CL will make sure it is enabled.

    See thread below for command to check if enabled: $ sysctl -a|grep symlink

    http://forums.cpanel.net/f391/how-enable-securelinks-368172.html

    Please, if you run with CL contact their support, it is very good.
     
    #7 Wabun, Jul 14, 2014
(You must log in or sign up to post here.)
Loading...
Similar Threads - heavy attacks cagefs
  1. Ianw5555

    Security Advisor warning about symlink ownership attacks

    Ianw5555, Sep 19, 2018 at 5:52 AM, in forum: Security
    Replies:
    2
    Views:
    46
    cPanelLauren
    Sep 19, 2018 at 1:55 PM
  2. Damlhen

    Increase in perl script attacks

    Damlhen, Jul 29, 2018, in forum: Security
    Replies:
    1
    Views:
    89
    cPanelMichael
    Aug 1, 2018
  3. Lillike

    SOLVED Kernel does not support the prevention of symlink ownership attacks

    Lillike, Jun 20, 2018, in forum: Security
    Replies:
    11
    Views:
    251
    cPanelLauren
    Aug 3, 2018
  4. fwosty

    Kernel does not support the prevention of symlink ownership attacks.

    fwosty, Sep 8, 2017, in forum: Security
    Replies:
    4
    Views:
    701
    cPanelMichael
    Sep 12, 2017
  5. Mehrdad Tari

    Solutions for handling ddos attacks?

    Mehrdad Tari, Jul 9, 2017, in forum: Security
    Replies:
    3
    Views:
    1,454
    postcd
    Aug 19, 2017

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice