The Community Forums

Interact with an entire community of cPanel & WHM users!

How the darn are they able to list my /home?

Discussion in 'Security' started by pixelstore, Aug 1, 2012.

  1. pixelstore

    pixelstore Member

    Joined:
    Jun 6, 2012
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    One site on my cPanel got hacked through the web. I've closed all ports except 80 and 443 on an external firewall so I'm pretty sure everything's executed through web and not ssh.

    The hacker(s) created a directory called "a" inside the public_html folder for the user. Inside this directory I found a lot of automatically created aliases that matched other users from my /home/. I have mod_ruid2, so I don't understand how they managed to do this; I thought ruid2 locked the user to their /home?

    Also inside this folder I found three tools/scripts:

    • Python: /http://pastebin.com/Zqn6U4Vw
    • Perl: /http://pastebin.com/6dZtvdCr
    • PHP: /http://pastebin.com/gUajB35w

    The Perl script is doing some symlinking, so I guess this might be the script they used. But how are they able to list things outside the user's home? Is ruid2 only locking PHP and not Perl, perhaps?

    And if someone here is good with Python and Perl, please have a look at the files and see if you can see what else they might have done.

    Thanks!
     
    #1 pixelstore, Aug 1, 2012
    Last edited: Aug 1, 2012
  2. Eric

    Eric Administrator
    Staff Member

    Joined:
    Nov 25, 2007
    Messages:
    746
    Likes Received:
    11
    Trophy Points:
    18
    Location:
    Texas
    cPanel Access Level:
    Root Administrator
    Howdy,

    What are your permissions on the user folder?

    It should look like this:

    grimlock home # ll|grep eric
    drwx--x--x 28 eric eric 4096 Jul 6 10:36 eric

    If you would like, we can talk over a ticket too.

    Thanks!
     
  3. nibb

    nibb Well-Known Member

    Joined:
    Mar 22, 2008
    Messages:
    301
    Likes Received:
    1
    Trophy Points:
    18
    Well, they should be able to do this, but on the other side I see some dumb users setting their default permissions on "public_html" to 777.

    Why cPanel lets them change permissions on default folders is something I don't understand, but I think it should be restricted. I had problems with users that just change permissions on default files or even delete them because they think they don't belong there.

    It's easy to tell a customer "do not touch any directory you did not create", but then they give FTP access to external users, a webmaster or someone else who really does not care, and the hosting company then has to fix everything.
     
  4. jerrybell

    jerrybell Well-Known Member

    Joined:
    Nov 27, 2006
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    This is really more of a fundamental unix security model, not a cpanel problem. If you remove the ability for a person to make such changes, you remove their ability to make any changes, and that doesn't work, either. One thought I had would be a script that went around and reset things to "normal" periodically. chmod the users directories to the proper settings, recreate directories that are missing, etc. It could conceivably even send the account owner a reminder email about what was changed.
     
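The two checks suggested in this thread, Eric's permission check on the user folders (drwx--x--x) and jerrybell's periodic "reset to normal" script, together with a scan for the kind of symlinks described in the first post, as one added example. This is not code from the thread or from cPanel; it builds a constructed /home look-alike in a temp directory (users alice, bob and carol, and an attacker's "a" directory under alice's public_html) and runs the audit against that, so nothing under the real /home is touched. It relies on GNU coreutils behaviour for stat -c and readlink -f.

```shell
#!/bin/bash
# Added example, not from the forum thread. Audits a cPanel-style /home for:
#   1. home directories whose mode is not drwx--x--x (711)
#   2. symlinks under <user>/public_html that resolve outside that user's home
# and can reset (1). The fixture below is constructed for demonstration.
set -u

# find_bad_home_modes ROOT
# Print "user mode" for every direct child of ROOT whose mode is not 711.
find_bad_home_modes() {
    local root=$1 d mode
    for d in "$root"/*/; do
        d=${d%/}
        mode=$(stat -c %a -- "$d") || continue
        [ "$mode" = "711" ] || printf '%s %s\n' "${d##*/}" "$mode"
    done
}

# fix_home_modes ROOT
# The periodic reset: chmod every offending home back to 711 and report it.
fix_home_modes() {
    local root=$1 user mode
    find_bad_home_modes "$root" | while read -r user mode; do
        chmod 711 -- "$root/$user"
        printf 'fixed %s (%s -> 711)\n' "$user" "$mode"
    done
}

# find_escaping_symlinks ROOT
# For each ROOT/<user>/public_html, print "user link -> target" for every
# symlink whose canonical target is not somewhere inside ROOT/<user>.
# A 711 home stops "ls" of other accounts, but not traversal to a guessed
# path, so a symlink to /home/victim/public_html/wp-config.php still resolves.
find_escaping_symlinks() {
    local root home link target
    root=$(readlink -f -- "$1") || return 1
    for home in "$root"/*/; do
        home=${home%/}
        [ -d "$home/public_html" ] || continue
        find "$home/public_html" -type l | while IFS= read -r link; do
            target=$(readlink -f -- "$link") || continue
            case "$target" in
                "$home"/*) ;;   # points inside this user's own home: fine
                *) printf '%s %s -> %s\n' "${home##*/}" "$link" "$target" ;;
            esac
        done
    done
}

# Counting helpers so a caller (or a test) can assert on the findings.
count_bad_home_modes()    { find_bad_home_modes "$1"    | wc -l | tr -d ' '; }
count_escaping_symlinks() { find_escaping_symlinks "$1" | wc -l | tr -d ' '; }

# make_fixture
# Build a constructed /home and print its path:
#   alice - the compromised account (711) with the attacker's "a" directory
#   bob   - a victim with a 711 home and a world-readable config file
#   carol - a home wrongly chmodded to 755
make_fixture() {
    local root u
    root=$(mktemp -d) || return 1
    root=$(readlink -f -- "$root")
    for u in alice bob carol; do
        mkdir -p "$root/$u/public_html"
        chmod 711 "$root/$u"
    done
    chmod 755 "$root/carol"
    printf 'define("DB_PASSWORD", "constructed-sample");\n' \
        > "$root/bob/public_html/wp-config.php"
    # What the symlinking script in the thread is assumed to do: aliases in
    # public_html/a pointing into other accounts, plus one harmless internal link.
    mkdir -p "$root/alice/public_html/a"
    ln -s "$root/bob/public_html/wp-config.php" "$root/alice/public_html/a/bob.txt"
    ln -s "$root/carol/public_html"             "$root/alice/public_html/a/carol"
    ln -s "$root/alice/public_html/index.html"  "$root/alice/public_html/a/self.html"
    printf '%s\n' "$root"
}

# Stand-alone demo against the constructed fixture.
demo_root=$(make_fixture)
echo "== homes not 711 =="; find_bad_home_modes "$demo_root"
echo "== symlinks escaping their owner's home =="; find_escaping_symlinks "$demo_root"
echo "== resetting modes =="; fix_home_modes "$demo_root"
rm -rf -- "$demo_root"
```

Against the fixture the audit reports carol (755) as the only bad home and two escaping symlinks, both in alice's public_html/a; the self-referencing link is ignored. On a real server, run find_escaping_symlinks against /home as root (the symlink scan needs to read every account's public_html) and treat any hit as an indicator to investigate, not just a permission problem to reset.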
  5. pixelstore

    pixelstore Member

    Joined:
    Jun 6, 2012
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Howdy!

    I have permissions like that. I never use 777, but even if I did, this should not give the user any right to list things outside their home anyway?

    Originally I posted a paid ticket (ID# 2958142) since I didn't want to spread the scripts online on forums since other hackers can use them. Although the guys couldn't help me "according to their policy". But if you can take a look I'll be very glad!

    However, I'm not any good with Perl, but I can't list anything outside the home dir with PHP. So my guess is that ruid2 is only locking PHP and not Perl? Can that be the case?
     
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Do you have SuExec on or off with mod_ruid2?

    Also, are you using RDocumentChRoot to chroot the users to their home directories with mod_ruid2?
     
  7. nibb

    nibb Well-Known Member

    Joined:
    Mar 22, 2008
    Messages:
    301
    Likes Received:
    1
    Trophy Points:
    18
    Yes, of course this comes directly from the OS. If we go that route, cPanel actually does nothing and is just a GUI for the operating system and services like Apache, email, etc.

    I know this is how Linux works. But you can't possibly tell that to a customer. They want the service. They don't care if the service is running in your microwave. All they know are 2 things.

    It works.
    It does not work.

    My point is that cPanel is a tool. And since it's a tool for administrators and hosting companies, it's normal that its job is sometimes to make your job easier. And it's also a tool for your end clients, so they need to contact you as little as possible and do things on their own as much as they can.

    Your idea of resetting things is not that bad. Maybe it could run in a cron and detect it, or you could run it manually, similar to how WHM has the mailbox permissions fix tool.

    About the missing files or folders, I actually just recover them from a backup, and I don't know if cPanel should recreate anything. Maybe it was deleted on purpose, because a file needs to be gone in order for something to work. Or maybe it overwrites data already. Not sure if that is a good idea, and it's probably better just to recover them from a normal backup.

    The permissions issue is rather an easy fix, and a script like that is very easy to write and execute. Why was it not done yet? Not sure. Maybe there is no need to. Or maybe I'm the only one whose users change their permissions on these folders.
     
  8. qwerty

    qwerty Well-Known Member

    Joined:
    Jan 21, 2003
    Messages:
    213
    Likes Received:
    0
    Trophy Points:
    16
    I believe CloudLinux + CageFS will stop any compromised user account from being used to 'look around' and find out who other users are on the system, so it should prevent this symlinking nonsense and system wide compromises.
     