How to protect my server so that hackers can not see the list of users of my server?

Discussion in 'Security' started by konrath, Oct 29, 2009.

  1. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brasil
    Hello

    How to protect my server so that hackers can not see the list of users of my server?

    Thank you
    Konrath
     
  2. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Joined:
    Nov 5, 2008
    Messages:
    2,557
    Likes Received:
    7
    Trophy Points:
    38
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    DataCenter Provider
    Excluding cPanel/WHM and SSH, where are you currently seeing an accessible list of users for your server?
     
  3. konrath

    konrath Well-Known Member

    Hello cPanelDon

    Hackers can get a list of users in /var/cpanel/users/ using the
    cat command in a PHP script.

    After that, they can change all index pages of all sites using a simple
    Perl script.

    The other method used by hackers is running the find command to find all index pages in the home partition.

    I have isolated the find command (I put it in another folder) so that it cannot be executed by hackers.

    -----------------

    I want to protect the server so that hackers cannot change all index pages of all sites.

    How to protect the list of users on the server?

    -----------------

    If the hacker cannot run the find command (because I've isolated this file) and if the hacker cannot obtain a list of users of the server, then the hacker can never change all index pages of all sites.

    Do you understand? Sorry for my bad English.



    Thank you
    Konrath
     
    #3 konrath, Oct 30, 2009
    Last edited: Oct 30, 2009
  4. konrath

    konrath Well-Known Member

    I also believe that, using a Perl script, hackers can get a list of users from /var/cpanel/users/.

    At the moment there is absolutely no security.

    A malicious hacker can change all index files that are inside the home partition.

    Thank you
    Konrath
     
  5. konrath

    konrath Well-Known Member

    Hello

    Any suggestions?

    Thank you
    Konrath
     
  6. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    What are your permissions on the /var/cpanel/users directory?
     
  7. konrath

    konrath Well-Known Member

    Hello

    Default permissions of the cPanel installation.

    drwx--x--x 2 0 0 69632 Nov 2 21:39 users/

    Recently my server was hacked and all index pages were modified. I found the script used by the hacker. The script can read my list of users in /var/cpanel/users/

    I have PHP open_basedir activated.

    Thank you
    Konrath
     
    #7 konrath, Nov 2, 2009
    Last edited: Nov 2, 2009
  8. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    Via root SSH access, what is the output from the following command?
    Code:
    # /usr/local/cpanel/bin/rebuild_phpconf --current
     
  9. konrath

    konrath Well-Known Member


    -bash-3.00# /usr/local/cpanel/bin/rebuild_phpconf --current
    Available handlers: dso cgi none
    DEFAULT PHP: 5
    PHP4 SAPI: none
    PHP5 SAPI: dso
    SUEXEC: enabled

    I do not remember if Apache and PHP were recompiled after the last invasion. This type of invasion was made on 2 servers in my company. All index pages hacked on 2 servers.

    I know that the execution of the find command to search for all index pages in the home partition is done through a Perl script.

    Thank you
    Konrath
     
  10. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    To have better security, I would consider enabling SuPHP (and using this for the PHP handler instead of DSO). To make SuPHP available you would need to run EasyApache again and select SuPHP in the build options, then you could use WHM to switch from DSO to SuPHP.

    Without SuPHP, PHP scripts that are exploited will run malicious scripts as the Apache user/group "nobody" and this includes the potential for Perl scripts to be executed.

    With SuPHP, PHP scripts run as the user that owns the Virtual Host serving the request, so that if the user's PHP scripts are exploited and a malicious script attempts to run, it can only run as the regular user and not as the shared Apache user/group nobody, decreasing the potential for widespread damage.

    I recommend the following documentation for more verbose details comparing the different PHP handlers:
    ApachePHPRequestHandling < EasyApache3 < TWiki
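
An added example, not part of cPanelDon's post and not cPanel's own tooling: a small shell check that reads `rebuild_phpconf --current` output in the format shown earlier in this thread and flags each PHP version served by DSO, which the post says runs scripts as the shared Apache user "nobody". The function names and verdict labels are illustrative, and `suphp` is assumed to be the handler name printed once SuPHP is selected.

```shell
#!/bin/sh
# Added example: classify the "PHPn SAPI:" lines printed by
#   /usr/local/cpanel/bin/rebuild_phpconf --current

# Constructed sample, in the output format quoted in this thread.
SAMPLE_OUTPUT='Available handlers: dso cgi none
DEFAULT PHP: 5
PHP4 SAPI: none
PHP5 SAPI: dso
SUEXEC: enabled'

# classify_handlers: read rebuild_phpconf output on stdin and print one
# "<version> <handler> <verdict>" line per PHP version.
#   SHARED-USER  dso: scripts run as the Apache user/group "nobody"
#   PER-USER     suphp (assumed name): scripts run as the vhost owner
#   DISABLED     none: this PHP version is not served
#   REVIEW       any other handler; the thread does not cover it
classify_handlers() {
    tr -d '\r' | while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            PHP[0-9]*" SAPI: "*)
                version=${line%% *}     # e.g. PHP5
                handler=${line##*: }    # e.g. dso
                case "$handler" in
                    dso)   verdict=SHARED-USER ;;
                    suphp) verdict=PER-USER ;;
                    none)  verdict=DISABLED ;;
                    *)     verdict=REVIEW ;;
                esac
                printf '%s %s %s\n' "$version" "$handler" "$verdict"
                ;;
        esac
    done
}

# has_shared_user_php: exit status 0 if any PHP version is served by DSO,
# i.e. one exploited site can act with the same identity as every other site.
has_shared_user_php() {
    classify_handlers | grep -q ' SHARED-USER$'
}

# Demonstration on the constructed sample; on a server, pipe the real
# command's output into classify_handlers instead.
printf '%s\n' "$SAMPLE_OUTPUT" | classify_handlers
```

Running the same check again after the handler switch is a quick way to confirm that no PHP version is still reported as SHARED-USER.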
     
  11. konrath

    konrath Well-Known Member



    Hello

    I will try your recommendation.

    Thank you
    Konrath
     