Is the server hacked?

[niceboy]

Hi,

I just tried the following to check for symlink exploit..

# find /home*/*/public_html -type l
/home/myxxxxx/public_html/proxxxxxx

As you can see it shows a specific folder /home/myxxxxx/public_html/proxxxxxx

I just checked the entire folder with lmd..

# maldet --scan-all /home?/myxxxxx/
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks <[email protected]>
(C) 2011, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(28574): {scan} signatures loaded: 10661 (8793 MD5 / 1868 HEX)
maldet(28574): {scan} building file list for /home*/myxxxxx/, this might take awhile...
maldet(28574): {scan} file list completed, found 8403 files...
maldet(28574): {scan} 8403/8403 files scanned: 0 hits 0 cleaned
maldet(28574): {scan} scan completed on /home*/myxxxxx/: files 8403, malware hits 0, cleaned hits 0
maldet(28574): {scan} scan report saved, to view run: maldet --report 020513-2047.28574

what exactly I need to check further?

 

[niceboy]

Sorry /home/myxxxxx/public_html/proxxxxxx seems to be a symlink(i think).

lrwxrwxrwx 1 myxxxxx myxxxxx 36 Nov 26 10:00 proxxxxxx -> /home/myxxxxx/public_html/projxxxx/./

Could some one please advice if there is any thing to worry?

 

[quietFinn]

If the symbolic link is not pointing to another user's file/folder then no need to worry.

 

[niceboy]

thanks. it seems, the server is fine then.

 

[Jeff Shotnik]

niceboy,

If you do happen to see a symlink from one cpanel account to another, I highly recommend that you recompile Apache with rack911.com's symlink patch. It adjusts FollowSymLinks to be SymLinksIfOwnerMatch during Apache compilation and will prevent hackers from creating thousands of symlinks across your server. We've had a few boxes hit with cross account symlinks and that patches fixes it. All it takes is one exploited cms.

 

[niceboy]

thanks jeff. I already have the patch installed on the server.

 

[brianoz]

We've had a few boxes hit with cross account symlinks and that patches fixes it. All it takes is one exploited cms.

While that patch makes it very much harder to exploit, there is a race condition that allows it to be worked around and you should also look at changing the permissions of your site config files. I have links to both the Rack911 patch and the bluehost patch (that fixes it) as well as some cron scripts that fix permissions in my page at whmscripts.net if that helps:

Apache symlink security issue fix/patch - whmscripts

 

[niceboy]

Hi Brianoz,

I run this cron on my server :

find /home/*/public_html/ -name *config*.php -exec chmod 600 {} \;

It does the same thing as your script(changes all config php file perms to 600).

Is there any additional advantage in your script usage?

 

[brianoz]

Hi Brianoz,

I run this cron on my server :

find /home/*/public_html/ -name *config*.php -exec chmod 600 {} \;

It does the same thing as your script(changes all config php file perms to 600).

Is there any additional advantage in your script usage?

The "quick" script can be run every hour (or every 10 minutes even) as it is very fast, so that's one difference. Your script changes every file on the server and will eventually, as you get more accounts, present a big impact on server performance.

The other script is pretty much functionally identical to yours except that you can get a file to have it's permissions undisturbed if a special mode is set.

Your script as it is will eventually fail when you get enough accounts in /home, as the argument list will be too long. My script also works without failing if there are spaces or tabs in the filenames ("-print0"). Finally, one more little thing it does is that it avoids changing the permission on files that already have correct permissions ("-perm") - which has the main effect of making it faster.