The Community Forums


Is the server hacked?

Discussion in 'Security' started by niceboy, Feb 5, 2013.

  1. niceboy

    niceboy Active Member

    Joined:
    Sep 29, 2011
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    Hi,

    I just tried the following to check for the symlink exploit.

    As you can see, it shows a specific folder /home/myxxxxx/public_html/proxxxxxx

    I just checked the entire folder with LMD.
    What exactly do I need to check further?
     
    #1 niceboy, Feb 5, 2013
    Last edited: Feb 5, 2013
  2. niceboy

    niceboy Active Member

    Sorry, /home/myxxxxx/public_html/proxxxxxx seems to be a symlink (I think).

    Could someone please advise if there is anything to worry about?
     
  3. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator
    If the symbolic link is not pointing to another user's file/folder then no need to worry.
     
  4. niceboy

    niceboy Active Member

    Thanks. It seems the server is fine then.
     
  5. Jeff Shotnik

    Jeff Shotnik Well-Known Member

    Joined:
    Oct 10, 2012
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Denver, Colorado, United States
    cPanel Access Level:
    DataCenter Provider
    niceboy,

    If you do happen to see a symlink from one cPanel account to another, I highly recommend that you recompile Apache with rack911.com's symlink patch. It adjusts FollowSymLinks to be SymLinksIfOwnerMatch during Apache compilation and will prevent hackers from creating thousands of symlinks across your server. We've had a few boxes hit with cross-account symlinks and that patch fixes it. All it takes is one exploited CMS.
     
  6. niceboy

    niceboy Active Member

    Thanks Jeff. I already have the patch installed on the server.
     
  7. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    While that patch makes it very much harder to exploit, there is a race condition that allows it to be worked around and you should also look at changing the permissions of your site config files. I have links to both the Rack911 patch and the bluehost patch (that fixes it) as well as some cron scripts that fix permissions in my page at whmscripts.net if that helps:

    Apache symlink security issue fix/patch - whmscripts
     
  8. niceboy

    niceboy Active Member

    Hi Brianoz,

    I run this cron on my server:
    Code:
    # pattern quoted so the shell does not expand it before find sees it
    find /home/*/public_html/ -name '*config*.php' -exec chmod 600 {} \;
    It does the same thing as your script (changes all config PHP file perms to 600).

    Is there any additional advantage in your script usage?
     
  9. brianoz

    brianoz Well-Known Member

    The "quick" script can be run every hour (or every 10 minutes even) as it is very fast, so that's one difference. Your script changes every file on the server and will eventually, as you get more accounts, present a big impact on server performance.

    The other script is pretty much functionally identical to yours except that you can get a file to have its permissions undisturbed if a special mode is set.

    Your script as it is will eventually fail when you get enough accounts in /home, as the argument list will be too long. My script also works without failing if there are spaces or tabs in the filenames ("-print0"). Finally, one more little thing it does is that it avoids changing the permission on files that already have correct permissions ("-perm") - which has the main effect of making it faster.
     
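The two checks discussed in this thread, written out as an added example (this is not the whmscripts.net code, the Rack911 patch, or anything posted by the participants): quietFinn's criterion that a symlink is only a concern when it leaves its own account, and brianoz's points about a config-permission fixer that quotes its pattern, does not glob `/home/*` into the argument list, skips files that are already 0600, and copes with spaces in filenames. It assumes a cPanel-style layout where each account lives in `HOME_ROOT/<account>/public_html`, treats "another account" as a different top-level directory under `HOME_ROOT` rather than a different uid (the constructed demo tree is all one user), and relies on `readlink -f` from GNU or BSD coreutils. The sample tree it builds under a temporary directory is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from whmscripts.net.
# Assumption: one account per top-level directory under HOME_ROOT, web
# content in HOME_ROOT/<account>/public_html, readlink -f available.

# List every symlink under HOME_ROOT whose resolved target is outside the
# account directory that contains the link (quietFinn's rule: a link that
# stays inside its own account is not a cross-account problem).
find_cross_account_symlinks() {
  root=$(readlink -f "$1")
  find "$root" -mindepth 2 -type l | while IFS= read -r link; do
    account=${link#"$root"/}; account=${account%%/*}
    target=$(readlink -f "$link")
    case $target in
      "$root/$account"|"$root/$account/"*) ;;          # stays in its own account
      *) printf '%s -> %s\n' "$link" "$target" ;;      # leaves the account: report
    esac
  done
}

count_cross_account_symlinks() {
  find_cross_account_symlinks "$1" | awk 'END { print NR }'
}

# Count *config*.php files under any public_html that are not yet mode 0600.
# -type f without -L means symlinks are never selected, so chmod is never
# applied through a link into some other account's tree.
count_loose_configs() {
  root=$(readlink -f "$1")
  find "$root" -mindepth 3 -path "$root/*/public_html/*" -type f \
       -name '*config*.php' ! -perm 0600 | awk 'END { print NR }'
}

# Tighten those files to 0600. The -name pattern is quoted so the shell does
# not expand it, HOME_ROOT itself is the single argument to find (no /home/*
# glob, so no "argument list too long"), ! -perm 0600 skips files already
# correct, and -exec ... {} + passes names as arguments, so spaces and tabs are
# safe without a -print0 | xargs -0 pipeline.
fix_config_perms() {
  root=$(readlink -f "$1")
  find "$root" -mindepth 3 -path "$root/*/public_html/*" -type f \
       -name '*config*.php' ! -perm 0600 -exec chmod 600 {} +
}

# Constructed sample tree: two accounts, three loose config files (one with a
# space in its name), one already-correct file, one in-account symlink, one
# cross-account symlink and one symlink pointing outside HOME_ROOT entirely.
build_demo_tree() {
  tmp=$(mktemp -d) || return 1
  root=$tmp/home
  mkdir -p "$root/alice/public_html" "$root/bob/public_html" "$tmp/outside"
  for f in "$root/alice/public_html/wp-config.php" \
           "$root/alice/public_html/my config.php" \
           "$root/alice/public_html/ok_config.php" \
           "$root/bob/public_html/wp-config.php"; do
    printf '<?php // constructed sample\n' > "$f"
    chmod 644 "$f"
  done
  chmod 600 "$root/alice/public_html/ok_config.php"
  printf 'constructed sample\n' > "$tmp/outside/secret.txt"
  chmod 644 "$tmp/outside/secret.txt"
  ln -s "$root/alice/public_html/wp-config.php" "$root/alice/public_html/self_link"
  ln -s "$root/bob/public_html/wp-config.php"   "$root/alice/public_html/cross_link"
  ln -s "$tmp/outside/secret.txt"               "$root/alice/public_html/outside_link"
  printf '%s\n' "$root"
}

demo() {
  root=$(build_demo_tree)
  printf 'Constructed tree under %s\n' "$root"
  printf 'Symlinks leaving their own account:\n'
  find_cross_account_symlinks "$root"
  printf 'Config files not yet 0600: %s\n' "$(count_loose_configs "$root")"
  fix_config_perms "$root"
  printf 'Config files not yet 0600 after fix: %s\n' "$(count_loose_configs "$root")"
  rm -rf "${root%/home}"
}

demo
```

Run it as-is to see the demo tree processed; point `find_cross_account_symlinks` and `fix_config_perms` at `/home` for a real cPanel layout. The `-path "$root/*/public_html/*"` test assumes `HOME_ROOT` contains no glob metacharacters, and the cron-friendly property brianoz describes comes from `! -perm 0600`: on a second run nothing is selected, so nothing is rewritten.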