niceboy

Active Member
Sep 29, 2011
41
1
58
cPanel Access Level
Root Administrator
Hi,

I just tried the following to check for symlink exploit..

# find /home*/*/public_html -type l
/home/myxxxxx/public_html/proxxxxxx
As you can see it shows a specific folder /home/myxxxxx/public_html/proxxxxxx

I just checked the entire folder with lmd..
# maldet --scan-all /home?/myxxxxx/
Linux Malware Detect v1.4.1
(C) 2002-2011, R-fx Networks <[email protected]>
(C) 2011, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(28574): {scan} signatures loaded: 10661 (8793 MD5 / 1868 HEX)
maldet(28574): {scan} building file list for /home*/myxxxxx/, this might take awhile...
maldet(28574): {scan} file list completed, found 8403 files...
maldet(28574): {scan} 8403/8403 files scanned: 0 hits 0 cleaned
maldet(28574): {scan} scan completed on /home*/myxxxxx/: files 8403, malware hits 0, cleaned hits 0
maldet(28574): {scan} scan report saved, to view run: maldet --report 020513-2047.28574
what exactly I need to check further?
 
Last edited:

niceboy

Active Member
Sep 29, 2011
41
1
58
cPanel Access Level
Root Administrator
Sorry /home/myxxxxx/public_html/proxxxxxx seems to be a symlink(i think).

lrwxrwxrwx 1 myxxxxx myxxxxx 36 Nov 26 10:00 proxxxxxx -> /home/myxxxxx/public_html/projxxxx/./
Could some one please advice if there is any thing to worry?
 

quietFinn

Well-Known Member
Feb 4, 2006
1,222
87
178
Finland
cPanel Access Level
Root Administrator
If the symbolic link is not pointing to another user's file/folder then no need to worry.
 

Jeff Shotnik

Well-Known Member
Oct 10, 2012
61
0
6
Denver, Colorado, United States
cPanel Access Level
DataCenter Provider
niceboy,

If you do happen to see a symlink from one cpanel account to another, I highly recommend that you recompile Apache with rack911.com's symlink patch. It adjusts FollowSymLinks to be SymLinksIfOwnerMatch during Apache compilation and will prevent hackers from creating thousands of symlinks across your server. We've had a few boxes hit with cross account symlinks and that patches fixes it. All it takes is one exploited cms.
 

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
We've had a few boxes hit with cross account symlinks and that patches fixes it. All it takes is one exploited cms.
While that patch makes it very much harder to exploit, there is a race condition that allows it to be worked around and you should also look at changing the permissions of your site config files. I have links to both the Rack911 patch and the bluehost patch (that fixes it) as well as some cron scripts that fix permissions in my page at whmscripts.net if that helps:

Apache symlink security issue fix/patch - whmscripts
 

niceboy

Active Member
Sep 29, 2011
41
1
58
cPanel Access Level
Root Administrator
Hi Brianoz,

I run this cron on my server :
Code:
find /home/*/public_html/ -name *config*.php -exec chmod 600 {} \;
It does the same thing as your script(changes all config php file perms to 600).

Is there any additional advantage in your script usage?
 

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
Hi Brianoz,

I run this cron on my server :
Code:
find /home/*/public_html/ -name *config*.php -exec chmod 600 {} \;
It does the same thing as your script(changes all config php file perms to 600).

Is there any additional advantage in your script usage?
The "quick" script can be run every hour (or every 10 minutes even) as it is very fast, so that's one difference. Your script changes every file on the server and will eventually, as you get more accounts, present a big impact on server performance.

The other script is pretty much functionally identical to yours except that you can get a file to have it's permissions undisturbed if a special mode is set.

Your script as it is will eventually fail when you get enough accounts in /home, as the argument list will be too long. My script also works without failing if there are spaces or tabs in the filenames ("-print0"). Finally, one more little thing it does is that it avoids changing the permission on files that already have correct permissions ("-perm") - which has the main effect of making it faster.