
Localhost got hacked

Discussion in 'General Discussion' started by vietkool, Oct 13, 2004.

  1. vietkool

    vietkool Active Member

    Joined:
    May 17, 2004
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Is there any way to protect against, or NOT allow, account users running shell commands from localhost? My user accounts got hacked from localhost so many times because they use shell commands to look up user names and admin config files.
    Here are some typical commands the hacker uses:
    cat /etc/passwd;
    cat /etc/userdomains;
    cat /home/username/public_html/filename.ext;
    etc...

    Please help.
     
  2. vietkool

    vietkool Active Member

    Joined:
    May 17, 2004
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Anyone know? Please help.
     
  3. Sheldon

    Sheldon Well-Known Member

    Joined:
    Jun 7, 2004
    Messages:
    378
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    What are you trying to do?

    Please try to be more clear about what you want.

    Sheldon
     
  4. vietkool

    vietkool Active Member

    Joined:
    May 17, 2004
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    OK, here is what happened to my server. One of my account users registered for web hosting and uploaded to his account a PHP file called Shell.php. He uses this file to run shell commands such as:

    cat /etc/passwd;
    cat /etc/userdomains;
    cat /home/username/public_html/filename.ext;
    etc...

    then ran the query on each local forum. With this shell.php file he was able to view all the configuration of the board, even the database name, user password and more...
    So my question is: is there any way in the cPanel setup to not allow a user to run queries on other users' accounts from their own account?
     
  5. Sheldon

    Sheldon Well-Known Member

    Joined:
    Jun 7, 2004
    Messages:
    378
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Without having PHP safe mode on... no.

    You can activate the php_openbasedir tweak in WHM --> Tweak Security.

    That might help...

    But I know there are other ways around this sort of thing.

    Sheldon
     
  6. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    Screen your clients prior to setting them up. Ask them tons of questions BEFORE you let them in your box. Explain to them it's for everyone's security benefit, including the new customer. Watch him for a couple of weeks; if you can't, then hire someone to do this. Tripwire, apf, mod_userdir, PHP safe mode and all these other basic things are a bare minimum. But you can't stop everything. There is always a way; you basically have to trust your users. It's never foolproof, but I have found that the ones that don't answer back the screening questions, or answer back in a mean way, those are the ones you should turn away. Let them hack you the old-fashioned way, without a user account first.

    Another thing I like to do is try to hide my forums and db config files. I tell my users to set up forums in weird folders, not /forum, and one time I even did a search and replace on all include vars in a forum script so we could name the config file something weird like hd76sh.php. Good luck!!
     
  7. Ben

    Ben Well-Known Member

    Joined:
    Aug 19, 2002
    Messages:
    77
    Likes Received:
    0
    Trophy Points:
    6
    It's not perfect by any means, but we've found phpSuExec + mounting /tmp noexec + an iptables firewall to be a good basis for security that doesn't impact the customers' performance too much.
     
  8. vietkool

    vietkool Active Member

    Joined:
    May 17, 2004
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    Tried the php_openbasedir tweak in WHM >>>> did not work, I can still query info from other accounts.

    How do I turn PHP safe mode OFF?
     
  9. nurseryboy

    nurseryboy Well-Known Member

    Joined:
    Mar 3, 2003
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Anyone have an answer as to how to disable commands such as:

    PHP:
    <?php
    $p = `cat /etc/passwd`; // the backtick operator is shell_exec()
    This can be run through PHP, and if I echo out $p, I get a long list of all the accounts in that file, which I don't think is very good ;)

    I would think there would be a way to disable this somehow..

    Thanks,

    Matt
     
  10. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    There isn't. The user needs to be able to access the file when they log in; that's why the secured shadow solution was developed, to keep the encrypted passwords hidden.
     
  11. nurseryboy

    nurseryboy Well-Known Member

    Joined:
    Mar 3, 2003
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    Ok. Great. Just as long as I know I've done all I can ;)

    Thanks.
     
  12. ZapX.net

    ZapX.net Well-Known Member

    Joined:
    Feb 24, 2005
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Sidman, PA
    If I could suggest one more thing: there's an option in WHM, I think, to disallow users from browsing other users' home directories. I just did a test on my server with the following code:

    PHP:
    <?php
    echo `ls /home/zftp`; // backticks call shell_exec(); under mod_php this runs as the web server user (nobody)
    And I got:

    The reason is, /home is set to 711 (rwx--x--x), owned by root, in the group root; and each user directory under /home is set to 711 also, and is owned by the user. This prevents anyone, even the user nobody it appears, from running commands when it involves another user's directory.
     
  13. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Strictly speaking, that option only hides the directories in /home from other users; it doesn't actually secure them. If you know the directory name, you'll find that you can still browse it using, e.g., ls /home/zftp/public_html/

    It's a good idea to enable it, though. You can do so from shell using:

    /scripts/enablefileprotect
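To make the caveat above concrete, here is an added Python example (not from this thread, and not cPanel's /scripts/enablefileprotect) that audits a /home-style tree by reading mode bits with stat, so it does not need to be run as a second user. For each home directory it reports whether any other local user can list it (the 'r' bit for others), and, when the home is locked to 711, whether a known subdirectory such as public_html is still readable behind it: the 'x' bit on the home is enough to traverse, so a guessable name defeats the hiding. The user names, modes and the public_html convention in the demo tree are constructed; the check looks only at the 'other' permission bits and ignores group membership and ACLs.

```python
"""Audit a /home-style tree for homes that other local users can list or traverse.

Added example for this thread; not cPanel's /scripts/enablefileprotect.
The demo tree below is constructed data, and the check reads mode bits only
(no ACLs, no group membership), so it runs as any user.
"""
import os
import shutil
import stat
import sys
import tempfile
from typing import Dict, List


def audit_home_tree(home_root: str, probe_subdir: str = "public_html") -> Dict[str, List[str]]:
    """Return {user: [findings]} for every directory directly under home_root.

    A finding is raised when another local user could either list the home
    (S_IROTH on the home) or, with the home locked to 711, still read a known
    subdirectory beneath it (S_IXOTH on the home plus S_IROTH on the subdir).
    """
    results: Dict[str, List[str]] = {}
    for user in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, user)
        if not os.path.isdir(home):
            continue
        findings: List[str] = []
        mode = os.stat(home).st_mode
        if mode & stat.S_IROTH:
            findings.append(f"{home} is listable by any local user "
                            f"(mode {stat.filemode(mode)})")
        sub = os.path.join(home, probe_subdir)
        if mode & stat.S_IXOTH and os.path.isdir(sub):
            sub_mode = os.stat(sub).st_mode
            if sub_mode & stat.S_IROTH:
                findings.append(f"{sub} is readable by any local user who guesses "
                                f"the path (mode {stat.filemode(sub_mode)})")
        results[user] = findings
    return results


def build_sample_tree(root: str) -> None:
    """Create a constructed demo tree (hypothetical users and modes)."""
    layout = {
        "alice": (0o711, 0o755),  # home hidden, but public_html open behind it
        "bob":   (0o711, 0o750),  # home hidden, public_html closed to 'other'
        "carol": (0o755, 0o750),  # home listable: anyone can enumerate her files
    }
    for user, (home_mode, sub_mode) in layout.items():
        sub = os.path.join(root, user, "public_html")
        os.makedirs(sub)
        os.chmod(sub, sub_mode)
        os.chmod(os.path.join(root, user), home_mode)
    os.chmod(root, 0o711)  # like /home itself: traversable, not listable


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir, audit it, clean up, return findings."""
    root = tempfile.mkdtemp(prefix="home_audit_")
    try:
        build_sample_tree(root)
        return audit_home_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # Usage: python3 home_audit.py [/home]   (defaults to the constructed demo tree)
    results = audit_home_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for user, findings in results.items():
        print(f"{user}: {'clean' if not findings else ''}")
        for line in findings:
            print("  -", line)
```

Run with no arguments it audits the demo tree and flags "carol" (listable home, the case the WHM option fixes) and "alice" (711 home with a 755 public_html behind it, the case the caveat above describes); "bob" is clean. Closing the second gap needs the subdirectory itself to deny 'other', for example 750 with the web server's group, or per-user PHP execution via the phpSuExec mentioned earlier in the thread, so that one account's script is not running as the same shared web server user as everyone else's.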
     
  14. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    Apologies if this is going off on a tangent a little, but what questions, or types of questions, do you ask, rpmws?

    The accounts on my server are currently only for people I personally know or for websites that I have developed myself for clients who I know haven't a clue and so wouldn't even consider misbehaving.

    However I have my first reseller (early days still!) and so it would be very beneficial to know how to screen potential account holders correctly.

    I'm not asking for a step-by-step hold-my-hand list of how to go about it, but just some general guidelines regarding the types of questions that are asked would help greatly!
     
  15. Alexandre Duran

    Alexandre Duran Well-Known Member

    Joined:
    May 6, 2003
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Rio de Janeiro - BRAZIL
    Edit your php.ini:

    pico /usr/lib/php.ini

    And change the line:

    disable_functions =

    to:

    disable_functions = exec, shell_exec, system, passthru
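As an added example (not part of this thread, and not cPanel's or PHP's own tooling), the following Python script audits a php.ini body for the two settings this thread turns on: whether open_basedir is set, which is what the php_openbasedir tweak discussed earlier configures, and whether disable_functions covers every PHP function that can hand a command to the operating system. It also shows why the tweak alone did not stop the `cat /etc/passwd` reads reported earlier: open_basedir fences PHP's own file functions, not a /bin/cat spawned through shell_exec or backticks (the backtick operator compiles to shell_exec, so disabling that function disables backticks too), and the list suggested just above leaves popen, proc_open and pcntl_exec open. The two ini fragments are constructed samples, the first mirroring the line suggested above and the second a tightened version; the file path and the open_basedir value are assumptions.

```python
"""Audit a php.ini for open_basedir and a complete disable_functions list.

Added example for this thread, not cPanel's or PHP's own tooling.
Paths, the sample ini bodies and the open_basedir value are assumptions.
"""
import sys
from typing import Dict, List

# Every PHP function that can hand a command line to the operating system.
# The backtick operator compiles to shell_exec(), so it is covered by that entry.
EXEC_FUNCTIONS = frozenset({
    "exec", "shell_exec", "system", "passthru",
    "popen", "proc_open", "pcntl_exec",
})

# Constructed sample mirroring the edit suggested above: some exec paths left open.
THREAD_INI = """
[PHP]
; open_basedir left unset, as on a stock php.ini
open_basedir =
disable_functions = exec, shell_exec, system, passthru
"""

# Constructed sample with both directives tightened (hypothetical paths).
HARDENED_INI = """
[PHP]
open_basedir = "/home/username:/tmp"
disable_functions = exec, shell_exec, system, passthru, popen, proc_open, pcntl_exec
"""


def parse_php_ini(text: str) -> Dict[str, str]:
    """Map directive name -> value for a php.ini body.

    Handles ';' comments, [section] headers and repeated directives
    (PHP applies the last assignment, so that is the one kept).
    """
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[key.strip().lower()] = value.strip().strip('"')
    return directives


def audit_php_ini(text: str) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    d = parse_php_ini(text)
    findings: List[str] = []

    # open_basedir fences PHP's file functions (fopen, include, file_get_contents ...)
    # but has no effect on what a spawned /bin/cat can read.
    if not d.get("open_basedir"):
        findings.append("open_basedir is unset: PHP file functions may read any "
                        "file the web server user can")

    disabled = {f.strip().lower()
                for f in d.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(EXEC_FUNCTIONS - disabled)
    if missing:
        findings.append("disable_functions still allows command execution via: "
                        + ", ".join(missing))
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_php_ini.py /usr/lib/php.ini   (path is an assumption)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"thread suggestion": THREAD_INI, "hardened": HARDENED_INI}
    for label, body in samples.items():
        result = audit_php_ini(body)
        print(f"{label}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

disable_functions is a system-level directive, so a user cannot undo it from a script or .htaccess, which is what makes it worth setting here. It does not, however, separate accounts from one another: under mod_php every account's script runs as the same web server user, so a script that still has file_get_contents() and no open_basedir can read any other account's config file that user can read. That per-account separation is what the phpSuExec mentioned earlier in the thread provides.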
     
  16. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    In my 8 years of hosting I have never been able to get past the basic problem of NOT knowing my resellers' clients well enough. In EVERY case where I have had a problem with security from a local standpoint, it has been because a reseller let the wrong guy on. For this reason I put my resellers on different boxes than I put my shared clients. Watching logs and using the latest automated scripts to look for weird activity helps.

    As far as questions, well, I have a small questionnaire that gets sent to the person that signs up. It's just a basic list of questions that ask things like "Do you plan to run any common known scripts? Any custom scripts? What kind?" You know, the basics. I also ask if the domain or the owner or admin have ever been kicked out of another host for email issues, incoming or outgoing.

    What I have found is that most people appreciate these questions. Some, however, respond in a very negative way, like "just set up my damn account and stop asking me all this". That's a dead giveaway, man!!! Spammers in general can get pretty impatient. The fact that these questions are being asked makes some think that real people might be researching and screening their application, and it will turn them to easier hosts. I am not saying this is perfect, but I can't begin to tell you how many of these I have had that refuse to answer the questions or respond in a negative way, and how many of these domains I have checked later on to find either a suspended page or a bandwidth error, or even a week later I might find they went elsewhere, and then I see a suspended account, which tells me they didn't last long where they went. I get this often with those that never answer back. This isn't a perfect way by any means of knowing your clients, but it's a start.
     
  17. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    Thanks for your comments, a great help indeed! Would it be too much to ask for you to go one step further and post the questionnaire questions, if you'd be happy to do so?

    I doubt I'm the only person who is relatively new to the realm of managing their own hosting server(s), and I'm sure the questionnaire would really help (if people can find this thread!).
     