The Community Forums


Major Security Issue In Cpanel

Discussion in 'Security' started by ukhost4u, Dec 7, 2003.

  1. ukhost4u

    ukhost4u Active Member
    PartnerNOC

    Joined:
    Apr 24, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    I have been made aware by one of my customers that cPanel can be easily attacked by anyone using the PhpShell script. With this script installed you can view the source of any files within the /home/user directory. The customer in question had his forum corrupted by the hacker using only this problem and accessing the content of a secure PHP file. He did it as follows:

    Typed the command:

    cat /home/paul0r/public_html/index.php 2>&1

    into the PhpShell program from his account and displayed the user's full details. Even when the user changed his chmod this didn't stop the script.

    Is there a fix to this problem?

    Paul
     
  2. hiddenshadow

    hiddenshadow Registered

    Joined:
    Nov 24, 2003
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Won't open_basedir prevent other webroots from being read via PHP?
     
  3. TerraSpeed

    TerraSpeed Member

    Joined:
    Jul 21, 2003
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1

    Right

    Also chmod your /home/

    You can stop PHP from being able to execute shell commands and open a shell very easily.
     
  4. andyf

    andyf Well-Known Member

    Joined:
    Jan 7, 2002
    Messages:
    246
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    UK
    You had to be told this by one of your customers? Oh dear.
     
  5. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    LOL, well said :) As said above.. the open base dir restrictions should help, also, enablefileprotect in /scripts.
     
  6. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    How did phpshell get on your box? Did your customer put it there, or did the cracker crack your box to get it in? If your customer put it in there, I'd say that's grounds for cancellation unless you allow shell access. If the cracker put it in there you need to find out how.
     
  7. ukhost4u

    ukhost4u Active Member
    PartnerNOC

    Joined:
    Apr 24, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    First of all, what you have all said is already enabled. We have open_basedir restrictions set. Also we do allow Jail Shell to customers, but removing this does not stop the script working as it's PHP based.
     
  8. andyf

    andyf Well-Known Member

    Joined:
    Jan 7, 2002
    Messages:
    246
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    UK
    If you have open_basedir enabled (and it's working) then:

    - it's actually not working, have your sysadmin check this
    - you have issues stretching beyond this
     
  9. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    But how on earth did the script get on your server?
     
  10. ukhost4u

    ukhost4u Active Member
    PartnerNOC

    Joined:
    Apr 24, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    We worked out at long last how the script got on the server. The hacker bought an account from us using a stolen credit card. His account has now been closed and suspended.

    Also open_basedir is not working at all. I have updated Apache, run the cPanel update and tried everything I can think of. Does anyone have any suggestions?
     
  11. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    It doesn't work by recompiling PHP. The cPanel script modifies httpd.conf. What you have to do is turn it off and turn it back on through Tweak Security. You have to make it realize that it needs to do the modifications. I had the same problem when it was first released with the wrong line. When cPanel fixed it, it was not automatically updated but had to be updated manually in the manner above.
     
  12. ukhost4u

    ukhost4u Active Member
    PartnerNOC

    Joined:
    Apr 24, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    I have done that but it still did not work....
     
  13. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    By the way, I'm not trying to hound you about how the script got on your server. It's just that the script makes me nervous, and I was honestly wondering how it got on your server. I tested it out one time on my server and was not able to do any damage with it, but I still don't like it.
     
  14. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    You could always do the modifications by hand...
     
  15. ukhost4u

    ukhost4u Active Member
    PartnerNOC

    Joined:
    Apr 24, 2003
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    If I wished to do this by hand exactly what would I be required to do?
     
  16. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Add some code so your httpd.conf entry looks like:

    Code:
    <VirtualHost 12.345.6.78>
    ServerAlias www.domain.com domain.com
    ServerAdmin webmaster@domain.com
    DocumentRoot /home/username/public_html
    BytesLog domlogs/domain.com-bytes_log
    <IfModule mod_php4.c>
    php_admin_value open_basedir "/home/username:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>
    ServerName www.domain.com
    <IfModule mod_userdir.c>
    Userdir disabled
    Userdir enabled username
    </IfModule>
    User username
    Group username
    CustomLog domlogs/domain.com combined
    ScriptAlias /cgi-bin/ /home/username/public_html/cgi-bin/
    
     
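    The fix above only helps if every VirtualHost actually carries the directive. The following audit script, added here as an illustration and not part of the original thread or of cPanel's own tooling, walks an httpd.conf-style file and lists the ServerName of each VirtualHost block that has no php_admin_value open_basedir line; the sample config it writes is constructed, with RFC 5737 test addresses and .test hostnames.

```shell
#!/bin/sh
# Audit an httpd.conf for <VirtualHost> blocks that lack a
# "php_admin_value open_basedir" directive. The config below is a
# constructed sample, not taken from any real server.

write_sample_conf() {
  cat > "$1" <<'EOF'
<VirtualHost 192.0.2.10>
ServerName www.example-a.test
DocumentRoot /home/usera/public_html
<IfModule mod_php4.c>
php_admin_value open_basedir "/home/usera:/usr/lib/php:/usr/local/lib/php:/tmp"
</IfModule>
</VirtualHost>
<VirtualHost 192.0.2.10>
ServerName www.example-b.test
DocumentRoot /home/userb/public_html
</VirtualHost>
<VirtualHost 192.0.2.10>
ServerName www.example-c.test
DocumentRoot /home/userc/public_html
<IfModule mod_php4.c>
php_admin_value open_basedir "/home/userc:/usr/lib/php:/usr/local/lib/php:/tmp"
</IfModule>
</VirtualHost>
EOF
}

# Print the ServerName of every VirtualHost with no open_basedir directive.
vhosts_missing_open_basedir() {
  awk '
    /^[[:space:]]*<VirtualHost/ { invh = 1; name = "(unnamed)"; has = 0; next }
    invh && /^[[:space:]]*ServerName[[:space:]]/ { name = $2 }
    invh && /php_admin_value[[:space:]]+open_basedir/ { has = 1 }
    /^[[:space:]]*<\/VirtualHost>/ { if (invh && !has) print name; invh = 0 }
  ' "$1"
}

# Number of VirtualHosts missing the directive (0 means the file is clean).
count_missing() {
  vhosts_missing_open_basedir "$1" | wc -l | tr -d ' '
}

conf="${TMPDIR:-/tmp}/sample_httpd.conf.$$"
write_sample_conf "$conf"
echo "VirtualHosts without open_basedir:"
vhosts_missing_open_basedir "$conf"
rm -f "$conf"
```

Run it against the real file with `vhosts_missing_open_basedir /etc/httpd/conf/httpd.conf` after sourcing the functions; a non-empty result means Tweak Security has not rewritten every block.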
  17. mko

    mko Member

    Joined:
    Apr 23, 2003
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    I'm facing the same problem, open_base is enabled:

    <VirtualHost ++>
    ServerAlias www.++ ++
    ServerAdmin webmaster@++
    DocumentRoot /home/++/public_html
    BytesLog domlogs/++-bytes_log
    User ++
    Group ++
    <IfModule mod_userdir.c>
    Userdir disabled
    Userdir enabled ++
    </IfModule>
    <IfModule mod_php4.c>
    php_admin_value open_basedir "/home/++:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>

    But still a 'cat /etc/httpd/conf/httpd.conf' gives an output:

    Alias /bandwidth/ /usr/local/bandmin/htdocs/
    #-
    #Rlimit added by apachelimits.pl
    #-
    RLimitMEM 101213866
    RLimitCPU 120
    ##
    ## httpd.conf -- Apache HTTP server configuration file
    ##
    etc

    How can this be?

    Thanks!
     
  18. EMS

    EMS BANNED

    Joined:
    May 10, 2003
    Messages:
    250
    Likes Received:
    0
    Trophy Points:
    0
    Apologies for adding to an old thread but I think this is relevant to the discussion.

    Could someone advise on what the enablefileprotect script actually does ?
     
  19. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It enforces stricter file permissions on the user directories in /home/ so that a user cannot simply browse the directory at the top level of /home and /home/public_html.

    However, it doesn't actually prevent a user from going deeper into the tree if they can establish the directory names under /home, which isn't actually difficult to do whatsoever. It's just another level of security that can deter someone who just feels curious but isn't aware how to establish the other account names' directories.

    It is also good for resetting file ownership and permissions for /home/user, /home/user/public_html and, if applicable, subdomain and FrontPage ownerships.
     
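    To see which home directories the stricter permissions described above would still leave open, here is a small audit, added as an illustration and not part of the thread or of cPanel's enablefileprotect script: it builds a constructed sample tree under a temp directory (the real tree would be /home) and reports each top-level home directory whose "others" bits allow listing (o+r) or traversal (o+x). The modes used for the sample accounts are assumptions for the demonstration, not cPanel defaults.

```shell
#!/bin/sh
# Report home directories that users other than the owner can list or
# traverse. Works on a constructed sample tree so it can run anywhere.

make_sample_home() {
  mkdir -p "$1/alice/public_html" "$1/bob/public_html" "$1/carol/public_html"
  chmod 711 "$1/alice"   # traversable but not listable by others (assumed)
  chmod 755 "$1/bob"     # fully listable by others (assumed weak setting)
  chmod 750 "$1/carol"   # nothing for others (assumed tightened setting)
}

# For each directory directly under $1 print "name mode finding" when the
# "others" class has read or execute permission.
world_accessible_homes() {
  for d in "$1"/*/; do
    d="${d%/}"
    # GNU stat first, BSD stat as fallback; %a / %Lp give the octal mode
    mode=$(stat -c '%a' "$d" 2>/dev/null || stat -f '%Lp' "$d")
    others="${mode#"${mode%?}"}"          # last octal digit = others class
    case "$others" in
      4|5|6|7) echo "$(basename "$d") $mode listable-by-others" ;;
      1|3)     echo "$(basename "$d") $mode traversable-by-others" ;;
    esac
  done
  return 0
}

root="${TMPDIR:-/tmp}/home_audit_sample.$$"
make_sample_home "$root"
echo "Home directories reachable by other users:"
world_accessible_homes "$root"
rm -rf "$root"
```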
  20. DSNet

    DSNet Registered

    Joined:
    Oct 22, 2006
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Was this ever resolved?

    I happen to be a customer of UKHOST4U. My site, and also it seems, the entire UKHOST4U network, appears to have disappeared overnight. Hopefully it is a temporary glitch. I arrived here while looking for some info on my host and was somewhat concerned to find this thread.
    I know it's pretty old now but I'm worried about how secure my site is!
    So, Paul, if you read this, please post an update here. Did you find a resolution for the open_base issue and what has happened to www.ukhost4u.com ?
     