First, sorry for my poor English.
I suggest below a script that will bring some protection against Perl and CGI attacks; please don't hesitate to provide opinions and comments.
Prerequisites: suPHP + suEXEC
PHP risk can be minimised by Suhosin's disabled functions, but a tricky hacker can get around this by running a Perl, Python or CGI script.
This script can be added to crontab every 10 minutes, and it will suspend any cPanel account that runs any CGI, Python, bash or Perl script within its account (as the account owner). You will also be alerted by mail, so you can check what script was launched before possibly unsuspending the account.
The script doesn't consume any CPU or RAM.
#!/bin/bash
# Run from root's crontab (e.g. every 10 minutes): take today's suexec_log entries,
# ignore cPanel's own helper CGIs, mail the rest and suspend the account(s) involved.
DATE=$(date +"%Y-%m-%d")
WORK=$(mktemp -d)
grep -F "$DATE" /etc/httpd/logs/suexec_log > "$WORK/dailySuexec"
# cPanel's own helper CGIs legitimately appear in suexec_log, so drop them
grep -v -E "suspendedpage.cgi|redirect.cgi|wredirect.cgi|defaultwebpage.cgi|templatepreview.cgi" "$WORK/dailySuexec" > "$WORK/resHack"
p=$(wc -l < "$WORK/resHack")
if [ "$p" -ne 0 ]
then
    # send the matching log lines as the mail body (keeps one entry per line)
    mail -s "Alerte CGI" [email protected] < "$WORK/resHack"
    # suexec_log lines look like: [date time]: uid: (nnn/user) gid: (nnn/user) cmd: script.cgi
    # take the account name from "gid: (nnn/user)" and suspend each account once
    awk -F "gid:" '{ print $2 }' "$WORK/resHack" | awk -F "/" '{ print $2 }' | awk -F ")" '{ print $1 }' | sort -u |
    while read -r us
    do
        /scripts/suspendacct "$us"
    done
fi
rm -rf "$WORK"
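As an added example (not the poster's script), here is the parsing step run in a dry run over constructed suexec_log lines, so you can see which accounts would be suspended before wiring in /scripts/suspendacct. The line format follows Apache suexec's standard log entries; the account names, dates and script names below are made up for the example.

```shell
#!/bin/bash
# Added example: parse Apache suexec_log entries for one day, skip cPanel's own
# helper CGIs, and report "account<TAB>script" for everything else.

# cPanel helper CGIs that legitimately show up in suexec_log
IGNORE_RE='suspendedpage\.cgi|redirect\.cgi|wredirect\.cgi|defaultwebpage\.cgi|templatepreview\.cgi'

# Print "user<TAB>cmd" for every entry on DAY that is not a whitelisted helper.
# Usage: suexec_offenders <logfile> <YYYY-MM-DD>
suexec_offenders() {
    local log="$1" day="$2"
    # suexec_log line: [YYYY-MM-DD hh:mm:ss]: uid: (501/user) gid: (502/user) cmd: script.cgi
    grep -F "[$day " "$log" | awk -v re="$IGNORE_RE" '
        $0 ~ re { next }                                   # cPanel helper, ignore
        match($0, /gid: \([0-9]+\/[^)]+\)/) {
            u = substr($0, RSTART, RLENGTH)                # "gid: (502/user)"
            sub(/^gid: \([0-9]+\//, "", u); sub(/\)$/, "", u)
            c = $0; sub(/^.*cmd: /, "", c)                 # script that was executed
            print u "\t" c
        }'
}

# Unique account names that would be suspended (one per line, sorted).
suexec_accounts() {
    suexec_offenders "$1" "$2" | cut -f1 | sort -u
}

# Constructed sample log (hypothetical accounts alice/bob/carol; format as suexec writes it).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[2024-05-01 09:15:02]: uid: (1001/alice) gid: (1001/alice) cmd: redirect.cgi
[2024-05-01 09:16:44]: uid: (1002/bob) gid: (1002/bob) cmd: shell.pl
[2024-05-01 09:17:10]: uid: (1002/bob) gid: (1002/bob) cmd: defaultwebpage.cgi
[2024-05-01 09:20:31]: uid: (1001/alice) gid: (1001/alice) cmd: backdoor.cgi
[2024-04-30 23:59:59]: uid: (1003/carol) gid: (1003/carol) cmd: old.py
EOF

# Dry run: show what the real script would do instead of calling /scripts/suspendacct.
# Expected: alice (backdoor.cgi) and bob (shell.pl); carol's entry is from the previous day.
suexec_offenders "$SAMPLE_LOG" 2024-05-01
suexec_accounts "$SAMPLE_LOG" 2024-05-01 | while read -r acct; do
    echo "would suspend: $acct"
done
```

Running this against the real /etc/httpd/logs/suexec_log with today's date shows exactly what the cron script would mail and suspend; swapping the echo for /scripts/suspendacct gives the live version.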