The Community Forums

Interact with an entire community of cPanel & WHM users!

Question about malware php shell

Discussion in 'Security' started by scottcris, Apr 7, 2014.

  1. scottcris

    scottcris Member

    Joined:
    Apr 7, 2014
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    Hello,
    Today I found an exploited account on my dedicated server. I then decided I was going to look at the php files in the web browser and found they were all webshells. While navigating around the directories on this I noticed I could see all of the users' home directories; while I could not enter them, it also displayed their domain names as well. My question is: would there be any way to keep this type of information from being shown should something like this occur again, which I am guessing it will?

    Currently we are using suPHP and php 5.3/5.4 on the server and have suexec disabled. I was reading on mod_ruid and it seems that may be the way to go to protect against symlink attacks and such, but I am not sure it will protect this data.

    Thanks
     
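The original poster's observation (the shell could list every directory under /home but not enter them) comes down to the permission bits on /home and on each account's home directory. The following POSIX sh script is an added example, not code from this thread or from cPanel; it audits a parent directory given as a parameter, reporting whether "other" users can list it and which child directories "other" users can traverse. The path, the function names and the sample layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit whether a parent directory such as /home lets any
# local user list other accounts' home directories or traverse into them.
# Assumes only POSIX sh, ls and cut; usage: audit_home /home

# Return the 10-character mode string (e.g. drwxr-x--x) for a path.
# ls -ld output starts with the mode; cut drops any trailing ACL/SELinux marker.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Print 'listable' if the "other" class has read permission on a directory
# (position 8 of the mode string), otherwise 'hidden'.
other_listable() {
    case "$(mode_of "$1")" in
        d??????r??) echo listable ;;
        *)          echo hidden ;;
    esac
}

# Print 'traversable' if the "other" class has search (x) permission on a
# directory (position 10 of the mode string), otherwise 'blocked'.
other_traversable() {
    case "$(mode_of "$1")" in
        d????????x) echo traversable ;;
        *)          echo blocked ;;
    esac
}

# Audit a parent directory: report its own listability and, for each child
# directory, whether other users can enter it.
audit_home() {
    parent=$1
    printf '%s: %s by other users (%s)\n' \
        "$parent" "$(other_listable "$parent")" "$(mode_of "$parent")"
    for d in "$parent"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        printf '  %s: %s for other users (%s)\n' \
            "$d" "$(other_traversable "$d")" "$(mode_of "$d")"
    done
}
```

A parent directory reported as "listable" matches what the poster saw: any process on the box, including one running as a compromised account, can enumerate the usernames under it even when each home directory itself is "blocked". Removing read permission for "other" on the parent (for example mode 711) removes the listing while still letting the web server traverse into document roots that it needs to reach.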
  2. scottcris

    scottcris Member

    Additionally, I guess my second question is: how does this shell pull in the domain names? It looks like mod_ruid fixed it from seeing what the user directories are, but it still shows the domain names on the server, which is odd. I'm guessing it's pulling the info from somewhere; I am just not sure where.

    Thanks again!
     
  3. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,482
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator

    Not a great idea to use this sort of script yourself when finding it. These scripts can phone home with details of its use, and who used it.
     
  4. scottcris

    scottcris Member

    Well, I did take some steps beforehand to make sure that a. the user account could not be accessed outside the network and b. the server would not let traffic go anywhere besides the network for that account. It's a no-brainer that they can phone home if accessed. I guess I should have provided more details on how I secured the account before accessing it, but I didn't think it was really needed when I'm just looking for an answer.
     
  5. scottcris

    scottcris Member

    Well, obviously. I did take some steps beforehand; however, I was looking for more of an answer to my question than a quick "you shouldn't do that" quote.
     
  6. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    346
    Likes Received:
    7
    Trophy Points:
    18
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
  7. scottcris

    scottcris Member

    I thank you for your answer and for providing me with a step in the right direction; it's much appreciated.
    :)
     