Really important for security ..

Discussion in 'Security' started by zinehost, Jan 21, 2006.

  1. zinehost

    Hi everybody.

    Now we have a problem. A hacking team named "Captain Crunch Security TeaM" created a script. It is like a phpshell, but in this one most things are legal and the script works fine. Users get httpd.conf, /etc/passwd etc. with this script. And many hosting companies were hacked in 1 week.

    Now, can we do this?

    I think every server root knows the "[newmailcgi] Recently Uploaded CGI scripts that send email on" email. It is sent by WHM. It finds "mail();" functions in files. Now, in this hacking tool I saw some code like below:

    if (file_get_contents("/etc/userdomains")) {echo "<b><font color=\"green
    if (file_get_contents("/var/cpanel/accounting.log")) {echo "<b><font col
    if (file_get_contents("/usr/local/apache/conf/httpd.conf")) {echo "<b><f
    if (file_get_contents("/etc/httpd.conf")) {echo "<b><font color=\"green\
    and more..


    CAN WHM SENSE THESE LINES IN PHP FILES? AND SUSPEND THE ACCOUNT AUTOMATICALLY?
     
  2. jamesbond

    I think this is the script/program that does the scanning:

    /usr/local/cpanel/bin/scanfornewmail

    Unfortunately we can't customize it to add some extra things to search for.
     
  3. AndyReed

    You can create and run your own script, separately from the cPanel scripts. I also suggest you secure your server, upgrade programs and applications, clean up all hacking tools downloaded and installed on your server. This subject and/or issue has been discussed many times in these threads.
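
A custom scan of the kind suggested above, as an added example that is not part of the original thread and not cPanel code. It reports PHP files that read two or more distinct sensitive paths, generalising from the `file_get_contents()` lines quoted in the first post to other PHP read calls; the prefix list, extension list, threshold and sample are assumptions.

```python
import os
import re
import sys

# Assumption: prefixes a shared-hosting customer script has no reason to read.
SENSITIVE_PREFIXES = ("/etc/", "/var/cpanel/", "/usr/local/apache/conf/")
PHP_EXTENSIONS = (".php", ".phtml", ".inc")
# A PHP file-reading call followed by a quoted absolute path literal.
READ_CALL = re.compile(
    r"\b(file_get_contents|fopen|file|readfile|include|require)(?:_once)?"
    r"""\s*\(?\s*["'](/[^"']+)["']""",
    re.IGNORECASE,
)
# Constructed sample modelled on the lines quoted in the first post.
SAMPLE = '''<?php
if (file_get_contents("/etc/userdomains")) { echo "readable"; }
if (file_get_contents("/usr/local/apache/conf/httpd.conf")) { echo "readable"; }
$tpl = file_get_contents("/home/user/public_html/tpl.html");
'''

def scan_source(text):
    """Return (line_number, function, path) for each read of a sensitive path."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for func, path in READ_CALL.findall(line):
            if path.startswith(SENSITIVE_PREFIXES):
                hits.append((lineno, func.lower(), path))
    return hits

def scan_tree(root, min_distinct=2):
    """Map file -> hits for PHP files reading at least min_distinct sensitive paths."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if len({path for _, _, path in hits}) >= min_distinct:
                flagged[full] = hits
    return flagged

if __name__ == "__main__":
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for lineno, func, target in hits:
            print(f"{path}:{lineno}: {func}() reads {target}")
```

This matches literal path strings only, so a script that builds its paths at run time is not reported; treat the output as a review queue, not as enforcement.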
     
  4. dropby23

    Did you try to disable file_get_contents in php.ini?
     
  5. Rave5

    Disabling file_get_contents() is stupid. Why bother when you have open_basedir to prevent them from accessing anything outside of /tmp and their home folders? It's set in httpd.conf or php.ini, but on my server it's in httpd.conf for a per-user setting. If they try to access anything in /etc or anywhere not in their folder (or other allowed folders), PHP prevents them from doing so and sends back an error. Nobody but the users that need it should be able to even read the files in the first place.
     
    #5 Rave5, Jan 23, 2006
    Last edited: Jan 23, 2006