The Community Forums


Security Idea

Discussion in 'Security' started by GOT, Sep 7, 2004.

  1. GOT

    GOT Get Proactive!

    Joined:
    Apr 8, 2003
    Messages:
    900
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Norfolk, VA
    cPanel Access Level:
    DataCenter Provider
    I have been seeing a number of servers where clients manage to upload a php spam script. Here is what I think is happening.

    They upload the spam script using a normal method, either FTP, or, more likely, through the cPanel file manager. Then they use CGI-Telnet to copy the file to an open directory. I've seen them in tmp, in /var/cpanel and a few other places. Then, using the same CGI-Telnet, they launch the program using the command line php call. This launches their spam script. Then they clear out of CGI-Telnet and the script just keeps running.

    What I am wondering is, would there be any negative impact of chmodding the php binary to 700 to prevent the user nobody and/or a normal user from triggering php scripts this way.

    I can find no way to prevent people from running the evil CGI-Telnet, but perhaps this would stop them from launching their php mail bombs.

    Anyone have any thoughts on this?
     
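Added example (not part of the thread or of cPanel): a small audit for the pattern described in the post above, a php interpreter started from a scratch directory or running as the web server user after the CGI-Telnet session that launched it is gone. On a live box the input would come from `ps -eo user,pid,args`; here the process list, the directory list and the user name `nobody` are constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Flags php CLI processes that were
# started outside any account's webspace, or that run as the web server
# user rather than an account user. Input is in `ps -eo user,pid,args` shape.

# Constructed sample process list (not captured from a real server).
SAMPLE_PS='USER       PID COMMAND
root         1 /sbin/init
nobody    2310 /usr/local/apache/bin/httpd -DSSL
nobody    4471 php /tmp/.x/mailer.php
nobody    4490 /usr/bin/php /var/cpanel/spam.php
bob       5012 php /home/bob/public_html/cron.php
nobody    5100 perl /tmp/cgitelnet.pl'

# Directories no customer script should legitimately execute from.
# Assumption for the example; extend to match the server layout.
SUSPECT_DIRS='/tmp /var/tmp /dev/shm /var/cpanel'

# flag_rogue_php: read ps-style lines on stdin, print "user pid script"
# for each php interpreter whose script lives under a suspect directory
# or that runs as nobody. A php process owned by nobody cannot be a
# mod_php page (those run inside httpd), so it was started by hand.
flag_rogue_php() {
    awk -v dirs="$SUSPECT_DIRS" '
    BEGIN { n = split(dirs, d, " ") }
    NR == 1 { next }                         # skip the ps header line
    {
        user = $1; pid = $2; cmd = $3
        # match the interpreter by basename: php, /usr/bin/php, php-cli, ...
        base = cmd; sub(/.*\//, "", base)
        if (base !~ /^php/) next
        script = ($4 != "") ? $4 : "-"
        bad = (user == "nobody")
        for (i = 1; i <= n; i++)
            if (index(script, d[i] "/") == 1) bad = 1
        if (bad) print user, pid, script
    }'
}

# count_rogue_php: number of flagged processes in the sample list.
count_rogue_php() {
    printf '%s\n' "$SAMPLE_PS" | flag_rogue_php | wc -l | tr -d ' '
}

# Stand-alone run over the sample data.
printf '%s\n' "$SAMPLE_PS" | flag_rogue_php

# On-disk counterpart for a live server (not run here): scripts left
# behind in scratch space and owned by the web server user.
#   find /tmp /var/tmp /dev/shm -user nobody \( -name '*.php' -o -name '*.pl' \) -ls
```

The flagged pid is what you kill; the script path is what you preserve before removing it, since the mailer body and any recipient list inside it are the only evidence left once the uploader has deleted the copy in their home directory.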
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If they have FTP or File Manager access they can put the script anywhere within their own webspace anyway. I would have thought that enabling suexec+phpsuexec would highlight which account has been exploited/abused and you can shut it down or close the vulnerability.

    There's nothing evil, per se, with CGI-Telnet - it's completely trivial to write a few lines of perl that can do exactly what it does - but if you have customers using their accounts in this way, you have to start wondering about the type of customer you are attracting ;)
     
  3. GOT

    GOT Get Proactive!

    Joined:
    Apr 8, 2003
    Messages:
    900
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Norfolk, VA
    cPanel Access Level:
    DataCenter Provider
    Unfortunately, PHPSuexec is not really an option for most of my clients. The number of roadblocks it puts into place on running PHP scripts ends up alienating many of their clients.

    Part of the issue is the obfuscation of who actually uploaded the script. If they put it somewhere not in their own webspace, its owned by the user nobody, and once the CGI-Telnet session is closed, there is no way to find out which client it is, unless they were stupid and left a copy of the same script in their home directory as well, but that has been rarely the case. They know to delete the original.

    I know what you mean about the clients too, but it could happen to any of us. I, personally, have been fortunate and it has not happened on any of my hosting servers, but I get clients signing up every day that I do not know who they are.

    So, as I suggested, do you see any problems chmodding php to 700? I realize of course that any cron jobs written to call a php file using the php binary instead of using GET would not work, but beyond that, can you, or anyone else, think of something else that would break if I chmod the php binary? It would stop this particular hack from working.
     
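Added example (not part of the thread or of cPanel) for the question raised in the post above: before restricting the php binary to mode 700, list the cron entries that call the interpreter directly (those are the ones that stop working, while entries that fetch the page with wget, curl or GET keep working), and verify afterwards that group and world really have lost execute permission. The crontab text and the user names are constructed sample data; on a live server the input would be the output of `crontab -l -u USER` for each account.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks around "chmod 700 php":
#  1. which cron entries execute a php binary directly (would break),
#  2. whether a given binary is still executable by group or others.

# Constructed crontab dump, one "# user:" marker per account (not real).
SAMPLE_CRON='# user: alice
0 3 * * * /usr/local/bin/php /home/alice/public_html/backup.php
*/5 * * * * wget -q -O /dev/null http://alice.example/cron.php
# user: bob
30 2 * * * php -q /home/bob/public_html/cleanup.php
0 * * * * GET http://bob.example/poll.php > /dev/null
15 4 * * * /usr/bin/perl /home/bob/stats.pl'

# php_cron_entries: read crontab text on stdin, print "user: command" for
# every entry whose command starts with a php interpreter. Entries that
# reach the script over HTTP are left alone because they go through the
# web server, not the CLI binary.
php_cron_entries() {
    awk '
    /^# user: / { user = $3; next }
    /^[[:space:]]*(#|$)/ { next }            # comments and blank lines
    {
        cmd = $0
        # strip the five schedule fields, keep the command
        for (i = 1; i <= 5; i++)
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", cmd)
        first = cmd; sub(/[[:space:]].*/, "", first)
        base = first; sub(/.*\//, "", base)
        if (base ~ /^php/) print user ": " cmd
    }'
}

# count_php_cron_entries: number of breaking entries in the sample.
count_php_cron_entries() {
    printf '%s\n' "$SAMPLE_CRON" | php_cron_entries | wc -l | tr -d ' '
}

# others_can_exec FILE: succeed if group or world have execute permission.
# Parsed from `ls -ld` rather than `test -x`, so the answer does not
# depend on who runs the check (root can execute anything).
others_can_exec() {
    perm=$(ls -ld "$1" | cut -c1-10)         # e.g. -rwxr-xr-x
    grp=$(printf '%s' "$perm" | cut -c7)     # group execute bit
    oth=$(printf '%s' "$perm" | cut -c10)    # other execute bit
    case "$grp$oth" in
        *[xst]*) return 0 ;;                 # x, setgid s or sticky t all imply exec
    esac
    return 1
}

# php_binary_status FILE: "open" if non-owners can run it, else "restricted".
php_binary_status() {
    if others_can_exec "$1"; then echo open; else echo restricted; fi
}

# Stand-alone run: show the entries that would break, then report the
# mode of the usual interpreter locations if they exist on this machine.
printf '%s\n' "$SAMPLE_CRON" | php_cron_entries
for f in /usr/local/bin/php /usr/bin/php; do
    if [ -e "$f" ]; then echo "$f: $(php_binary_status "$f")"; fi
done
```

The mode check only covers the system binary: a copy of the interpreter uploaded into an account's own webspace, or a perl script run through the same CGI-Telnet, is outside its reach, which is why the process audit above still matters after the chmod.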
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If phpsuexec isn't an option, it does make things more difficult. What you're suggesting may well work, but unfortunately I can't test it on my test server as it's running phpsuexec and chmod 700 on the php binary stops it working through the web server :p

    Why not give it a whirl, you'll soon know if it doesn't work ;)
     
  5. GOT

    GOT Get Proactive!

    Joined:
    Apr 8, 2003
    Messages:
    900
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Norfolk, VA
    cPanel Access Level:
    DataCenter Provider
    We'll see what happens. Still looking for other comments out there.... :D
     