The Community Forums

Interact with an entire community of cPanel & WHM users!

security issue

Discussion in 'Security' started by NNNils, Apr 12, 2003.

  1. NNNils

    NNNils Well-Known Member

    Joined:
    Sep 17, 2002
    Messages:
    580
    Likes Received:
    0
    Trophy Points:
    16
    Help!

    I got this e-mail from someone (it's in Dutch, translated here):

    -----------------------
    Hi admin,

    [my ip-address was here] -> /etc/evilfile
    got r00t? :]
    hehe, that went very easily with ptrace.. Patch your kernel
    maybe also prevent "users" from being able to spawn a shell via httpd?
    and uh.. even set things like ls/cd to 750 and add shell users to a group
    Read The Fine security howto/checklist

    /JaD
    -------------------------

    He reports the following bad issues:

    - he managed to get into /etc and place a file called evilfile (using ptrace???)
    - he recommends patching the kernel
    - he says users can "spawn" a shell through httpd
    - he says ls/cd are 750, which is insecure according to him
    - shell users are added to a group

    He recommends reading The Fine security howto/checklist.



    Please help with this.
     
  2. jamesbond

    jamesbond Well-Known Member

    Joined:
    Oct 9, 2002
    Messages:
    738
    Likes Received:
    1
    Trophy Points:
    18
    Hi, you need to upgrade your kernel; you can search on 'kernel' in this forum for more information.

    Be careful doing this yourself though, because if something goes wrong you might not be able to get the server up again.

    You should probably contact your NOC and ask them to do it for you.
     
  3. NNNils

    Hm... didn't get kernelcheck messages...
     
  4. jamesbond

    You shouldn't rely on cPanel for these issues :)

    Log on to your server and type: uname -a to see your kernel version.
     
  5. NNNils

    It is 2.4.18-26.7.x

    What version(s) are okay?

    Are all the issues this person tells me about solved in another kernel, or are there also issues that result from the way cPanel works?
     
  6. jamesbond



    The latest version, 2.4.18-27.7.x I believe.

    The permissions you have set are the default permissions as far as I know.

    Giving SSH access to users is something you have to be careful with.
     
    #6 jamesbond, Apr 12, 2003
    Last edited: Apr 12, 2003
  7. NNNils

    Shouldn't something be done about that too then?
     
  8. jamesbond

    You can use the jailshell option; you can enable that to 'jail' the users in their own dir.

    But even with jailshell you should still be careful who you give shell access to.
     
  9. NNNils

    On the whole server there is just 1 shell user...

    I have now given him jailed shell.
     
  10. jamesbond

    That's good. By the way, I was wrong when I said that users are added to the wheel group by default; at least this doesn't happen on my server.

    Maybe you accidentally added him to the wheel group?
    In WHM there is an option 'Add/Remove Users from the Wheel'
     
  11. NNNils

    Nope never used that option.

    How can I see if a user is added to the wheel group?

    BTW what is a wheel group :-S ?
     
  12. jamesbond

    Just log on to WHM and click on 'Add/Remove Users from the Wheel'; there you should see who is in the wheel group.

    Users in the wheel group are allowed to su to root (if they know the root pwd, of course).

    Users who are not in the wheel group can't su to root even if they know the root pwd.
     
  13. NNNils

    Only root is in wheel group
     
  14. jamesbond

    Well then I don't know what group he is talking about.

    To see a list of the groups on your server you can do this in SSH: cat /etc/group
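
A fuller version of the checks discussed in posts 11 to 14 (wheel membership and shell users), as an added example that is not part of the original thread: `cat /etc/group` lists only supplementary members, so this also picks up accounts whose primary GID is wheel's. The function names, the sample accounts and the list of non-interactive shell basenames are assumptions.

```shell
#!/bin/sh
# Added example: who is in wheel, and who has a login shell?
# Paths default to the live files; pass other files to audit a copy.

# wheel members = names listed in the group entry + accounts whose primary
# GID (passwd field 4) is wheel's GID, which the group file does not show.
wheel_members() {
    group_file=${1:-/etc/group}; passwd_file=${2:-/etc/passwd}
    wheel_gid=$(awk -F: '$1 == "wheel" { print $3; exit }' "$group_file")
    [ -n "$wheel_gid" ] || return 0          # no wheel group defined
    {
        awk -F: '$1 == "wheel" { n = split($4, m, ",")
                 for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$group_file"
        awk -F: -v gid="$wheel_gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Accounts with a usable login shell, printed as user:shell so jailshell
# accounts can be told apart from full shells. An empty field means /bin/sh.
# Assumption: these basenames are the non-interactive shells on the host.
shell_users() {
    awk -F: '{ sh = ($7 == "" ? "/bin/sh" : $7)
               if (sh !~ /\/(nologin|false|noshell|sync|shutdown|halt)$/)
                   print $1 ":" sh }' "${1:-/etc/passwd}"
}

# Constructed sample data (not from the thread), written to directory $1.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:10:constructed:/home/alice:/bin/bash
bob:x:501:501::/home/bob:/usr/local/cpanel/bin/jailshell
carol:x:502:502::/home/carol:/usr/local/cpanel/bin/noshell
dave:x:503:503::/home/dave:
EOF
    cat > "$1/group" <<'EOF'
root:x:0:root
wheel:x:10:root,bob
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
echo "wheel members:"; wheel_members "$demo_dir/group" "$demo_dir/passwd"
echo "login shells:";  shell_users "$demo_dir/passwd"
rm -rf "$demo_dir"
```

In the sample, alice appears in wheel only through her primary GID, and dave's empty shell field still gives him a login shell.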
     
  15. LinuxFreaky

    LinuxFreaky Well-Known Member

    Joined:
    Sep 22, 2001
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    6
    Will upgrading to the newest kernel via up2date mess cPanel up in any way?
     
  16. norm

    norm Well-Known Member

    Joined:
    Apr 23, 2002
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    6


    And you're still keeping him as a client why????????
     
  17. NNNils

    The hacker and the customer are not the same person!
     