
Server Compromised: Apache or PHP vulnerability

Discussion in 'EasyApache' started by stugster, Sep 6, 2006.

  1. stugster

    I am running the latest release of cPanel and WHM. They are both set to automatically update.

    My server is continuously getting hit by a PHP problem:

    Apache or PHP vulnerability that allows files to be placed in and executed from the /tmp or /var/tmp directory

    '/var/tmp/. ' and '/var/tmp/bind' contained a number of scanning programs that were active...


    Any ideas? Anyone experienced this sort of thing before?
     
  2. Apoc

    That problem has nothing to do with Apache or PHP vulnerabilities; the problem has to do with exploitable scripts that are located on your server. You can try tracking it with this command:

    egrep <hack.name> /usr/local/apache/domlogs/*

    You'd have to replace <hack.name> with the name of the hack scripts you found in /tmp. Based on the output you should usually be able to find the exploited script(s).

    However, someone may just (accidentally or not) upload an exploitable script again in the future. You should probably look into installing mod_security for Apache. If you install it with a good ruleset, it'll deny requests for file execution in /tmp, which makes the exploitable scripts less dangerous to your server.
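
Apoc's log search above, as an added example that is not part of the original thread: it greps the per-domain logs for a dropped file's name and tallies the domain, script and client behind each hit. The helper names, the file name `bind.tgz` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list which site and script received requests naming a dropped file.
# Assumes one combined-format access log per domain, as under /usr/local/apache/domlogs/.

# find_dropper_requests NAME LOGDIR   (hypothetical helper name)
# Prints "hits domain script client-ip", busiest first.
find_dropper_requests() {
    needle=$1 logdir=$2
    # -F matches NAME literally: with egrep, "." in a file name is a wildcard,
    #    so "bind.tgz" would also match "bind-tgz".
    # -H prefixes each hit with its log file, i.e. the domain that was hit.
    ( cd "$logdir" && grep -F -H -- "$needle" ./* 2>/dev/null ) |
    awk '{
        i = index($1, ":")                 # $1 is "./<domain>:<client-ip>"
        domain = substr($1, 3, i - 3)
        ip = substr($1, i + 1)
        script = $7                        # request path in combined format
        sub(/\?.*/, "", script)            # drop the query string
        hits[domain " " script " " ip]++
    }
    END { for (k in hits) print hits[k], k }' | sort -k1,1nr -k2
}

# Constructed sample logs (documentation addresses and domains), not real data.
make_sample_logs() {
    d=$(mktemp -d)
    cat > "$d/shop.example.com" <<'EOF'
203.0.113.7 - - [06/Sep/2006:03:12:44 +0100] "GET /gallery/upload.php?name=bind.tgz HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.7 - - [06/Sep/2006:03:12:51 +0100] "GET /gallery/upload.php?name=bind.tgz HTTP/1.1" 200 498 "-" "libwww-perl/5.805"
192.0.2.44 - - [06/Sep/2006:09:30:02 +0100] "GET /index.php HTTP/1.1" 200 8121 "-" "Mozilla/5.0"
EOF
    cat > "$d/blog.example.org" <<'EOF'
192.0.2.80 - - [06/Sep/2006:10:01:13 +0100] "GET /docs/bind-tgz-howto.html HTTP/1.1" 200 2290 "-" "Mozilla/5.0"
EOF
    echo "$d"
}

logs=$(make_sample_logs)
find_dropper_requests 'bind.tgz' "$logs"   # → 2 shop.example.com /gallery/upload.php 203.0.113.7
rm -rf "$logs"
```

The script column is the file to inspect or update first; the client address and the timestamps in the matching log lines give the starting point for the rest of the timeline.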
     
  3. AndyReed

    In addition to what Apoc said, hackers won't leave you alone and they'll keep coming back to use your server to launch attacks on other servers, or do other harmful things. Secure and harden your server before it is too late.
     
  4. sparek-3

    mod_security is good and I'm not trying to say that it is not a useful tool. But nothing compares to keeping your scripts up-to-date. If you keep your scripts up-to-date, then it's likely you won't have these problems.

    Using mod_security for your security is like trying to think of every possible vulnerability that could exist and blocking it. It's much more feasible to fix the underlying problem by updating the script; or perhaps the vulnerability has not been patched, in which case it needs to be brought to the attention of the developers.

    Using mod_security is good for finding these holes and to limit the number of exploits through the scripts. But it just should not be depended on as a complete security tool.
     
  5. brianoz

    Thing is, mod_security will block attempts to break into places you haven't found yet. You can't always fix every vulnerability on a server - mod_security set up intelligently will catch whole classes of attacks.

    Defence in depth applies here - use a good set of mod_security rules and ALSO update your scripts. Don't rely on one or the other!
     
  6. dv2support

    For the newbie on cPanel, you can also run /scripts/securetmp on cPanel. I usually symlink /var/tmp to /tmp before doing this. It will help keep most scripts from executing in /tmp, unless they are called by some binary executable, such as perl.
     
  7. Modchips(Pablo)
