The Community Forums


server hacked - thoughts?

Discussion in 'General Discussion' started by hmseas, May 15, 2005.

  1. hmseas

    2 days ago a hacker was able to obtain root access and then run a script that replaced every index.php file on our server with this wonderful page:
    http://netphonereview.com/

    The account he got in through had phpBB running on it (a point of break-in in the past). The public_html folder in that account was changed to be owned by '507'. There also appear to be malicious binaries in /dev/shm and /dev/shm/psybnc.

    The question is: we had the datacenter security team look into this and they claim that our 2.6.x kernel may be outdated, and that we should do an OS Reload. Our administrator says the kernel is fine, and that phpBB is the sole problem. Does anyone have any thoughts on this?

    Neil
     
    #1 hmseas, May 15, 2005
    Last edited: May 15, 2005
  2. chirpy

    Are you sure it was a root compromise? A root compromise is not necessary to achieve what you describe if you haven't protected yourself with phpsuexec (even with it enabled it's still possible). Outdated phpBB installations are quite likely to be the initial point of entry.

    If you have experienced a root compromise you will need to have an OS reload done, and if the kernel is out of date, that will need upgrading. If not, have a read of this thread:
    http://forums.cpanel.net/showthread.php?t=30159

    Or consider hiring someone to do it for you.
     
  3. DogTags

    Does installing phpsuexec wreck any already installed scripts or have any other issues?

    Or, is it just a matter of updating apache and away you go?

    Many thanks :)
     
  4. chirpy

    It can cause the following issues:

    1. php-related .htaccess directives have to be moved to a local php.ini file instead

    2. The HTTP_AUTH access control method does not work (you usually need to replace it with htpasswd files)

    3. Stricter directory and file permissions are imposed, so you need to ensure directories that contain php files do not have 777 permissions enabled, for example.

    Other than that, it's usually fine. Generally, though, it's usually a good idea to enable it on a server before you put clients on, but you can firefight it once enabled on a loaded server.
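    A permission and ownership audit for a single account's document root, added here as an example (it is not from the thread or from cPanel): it reports the world-writable files and PHP directories that point 3 above is about, plus any entry not owned by the account user, which is the "public_html owned by 507" symptom from the first post. The function name, report labels and usage path are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a cPanel-style document root and
# prints one finding per line:
#   WORLD_WRITABLE_FILE <path>    file writable by "other" (e.g. 666): any local
#                                 user, or a script running as nobody, can
#                                 overwrite it (the index.php defacement case)
#   WORLD_WRITABLE_PHP_DIR <path> directory holding PHP files and writable by
#                                 "other" (e.g. 777): phpsuexec refuses to run
#                                 scripts from it, and anyone can drop files in
#   FOREIGN_OWNER <path>          entry not owned by the account user (the
#                                 "owned by 507" symptom)
# Usage: audit_docroot /home/USER/public_html USER   (names are assumptions)

audit_docroot() {
    docroot="$1"
    owner="$2"

    # -perm -002: the "other" write bit is set (catches 666, 777, 757, ...)
    find "$docroot" -type f -perm -002 -print | sed 's/^/WORLD_WRITABLE_FILE /'

    # A world-writable directory only matters for suexec if it holds PHP files;
    # the inner find looks one level down for *.php
    find "$docroot" -type d -perm -002 -print | while read -r d; do
        if [ -n "$(find "$d" -maxdepth 1 -type f -name '*.php' | head -n 1)" ]; then
            echo "WORLD_WRITABLE_PHP_DIR $d"
        fi
    done

    # Anything not owned by the account user (covers the '507' ownership change)
    find "$docroot" ! -user "$owner" -print | sed 's/^/FOREIGN_OWNER /'
}

# Run directly: sh audit.sh /home/USER/public_html USER
if [ "$#" -ge 2 ]; then
    audit_docroot "$1" "$2"
fi
```

Run it as root (or as the account user) before enabling phpsuexec, then fix the reported entries with chmod/chown so the account keeps working once the stricter rules apply.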
     
  5. jamesbond

    I still don't quite understand how it's possible to replace the index files in all accounts without phpsuexec. How is that done if the index files are set to 644?

    I assume user nobody first needs to change file permissions on (index) files in the public_html directories to get write access to them? (Haven't tried that myself.)
     
  6. chirpy

    Yup. With phpsuexec disabled, all php scripts on the server will run as nobody. Since nobody has access to all the web files on all sites (it must have at least read access), at the very least they can read php script files and easily get MySQL database passwords, for example, which are very often set up the same as users' cPanel passwords. Or direct access to htpasswd-protected areas.

    As you say, if people have their pages set to 666, anyone on the server can then modify them; if you set them to 644 you cannot do it so easily - you'd need to invoke a local root compromise or, as above, password trawling of files.

    If you have phpsuexec enabled, you're restricted by normal file permissions and ownerships, and so security is much simpler. Also, any files created are under your account's username, making tracking problems much simpler too.
     
  7. StevenC

    What is the kernel version you are using?
     