The Community Forums


simulating hacked website questions

Discussion in 'Security' started by Clouseau, Jan 21, 2015.

  1. Clouseau

    Clouseau Active Member

    cPanel Access Level:
    Root Administrator
    I'm simulating a hacked website - I have uploaded one PHP script that calls the shell function on one of the websites I host on my server. I have a shell in the browser, and I can list the root directory / and browse and read various files. suPHP and suEXEC are enabled in cPanel.
    I can probably circumvent this by enabling the open_basedir tweak, BUT I don't think this is going to solve the problem in the case of a hacked website, i.e. the attacker can upload a php.ini file with a custom open_basedir variable in it, so there is no point in that. Is there some other kind of solution for this?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello :)

    Could you elaborate on this? What files with sensitive data are you able to see? Are you sure it's not related to the question asked on this thread?

    Thank you.
     
  3. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    He's talking about a PHP shell, where you can access anything world readable via apache.

    I recommend the "symlink race condition protection" in EasyApache; it will stop processes running under PHP, such as PHP shells, from accessing files not owned by the same user.
     
  4. 24x7server

    24x7server Well-Known Member

    cPanel Access Level:
    Root Administrator
    Hello,

    I would also suggest that you install mod_security on your server, scan your whole server with LMD (Maldet), and remove all infected files if you find any in the log file.
     
  5. Clouseau

    Clouseau Active Member

    cPanel Access Level:
    Root Administrator
    OK, my website is not hacked; I have uploaded a PHP shell script to see what I can access.
    I have suPHP enabled, so I have copied the php.ini file from /usr/local/lib/php.ini to /home/user/php.ini and added to it:
    open_basedir = "/home/user"

    Why can I still access and read / through the PHP script? It looks like suPHP doesn't read custom php.ini files in the /home/user/ directory, although the documentation states that this will work:
    https://documentation.cpanel.net/di...ConfigurePHPandsuEXEC-Step4:PHPCustomizations

    And also, can you finally add php-fpm to cPanel so we can all leave this behind?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    cPanel Access Level:
    Root Administrator
    Did you read this whole thread, or just the title?
     
  8. Clouseau

    Clouseau Active Member

    cPanel Access Level:
    Root Administrator
    I have disabled FollowSymLinks and set SymLinksIfOwnerMatch, so this is OK. But the above problem is not related to that; the above problem is: a PHP script is called which lists all files in root, /etc, /var, etc., and it gives output...

    P.S. php-fpm fixes all these problems, with custom php.ini and locking users to their home directories, etc. There is no need for CageFS, CloudLinux, etc. So please add it :)
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
  10. Clouseau

    Clouseau Active Member

    cPanel Access Level:
    Root Administrator
    Yes. But only directories with the world-readable flag can be accessed, and also the ones with the X flag.

    Already did :)
     
  11. Clouseau

    Clouseau Active Member

    cPanel Access Level:
    Root Administrator
    OK, I have managed to get a custom php.ini file working with suPHP enabled:
    1) suPHP is enabled.
    2) Add a custom php.ini by copying it to /home/user/php.ini and, in the file /home/user/public_html/.htaccess, add this:
    suPHP_ConfigPath /home/user - with this, the custom php.ini file is read.
    3) The PHP system function and shell_exec function circumvent this - you can set open_basedir in that custom php.ini file to /home/user/public_html/test and the website is not going to work, but the PHP script in /home/user/public_html/test/hack.php is going to work, the shell is given in the browser, and the hacker can browse all the files and dirs in the system which are world readable.
    4) Add those functions to the disable_functions section in php.ini so that they cannot be executed.

    Also, this is all meaningless if the configuration on the server allows custom php.ini files, because a hacker can bypass all the options stated in the global php.ini file by adding his own custom php.ini file or editing the current custom php.ini file on the web...

    Eh, php-fpm would fix all this...
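    The steps above describe two things a server owner should be able to check: which accounts redirect suPHP to their own php.ini via suPHP_ConfigPath, and whether a php.ini actually disables the shell-spawning functions (step 4). The audit script below is an added example, not code from this thread or from cPanel; it assumes the account home tree is passed as its first argument (e.g. /home) and builds a constructed sample tree so it can be run offline.

    ```shell
    #!/bin/sh
    # Added example: audit per-account php.ini overrides under a cPanel-style home tree.
    # Usage: sh audit.sh /home   (the sample tree below is constructed for offline runs)
    set -eu

    # Build a throwaway tree mirroring the post's layout (constructed data, not a real server).
    make_sample_tree() {
      mkdir -p "$1/alice/public_html/test" "$1/bob/public_html"
      printf 'suPHP_ConfigPath /home/alice\n' > "$1/alice/public_html/.htaccess"
      printf 'open_basedir = "/home/alice/public_html/test"\n' > "$1/alice/php.ini"
      printf 'disable_functions = system, shell_exec, exec, passthru\n' > "$1/bob/public_html/php.ini"
    }

    # Print every .htaccess under the tree that points suPHP at a custom php.ini (step 2).
    find_configpath() {
      find "$1" -name .htaccess -exec grep -l '^[[:space:]]*suPHP_ConfigPath' {} + 2>/dev/null | sort
    }

    # Return 0 only if the php.ini at $1 lists all four shell-spawning functions in
    # disable_functions (step 4); 1 if any of them is still callable.
    shell_funcs_disabled() {
      list=$(grep -i '^[[:space:]]*disable_functions' "$1" 2>/dev/null | tail -n 1 | cut -d= -f2- | tr -d ' \t')
      for fn in system shell_exec exec passthru; do
        case ",$list," in
          *",$fn,"*) ;;
          *) return 1 ;;
        esac
      done
      return 0
    }

    # One report line per finding: accounts that can override the global php.ini, and
    # per-account php.ini files (open_basedir or not) that leave the shell functions enabled.
    audit_tree() {
      for ht in $(find_configpath "$1"); do
        printf 'CONFIGPATH %s\n' "$ht"
      done
      find "$1" -name php.ini 2>/dev/null | sort | while read -r ini; do
        if shell_funcs_disabled "$ini"; then st=disabled; else st=ENABLED; fi
        printf 'PHPINI %s shell_functions=%s\n' "$ini" "$st"
      done
    }

    if [ "${1:-}" != "" ]; then audit_tree "$1"; fi
    ```

    On a real server, any PHPINI line marked ENABLED under an account that also has a CONFIGPATH hit is exactly the step 3 situation: open_basedir may be set, but system/shell_exec are still available to anything uploaded into that account.
    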
     
  12. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    You may find this thread helpful:

    Methods to Increase Security on suPHP - Restricting who can use php.ini files

    Thank you.
     
  13. Clouseau

    Clouseau Active Member

    cPanel Access Level:
    Root Administrator
    Thank you. So, if I have suPHP and none of the websites has suPHP_ConfigPath in any of their .htaccess files, then I can use the above link to restrict who can use php.ini? I'm asking because if the websites don't have "suPHP_ConfigPath" in any of their .htaccess files but they do have php.ini files in their public_html directories, those files are ignored and not used.

    If I restrict them so they can only use the global php.ini, is there an option at a later time to somehow allow only a specific website to use a custom php.ini with the above restriction?
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    1. No, suPHP_ConfigPath will not override the method listed to restrict accounts to a global php.ini file. A php.ini file within an account's public_html directory should not be ignored if the "suPHP_ConfigPath" entry is not utilized.

    2. Please ensure you read the section in that thread titled "If you have PHP 5.3+ and want to allow some accounts to have their own php.ini file".

    Thank you.
     