The Community Forums


Site Defacement problems, questions

Discussion in 'Database Discussions' started by rosewood, Aug 1, 2008.

  1. rosewood

    rosewood Member

    Let me start by saying that I've been pulled in from another company to help this company out and webdev has not been my primary focus. So please excuse excessive ignorance on my part. Also, cPanel and WHM have been very easy to learn and use. I am very impressed with it. Now, on to the problem.

    Quite a few of our sites are being defaced on a regular basis. 5-6 sites a day. Some sites have been hit multiple times. From what I can tell, they are using an exploit in xinha, a WYSIWYG editor that every site that has been defaced was using. Once I found the security notice on xinha, I moved all instances of the editor out of the public_html directory. However, sites continue to be defaced.

    On each site, it is normally the index.php that is being changed, but at most we have only seen two pages changed. I've compared all files on the hacked sites to the backups and I'm not finding any left over scripting files. Is there a way to see if any files have been recently removed, to see if they are covering their tracks and deleting any scripts they are running from the server?

    What tools can I use in WHM and cPanel to track down where these defacements are coming from? Some of the sites they are hitting are VERY low traffic, so logging them should help.

    I have checked for cross site scripting vulnerabilities using both HP's tool and Acunetix Web Security Scanner (which is what helped find the xinha issues) and I'm not finding anything there. Nothing with the PHP configuration or with the mysql db looks bad. None of the original coders are with the company so for most of these sites, no one is familiar with the code and what possible problems could be lurking. However, most of these sites are stupid simple.

    I have used a few different rootkit checkers and the built in one as well. It found a few "possible" trojans, but nothing that looked out of place. I have attached the scans.

    The PHP open_basedir Tweak and the Apache mod_userdir Tweak had not been applied. I just applied these, as I had not noticed them prior to doing some extra research for this post.

    The one security gaffe I have come across is that the apache default .htaccess allows for directory listing. I would like to turn that off for every site by default, with the option of turning it back on a per directory level.

    I would like to change the main passwords of ALL sites we have hosted. Is there a way to do a mass password change, short of going one by one in password change screen? Other than customers going to login to their site and not being able to, what problems could this cause? This wouldn't change the individual email account passwords, nor would it change any db accounts/passwords, correct? So all sites should be unaffected by this change.

    We are running
    WHM 11.23.2 cPanel 11.23.4-S26138
    CENTOS Enterprise 5.2 i686 on standard - WHM X v3.1.0

    Server Version: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6
    Server Built: May 23 2008 02:03:26

    Thank you
     


  2. Kent Brockman

    Kent Brockman Well-Known Member

    Hi there. From what you say, I assume your passwords are strong enough and not easy to guess, right?

    Have you hardened your Apache security? Blocked unused ports? Changed default settings? Or are you relying only on the cPanel security center?

    Have you installed mod_security? If not, go now and do it: it will keep out the most commonly seen intrusion methods. You can install it through the addon manager in WHM.

    Have you installed ConfigServer Firewall (CSF)? It's a very handy tool that will alert you if it discovers suspicious behaviour, and obviously will block those attempts too. CSF must be downloaded from its website and manually installed using your console.

    If something suspicious is running in websites with low traffic, you can easily check what has been executed using this command:
    Code:
    # every script suPHP executed for the account appears in this log
    grep username /usr/local/apache/logs/suphp_log
    Replace username with the actual username of that domain.

    Also, you are able to see the recorded historical errors for a given domain with the command below:
    Code:
    # Apache errors (including PHP notices and failed includes) for the account
    grep username /usr/local/apache/logs/error_log
    Any script could be trojanized, but it is difficult to determine where it is located if you don't install some monitoring utilities.

    Feel free to check it out and share your findings ;)
     
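    Added example (not code from the thread or from cPanel): a POSIX sh script for the check rosewood asks about above, comparing an account's live docroot against its backup so files that were deleted or dropped show up beside the edited index.php, plus a ctime-based sweep for recently touched files. The backup and live trees it runs on are constructed sample data; point the functions at a real backup tree and /home/<user>/public_html in practice.

```shell
#!/bin/sh
# Added example, not code from the thread: triage one cPanel account's
# docroot against its last-known-good backup. All paths and sample files
# below are constructed for the dry run at the bottom.

# compare_trees BACKUP LIVE
# prints one line per difference: "changed|deleted|added <relative path>"
compare_trees() {
    backup=$1; live=$2
    tmp=$(mktemp -d) || return 1
    ( cd "$backup" && find . -type f | sed 's|^\./||' | sort ) > "$tmp/bk"
    ( cd "$live"   && find . -type f | sed 's|^\./||' | sort ) > "$tmp/live"
    # in the backup but gone from the live tree: a script that cleaned up after itself?
    comm -23 "$tmp/bk" "$tmp/live" | sed 's/^/deleted /'
    # only in the live tree: uploaded files that were never part of the site
    comm -13 "$tmp/bk" "$tmp/live" | sed 's/^/added /'
    # in both: byte-compare, so a one-line edit to index.php is still reported
    comm -12 "$tmp/bk" "$tmp/live" | while IFS= read -r f; do
        cmp -s "$backup/$f" "$live/$f" || echo "changed $f"
    done
    rm -rf "$tmp"
}

# recent_files LIVE DAYS
# files whose inode change time (ctime) is within DAYS. Unlike mtime, ctime
# cannot be set with touch, so backdated timestamps still show up here.
recent_files() {
    find "$1" -type f -ctime -"$2" | sed "s|^$1/||"
}

# build_sample DIR: constructed backup/live pair, not data from any real site
build_sample() {
    mkdir -p "$1/backup/images" "$1/live/images"
    echo '<?php include "site.php"; ?>' > "$1/backup/index.php"
    echo '<?php echo "about"; ?>'       > "$1/backup/about.php"
    echo 'logo bytes'                   > "$1/backup/images/logo.txt"
    cp "$1/backup/images/logo.txt"        "$1/live/images/logo.txt"
    echo '<html>defaced placeholder</html>' > "$1/live/index.php"  # edited
    echo '<?php /* placeholder */ ?>'   > "$1/live/up.php"          # added
    # about.php is deliberately absent from live: simulates a deleted file
}

# dry run on the constructed sample
d=$(mktemp -d)
build_sample "$d"
compare_trees "$d/backup" "$d/live"
echo "--- files changed in the last 2 days ---"
recent_files "$d/live" 2
rm -rf "$d"
```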
  3. rosewood

    rosewood Member

    I'm relying on cPanel security center as I'm not sure what apache security tweaks I can apply and not break a bunch of sites.

    Unless I'm blind, I don't see anywhere to install mod_security. I did a quick search and found http://www.webhostingresourcekit.com/img/modseclarge.gif but I don't have Addon Modules under cPanel in WHM, and I'm logged in as root.

    I will look into CSF. We are going on 48 hours of no defacements after being hit at least 3-4 times a day for the last two weeks. So some of the changes I have made, I hope, are working.
     
  4. Kent Brockman

    Kent Brockman Well-Known Member

    OK, you'll find these posts interesting in order to secure your current box:
    http://forums.cpanel.net/showthread.php?t=30159
    http://www.webhostgear.com/cid_6.html
    http://www.webhostgear.com/cid_4.html


    It's true. My fault. The mod_security addon is deprecated.
    You install mod_security by recompiling Apache, selecting this module when configuring the build in EasyApache.


    CSF is a great free product. I've used APF and DDoS in the past and neither of them was as complete, stable and robust as CSF is. Also, it has a great forum community giving support and very regular updates.
     
  5. rosewood

    rosewood Member

    I did the rebuild of Apache. Do I just restart Apache and enjoy the benefits of mod_security or do I need to do anything else?
     
  6. Kent Brockman

    Kent Brockman Well-Known Member

    If you already recompiled Apache with mod_security (and preserved the same overall settings as before), you should have an extra item in WHM, under Plugins > Mod Security. You will now be able to set custom rules to block suspicious activities in your domains. I'm using the default rules and it is catching a good quantity of "routine" XSS attempts and bot scanning in several sites.
     
  7. rosewood

    rosewood Member

    Got it installed now and I edited the configuration and chose the default configuration. Thank you.

    We have one site that was defaced twice before I was brought in. The site no longer belongs to a paying customer. So, I want to use it as a honeypot of sorts.

    Any suggestions on any extra logging I can turn on to try to catch them in the act?
     
  8. Kent Brockman

    Kent Brockman Well-Known Member

    OK, mod_security will show you the blocked activity in that screen, so you can determine what's up and where.

    Next, just install CSF, which provides a very good alerting system (if you set up a good threshold config) and it will keep you up to date with every strange activity that occurs, in real time.

    http://www.configserver.com/cp/csf.html
    http://www.configserver.com/free/csf/install.txt

    Be sure to uninstall APF if you had it running, before you install CSF, since they aren't compatible.


    Another interesting monitoring measure is to install logwatch, since it will email you a daily activity report telling you who logged in, how many times, their IP, etc., and that will help you to know who did what. This is the installation script:

    Code:
    # fetch and unpack the third-party installer, then run it as root
    wget http://www.stellarcore.net/downloads/logwatch.tar.gz
    tar zxf logwatch.tar.gz
    cd logwatch
    chmod 755 install_logwatch.sh
    ./install_logwatch.sh
    Pay close attention to its documentation in order to learn what needs to be customized, since this script doesn't use a WHM panel.



    And don't forget to check activity logs to look for strange hits recorded, as stated in my first answer to this thread ;)


    And as for the defacement, are the defaced index.php files the index files of any third-party script (Joomla, WordPress, phpBB, etc.)? Revisiting the source code of those files would be a great idea to track down any vulnerable bit of code that is not validating whatever the input may be. Another good prevention method is using mod_rewrite to visually customize those dynamic URLs.
     
    #8 Kent Brockman, Aug 4, 2008
    Last edited: Aug 4, 2008
  9. brianoz

    brianoz Well-Known Member

    Running a server without suphp basically provides pretty open access to all other accounts on the server and it's trivial to find database passwords (which may be the same as cPanel user passwords). Running suphp is a really good idea! A little slower perhaps, but the server will be secure, and the speed loss isn't noticeable unless the server is getting pounded into the carpet.
     
  10. rosewood

    rosewood Member

    I will take secure over almost anything at this point.

    Can you tell me where I can check to see if we already have suphp installed, and where I would add it if not?

    Thank you.
     