The Community Forums


So how would we stop this

Discussion in 'General Discussion' started by thehostinghut, Jul 11, 2005.

  1. thehostinghut

    thehostinghut Well-Known Member

    Joined:
    Jan 5, 2005
    Messages:
    232
    Likes Received:
    0
    Trophy Points:
    16
    I have a file that was shown to me today; it is called PHPShell. It can be run in a browser window. I think you can google this and find it pretty easily.

    I don't know how to explain this other than giving you the file and letting you look at what it does.

    It is kinda like having shell access via this PHP script. What I would like to know is, outside of turning PHP safe mode on, how else would you prevent this from being run?

    If you want the file, PM me and I will get it to you. But just don't leave it on your server. I will not post it here either.

    Tracy
     
  2. amal

    amal Well-Known Member

    Joined:
    Nov 22, 2003
    Messages:
    155
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hmm, I have also seen this file.
    I block it with mod_security by putting the common filenames of the PHP shell in the SecFilter entries of the mod_security config.
    But that's not foolproof, as they can rename the file and use it.

    If there is any other method to prevent it, that would be great.
     
  3. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    You can disable most of the harmful commands with the disable_functions directive in php.ini.
    I've been using the following for several months:

    Code:
    disable_functions = passthru, system, popen, virtual, show_source, readfile, pclose
     
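As an added example (this is not code from the thread or from cPanel), here is a small POSIX shell script that reads the disable_functions line of a php.ini, reports which command-execution functions it leaves enabled, and prints a replacement line that keeps every existing entry and adds the missing ones. The list of functions it checks for is this example's own choice of what a PHP shell needs to run commands, not a cPanel default, and the php.ini it is run against is a constructed sample reproducing the line above.

```sh
#!/bin/sh
# Audit the disable_functions directive of a php.ini against the PHP functions
# that hand a web shell command execution. Added example, not cPanel code; the
# function list below is an assumption about what matters, not a cPanel default.

# PHP functions that execute an external command. Backticks in PHP call
# shell_exec, so disabling shell_exec covers those as well.
EXEC_FUNCS="exec shell_exec system passthru popen proc_open"

# Print the effective disable_functions value of the php.ini given as $1,
# one function per line. A later occurrence of the directive overrides an
# earlier one, and commented lines (leading ';') do not match the pattern.
current_disabled() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;/^$/d'
    return 0
}

# Print the functions in EXEC_FUNCS that the php.ini does not disable.
missing_disabled() {
    disabled=$(current_disabled "$1")
    for fn in $EXEC_FUNCS; do
        if ! printf '%s\n' "$disabled" | grep -qx "$fn"; then
            printf '%s\n' "$fn"
        fi
    done
    return 0
}

# Print a replacement directive that keeps every existing entry and adds the
# missing ones, sorted in C locale, so code relying on the old entries being
# disabled sees no change and only the command-execution gap is closed.
hardened_line() {
    merged=$( { current_disabled "$1"; missing_disabled "$1"; } | LC_ALL=C sort -u \
              | tr '\n' ',' | sed 's/,$//;s/,/, /g')
    printf 'disable_functions = %s\n' "$merged"
}

# Usage: sh audit_php_ini.sh /usr/local/lib/php.ini   (path is an assumption)
if [ -n "$1" ]; then
    echo "Not disabled:"; missing_disabled "$1"
    echo "Suggested line:"; hardened_line "$1"
fi
```

Run against the line above, the audit reports exec, shell_exec and proc_open as still enabled; a PHP shell that falls back to any one of them works unchanged. After editing php.ini, Apache still has to be restarted for the new value to take effect.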
  4. amal

    amal Well-Known Member

    Joined:
    Nov 22, 2003
    Messages:
    155
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi,

    Thanks for that, Casey..

    I have already disabled the system function. Will disable the others as well.. :)
     
  5. thehostinghut

    thehostinghut Well-Known Member

    Joined:
    Jan 5, 2005
    Messages:
    232
    Likes Received:
    0
    Trophy Points:
    16
    Will I need to restart anything, or will that just take effect? Stupid question, I know.

    Tracy
     
  6. neutro

    neutro Well-Known Member

    Joined:
    Apr 11, 2004
    Messages:
    70
    Likes Received:
    0
    Trophy Points:
    6
    restart Apache Webserver

    # service httpd restart
     
  7. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Just remember that this is only a single layer of security. It won't prevent someone uploading the exact same type of script in perl and running it.
     
  8. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
    Very true, indeed.
     
  9. thehostinghut

    thehostinghut Well-Known Member

    Joined:
    Jan 5, 2005
    Messages:
    232
    Likes Received:
    0
    Trophy Points:
    16
    I know... This is not on my server as far as I know. I was just wondering how to stop this if there was a good way to.

    Thanks

    Tracy
     
  10. lloyd_tennison

    lloyd_tennison Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    698
    Likes Received:
    1
    Trophy Points:
    18
    There is a Perl one; Perlnet is the name. So if someone has ideas on blocking it also.
     
  11. amal

    amal Well-Known Member

    Joined:
    Nov 22, 2003
    Messages:
    155
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Dear Chirpy,

    Is there any way I can use ACLs to prevent only the user nobody from having execute permissions on the Perl binary? I have a 2.4.31 Openwall-patched kernel...

    Thanks for your help.. :)
     
  12. richy

    richy Well-Known Member

    Joined:
    Jun 30, 2003
    Messages:
    276
    Likes Received:
    1
    Trophy Points:
    16
    Yes, by creating a new group, adding the "nobody" user to that group and then chowning the perl binary to that group and making only executable to that group.

    However, if you are not running suExec, then any Perl scripts uploaded (either via FTP, File Manager or via an insecure script) will run as nobody. If you aren't running suExec, then all Perl scripts on websites will stop.
     
  13. amal

    amal Well-Known Member

    Joined:
    Nov 22, 2003
    Messages:
    155
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hi Richy,

    Thanks for the reply. But I think you misunderstood my question. :)

    I need to PREVENT only the user nobody from running Perl scripts. Other users should have access to it; user nobody should not have access to it. I think we can do this using ACLs, but I'm not sure how to do it.

    And I have a 2.4.31-ow1 kernel.
     
  14. richy

    richy Well-Known Member

    Joined:
    Jun 30, 2003
    Messages:
    276
    Likes Received:
    1
    Trophy Points:
    16
    Hmm, might be slightly harder then. But again, you've got to take into consideration web sites which use Perl. If you block user nobody from running scripts and you ARE running suexec, then webscripts will continue to run; however, "upload hacks" will run as the user whose site was exploited (therefore the restriction won't make a difference). If you aren't running suexec, then all Perl-driven webscripts will stop (as Apache runs as "nobody" and hence all the scripts will be run as "nobody"). If you are not running Perl scripts on any site on your server and have no plans to, then you should be "safe" to implement any ACL produced by anyone else.
     
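As an added example of the ACL approach asked about above (not code from the thread or from cPanel), the following POSIX shell script adds a named-user ACL entry that removes all access to an interpreter for one account while leaving the owner, group and other permissions, and every other user, untouched. The user name `nobody`, the interpreter paths in the usage comment and the `DRY_RUN` switch are this example's own assumptions; it needs the `setfacl`/`getfacl` tools and a filesystem mounted with ACL support.

```sh
#!/bin/sh
# Remove all access to an interpreter for one named user with a POSIX ACL, so
# "nobody" (Apache without suexec) cannot run it while every other account keeps
# its normal permissions. Added example, not from the thread or cPanel; the
# user name and the DRY_RUN switch are this example's own assumptions.
# Needs the acl package (setfacl/getfacl) and an ACL-enabled filesystem.

# The ACL entry that denies the named user read, write and execute. A named
# user entry is checked before the group and other entries, so it wins even
# though "others" keep their execute bit.
acl_spec() {
    printf 'u:%s:---\n' "$1"
}

# Apply the deny entry to every path given after the user name. With DRY_RUN=1
# the command is printed instead of run. Missing paths are reported and skipped;
# a failed setfacl, or an ACL that does not read back as expected, returns 1.
deny_user_exec() {
    user=$1
    shift
    for bin in "$@"; do
        if [ ! -f "$bin" ]; then
            echo "skip: $bin does not exist" >&2
            continue
        fi
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "setfacl -m $(acl_spec "$user") $bin"
        else
            setfacl -m "$(acl_spec "$user")" "$bin" || return 1
            # Read the ACL back and confirm the deny entry is really in place.
            getfacl --omit-header "$bin" 2>/dev/null | grep -q "^user:$user:---" || return 1
        fi
    done
    return 0
}

# Usage as root: sh deny_perl.sh nobody /usr/bin/perl /usr/local/bin/perl
# Every copy of the interpreter on the box needs the entry (check: which -a perl);
# a script's #! line will use whichever one is still executable.
if [ -n "$1" ]; then
    deny_user_exec "$@"
fi
```

The caveats in the reply above still apply: without suexec every Perl CGI on the server runs as nobody and stops working, and with suexec an uploaded script runs as the site owner, whom this entry does not touch. The entry also removes read access, so nobody cannot copy the binary elsewhere either; but a Perl built or uploaded into a directory that user can write to is a different file with no such ACL.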
  15. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Indeed. It's almost impossible to guard against, and you really should approach the issue from the other way round and secure your server so that the running of such a script has little implication (i.e. study Unix file and directory permissions). And, to an extent, understand that this sort of thing is completely inevitable in a shared hosting environment. That's why you should never store any sensitive information on the actual server, especially unencrypted.
     
  16. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Disabling that much is actually really annoying to application developers. For instance, readfile is commonly used in real code, and most of the others can get used in real code. I agree with Chirpy in his previous statement - make sure your server is secure, then this sort of thing will have little effect. Otherwise you're just playing "disable hopscotch" - as you discover new features that could be subverted, you disable them, until nothing useful is left to disable. :)
     