Solutions for handling symlink attacks

Status
Not open for further replies.

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
I see them all the time on unpatched servers; a few times a week at a bare minimum.

Script kiddies have one-click scripts that will auto-own every Joomla and WordPress site on a cPanel server if it's not using the race condition protection (available in EA) or CloudLinux with securelinks on.
 

Venomous21

Well-Known Member
Jun 28, 2012
85
0
6
cPanel Access Level
Root Administrator
I'm running the latest version of apache 2.2 and php 5.3. In EA under exhaustive options list, if I enable "Symlink Race Condition Protection" will this protect me from these types of attacks?

Will this update impact my current sites i.e. require code updates or should there be minimal to no disruption on my current sites when enabling this protection?

Thank you!
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
> I'm running the latest version of apache 2.2 and php 5.3. In EA under exhaustive options list, if I enable "Symlink Race Condition Protection" will this protect me from these types of attacks?
>
> Will this update impact my current sites i.e. require code updates or should there be minimal to no disruption on my current sites when enabling this protection?
>
> Thank you!

Yes, it will.

As long as you are using SuPHP and the web content of your users is owned properly on the system (i.e. files to be served are owned by the cPanel account they are in) you should be fine. If you are -not- using SuPHP and you need to serve some files owned by other users (i.e. nobody, root) then I'd recommend the rack911 style patch for apache 2.2. Honestly though, SuPHP and the Race Condition protection option in EA are your best bet aside from kernel-level / OS level protections like CloudLinux / CageFS.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,245
463
> But, I heard SuPHP will not be supporting future versions of PHP.
I don't foresee any immediate problems with using suPHP. The idea of supporting a fork of mod_suphp is under evaluation, but plans are not definitive at this point (Internal case 68789).

Thank you.
 

Venomous21

Well-Known Member
Jun 28, 2012
85
0
6
cPanel Access Level
Root Administrator
What version of php is retiring suPHP and what's a good replacement?

When installing "symlink race condition protection" in EA, I got a warning message about it possibly causing a performance hit. How much of a concern is this performance hit and how much do you think it will impact a server percentage wise? Any info is appreciated so I can better understand it. Thank you!
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
There is a small amount of overhead created by Apache checking file ownership before serving files. While technically it does make things less efficient, I have not noticed any significant loss of server efficiency from using the "symlink race condition protection" in EA. I have now deployed that patch on numerous production servers.

Compared with having to restore countless accounts, the patch is a much better option ;)
 

mamxalid

Registered
May 27, 2014
1
0
1
cPanel Access Level
DataCenter Provider
Looks like this must be the latest and greatest hack out there, because I just encountered the identical issue with one of my own servers. I've been hard-pressed to find anything documented on how to prevent this.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,245
463
You may want to contact Rack911 to report that issue, but note that the post referenced in my previous reply states that filesystem level solutions are better alternatives.

Thank you.
 

konrath

Well-Known Member
May 3, 2005
366
1
166
Brasil
> You may want to contact Rack911 to report that issue, but note that the post referenced in my previous reply states that filesystem level solutions are better alternatives.
>
> Thank you.

I have a much simpler solution, without the need to change the compiled architecture of Apache, PHP, etc. :)

Change the permissions of the target files. This will make it so the hacker cannot view the contents.

Use permissions 660 or 640.

Create a file and put the lines below in it. Save the file and give it permission 755.

After this, configure your cron to run the script once per day, overnight.

This is not 100% safe. Files that have not received the new permissions may still be viewed by the hacker.

This is a list of common target files when an attack happens via symlink.

Thank you
Konrath

Code:
#!/bin/bash
# Tighten the permissions of common CMS configuration files under every
# account's public_html so that other local users cannot read them.
NAMES=(wp-config.php inc.php connect.php mk_conf.php Settings.php configure.php
       conf.php conf_global.php config.inc.php configuration.php dist-configure.php)

# Build a parenthesised "-name A -o -name B ..." expression so that -type f
# applies to every name, not only to the first one.
EXPR=()
for n in "${NAMES[@]}"; do
    [ "${#EXPR[@]}" -gt 0 ] && EXPR+=(-o)
    EXPR+=(-name "$n")
done

for dir in /home/*/public_html/; do
    [ -d "$dir" ] || continue
    # -print0 / -0 keep file names with spaces intact; -r skips empty input
    find "$dir" -type f \( "${EXPR[@]}" \) -print0 | xargs -0 -r chmod 0660 --
done
 

konrath

Well-Known Member
May 3, 2005
366
1
166
Brasil
Hello

Any comments regarding my suggestion? The first suggestion was that you should change file permissions.

When there are 3 comments, I will teach you how to automatically suspend a hacked account that creates symlinks. Your server will detect and automatically suspend the hacked account.

I will not write for ghosts.

I reaffirm. You do not need to change the structure of your server.

You just need to know how to defend. You can use your server even with the security flaw.

The tips will work for suPHP.

Thank you
Konrath
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
> Hello
>
> Any comments regarding my suggestion? The first suggestion was that you should change file permissions.
>
> When there are 3 comments, I will teach you how to automatically suspend a hacked account that creates symlinks. Your server will detect and automatically suspend the hacked account.
>
> I will not write for ghosts.
>
> I reaffirm. You do not need to change the structure of your server.
>
> You just need to know how to defend. You can use your server even with the security flaw.
>
> The tips will work for suPHP.
>
> Thank you
> Konrath
There are plenty of solutions, if you have something you want to share with the community just share it.

It would not be hard to detect/suspend accounts with a script, I could probably do it in 10 lines or less of bash code if I really needed to.

As far as your solution, I'd still much rather rely on kernel / file system level protections than scripted permissions changes.
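Two points in this thread lend themselves to one small script: quizknows's earlier reply, that the race-condition protection only helps when the files Apache serves are owned by the account they sit in (so the check at serve time is "does the symlink's owner match the target's owner?"), and the remark just above that detecting and suspending an account that has planted cross-account symlinks is a few lines of shell. The script below is an added example written for this page, not code from the thread or from cPanel. It audits each account's public_html for symlinks that resolve outside that account's home or whose target is owned by a different user, and offers a dry-run suspend hook. It assumes GNU coreutils (readlink -f, stat -c), a /home/ACCOUNT/public_html layout, and that cPanel's /scripts/suspendacct exists on the host (the thread does not mention it).

```shell
#!/bin/sh
# Added example (not code from this thread): audit every account's public_html
# for symlinks that point outside the owning account's home directory or at a
# target owned by a different user. The owner comparison is the same condition
# the Apache "symlink race condition protection" enforces when serving a file;
# the home-escape check is what a cron-driven auto-suspend would key on.
# Assumes GNU coreutils (readlink -f, stat -c) and a cPanel-style /home layout.

# Print one line per finding: "ACCOUNT LINK -> TARGET (REASON)".
_scan_report() {
    root="$1"
    for home in "$root"/*/; do
        home="$(readlink -f -- "${home%/}")" || continue
        acct="$(basename -- "$home")"
        [ -d "$home/public_html" ] || continue
        # Newline-delimited for portability; a name with an embedded newline would mis-report.
        find "$home/public_html" -type l | while IFS= read -r link; do
            target="$(readlink -f -- "$link")" || continue
            case "$target/" in
                "$home"/*) ;;   # resolves inside the account's own home: fine
                *) printf '%s %s -> %s (escapes home)\n' "$acct" "$link" "$target" ;;
            esac
            [ -e "$target" ] || continue   # dangling link: nothing to compare owners on
            link_owner="$(stat -c %U -- "$link")"       # owner of the link itself
            target_owner="$(stat -c %U -- "$target")"   # owner of what it points at
            if [ "$link_owner" != "$target_owner" ]; then
                printf '%s %s -> %s (owner %s != %s)\n' \
                    "$acct" "$link" "$target" "$link_owner" "$target_owner"
            fi
        done
    done
}

# scan_symlinks [HOME_ROOT]: prints the report and returns 1 if anything was
# flagged, 0 if the tree is clean. HOME_ROOT defaults to /home.
scan_symlinks() {
    report="$(_scan_report "${1:-/home}")"
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Reactive hook for cron: suspend each flagged account. Dry-run unless
# DO_SUSPEND=1. The suspend command is cPanel's /scripts/suspendacct, which
# this example assumes exists on the host (it is not shown in the thread).
suspend_flagged() {
    scan_symlinks "${1:-/home}" | awk '{print $1}' | sort -u | while IFS= read -r acct; do
        if [ "${DO_SUSPEND:-0}" = 1 ]; then
            /scripts/suspendacct "$acct" "symlink to foreign target found"
        else
            echo "would run: /scripts/suspendacct $acct"
        fi
    done
}
```

Run `scan_symlinks` from cron and alert on a non-zero exit, or call `suspend_flagged` with DO_SUSPEND=1 once you trust the report. Note that this is exactly the reactive approach the next reply argues against: it catches a planted symlink minutes after the fact, whereas the EA patch or CloudLinux refuses to serve it in the first place, so treat the script as a detection layer on top of those, not a replacement.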
 

konrath

Well-Known Member
May 3, 2005
366
1
166
Brasil
> There are plenty of solutions, if you have something you want to share with the community just share it.
>
> It would not be hard to detect/suspend accounts with a script, I could probably do it in 10 lines or less of bash code if I really needed to.
>
> As far as your solution, I'd still much rather rely on kernel / file system level protections than scripted permissions changes.


Hello Quizknows

mod_ruid + jailshell [RECOMMENDED]: ???
----------------------------------------
Downside: Requires cPanel 11.38 (RELEASE soon), doesn't scale well on CentOS5/RHEL5 (ok if < 256 users), requires mod_ruid2, marked EXPERIMENTAL

If you believe this is a good solution, OK.
I do not like it. I tested it and had terrible results, such as crashes, with Apache Tomcat not working.
----------------------------------------



cagefs [RECOMMENDED]: ????
----------------------------------------
Downside: Nominal fee (requires CloudLinux), requires cagefsctl --update when changes are made

This is a ridiculous solution to a simple problem.
----------------------------------------


I will not comment on the other solutions. They are all ridiculous.
It is very simple to detect a hacked site with self-suspension.




You said.
---------
It would not be hard to detect/suspend accounts with a script, I could probably do it in 10 lines or less of bash code if I really needed to.

Great. So if 10 lines solve the problem, why choose one of the other patches?


I developed my own solution. Very simple. Does not require fees or rebuilds the architecture of the server.

Your Tomcat will work. There will be no need to recompile the kernel or to pay fees.

It's as simple as detecting a source of spam.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
> You said.
> ---------
> It would not be hard to detect/suspend accounts with a script, I could probably do it in 10 lines or less of bash code if I really needed to.
>
> Great. So if 10 lines solve the problem, why choose one of the other patches?
I choose the other patches because they are proactive not reactive solutions. Even the symlink race condition patch (free) in easyapache is fine, and I've had very good results with that.

It only takes moments for a hacker to create or extract symlinks if they compromise a CMS (which we all know happens all the time). I'd rather not cron something to suspend an account, when I can have a solution in place to be sure that account cannot affect other users.

Your solution only protects config files: it does not protect other users' code, nor a simple symlink to / which gains the ability to read files such as /etc/passwd.

I do agree however that mod_ruid2 is not really production ready for a good percentage of people. Fixing the ModSecurity issues with it however was a great step.
 