- Status
I see them all the time on unpatched servers; a few times a week at a bare minimum.
Script kiddies have one-click scripts that will auto-own every joomla and Wordpress site on a cPanel server if it's not using the race condition protection (available in EA) or cloudlinux with securelinks on.
Script kiddies have one-click scripts that will auto-own every joomla and Wordpress site on a cPanel server if it's not using the race condition protection (available in EA) or cloudlinux with securelinks on.
Last edited:
I'm running the latest version of apache 2.2 and php 5.3. In EA under exhaustive options list, if I enable "Symlink Race Condition Protection" will this protect me from these types of attacks?
Will this update impact my current sites i.e. require code updates or should there be minimal to no disruption on my current sites when enabling this protection?
Thank you!
Will this update impact my current sites i.e. require code updates or should there be minimal to no disruption on my current sites when enabling this protection?
Thank you!
Yes, it will
As long as you are using SuPHP and the web content of your users is owned properly on the system (i.e. files to be served are owned by the cPanel account they are in) you should be fine. If you are -not- using SuPHP and you need to serve some files owned by other users (i.e. nobody, root) then I'd recommend the rack911 style patch for apache 2.2. Honestly though, SuPHP and the Race Condition protection option in EA are your best bet aside from kernel-level / OS level protections like CloudLinux / CageFS.
I don't foresee any immediate problems with using suPHP. The idea of supporting a fork of mod_suphp is under evaluation, but plans are not definitive at this point (Internal case 68789).
Thank you.
What version of php is retiring suPHP and what's a good replacement?
When installing "symlink race condition protection" in EA, I got a warning message about it possibly causing a performance hit. How much of a concern is this performance hit and how much do you think it will impact a server percentage wise? Any info is appreciated so I can better understand it. Thank you!
When installing "symlink race condition protection" in EA, I got a warning message about it possibly causing a performance hit. How much of a concern is this performance hit and how much do you think it will impact a server percentage wise? Any info is appreciated so I can better understand it. Thank you!
There is a small amount of overhead created by Apache checking file ownership before serving files. While technically it does make things less efficient, I have not noticed any significant loss of server efficiency from using the "symlink race condition protection" in EA. I have now deployed that patch on numerous production servers.
Compared with having to restore countless accounts, the patch is a much better option
Compared with having to restore countless accounts, the patch is a much better option
benito
Well-Known Member
I have a couple of questions.
1. Disabling shell for everyone does not solves this problem?
2. After enabling " Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell." i have to do anything else?
Thanks
1. Disabling shell for everyone does not solves this problem?
2. After enabling " Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell." i have to do anything else?
Thanks
benito
Well-Known Member
Looks like this must be the latest and greatest hack out there because I just encountered the identical issue with one of my own server. I've been hard-pressed to find anything documented of how to prevent against this
Last edited by a moderator:
Were you able to review the post at https://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242-p23.html#post1397221 ?
You may want to contact Rack911 to report that issue, but note that the post referenced in my previous reply states that filesystem level solutions are better alternatives.
Thank you.
Thank you.
I have a much simpler solution without the need to change the architecture compilation of Apache, PHP and etc...
Change the permissions of the target files. This will make the hacker can not view the contents.
Use permissions 660 or 640
Create a file and put this lines bellow. Save the file and put permission 755.
After this, configure your cron to run the script 1 time per day, Overnight.
This is not 100% safe. Files that have not received new permissions may be viewed by the hacker.
This is a list of common files when an attack happens via symlink.
Thank you
Konrath
Code:
find /home/a*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/b*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/c*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/d*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/e*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/f*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/g*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/h*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/i*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/j*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/k*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/l*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/m*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/n*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/o*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/p*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/q*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/r*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/s*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/t*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/u*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/v*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/w*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/x*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/y*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
find /home/z*/public_html/ -type f -name "wp-config.php" -or -name "inc.php" -or -name "connect.php" -or -name "mk_conf.php" -or -name "Settings.php" -or -name "configure.php" -or -name "conf.php" -or -name "conf_global.php" -or -name "config.inc.php" -or -name "configuration.php" -or -name "dist-configure.php" | xargs chmod 0660 --
Last edited:
Hello
Any comments regarding my suggestion? The first suggestion was that, you should change files permissions.
When there are 3 comments, I will teach you automatically suspend a hacked account to create symlinks. Your server will detect and suspend automatically the account hacked.
I will not write for ghosts.
I reaffirm. You do not need to change the structure of your server.
You just need to know how to defend. You can use your server even with the security flaw.
The tips will work for suPHP.
Thank you
Konrath
Any comments regarding my suggestion? The first suggestion was that, you should change files permissions.
When there are 3 comments, I will teach you automatically suspend a hacked account to create symlinks. Your server will detect and suspend automatically the account hacked.
I will not write for ghosts.
I reaffirm. You do not need to change the structure of your server.
You just need to know how to defend. You can use your server even with the security flaw.
The tips will work for suPHP.
Thank you
Konrath
There are plenty of solutions, if you have something you want to share with the community just share it.
It would not be hard to detect/suspend accounts with a script, I could probably do it in 10 lines or less of bash code if I really needed to.
As far as your solution, I'd still much rather rely on kernel / file system level protections than scripted permissions changes.
Hello Quizknows
mod_ruid + jailshell [RECOMMENDED]: ???
----------------------------------------
Downside: Requires cPanel 11.38 (RELEASE soon), doesn't scale well on CentOS5/RHEL5 (ok if < 256 users), requires mod_ruid2, marked EXPERIMENTAL
If you believe this is a good solution. Ok
I do not like. Tested and have terrible results as crashes in Apache Tomcat not working.
----------------------------------------
cagefs [RECOMMENDED]: ????
----------------------------------------
Downside: Nominal fee (requires CloudLinux), requires cagefsctl --update when changes are made
Is this ridiculous solution to a simple problem.
----------------------------------------
I will not comment other solutions. Are all ridiculous.
It is very simple to detect a site hacked with self suspension.
You said.
---------
It would not be hard to detect/suspend accounts with a script, I could probably do it in 10 lines or less of bash code if I really needed to.
Great. So if 10 lines solve the problem, whychoose one of the other patches?
I developed my own solution. Very simple. Does not require fees or rebuilds the architecture of the server.
Its TOMCAT will work. There will need to recompile kernel or fees to be paid.
It's as simple as detecting a source of spam.
I choose the other patches because they are proactive not reactive solutions. Even the symlink race condition patch (free) in easyapache is fine, and I've had very good results with that.
It only takes moments for a hacker to create or extract symlinks if they compromise a CMS (which we all know happens all the time). I'd rather not cron something to suspend an account, when I can have a solution in place to be sure that account cannot affect other users.
Your solution only protects config files: it does not protect other users code, nor a simple symlink to / which gains the ability to read files such as /etc/passwd.
I do agree however that mod_ruid2 is not really production ready for a good percentage of people. Fixing the ModSecurity issues with it however was a great step.
- Status
| Thread starter | Similar threads | Forum | Replies | Date |
|---|---|---|---|---|
| K | Security Policy Handling Failed | Security | 4 | |
|
Solutions for handling ddos attacks? | Security | 3 | |
| P | Security Handling [improving the error message is CPANEL-5713] | Security | 2 | |
| H | Not find any solutions after my port 2086/2087 Blocked :'( | Security | 1 | |
| O | What anti-virus solutions? | Security | 93 |