Solutions for handling symlink attacks

[konrath]

Anyone reading this and are having problems, know that you can create a script that detects and suspends the account hacked. You can run cron every 1 minute. It is the time required for the hacker can not do anything. The solution is extremely simple.

The Quizknows is correct. With less than 10 lines you can detect a hacked to create symlinks and automatically suspend account.

I'm not a programmer but I could make a script that detects and suspends the account in 1 minute.


Before applying any correction reported here, be careful. You will have problems choosing any alternative. The most practical way is the detection and automatic account suspension. Simple and functional.

It is also important to run a script to change the permissions of files common exploited by hackers.

Your only job after that is to inform your client that the site is vulnerable.

The solution suspending the account in 1 minute maximum. The hacker does not have time for anything.

All very simple.


Thank you
Konrath

 

[quizknows]

Running unnecessary cron jobs every minute on a production server? No thanks.

By the way, addon domains can be created in /home/user/ outside of public_html.

 

[konrath]

I choose the other patches because they are proactive not reactive solutions. Even the symlink race condition patch (free) in easyapache is fine, and I've had very good results with that.

It only takes moments for a hacker to create or extract symlinks if they compromise a CMS (which we all know happens all the time). I'd rather not cron something to suspend an account, when I can have a solution in place to be sure that account cannot affect other users.

Your solution only protects config files: it does not protect other users code, nor a simple symlink to / which gains the ability to read files such as /etc/passwd.

I do agree however that mod_ruid2 is not really production ready for a good percentage of people. Fixing the ModSecurity issues with it however was a great step.

As the hacker will compromise the accounts if he can not see the passwords (mysql password) due to change permission?

You know exactly what you're talking about?

If you run a script to change the permissions of the file wp-config.php and configuration.php etc., these accounts will not be compromised!

Do this every night. Only accounts created after running that could be hacked.

Moreover, the hacker will have 1 minute maximum to hack the new accounts (created after the execution of permission change).

- - - Updated - - -

Running unnecessary cron jobs every minute on a production server? No thanks.

By the way, addon domains can be created in /home/user/ outside of public_html.

You said knowing a solution of 10 lines!

I do look a cron file with only 20 lines! Absolutely no extra load!!

Extremely function. Not consumes 0.0001% CPU!

 

[quizknows]

I work an abuse desk 40+ hours a week for a cPanel host that has somewhere around 20,000 dedicated servers. My full time job is investigating, securing, and cleaning cPanel servers (and the occasional non-cpanel like plesk, bare centOS, and even some windows systems). So yes, I know exactly what I'm talking about.

What about wp-config.backup? what about other code comments? includes files? custom CMSes?

Your solution has many flaws. Sure it's effective for a lot of things but you cannot sit here and act like it's 100% effective because it is not.

 

[konrath]

Running unnecessary cron jobs every minute on a production server? No thanks.

By the way, addon domains can be created in /home/user/ outside of public_html.

Sorry Quizknows

The solution I created the cron runs every 1 minute. Not consumes 0.0001 CPU.

It is a check in a file with less than 30 lines. This file has the name of the site being hacked and to detect script suspends the account.

You could run 1 time per second that WILL NOT GENERATE HIGH LOAD.

 

[quizknows]

If the solution works for you, then great. I'm glad you found a solution you are happy with.

 

[konrath]

I work an abuse desk 40+ hours a week for a cPanel host that has somewhere around 20,000 dedicated servers. My full time job is investigating, securing, and cleaning cPanel servers (and the occasional non-cpanel like plesk, bare centOS, and even some windows systems). So yes, I know exactly what I'm talking about.

What about wp-config.backup? what about other code comments? includes files? custom CMSes?

Your solution has many flaws. Sure it's effective for a lot of things but you cannot sit here and act like it's 100% effective because it is not.

Have you read the source code of the script that makes the hack?

He just tries to look MYSQL passwords!

If you change the permissions of the configuration files, the hacker does not have access even if the symlink is created.

And detect the activity of the script is very simple. Adding that with the new file permissions and detection of malicious script in 1 minute, the hacker loses!

- - - Updated - - -

If the solution works for you, then great. I'm glad you found a solution you are happy with.

Yes, it works perfectly.

I'm talking about that in the universe of users of cPanel, these options presented are complex for most users.

Comes to border on the ridiculous!

Not much complexity is needed to solve the problem!

 

[quizknows]

Assuming you only deal with script kiddies, or the same hacker, sure. I have copies of many different symlink hack scripts (and plenty of other scripts too) so yes I have read it. I probably report 20 new undetected scripts to maldet every week.

I agree, your defense should work against the most common symlink hack scripts. I'm talking about dealing with a sophisticated hacker trying to gain information from your system, not just the average botnet scripted attack. While defending against the most common scripts is important, you also have to account for outside scenarios. Always assume different layers of your security may fail; account for security on as many levels as possible.

 

[konrath]

My English is terrible. I apologize for my mistakes in English.

I can guarantee that 80% of users of CPANEL are too laity to use the fixes presented here.

Furthermore, are problematic or paid.

Or your TOMCAT does not work
Or do you have to pay fees

Besides other problems after using the patches!

- - - Updated - - -

Assuming you only deal with script kiddies, or the same hacker, sure. I have copies of many different symlink hack scripts (and plenty of other scripts too) so yes I have read it. I probably report 20 new undetected scripts to maldet every week.

I agree, your defense should work against the most common symlink hack scripts. I'm talking about dealing with a sophisticated hacker trying to gain information from your system, not just the average botnet scripted attack. While defending against the most common scripts is important, you also have to account for outside scenarios. Always assume different layers of your security may fail; account for security on as many levels as possible.

This solution to suspend the account automatically solve ANY kind of problem with symlink hack

1) The hacker can not see the file because of new permission in the files

2) The hacker does not have time to develop the work. In 1 minute account is suspended.

Of course, your server must be running under suPHP.

Can you introduce me to ANY SCRIPT symlink attack. The solution that I will block. ANY!

 

[quizknows]

How do you detect the hacked account? Just the presence of a symlink within public_html?

Again you rely on one layer of protection; what if crond was stopped? It's rare, but it happens.

 

[konrath]

How do you detect the hacked account? Just the presence of a symlink within public_html?

Again you rely on one layer of protection; what if crond was stopped? It's rare, but it happens.

I'll just make a short introduction

It all starts by CSF.

You need to do a filter on incoming emails (LDF)

You get thousands of emails from the server, correct?

So doing a filter you separate the important delivered by LDF

i.e:

If email has subject with ( Suspicious ) and body has ( bash or perl /tmp )

Then in your filter, you separate the emails with important keywords.


Every server, you have 1 email per day, or 1 email per week, referring to a hacked site. I averaged 3000 websites hosted by server. The problem happens 1 time per week on average.

Your cron will only look at this email (the important email separated in the filter) and detect the flagged account as dangerous then simply suspend automatically.

- - - Updated - - -

Look. You will look 1 email filtered per day or per week. No more than 30 lines. This does not generate high load.

Your script will check the username and suspend the account hacked.

Amazingly Simple!

- - - Updated - - -

Moreover, this protection will beyond the symlink attack.

This will serve to protect any script in PERL or BASH running.

The protection is broader than the corrections presented here by cPanel.

 

[mpkapadia]

Hello

I had a question about this

Jail Apache Virtual Hosts using mod_ruid2 and cPanel® jailshell

When I Installed mod_ruid2 And after that under Tweak Settings if I put the above option to ON , then all my PHP files show internal server error.

What could be wrong. Mod su_php is also enabled on the server.

 

[quizknows]

Make sure any .php files are owned by the vhost owner (the user account). If that does not fix it, any internal server errors should be logged in the apache error log. Check there for an error message and post it if you need help.

 

[mpkapadia]

Ownership of files and folders is correct . They are owned by that particular user only.
Here is what I observed further . If under Manage Shell Access that user is granted NORMAL SHELL then the website works fine .
If its set to JAILED Shell or No Shell then I get the 500 Error.

 

[cPanelMichael]

Ownership of files and folders is correct . They are owned by that particular user only.
Here is what I observed further . If under Manage Shell Access that user is granted NORMAL SHELL then the website works fine .
If its set to JAILED Shell or No Shell then I get the 500 Error.

I suggest starting a separate thread and posting the output from the Apache error log regarding the "500 Internal Server Error" message so we can investigate further.

Thank you.

 

[asd_asd]

Hi konrath,
after i read all your reasons, i prefer your solution.
Can you send me or post a tutorial with all steps to set your solution?
Thanks.

 

[quizknows]

Hi konrath,
after i read all your reasons, i prefer your solution.
Can you send me or post a tutorial with all steps to set your solution?
Thanks.

As a security professional responsible for thousands of cPanel servers I recommend you use a real solution that does not reply on crontab or AV detection. If you use SuPHP, simply select the Symlink Race Condition protection option in EasyApache. Otherwise review the other options here https://forums.cpanel.net/f185/solutions-handling-symlink-attacks-202242-p23.html#post1397221

 

[asd_asd]

ok. i'm interested also in the use of cageFs but i not understand if i can use it with a centos distribution...
Than How much should I pay to use it? how i make the payment?


Sorry for my bad english.

 

[quizknows]

Cloudlinux can be installed as an addon to CentOS. Some hosting providers can help you with that.

CloudLinux OS

CloudLinux Documentation

 

[mywhm]

About: Symlink Race Condition Protection (EasyApache)

Warning:

The following options are not recommended, as they can be circumvented by experienced malicious users. You should only use one of these options as a last resort if you cannot implement any of the above options.


Downside

Protection from this patch is not as good as a kernel-level or a filesystem-level solution.
This patch may slow the performance of high-traffic servers.

I personally would use grsecurity with selinux in mode permissive (Send alert via email or suspend account)