
The Community Forums


Solutions for handling symlink attacks

Discussion in 'Security' started by HostingH, Apr 8, 2011.

Thread Status:
Not open for further replies.
  1. ThinIce

    ThinIce Well-Known Member

    Joined:
    Apr 27, 2006
    Messages:
    352
    Likes Received:
    7
    Trophy Points:
    168
    Location:
    Disillusioned in England
    cPanel Access Level:
    Root Administrator
    One of the attractive points of CloudLinux is that it lets administrators without the requisite experience get similar levels of protection without having to roll their own grsecurity kernel for CentOS.

    I'm saying that on the basis that I'm not aware of a trustworthy repository or good set of documentation for producing a functioning cPanel-compatible grsec kernel; there seems to be a rather bloody-minded view along the lines of "if I've had to go through the pain and time of producing such a thing, I won't share the goodies."

    I know that makes sense from a commercial point of view; perhaps I'm just getting crabby in my old age.
     
    #401 ThinIce, Jul 3, 2014
    Last edited: Jul 3, 2014
  2. asd_asd

    asd_asd Registered

    Joined:
    Jun 26, 2014
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner


    Hi konrath,
    I have seen the CageFS solution and proposed it to my boss, but he does not agree to paying a monthly fee.
    Would it be possible to have a tutorial for your solution? I need the script that I have to run from cron every minute to change permissions, and the script that sends the mail advising of the account suspension...
    Thanks a lot.
     
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    983
    Likes Received:
    76
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Symlink race condition protection in EasyApache is free, and offers more comprehensive protection than Konrath's solution.

    While I have seen proof-of-concept to bypass the old rack911 patch, I never saw a hacker try to do it. I have not seen proof of concept to bypass the symlink race condition patch in EasyApache. I have seen it stop many symlink attack attempts.
     
  4. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Brasil
    Hello asd_asd

    Run this script from cron every minute.

    I'm not a programmer, but it helps me. It can be improved.

    1) You need to configure your server to receive all emails from CSF.

    2) You need to create a second email account to receive the filtered emails. This email account is checked every minute to see if there are new emails. The script below will do this and suspend the account.


    Create a file called hack and put it in /usr/local/hack/ (for example),
    then chmod 755 the file.


    Put this in cron:

    */1 * * * * /usr/local/hack/hack

    Configure in this script:

    1) USER (user account) (line 1 and line 6)
    2) WEBSITE (website name) (line 1 and line 6)
    3) USEREMAIL (email user) (line 1 and line 6)
    4) YOUREMAIL (put your email here to receive notifications)


    grep -h '^Account:' /home/USER/mail/WEBSITE/USEREMAIL/new/* > userhack 2>/dev/null   # -h: no file-name prefix when several mails match in the same minute
    us=`cut -d ":" -f 2- userhack | tr -d ' ' | sort -u`                                   # account name(s) after "Account:", one per line, no duplicates
    [ -n "$us" ] && for u in $us; do /scripts/suspendacct "$u" "Website hacked" 1; done   # suspend each account once; do nothing when the mailbox is empty
    [ -n "$us" ] && echo "$us" | mail -s "PERL HACK $(echo $us) suspended" YOUREMAIL        # YOUREMAIL: the address that receives the notification
    rm -f userhack
    rm -rf /home/USER/mail/WEBSITE/USEREMAIL/new/*

    Filter the email received from CSF and send it to the destination email:

    (attachment: hack_filter.png)

    This second filter should be placed in the second email account to avoid false positives:

    (attachment: filter_in_second_email.png)


    IMPORTANT !!!!!!

    This filter is tuned to detect perl files running in /tmp. You can and should create other filters.


    IMPORTANT !!!!!!

    Edit the file called filealert.txt in /etc/csf/alerts and change the word Owner: to Account:

    Final result (e.g.):

    From: root
    To: root
    Subject: lfd on [hostname]: Suspicious File Alert
    Time: [time]
    File: [file]
    Reason: [reason]
    Account: [owner]
    Action: [action]


    How it works:

    1) You need to have 2 email accounts.
    1.1) The first email account receives all emails from CSF.
    1.2) The second email account receives the filtered emails.

    The script checks every minute and suspends the account (user) named in the filtered email.


    --------------------------------------

    To finish, another tip. I'll post this solution here too if you need it.

    I have a script that blocks ANY site from running perl files via port 80. If a site runs
    hxxp://www.sitename.com/hack.pl
    it will be suspended automatically.

    --------------------------------------
     
    #404 konrath, Jul 12, 2014
    Last edited: Jul 12, 2014
  5. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Brasil
    Sorry, but you are wrong.

    Their logic is:

    If you are a professional in security then you should close all the doors of your server. Preferably turn off your server.

    My recommendation works as a complement to the firewall.
    My suggested protection is not 100% safe, and nothing is 100% safe.

    My suggestion even protects against other threats, not just symlink attacks.

    If this verification system that I am proposing were present in the firewall, you would find it beautiful and wonderful. I'm sure you would activate it.
     
    #405 konrath, Jul 12, 2014
    Last edited: Jul 12, 2014
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    983
    Likes Received:
    76
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Your script is a work-around, not a patch. Simple as that. I'm not saying it's horrible, I'm saying there are safer, easier, and more effective alternatives for preventing symlink hacks.

    Your solution is effective for suspending a single compromised account, and I give it credit for that. However it should not be relied on as your only defence against cross-account symlink attacks.
     
  7. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Brasil
    Hello asd_asd

    I have a script that blocks ANY site from running perl files via port 80. If a site runs
    hxxp://www.sitename.com/hack.pl
    it will be suspended automatically.

    This is another layer of protection. Do you want it?

    - - - Updated - - -

    What if this solution were present in the firewall you use?

    The firewall has several band-aids. This could be one.

    It could be better written and put in future CSF versions.

    Don't you agree?
     
  8. davidhan

    davidhan Member

    Joined:
    Sep 18, 2014
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    technewonline
    cPanel Access Level:
    Website Owner
    Hi!
    You cannot make all of your files 600, as that can break many web applications on the server.
    Also, you can't control whether users change the permissions of the files themselves.
     
  9. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    166
    Location:
    Brasil

    Please read completely what I wrote.

    Thank you.
     
  10. abdelhost77

    abdelhost77 Well-Known Member

    Joined:
    Apr 25, 2012
    Messages:
    89
    Likes Received:
    1
    Trophy Points:
    58
    cPanel Access Level:
    Root Administrator
    Hello, if you use Apache with "symlink race condition protection" and suPHP, I advise that you also add this layer of security, which consists of suspending any user executing Perl, Python, CGI, etc. from Apache.
    In fact you just have to create a script that will check
    /var/log/httpd/suexec_log
    I can provide the script if you want.
    By doing that with a crontab of 1 min, for example, a special hacker will not have any chance to bypass the "symlink race condition protection", because the account from which he has access will be suspended once he tries to launch any perl, python or cgi script, even if he changes the ".pl" extension and executes a perl script such as /home/xx/public_html/test.test.
     
    #410 abdelhost77, Nov 20, 2014
    Last edited: Nov 20, 2014
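    konrath's cron script (post #404) and abdelhost77's suexec_log idea above are both "read a record, pull out the account, suspend it once" loops, so here is one added example that covers both. It is not konrath's or abdelhost77's script and not cPanel or CSF code. The lfd alert mails and the suexec_log lines are constructed samples written into a temporary directory; the suexec_log layout is Apache's standard suexec record format; and /scripts/suspendacct is replaced by a dry-run function (override SUSPEND_CMD to point at the real script), so it runs offline. It handles the cases the six-line cron script does not: several alerts arriving in the same minute, an empty mailbox, and a user named in both sources.

```shell
#!/bin/sh
# Added example: collect accounts named in lfd "Suspicious File Alert" mails
# and in Apache's suexec_log, then hand each one to a suspend action once.
# Everything below the functions is constructed sample data so it runs offline.

# Dry-run stand-in for /scripts/suspendacct (assumption: set SUSPEND_CMD to the
# real path on a cPanel server). Writes to stderr so stdout stays machine-readable.
default_suspend() {
    echo "would run: /scripts/suspendacct $1 \"$2\" $3" >&2
}
SUSPEND_CMD="${SUSPEND_CMD:-default_suspend}"

# Accounts from every mail in a Maildir "new" directory whose filealert.txt
# template was edited to say "Account: <user>", as konrath describes.
# -h drops the file-name prefix grep adds when the glob matches several mails
# (which would otherwise shift the cut field); 2>/dev/null covers an empty dir.
accounts_from_csf_alerts() {
    grep -h '^Account:' "$1"/* 2>/dev/null \
        | cut -d ':' -f 2- \
        | tr -d ' \t' \
        | grep -v '^$' \
        | sort -u
}

# Accounts from suexec_log execution records such as
# "[2014-11-20 10:00:01]: uid: (1001/alice) gid: (1001/alice) cmd: test.test".
# Any "cmd:" record counts, whatever the script's extension (abdelhost77's point);
# suexec's error lines ("command not in docroot", ...) carry no uid and are skipped.
accounts_from_suexec_log() {
    sed -n 's/^\[[^]]*\]: uid: ([0-9]*\/\([^)]*\)) .* cmd: .*/\1/p' "$1" | sort -u
}

# Union of both sources, one account per line.
flagged_accounts() {
    { accounts_from_csf_alerts "$1"; accounts_from_suexec_log "$2"; } | sort -u
}

# Suspend each account exactly once and print how many were suspended.
# Tokens that are not plain cPanel user names never reach the suspend command.
suspend_accounts() {
    count=0
    for u in $(printf '%s\n' "$@" | sort -u); do
        case "$u" in
            ''|*[!a-z0-9_-]*) continue ;;
        esac
        $SUSPEND_CMD "$u" "Suspicious script execution" 1
        count=$((count + 1))
    done
    echo "$count"
}

# ---- constructed sample data (not from any real server) ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/alerts"
cat > "$WORK/alerts/1416470401.M1.host" <<'EOF'
Subject: lfd on host.example: Suspicious File Alert
File: /tmp/xpl/64/2
Reason: Linux Binary
Account: alice
Action: No action taken
EOF
cat > "$WORK/alerts/1416470402.M2.host" <<'EOF'
Subject: lfd on host.example: Suspicious File Alert
File: /tmp/find/sucrack
Reason: Linux Binary
Account: bob
Action: No action taken
EOF
cat > "$WORK/suexec_log" <<'EOF'
[2014-11-20 10:00:01]: uid: (1001/alice) gid: (1001/alice) cmd: test.test
[2014-11-20 10:00:02]: uid: (1002/carol) gid: (1002/carol) cmd: hack.pl
[2014-11-20 10:00:03]: command not in docroot (/home/dave/public_html/cgi-bin/x.cgi)
[2014-11-20 10:00:04]: uid: (1002/carol) gid: (1002/carol) cmd: hack.pl
EOF

# Stand-alone run: alice, bob and carol are flagged; alice (named twice) once.
flagged=$(flagged_accounts "$WORK/alerts" "$WORK/suexec_log")
echo "flagged: $(echo $flagged)"
suspend_accounts $flagged >/dev/null
```

    On a real server the two functions would be pointed at /home/USER/mail/WEBSITE/USEREMAIL/new and /var/log/httpd/suexec_log, and the suexec source should only be enabled where CGI execution is genuinely not expected from customer accounts, since every "cmd:" record, legitimate or not, ends in a suspension.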
  11. mimran

    mimran Member

    Joined:
    Dec 16, 2007
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    51
    Hi, please provide me with this script. Some hacker installed the sucrack python script on my server, I don't know how; I got to know this via lfd notifications. How can we stop this kind of installation? How can a hacker install this without SSH access?

    Suspicious File Alert
    File: /tmp/xpl/64/2
    Reason: Linux Binary

    Also

    with File /tmp/find/sucrack
     
    #411 mimran, Nov 22, 2014
    Last edited: Nov 22, 2014
  12. abdelhost77

    abdelhost77 Well-Known Member

    Joined:
    Apr 25, 2012
    Messages:
    89
    Likes Received:
    1
    Trophy Points:
    58
    cPanel Access Level:
    Root Administrator
    Hello mimran,

    For your case you should first secure your /tmp:

    /scripts/securetmp
    chmod 1777 /tmp

     
  13. mimran

    mimran Member

    Joined:
    Dec 16, 2007
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    51
    Thanks, I had to reload the operating system, but I will keep using the above for securing /tmp.
    Is there a way to limit user access to /tmp, so that a particular user can only access his own tmp folder, which is usually in /home/username/tmp?
    Thanks.
     
  14. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    No no no!

    You should never run ANYTHING every minute from cron; that's just insanely poor practice. Any time you need to run something from cron you've made a basic design mistake. Why? For two excellent reasons:
    1. Running every minute loads up your server, which will slow things down. The larger the server grows, the quicker things will slow down.
    2. If the jobs start to take more than one minute to run (e.g. the server is loaded), you're in trouble.
    The real solution is to run a daemon which tails the log file, and that would be relatively low CPU. However, there is a much better way ...

    If you want to take an action on CSF blocking something, the CSF author has already included a nice mechanism for you to do that via the BLOCK_REPORT variable - check out /etc/csf/readme.txt for more info. Using this you can arrange for a script to run when a block is done, and it can take actions based on the value of (in this case) $8. However:

    Use industry standard solutions wherever you can to leverage the knowledge of experts.

    And of course, anything apart from using the established industry standard here (i.e. CloudLinux, rack911, EasyApache patch) is really a waste of time. If you invent a home-brewed solution, you have to run it yourself and maintain it yourself, and that just doesn't scale well, apart from the fact that it adds to your own stress levels. I just need to say this clearly as there will be people reading this thread without realizing how terrible some of the advice given here actually is. I notice I'm not the only one saying this, and it's for good reason that we're saying it.
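
    To make the BLOCK_REPORT route concrete, here is an added example of a handler script; it is not part of csf and not brianoz's own script. csf runs the script named in BLOCK_REPORT after it adds a block and passes eight positional arguments. The order used here (IP, ports, permanent flag, direction, timeout, message, logs, trigger, so the trigger is $8 as brianoz says) is my reading of /etc/csf/readme.txt and should be checked against your installed copy, as should the LF_* trigger names in classify_block. Instead of calling mail or /scripts/suspendacct, the handler appends one record per block to INCIDENT_LOG (a temp file by default) and prints a decision label, so it runs offline; the real notification or suspension would hang off that label.

```shell
#!/bin/sh
# Added example: a csf BLOCK_REPORT handler. csf invokes it as
#   /path/to/this/script ip ports permanent direction timeout message logs trigger
# (assumption: argument order as in /etc/csf/readme.txt; verify before use).

INCIDENT_LOG="${INCIDENT_LOG:-$(mktemp)}"   # assumption: point this at a real log file in production

# Turn the trigger ($8) and the permanent flag ($3) into a decision label.
# The LF_* names are csf option names as I know them; adjust to your readme.
classify_block() {
    trigger="$1"; permanent="$2"
    case "$trigger" in
        LF_MODSEC|LF_HTACCESS|LF_APACHE_404) kind=web ;;
        LF_SSHD|LF_FTPD|LF_CPANEL|LF_SMTPAUTH|LF_POP3D|LF_IMAPD) kind=auth ;;
        *) kind=other ;;
    esac
    if [ "$permanent" = "1" ]; then
        echo "$kind:escalate"
    else
        echo "$kind:notify"
    fi
}

# Record the block as one log line and print the decision.
# Returns 2 without logging when csf did not pass all eight arguments.
handle_block() {
    if [ "$#" -ne 8 ]; then
        echo "handle_block: expected 8 arguments, got $#" >&2
        return 2
    fi
    ip="$1"; ports="$2"; permanent="$3"; direction="$4"
    timeout="$5"; message="$6"; logs="$7"; trigger="$8"
    decision=$(classify_block "$trigger" "$permanent")
    # Flatten the multi-line log excerpt so every block is exactly one record.
    flat_logs=$(printf '%s' "$logs" | tr '\n' ' ')
    printf '%s ip=%s ports=%s permanent=%s dir=%s timeout=%s trigger=%s decision=%s msg="%s" logs="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$ip" "$ports" "$permanent" "$direction" \
        "$timeout" "$trigger" "$decision" "$message" "$flat_logs" >> "$INCIDENT_LOG"
    echo "$decision"
}

# When csf executes this file it passes exactly eight arguments; when the file
# is sourced or run by hand with none, nothing happens.
if [ "$#" -eq 8 ]; then
    handle_block "$@"
fi
```

    Because csf calls the script once per block, there is no polling and no per-minute cron job: the handler does its few lines of work and exits, which is the low-overhead shape brianoz is describing.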
     
  15. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    983
    Likes Received:
    76
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    THANK YOU.

    IMHO this thread is about due to be locked (left stickied, but locked). While defending against cross account symlinks is of critical importance, there's really nothing new to add here any more.
     
  16. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,679
    Likes Received:
    299
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Agreed. Closed.
     