Solutions for handling symlink attacks

Status
Not open for further replies.

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
That depends on you, which patch to use.
How can we monitor our servers to check that the patches are working properly?
Create a symlink pointing to the root filesystem or to another user and see if it works or gives an error.
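The check brianoz describes is the owner comparison that SymLinksIfOwnerMatch performs: a link is followed only when the link and its target have the same owner. The script below is an added example, not code from the thread or from cPanel; it applies that same comparison to every symlink under a directory tree (for instance /home) so an administrator can list the cross-owner links that FollowSymLinks would serve and SymLinksIfOwnerMatch would refuse, and can confirm there are none before relying on the setting. The sample tree built by demo() is constructed for the self-check and is not from the page; the injected owner lookups in demo() are fakes that model a hosting-user link pointing at a root-owned file.

```python
"""Audit a directory tree for symlinks that SymLinksIfOwnerMatch would refuse.

FollowSymLinks serves whatever a link points at; SymLinksIfOwnerMatch follows
a link only when the link and its target share an owner. This applies the same
owner comparison to every symlink under a root so cross-owner links show up
in an audit instead of in a served page.
"""
import os
import sys
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class LinkReport:
    link: str
    target: str                 # raw link text from os.readlink()
    link_uid: int
    target_uid: Optional[int]   # None when the target cannot be resolved
    verdict: str                # "owner-match", "cross-owner" or "unresolvable"


def classify(link_uid: int, target_uid: Optional[int]) -> str:
    """The SymLinksIfOwnerMatch decision: follow only if the owners are equal."""
    if target_uid is None:
        return "unresolvable"
    return "owner-match" if link_uid == target_uid else "cross-owner"


def _link_owner(path: str) -> int:
    return os.lstat(path).st_uid          # owner of the link itself, not the target


def _target_owner(path: str) -> Optional[int]:
    try:
        return os.stat(path).st_uid       # owner of what the link resolves to
    except OSError:                       # dangling link, symlink loop, or no permission
        return None


def audit_symlinks(root: str,
                   link_owner: Callable[[str], int] = _link_owner,
                   target_owner: Callable[[str], Optional[int]] = _target_owner,
                   ) -> List[LinkReport]:
    """Walk root without descending through links and classify every symlink."""
    reports: List[LinkReport] = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            luid = link_owner(path)
            tuid = target_owner(path)
            reports.append(LinkReport(path, os.readlink(path), luid, tuid,
                                      classify(luid, tuid)))
    return reports


def demo():
    """Constructed sample tree (not from the thread) for a self-check.

    Returns two dicts mapping link name -> verdict: one from the real
    filesystem, where everything belongs to the current user so links match,
    and one with owner lookups replaced by fakes that model a user-owned
    link (uid 1001) pointing at a root-owned file (uid 0).
    """
    import tempfile
    base = tempfile.mkdtemp(prefix="symlink-audit-")
    own = os.path.join(base, "own.txt")
    open(own, "w").close()
    os.symlink(own, os.path.join(base, "link_own"))
    os.symlink(os.path.join(base, "does-not-exist"), os.path.join(base, "link_dangling"))

    real = {os.path.basename(r.link): r.verdict for r in audit_symlinks(base)}
    simulated = {os.path.basename(r.link): r.verdict
                 for r in audit_symlinks(base,
                                         link_owner=lambda p: 1001,   # fake: hosting user
                                         target_owner=lambda p: 0)}   # fake: root
    return real, simulated


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/home"
    for r in audit_symlinks(root):
        if r.verdict != "owner-match":
            print(f"{r.verdict:12} uid {r.link_uid} -> {r.target_uid}  {r.link} -> {r.target}")
```

Run it as root (`python3 audit.py /home`) so every target can be resolved; anything reported as cross-owner is a link the web server would follow under FollowSymLinks, which is the condition to eliminate or at least know about, and unresolvable entries are dangling links or loops worth cleaning up in their own right.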
 

keaza

Member
Nov 13, 2011
13
0
51
London, United Kingdom, United Kingdom
cPanel Access Level
Root Administrator
I have tried to patch this myself but I have never succeeded. When they upload a shell into cPanel they normally have a small command line they can use. My friend, who is a hacker, said to me he roots servers this way, but with the new kernel he is unable to gain root access.

He did a quick run-through of what he does:

uploads the shell.php
mkdir /root
Upload .htaccess file

I will try to get and release the .htaccess file he uploads next time he starts trying to hack my server :) but that's basically what he does and I haven't found a patch yet.
 

Eboy

Member
Aug 8, 2003
10
0
151
I hate cPanel's stance on this, so we have created a patch and have been using it for some time. It turns FollowSymLinks into SymLinksIfOwnerMatch at the Apache source code level.
Interesting.

I have contacted one of my VPS providers about this issue, which by the way is supposed to be *managed*, and their first reply was, and I quote:

Your server's Apache service is already built with the latest stable release and it is free from those vulnerabilities. You can ignore it now.
When I insisted and mentioned this thread again, I received this reply:

Yeah, I am sure; the cPanel forum thread you mentioned is a very old one and the team has already patched services for all vulnerabilities reported.
When I insisted again, telling them that this patch provided by StevenC is just a couple of weeks old, they said they would contact cPanel Support. And the reply they quote from cPanel Support is this one:

The patch in that forum post is neither developed nor supported by us.

You have "SymLinksIfOwnerMatch" checked in WHM -> Service Configuration -> Apache Configuration, so symlinks will only be followed if the owners match.
I'd appreciate your comments on this, especially from StevenC.

Thanks!
 

StevenC

Well-Known Member
Jan 1, 2004
252
0
166

1.) The latest Apache is indeed vulnerable to this 'exploit'.
2.) Yes, you can disable the feature as mentioned by cPanel support, but you will encounter internal server error messages if someone has 'FollowSymLinks' in their .htaccess. Furthermore, you have to go deeper (read the rest of the thread) to ensure that an end user cannot re-enable FollowSymLinks.
3.) The patch that I created, along with the patch that Mitio created, resolves this exploit without having to deal with .htaccess files. It drops in and forces FollowSymLinks to act like SymLinksIfOwnerMatch.

The fact that they did not have a clue that it's still a vulnerability shows how 'managed' they are. They don't go outside the norm. Sadly, if you want to remain safe you have to steer away from the norm (not just with this problem, but with server security in general).
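StevenC's second point has two halves: the server-level Options must not enable FollowSymLinks, and AllowOverride must not let a per-user .htaccess switch it back on. Apache's AllowOverride accepts either a bare `Options` (any Options directive allowed in .htaccess) or, from 2.2.12 on, the list form `Options=a,b,c` that names the only options a .htaccess may set. The linter below is an added example, not StevenC's or Mitio's patch and not a cPanel tool; it is a line-oriented scan that ignores Include and Directory nesting, flags both halves in httpd.conf-style text, and run over a user's .htaccess finds the `Options +FollowSymLinks` lines that will start producing internal server errors once the override is restricted. The weak and hardened configuration samples and the user .htaccess are constructed for the example.

```python
"""Lint Apache configuration text for settings that allow FollowSymLinks.

Flags (a) Options lines that enable FollowSymLinks, directly or via 'All',
and (b) AllowOverride settings that let a .htaccess re-enable it.
"""
import re
from typing import List, Tuple

_OPTIONS_RE = re.compile(r"^Options\s+(.+)$", re.IGNORECASE)
_OVERRIDE_RE = re.compile(r"^AllowOverride\s+(.+)$", re.IGNORECASE)

Finding = Tuple[int, str]   # (line number, message)


def lint_apache_config(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # Apache has only full-line comments
            continue

        m = _OPTIONS_RE.match(line)
        if m:
            for token in m.group(1).split():
                if token.startswith("-"):
                    continue                      # explicitly disabled, nothing to flag
                name = token.lstrip("+").lower()
                if name == "followsymlinks":
                    findings.append((lineno, "Options enables FollowSymLinks; use SymLinksIfOwnerMatch instead"))
                elif name == "all":
                    findings.append((lineno, "Options All includes FollowSymLinks"))
            continue

        m = _OVERRIDE_RE.match(line)
        if m:
            for token in m.group(1).split():
                low = token.lower()
                if low in ("all", "options"):
                    findings.append((lineno, "AllowOverride lets .htaccess set any Options, including FollowSymLinks"))
                elif low.startswith("options="):
                    allowed = low[len("options="):].split(",")
                    if "followsymlinks" in allowed:
                        findings.append((lineno, "AllowOverride Options= list still permits FollowSymLinks"))
    return findings


# Constructed samples for the self-check (not from any real server).
WEAK_CONFIG = """\
<Directory "/home">
    Options All
    AllowOverride All
</Directory>
<Directory "/home/example/public_html">
    Options +FollowSymLinks -Indexes
</Directory>
"""

HARDENED_CONFIG = """\
<Directory "/home">
    # Links are followed only when link and target share an owner
    Options -FollowSymLinks +SymLinksIfOwnerMatch -Indexes
    # .htaccess may toggle only the listed options; FollowSymLinks is absent
    AllowOverride AuthConfig Limit Options=IncludesNoExec,Indexes,MultiViews,SymLinksIfOwnerMatch
</Directory>
"""

USER_HTACCESS = """\
Options +FollowSymLinks
RewriteEngine On
"""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path) as fh:
                for lineno, msg in lint_apache_config(fh.read()):
                    print(f"{path}:{lineno}: {msg}")
    else:
        for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                           ("user .htaccess", USER_HTACCESS)):
            print(label, lint_apache_config(cfg))
```

Running it over `/home/*/public_html/.htaccess` before tightening AllowOverride gives the list of sites whose owners need to change `+FollowSymLinks` to `+SymLinksIfOwnerMatch`, which is how to avoid the 500 errors StevenC mentions; the patched-Apache approach sidesteps that step because FollowSymLinks itself behaves as SymLinksIfOwnerMatch.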
 

Eboy

Member
Aug 8, 2003
10
0
151
Thanks StevenC, I appreciate your reply.

The patch that I created, along with the patch that Mitio created, resolves this exploit without having to deal with .htaccess files. It drops in and forces FollowSymLinks to act like SymLinksIfOwnerMatch.
I thought one or the other could be applied. You mean both patches should be applied?
 

StevenC

Well-Known Member
Jan 1, 2004
252
0
166
Oops!

Yeah, either one will work separately. Both at the same time would be counterproductive.
 

StevenC

Well-Known Member
Jan 1, 2004
252
0
166
Just so you all know -- litespeedtech is vulnerable to this also. Follow the earlier symlink workarounds to resolve it (it will not throw internal server errors).
 

sehh

Well-Known Member
Feb 11, 2006
579
6
168
Europe
cPanel makes it very easy for the attacker. At first I wondered how they could come up with the random names under /home, since /home is not readable (go+x only), but apparently if the server is running cPanel, the attacker accesses various world-readable files like /etc/trueuserowners, which have the whole list of Unix names on the system, so they can easily iterate them under /home.

Bad cPanel... !
 

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
One way or another, it's very easy to discover other users on the system, whether via running processes, ps, or guessing. The real issue is preventing them getting into those users' accounts, and that's what we've been discussing here.
 

sehh

Well-Known Member
Feb 11, 2006
579
6
168
Europe
The only true solution is to run users under a jail within a virtual set of directories, so that /home is empty and only contains their own directory. The user shouldn't see a real /etc or just about any other real system directory.

The current PHP implementation allows the user to create a whole remote management tool that can do just about anything to the web server (create symbolic links, act as a shell, read all world-readable files, etc.).

The best solution would be total isolation between users, including the applications that run on the server, which unfortunately is not possible with the current Linux implementation.

Unless we create a VPS per domain :(
 

JeffP.

Well-Known Member
Sep 28, 2010
164
15
68
cPanel isn't necessary to obtain a list of usernames from a server. Using Linux as an example, /etc/passwd* or /etc/group* can be used instead. Additionally, they contain more information than /etc/trueuserowners.
 

storminternet

Well-Known Member
Nov 2, 2011
460
0
66
cPanel Access Level
Root Administrator
Hi,

cPanelJeff is right. Hackers can use various shell programs to compromise /etc/passwd and other important files. Plain servers without cPanel installed can also be hacked.

It doesn't matter whether cPanel or any control panel is installed or not. The more important thing is server security.
It shouldn't be compromised. :cool:
 

minosjl

Well-Known Member
Jun 4, 2011
168
0
66
India
cPanel Access Level
Root Administrator
Hi,

What should we do with a website that is already hacked because of this vulnerability? I have read all the posts and I can see how we can prevent this in future. Do we need to shut down the website? Because someone got the info in config.php, they really know the database login details and all the info of the users in the database. How can we secure this particular website?
 

sehh

Well-Known Member
Feb 11, 2006
579
6
168
Europe
Delete all passwords and force the users to reset/create new passwords. Same for any admin passwords. Of course, that implies that your software supports empty/disabled passwords and will force the user to submit a new one, verifying it via his email address.

If not, then you could do it manually: reset all passwords to a new random value and send the new password to each user via email. It should be fairly easy to write a quick PHP script to do something like that.
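Both variants sehh describes (disable every password, or issue a random replacement and mail it) are shown below as an added example in Python rather than the PHP the post mentions; it is not code from the thread or from any CMS. It assumes the application stores a per-user salt and a PBKDF2-SHA256 hash (the round count is an assumption to tune to your hardware), keeps the plaintext only long enough to build the notification mail, and treats an account with no hash as disabled until a reset completes. The accounts in demo() are constructed for the self-check.

```python
"""Invalidate every account password after a credential leak.

Two modes: disable_all_passwords() leaves accounts unable to log in until a
reset completes; reset_all_passwords() issues a fresh random password per
account, stores only its salted PBKDF2 hash, and returns the plaintext once
so it can be mailed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from email.message import EmailMessage
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 300_000   # assumption: raise to what your hardware tolerates


@dataclass
class Account:
    username: str
    email: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pw_hash: Optional[bytes] = None     # None means "disabled, must reset"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(account: Account, password: str) -> bool:
    if account.pw_hash is None:         # disabled accounts never authenticate
        return False
    return hmac.compare_digest(account.pw_hash, hash_password(password, account.salt))


def disable_all_passwords(accounts: List[Account]) -> None:
    """sehh's first variant: no password is valid until the user sets a new one."""
    for acct in accounts:
        acct.pw_hash = None


def reset_all_passwords(accounts: List[Account]) -> Dict[str, str]:
    """sehh's second variant: random password per account, new salt each time.

    Returns {username: plaintext} for one-time delivery; nothing else keeps it.
    """
    issued: Dict[str, str] = {}
    for acct in accounts:
        new_pw = secrets.token_urlsafe(12)
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = hash_password(new_pw, acct.salt)
        issued[acct.username] = new_pw
    return issued


def build_notices(accounts: List[Account], issued: Dict[str, str],
                  sender: str = "security@example.invalid") -> List[EmailMessage]:
    """Build the mails; handing them to an SMTP server is left to the caller."""
    notices = []
    for acct in accounts:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = acct.email
        msg["Subject"] = "Your password has been reset"
        msg.set_content(
            f"Hello {acct.username},\n\n"
            "Following a security incident, all passwords were reset.\n"
            f"Your temporary password is: {issued[acct.username]}\n"
            "Please log in and choose a new password immediately.\n")
        notices.append(msg)
    return notices


def demo() -> dict:
    """Constructed accounts (not real users) exercising the reset flow."""
    accounts = [Account("alice", "alice@example.invalid"),
                Account("bob", "bob@example.invalid")]
    for a in accounts:                       # pre-incident passwords, now assumed leaked
        a.pw_hash = hash_password("leaked-" + a.username, a.salt)
    issued = reset_all_passwords(accounts)
    notices = build_notices(accounts, issued)
    return {
        "old_still_works": [verify_password(a, "leaked-" + a.username) for a in accounts],
        "new_works": [verify_password(a, issued[a.username]) for a in accounts],
        "distinct": len(set(issued.values())) == len(accounts),
        "notices_to": [m["To"] for m in notices],
    }


if __name__ == "__main__":
    print(demo())
```

This covers the user accounts minosjl asked about; the database credentials that were readable in config.php are a separate secret and have to be changed on the database server and in the file itself, since no password reset of application users touches them.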
 

minosjl

Well-Known Member
Jun 4, 2011
168
0
66
India
cPanel Access Level
Root Administrator
Hi,

Thanks, I am looking into this. In the meantime, if we are securing the website, does it depend on what CMS we are using? Like we said, will Joomla and WordPress also prevent this hacking? Like implementing encryption methods and denying admin access to particular users only, etc...
 

DomineauX

Well-Known Member
PartnerNOC
Apr 12, 2003
429
11
168
Houston, TX
cPanel Access Level
Root Administrator
Absolutely, you need to ensure that site applications like WordPress/Joomla are secured, as that is the most likely point of entry. This symlink vulnerability is abused once access has been obtained, so you must focus on the way access is obtained as well.

If you need further assistance with the security of those applications you should check the forums and Google for the applications specifically.
 