
Solutions for handling symlink attacks

Discussion in 'Security' started by HostingH, Apr 8, 2011.

Thread Status:
Not open for further replies.
  1. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    5
    Trophy Points:
    68
    Location:
    Athens Greece
    That depends on you and on which patch you use.
    How can we monitor our servers to make sure the patches are working properly?
     
  2. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    It doesn't really matter; the nice thing about rack911's is that it's a one-line install (well, actually 4 lines, but one copy and paste into your shell).
     
  3. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Create a symlink pointing to the root filesystem or to another user and see if it works or gives an error.
     
  4. keaza

    keaza Member

    Joined:
    Nov 13, 2011
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    51
    Location:
    London, United Kingdom, United Kingdom
    cPanel Access Level:
    Root Administrator
    I have tried to patch this myself but I have never succeeded. When they upload a shell into cPanel they normally have a small command line they can use. My friend, who is a hacker, said to me that he roots servers this way, but with the new kernel he is unable to gain root access.

    He did a quick run-through of what he does:

    uploads the shell.php
    mkdir /root
    Upload .htaccess file

    I will try to get and release the .htaccess file he uploads next time he starts trying to hack my server :) but that's basically what he does, and I haven't found a patch yet.
     
  5. Eboy

    Eboy Member

    Joined:
    Aug 8, 2003
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    151
    Interesting.

    I have contacted one of my VPS providers about this issue, which by the way is supposed to be *managed*, and their first reply was, and I quote:

    When I insisted and mentioned again this thread, then I received this reply:

    When I insisted again, telling them that this patch provided by StevenC is just a couple of weeks old, they said they would contact cPanel Support. And the reply they quote from cPanel Support is this one:

    I'd appreciate your comments on this, especially from StevenC.

    Thanks!
     
  6. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    166

    1.) The latest Apache is indeed vulnerable to this 'exploit'.
    2.) Yes, you can disable the feature as mentioned by cPanel support, but you will encounter internal server error messages if someone has 'FollowSymLinks' in their .htaccess. Furthermore, you have to go deeper (read the rest of the thread) to ensure that an end user cannot re-enable FollowSymLinks.
    3.) The patch that I created, along with the patch that Mitio created, resolves this exploit without having to deal with .htaccess files. It drops in and forces FollowSymLinks to act like SymLinksIfOwnerMatch.

    The fact that they did not have a clue that it's still a vulnerability shows how 'managed' they are. They don't go outside the norm. Sadly, if you want to remain safe you have to steer away from the norm (not just with this problem, but with server security in general).
     
    #86 StevenC, Nov 16, 2011
    Last edited: Nov 16, 2011
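    For readers who want to see what StevenC's point 2 looks like in a config file, here is the weak setting beside the corrected one as an httpd.conf fragment. This is an added illustration, not the Rack911/StevenC patch and not cPanel's shipped configuration; the `/home` directory block and the other entries in the `AllowOverride` list are assumptions for the example.

    ```apache
    # Weak: FollowSymLinks makes Apache serve whatever a user-created symlink
    # points at (another account's config.php, /etc/passwd, ...), and
    # AllowOverride All lets every user switch it back on from .htaccess.
    <Directory "/home">
        Options FollowSymLinks
        AllowOverride All
    </Directory>

    # Hardened: a symlink is followed only when the link and its target have the
    # same owner, and .htaccess may only toggle the listed Options, so
    # "Options +FollowSymLinks" in a user's .htaccess is refused. The refusal is
    # what produces the 500 Internal Server Error StevenC's post warns about;
    # grep /home/*/public_html/.htaccess for FollowSymLinks before switching.
    <Directory "/home">
        Options -FollowSymLinks +SymLinksIfOwnerMatch
        AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    ```

    The `Options=...` form of `AllowOverride` needs Apache 2.2 or later. SymLinksIfOwnerMatch costs an lstat() per path component on every request, which is the trade-off that made the drop-in patches attractive for busy shared hosts.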
  7. Eboy

    Eboy Member

    Joined:
    Aug 8, 2003
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    151
    Thanks StevenC, I appreciate your reply.

    I thought one or the other could be applied. You mean both patches should be applied?
     
  8. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    166
    Oops!

    Yeah, either one will work separately. Both at the same time would be counter productive.
     
  9. StevenC

    StevenC Well-Known Member

    Joined:
    Jan 1, 2004
    Messages:
    252
    Likes Received:
    0
    Trophy Points:
    166
    Just so you all know -- litespeedtech is vulnerable to this also. Follow the earlier symlink workarounds to resolve it (It will not throw internal server errors).
     
  10. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    168
    Location:
    Europe
    cPanel makes it very easy for the attacker. At first I wondered how they could come up with the random names under /home since /home is not readable (go+x only), but apparently if the server is running cPanel, the attacker accesses various world-readable files like /etc/trueuserowners which have the whole list of unix names of the system, so they can easily iterate them under /home.

    Bad cPanel... !
     
  11. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    One way or another, it's very easy to discover other users on the system, whether via running processes, ps, or guessing. The real issue is preventing them getting into those users' accounts, and that's what we've been discussing here.
     
  12. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    168
    Location:
    Europe
    The only true solution is to run users under a jail within a virtual set of directories, thus the /home will be empty and only contain their own directory. The user shouldn't see a real /etc or just about any other real system directory.

    The current PHP implementation allows the user to create a whole remote management tool that can just about do anything to the web server (create symbolic links, act as a shell, read all world-readable files, etc).

    The best solution, would be total isolation between users, including the applications that run on the server. Which unfortunately is not possible with the current Linux implementation.

    Unless we create a VPS per domain :(
     
  13. JeffP.

    JeffP. Well-Known Member

    Joined:
    Sep 28, 2010
    Messages:
    164
    Likes Received:
    13
    Trophy Points:
    68
    cPanel isn't necessary to obtain a list of usernames from a server. Using Linux as an example, /etc/passwd* or /etc/group* can be used instead. Additionally, they contain more information than /etc/trueuserowners.
     
  14. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    462
    Likes Received:
    0
    Trophy Points:
    66
    cPanel Access Level:
    Root Administrator
    Hi,

    cPanelJeff is right. Hackers can use various shell programs to compromise /etc/passwd and other necessary files. Plain servers without cPanel installed on them can also be hacked.

    It doesn't matter whether cPanel or any other control panel is installed or not. What matters more is server security.
    It shouldn't be compromised. :cool:
     
  15. minosjl

    minosjl Well-Known Member

    Joined:
    Jun 4, 2011
    Messages:
    168
    Likes Received:
    0
    Trophy Points:
    66
    Location:
    India
    cPanel Access Level:
    Root Administrator
    hi ,

    What should we do with a website that is already hacked because of this vulnerability? I have read all the posts and I can see how we can prevent this in future. Do we need to shut down the website? Because someone got the info from config.php, they really know the database login details and all the info of the users in the database. How can we secure this particular website?
     
  16. sehh

    sehh Well-Known Member

    Joined:
    Feb 11, 2006
    Messages:
    579
    Likes Received:
    5
    Trophy Points:
    168
    Location:
    Europe
    Delete all passwords and force the users to reset/create new passwords. Same for any admin passwords. Of course that implies that your software supports empty/disabled passwords and will force the user to submit a new one by verifying it via his email address.

    If not, then you could do it manually, reset all passwords to a new random value and send the new password to each user via email. It should be fairly easy to write a quick php script to do something like that.
     
  17. DomineauX

    DomineauX Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    421
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    I would also suggest that you look for any symlinks and remove any that look suspicious.
    You can search for symlinks with:
    find /home/username/ -type l
     
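    DomineauX's `find /home/username/ -type l` lists every link but leaves the judgement to the admin, and brianoz's earlier check (create a symlink to the root filesystem or another user's files and see whether Apache serves it) only tells you about the one link you created. The script below is an added example, not code from the thread: it walks an account's home directory and reports each link the way SymLinksIfOwnerMatch would judge it (link owner must equal target owner), and additionally flags links that resolve outside the account or dangle. It assumes GNU coreutils (`stat -c`, `readlink -f`) as found on CentOS/cPanel hosts, and the sandbox it builds when run without arguments is a constructed fixture so it can be tried offline. It does not replace brianoz's HTTP test, which is still the way to confirm the web server itself refuses the link.

    ```shell
    #!/bin/sh
    # Added example, not from the thread: audit the symlinks under one account's
    # home directory and report the ones Apache's SymLinksIfOwnerMatch would
    # refuse or that reach outside the account. Assumes GNU coreutils
    # (stat -c, readlink -f) as found on CentOS/cPanel hosts.

    # audit_symlinks HOMEDIR
    # Prints one tab-separated line per suspicious link: REASON, LINK, TARGET.
    # Reasons: dangling (target missing), outside-home (target resolves outside
    # HOMEDIR, e.g. /etc/passwd or another user's config.php), owner-mismatch
    # (link and target owned by different uids, the SymLinksIfOwnerMatch test).
    audit_symlinks() {
        home=$(readlink -f "$1") || return 2
        find "$home" -type l -print | while IFS= read -r link; do
            link_uid=$(stat -c '%u' "$link")   # stat reports on the link itself, not the target
            target=$(readlink -f "$link" 2>/dev/null) || target=''
            if [ -z "$target" ] || [ ! -e "$target" ]; then
                printf 'dangling\t%s\t%s\n' "$link" "$(readlink "$link")"
                continue
            fi
            case "$target" in
                "$home"/*) ;;   # stays inside the account
                *) printf 'outside-home\t%s\t%s\n' "$link" "$target"; continue ;;
            esac
            target_uid=$(stat -c '%u' "$target")
            if [ "$link_uid" != "$target_uid" ]; then
                printf 'owner-mismatch\t%s\t%s\n' "$link" "$target"
            fi
        done
    }

    # count_suspicious HOMEDIR: number of lines audit_symlinks reports.
    count_suspicious() {
        audit_symlinks "$1" | wc -l | tr -d ' '
    }

    # build_sandbox: constructed fixture so the script runs offline. Creates a
    # fake home with one benign link, one link into a neighbouring "account"
    # (the pattern the thread describes) and one dangling link; prints its path.
    build_sandbox() {
        root=$(mktemp -d)
        mkdir -p "$root/home/public_html" "$root/other_user"
        echo 'mine' > "$root/home/public_html/index.html"
        echo 'define("DB_PASSWORD", "constructed");' > "$root/other_user/config.php"
        ln -s "$root/home/public_html/index.html" "$root/home/public_html/ok.html"
        ln -s "$root/other_user/config.php"       "$root/home/public_html/leak.txt"
        ln -s "$root/home/public_html/gone"       "$root/home/public_html/stale"
        printf '%s\n' "$root/home"
    }

    if [ -n "${1:-}" ]; then
        audit_symlinks "$1"          # real use: sh audit_symlinks.sh /home/username
    else
        demo=$(build_sandbox)        # constructed sandbox, reports leak.txt and stale
        audit_symlinks "$demo"
        rm -rf "$(dirname "$demo")"
    fi
    ```

    On a real host run it per account (`for h in /home/*; do audit_symlinks "$h"; done`) and treat `outside-home` hits pointing at another user's `public_html` as the symlink attack in progress; `owner-mismatch` hits are what SymLinksIfOwnerMatch or the drop-in patches would have refused to serve.
    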
  18. minosjl

    minosjl Well-Known Member

    Joined:
    Jun 4, 2011
    Messages:
    168
    Likes Received:
    0
    Trophy Points:
    66
    Location:
    India
    cPanel Access Level:
    Root Administrator
    hi,

    Thanks, I am looking into this. In the meantime, if we secure the website depending on what CMS we are using, like Joomla and WordPress as we said, will that also prevent this hacking? Like implementing encryption methods and restricting admin access to particular users only, etc.
     
  19. DomineauX

    DomineauX Well-Known Member
    PartnerNOC

    Joined:
    Apr 12, 2003
    Messages:
    421
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Absolutely, you need to ensure that the site applications like WordPress/Joomla are secured, as that is the most likely point of entry. This symlink vulnerability is abused once access has been obtained, so you must focus on the way access is obtained as well.

    If you need further assistance with security of those applications you should check the forums and google for the applications specifically.
     
  20. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    462
    Likes Received:
    0
    Trophy Points:
    66
    cPanel Access Level:
    Root Administrator
    Hi,

    One should pay attention to addons like themes and plugins which come with third-party applications.
    They are also updated when you update the third-party software. Buggy addons also cause security loopholes.
     