
symlink attack?

Discussion in 'Security' started by Bashed, Aug 5, 2015.

  1. Bashed

    Bashed Well-Known Member

    I think there's a symlink attack here on my box as you can see below.

    How can I prevent this?

    My settings currently:

    disable_functions =
    Code:
    apache_child_terminate,apache_note,apache_setenv,define_syslog_variables,escapeshellarg,closelog,debugger_off,debugger_on,dl,escapeshellcmd,eval,exec,fp,fput,ftp_connect,ftp_exec,ftp_get,ftp_login,ftp_nb_fput,ftp_put,ftp_raw,ftp_rawlist,highlight_file,ini_alter,ini_get_all,ini_restore,inject_code,mysql_pconnect,openlog,passthru,php_uname,phpAds_remoteInfo,phpAds_XmlRpc,phpAds_xmlrpcDecode,phpAds_xmlrpcEncode,popen,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_setuid,posix_uname,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,socket_accept,socket_bind,socket_clear_error,socket_close,socket_connect,socket_create_listen,socket_create_pair,socket_create,socket_get_option,socket_getpeername,socket_getsockname,socket_last_error,socket_listen,socket_read,socket_recv,socket_recvfrom,socket_select,socket_send,socket_sendto,socket_set_block,socket_set_nonblock,socket_set_option,socket_shutdown,socket_strerror,socket_write,stream_sock,symlink,syslog,system,xmlrpc_entity_decode
    PHP 5.5, Apache 2.4, suPHP + Suhosin, Symlink Protection enabled. CentOS 6.6 + CloudLinux (CageFS only enabled for certain users due to the extra disk space it uses).

    I also used this:

    Code:
    wget http://layer1.rack911.com/before_apache_make -O /scripts/before_apache_make
    chmod 700 /scripts/before_apache_make
    ## Rebuild apache (might want to do it thru WHM instead)
    /scripts/easyapache --build
    Code:
    root@server [/home/someuser/public_html/wp-content/themes/twentytwelve/rr/sym/root]# ls -lh
    total 4.4M
    dr-xr-xr-x.  23 root root 4.0K Jul 28 21:47 ./
    dr-xr-xr-x.  23 root root 4.0K Jul 28 21:47 ../
    -rw-r--r--    1 root root    0 Jun  1 09:21 .autofsck
    -rw-r--r--    1 root root    0 May 31 17:23 .autorelabel
    drwx--x--x    4 root root 4.0K Aug  5 08:56 backup/
    dr-xr-xr-x.   2 root root 4.0K Jul  1 21:33 bin/
    dr-xr-xr-x.   5 root root 3.0K Jun 16 20:36 boot/
    -rw-------    1 root root 328K Jun  1 09:16 core.21328
    -rw-------    1 root root 328K Jun  1 09:16 core.21626
    -rw-------    1 root root 328K Jun  1 09:16 core.21649
    -rw-------    1 root root 328K Jun  1 09:16 core.21698
    -rw-------    1 root root 328K Jun  1 09:16 core.21799
    drwxr-xr-x   18 root root 6.2K Jun  1 09:23 dev/
    -rw-r--r--    1 root root  82K Jul 28 21:47 error_log
    drwxr-xr-x.  92 root root  12K Aug  5 14:56 etc/
    drwx--x--x. 372 root root  12K Aug  5 14:56 home/
    dr-xr-xr-x.   8 root root 4.0K May 31 17:32 lib/
    dr-xr-xr-x.  10 root root  12K Jun 10 21:33 lib64/
    drwx------.   2 root root  16K May 31 14:27 lost+found/
    drwxr-xr-x.   2 root root 4.0K Sep 23  2011 media/
    drwxr-xr-x.   2 root root 4.0K Sep 23  2011 mnt/
    drwxr-xr-x.  12 root root 4.0K Jun 19 14:03 opt/
    dr-xr-xr-x  543 root root    0 Jun  1 09:21 proc/
    -rw-------    1 root root  31K Aug  5 15:00 quota.user
    -rw-r--r--    1 root root  109 May 31 18:12 razor-agent.log
    dr-xr-x---.  18 root root 4.0K Aug  5 14:56 root/
    dr-xr-xr-x.   2 root root  12K Jul 16 21:35 sbin/
    lrwxrwxrwx    1 root root   25 May 31 17:31 scripts -> /usr/local/cpanel/scripts/
    drwxr-xr-x.   2 root root 4.0K May 31 14:27 selinux/
    drwxr-xr-x.   2 root root 4.0K Sep 23  2011 srv/
    drwxr-xr-x   13 root root    0 Jun  1 09:21 sys/
    drwxrwxrwt.  78 root root 3.5M Aug  5 15:00 tmp/
    drwxr-xr-x.  13 root root 4.0K Jun 17 10:41 usr/
    drwxr-xr-x.  25 root root 4.0K Aug  5 09:34 var/
    
    root@server [/home/someuser/public_html/wp-content/themes/twentytwelve/rr/sym/root]# ls
    ./   .autofsck     backup/  boot/       core.21626  core.21698  dev/       etc/   lib/    lost+found/  mnt/  proc/       razor-agent.log  sbin/     selinux/  sys/  usr/
    ../  .autorelabel  bin/     core.21328  core.21649  core.21799  error_log  home/  lib64/  media/       opt/  quota.user  root/            scripts@  srv/      tmp/  var/
    
    root@server [/home/someuser/public_html/wp-content/themes/twentytwelve/rr/sym]# ls -lh
    total 12K
    drwxr-xr-x 2 someuser someuser 4.0K Jul 24 14:56 ./
    drwxr-xr-x 8 someuser someuser 4.0K Aug  3 21:15 ../
    -rw-r--r-- 1 someuser someuser  175 Jul 24 14:56 .htaccess
    lrwxrwxrwx 1 someuser someuser    1 Jul 24 14:56 root -> //
    
    root@server [/home/someuser/public_html/wp-content/themes/twentytwelve/rr]# ls -lh
    total 3.7M
    drwxr-xr-x  8 someuser someuser 4.0K Aug  3 21:15 ./
    drwxr-xr-x 12 someuser someuser 4.0K Jul 18 16:48 ../
    lrwxrwxrwx  1 someuser someuser   44 Jul 18 13:18 1.ini -> /home/wallpapercruiser/public_html/index.php
    -rw-r--r--  1 someuser someuser   31 Jul 18 13:21 a.shtml
    -rw-r--r--  1 someuser someuser  15K Jul 18 13:05 b374k\ mini\ shell\ for\ bypass\ shell.php
    drwxr-xr-x  2 someuser someuser 132K Jul 18 13:04 BSKH/
    -rw-r--r--  1 someuser someuser 8.6K Jul 18 13:04 bskh\ smylink\ bypass\ shell.php
    drwxr-xr-x  2 someuser someuser 4.0K Aug  2 10:15 bt/
    drwxr-xr-x  2 someuser someuser 108K Aug  2 10:15 BT/
    drwxr-xr-x  2 someuser someuser 4.0K Jul 18 13:16 c1/
    -rw-r--r--  1 someuser someuser 162K Jul 18 12:33 c100.php
    -rw-r--r--  1 someuser someuser  260 Jul 18 12:19 c1.tar.gz
    -rwxrwxrwx  1 someuser someuser  19K Jul 18 13:28 cat*
    -rw-r--r--  1 someuser someuser  18K Jul 24 15:00 cpf.php
    -rw-r--r--  1 someuser someuser  61K Jul 24 14:57 cp.php
    -rw-r--r--  1 someuser someuser  26K Aug  2 10:18 flitwso.php
    lrwxrwxrwx  1 someuser someuser   12 Jul 18 13:39 HEADER -> /etc/passwd/
    -rw-r--r--  1 someuser someuser  141 Jul 18 13:35 .htaccess
    -rw-r--r--  1 someuser someuser  229 Jul 18 13:03 ini.php
    -rw-r--r--  1 someuser someuser  28K Jul 18 13:28 ln
    -rw-r--r--  1 someuser someuser  84K Jul 24 14:55 maniac.php
    -rw-r--r--  1 someuser someuser 2.2K Jul 18 13:40 mysql.php
    -rw-r--r--  1 someuser someuser   24 Aug  2 10:15 php.ini
    drwxr-xr-x  2 someuser someuser 2.9M Aug  2 10:16 podi/
    -rw-r--r--  1 someuser someuser  48K Aug  2 10:15 priv8.php
    lrwxrwxrwx  1 someuser someuser   12 Jul 18 13:38 README -> /etc/passwd/
    drwxr-xr-x  2 someuser someuser 4.0K Jul 24 14:56 sym/
    lrwxrwxrwx  1 someuser someuser   40 Jul 18 13:31 test.shtml -> /home/filedown/public_html/wp-config.php
    lrwxrwxrwx  1 someuser someuser   40 Jul 18 13:35 tt.txt -> /home/filedown/public_html/wp-config.php
    -rwxr-xr-x  1 someuser someuser  23K Jul 18 12:15 ww.dd*
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

  3. quizknows

    quizknows Well-Known Member

    If you are root you will be able to follow the symlink.

    Even the best protections generally don't stop someone from creating a symlink to root or to other files; the point of the protections is to render said link useless or un-followable by an unprivileged user such as a cpanel user or the apache 'nobody' user.

    What you need to check is someuser.com/wp-content/themes/twentytwelve/rr/sym/root and make sure apache is not following the link(s).

    Also if you are using cloudlinux or the 'symlink race condition protection' option in EA, you do not need the rack911 patch and it may cause you problems.

    With cloudlinux you also have the option of just using 'securelinks on' in /usr/local/apache/conf/modhostinglimits.user.conf or setting the correct settings for securelinks in /etc/sysctl.conf as outlined in their documentation:

    http://docs.cloudlinux.com/index.html?securelinks.html

    Since 'nobody' is uid 99 on a cpanel system you would set:
    Code:
    fs.enforce_symlinksifowner = 1
    fs.symlinkown_gid = 99
    
    OR add 'securelinks on' to /usr/local/apache/conf/modhostinglimits.user.conf and restart Apache. That's the easiest way with CloudLinux, and you don't need the rack911 or EA patch in that case.
     
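The point made above, that the link is allowed to exist and what matters is whether an unprivileged user such as Apache's 'nobody' can follow it, can be turned into an audit you run as root without relying on root's own ability to traverse the link. The script below is an added example and is not code from this thread, from cPanel or from CloudLinux. It re-implements in user space the ownership rule that fs.enforce_symlinksifowner = 1 enforces in the kernel (a symlink is only followed when the link's owner matches the target's owner) and additionally flags any link that resolves outside the account's home directory, which is what the "root -> //" and "tt.txt -> /home/filedown/..." links in the first post do. The sample tree it builds is constructed for the demo; it uses the same names as the post but contains only placeholder files. It assumes GNU coreutils (stat -c, readlink -f) as found on CentOS.

```shell
#!/bin/sh
# Added example (not from the thread): audit symlinks under a cPanel user's
# document root and report the ones the CloudLinux securelinks /
# fs.enforce_symlinksifowner policy would refuse to follow, plus any link
# that escapes the account's home directory. Assumes GNU stat/readlink.

# audit_symlinks DOCROOT HOME
# Prints one line per symlink:  <link> <resolved-target> <verdict>
# verdict: outside-home | owner-mismatch | ok
audit_symlinks() {
    docroot=$1
    home=$(readlink -f "$2")
    find "$docroot" -type l | sort | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null || echo '?')
        link_uid=$(stat -c %u "$link")
        # stat -L follows the link, so this is the owner of the target
        target_uid=$(stat -L -c %u "$link" 2>/dev/null || echo '?')
        case "$target" in
            "$home"|"$home"/*) verdict=ok ;;
            *)                 verdict=outside-home ;;
        esac
        # the kernel rule: same owner on both ends, otherwise refuse
        if [ "$verdict" = ok ] && [ "$link_uid" != "$target_uid" ]; then
            verdict=owner-mismatch
        fi
        printf '%s %s %s\n' "$link" "$target" "$verdict"
    done
}

# count_escapes DOCROOT HOME: number of links whose verdict is not "ok"
count_escapes() {
    audit_symlinks "$1" "$2" | grep -cv ' ok$' || true
}

# build_sample_tree DIR: constructed replica of the layout in the first post
# (names only; placeholder files, no shells or real secrets)
build_sample_tree() {
    base=$1
    mkdir -p "$base/home/someuser/public_html/rr/sym" \
             "$base/home/filedown/public_html"
    echo '<?php // placeholder' > "$base/home/someuser/public_html/index.php"
    echo '<?php // placeholder' > "$base/home/filedown/public_html/wp-config.php"
    # filesystem root, another account's config, and a harmless in-home link
    ln -s // "$base/home/someuser/public_html/rr/sym/root"
    ln -s "$base/home/filedown/public_html/wp-config.php" \
          "$base/home/someuser/public_html/rr/tt.txt"
    ln -s ../index.php "$base/home/someuser/public_html/rr/local.txt"
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    build_sample_tree "$tmp"
    audit_symlinks "$tmp/home/someuser/public_html" "$tmp/home/someuser"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see the three verdicts on the constructed tree, or call `audit_symlinks /home/someuser/public_html /home/someuser` on a real account. Because the thread shows root listing `/` through the link, remember this audit deliberately compares ownership instead of trying to open the target: as root you will always succeed. The complementary runtime check is the one quizknows suggests, a request as Apache would serve it, e.g. `curl -sI http://someuser.com/wp-content/themes/twentytwelve/rr/sym/root/etc/passwd` should not return 200 once protection is active, and on CloudLinux `sysctl fs.enforce_symlinksifowner fs.symlinkown_gid` shows whether the kernel rule from the previous post is live.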