The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Symlink Race Condition

Discussion in 'Security' started by keat63, Mar 13, 2015.

  1. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Last night, I removed Ruid2 for two reasons.
    1. It seems to be conflicting with OWASP
    2. It appears to conflict with an OS Commerce application i'm testing.

    I Installed SUphp with SUexec and Bluehost Symlink Patch

    Today, I came in to work to find lots of errors like this.
    "Caught race condition abuser. attacker: 505, victim: 0 open file owner: 0, open file:"

    Which I assume is CSF.

    I've never seen these under Ruid2.

    Need I be worried ?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    649
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Here's the first result I found when entering "Caught race condition abuser. attacker: 505" (including the quotes) on Google:

    EA Symlink Race Condition

    Searching this page for that same quote, it shows:

    Thus, it's preventing access to files the user does not own. You can review the file to see if it's an exploit attempt.

    Thank you.
     
  3. keat63

    keat63 Well-Known Member

    Joined:
    Nov 20, 2014
    Messages:
    765
    Likes Received:
    20
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I believe this was something left over from last nights changes and a user permissions thing.
    Digging deep inside the user folder i found a number of files which had not changed ownership when i ran CHOWN.
    Since I re ran CHOWN the errors appear to have subsided.
     
Loading...

Share This Page