
/usr/local/apache/proxy ?

Discussion in 'EasyApache' started by Curto, May 21, 2004.

  1. Curto

    Curto, Active Member. Joined: Sep 4, 2003. Messages: 40. Likes Received: 0. Trophy Points: 6. Location: NY, USA.

    Does anyone know what purpose /usr/local/apache/proxy is there to achieve?

    I'm in the process of developing a procedure for hardening my servers, and I've found this path, which is owned by nobody.nobody, and as it's on the main partition it does not have noexec set.

    This path appears to be vulnerable to the same types of issues as /tmp (before hardening).

    Would there be any side effect from removing this directory, or should I work around this (symlink to a path under /tmp which has noexec set)?
     
  2. AnthonyR

    AnthonyR, Active Member. Joined: Oct 28, 2003. Messages: 38. Likes Received: 0. Trophy Points: 6.

    It is vulnerable and I found a DoS tool in there - and would love to know how to protect it (the server, not the tool).
     
  3. Curto

    Well...

    After consulting with the cPanel developers, I've been told that path is not needed unless you're actually running an Apache proxy server (you don't by default).

    So... there are two fixes:

    1) If you're not running a proxy server, simply remove the directory (rm -rf /usr/local/apache/proxy)

    2) If you do need this path, then you can create a directory under tmp (mkdir /tmp/usr-local-apache-proxy; chown nobody.nobody /tmp/usr-local-apache-proxy; chmod 755 /tmp/usr-local-apache-proxy), remove the existing directory (rm -rf /usr/local/apache/proxy), and then create a symlink (ln -s /tmp/usr-local-apache-proxy /usr/local/apache/proxy).

    Note, solution #2 will only work if you already have your /tmp directory hardened to include noexec. Otherwise it doesn't secure it at all :) To harden I recommend (and use) these instructions: http://www.webhostgear.com/34.html

    Regards,
    Michael

    BTW, I'm out of the office till Tuesday afternoon... running away with my wife for our anniversary :)
     
  4. AnthonyR

    Happy anniversary!

    Thanks for this - it's great stuff :)
     
  5. tvcnet

    tvcnet, Well-Known Member, PartnerNOC. Joined: Aug 15, 2003. Messages: 116. Likes Received: 0. Trophy Points: 16. Location: San Diego. cPanel Access Level: DataCenter Provider.

    Good notes.
    Yes, I expect 7 in 10 cPanel hosts are being hacked "now" or have been hacked through this directory recently.
    /usr/local/apache/proxy

    Script kiddies love to put their IRC wares in there as well as DoS stuff.


    Also, Do Now:

    cd /usr/local/apache/proxy
    (should be no files in there.)

    locate /iroffer
    (oh my... do a google to see what it is)

    cd /var/spool/mail
    (look for "nobody" permissioned accounts)


    Best Wishes,
    Jim
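
A check for the caveat in post 3, that the symlink fix only helps if /tmp really is mounted noexec. This is an added example, not part of the original thread or of any cPanel tool; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw,noexec,nosuid 0 0
/dev/sda3 /home ext3 rw,nosuid 0 0'

# mount_opts_for PATH [MOUNTS_TEXT] (hypothetical helper)
# Print the options of the mount that holds PATH: the longest mount point
# that equals PATH or is one of its parent directories. Reads /proc/mounts
# when no table is passed in.
mount_opts_for() {
    target=$1
    mounts=${2:-$(cat /proc/mounts)}
    printf '%s\n' "$mounts" | awk -v p="$target" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # ">=" lets a later mount on the same point shadow an earlier one
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# has_noexec OPTS: succeed only if "noexec" is a whole option in the list.
has_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_dir PATH [MOUNTS_TEXT]: print a one-line verdict for PATH.
# On a live host pass the resolved path, e.g. "$(readlink -f DIR)", so a
# symlinked directory is judged by the mount its target lives on.
audit_dir() {
    opts=$(mount_opts_for "$1" "${2:-}")
    if has_noexec "$opts"; then
        echo "NOEXEC $1 ($opts)"
    else
        echo "EXEC-ALLOWED $1 ($opts)"
    fi
}

# Demo on the constructed table: the original location versus the /tmp target.
audit_dir /usr/local/apache/proxy "$SAMPLE_MOUNTS"
audit_dir /tmp/usr-local-apache-proxy "$SAMPLE_MOUNTS"
```

Called without a second argument, the functions read the live /proc/mounts instead of the sample table.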
     