What is the method to stop this hack?

Discussion in 'Security' started by Data 1, Jan 28, 2011.

  1. Data 1

    Data 1 Well-Known Member

    I read all over the internet about the cross-site script hack where all folders with 777 permissions are written to, putting a .htaccess file and a PHP file that begins with numbers only. It happened to a few of my servers more than once.

    I see nowhere that it says "to stop this from happening, do bla bla bla" or any test scripts you can run to see if it can happen on your server.

    Any insight from the seasoned professionals?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    While we wait for one of them, I'll offer a few links to get you going in the right direction.

    Basic Security Concepts

    Recommended Security Settings Checklists

    http://docs.cpanel.net/twiki/pub/AllDocumentation/ReleaseNotes/recommended_settings.pdf

    There were several threads last year on the topic of iframe attacks you might like to search the forums for as well; they went in several directions with tips and discussion on this, IIRC.

    Here's one of them:
    http://forums.cpanel.net/f185/iframe-javascript-hacks-62821.html

    Not sure how helpful any of that is but there you go.

    GL!
     
  3. Data 1

    Data 1 Well-Known Member

    Thank you for the reply. I have read stuff till my eyes bled for months :) I know Suhosin is out because it kills the admin panel in WordPress installs.

    I have a test server set up with mod_security and suPHP, but have no way of verifying if it would stop this kind of attack. Seems like if user "nobody" cannot write it would cure the problem and so far it hasn't hampered any of the apps/scripts I have installed. It actually made things easier because 777 was not needed for scripts to write.

    Still I don't know if it would stop the ability to write outside your home directory, but if they could it would at least show which user was writing.

    Still testing, would like as much input and opinions as possible please.
     
  4. PenguinInternet

    PenguinInternet Well-Known Member
    PartnerNOC

    We use Suhosin and host many WordPress sites without any issues. You can always alter the Suhosin config if you need to make any specific changes from issues - I wouldn't rule it out overall.
     
  5. Data 1

    Data 1 Well-Known Member

    OK, I'll play with it again. What Suhosin didn't like was that the admin panel in WordPress attempts to change the PHP memory limit. I didn't know Suhosin was adjustable, thank you for the tip.
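
As an added example, not part of the original thread and not cPanel code: a shell audit for the indicators the first post describes (a .htaccess file and a numeric-named PHP file dropped into folders with 777 permissions). It assumes GNU find and stat and reads "begins with numbers only" as an all-digit file name; the function names are chosen here.

```shell
#!/bin/sh
# Added example: audit for the indicators described in the thread.
# Assumptions: GNU find/stat; "begins with numbers only" is read as an
# all-digit name such as 48213.php (constructed sample name).
# Findings are candidates for review: a legitimate .htaccess in a 777
# directory is listed too.

# Print every directory under ROOT that any user can write to (o+w, so 777 too).
list_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -print 2>/dev/null
}

# Print .htaccess and all-digit *.php files sitting directly in DIR.
suspicious_files_in() {
    find "$1" -maxdepth 1 -type f \
        \( -name '.htaccess' -o -name '[0-9]*.php' \) -print 2>/dev/null |
        grep -E '/(\.htaccess|[0-9]+\.php)$'
}

# One line per finding: owner, modification time, path.
# Under mod_php the owner of a dropped file is the web server user
# ("nobody" in the thread); under suPHP it is the account that wrote it.
audit() {
    list_world_writable_dirs "$1" | while IFS= read -r dir; do
        suspicious_files_in "$dir" | while IFS= read -r file; do
            stat -c '%U %y %n' "$file"
        done
    done
}

# Number of findings under ROOT.
count_findings() {
    audit "$1" | wc -l | tr -d ' '
}

# Usage: sh audit.sh /home
if [ "$#" -ge 1 ]; then
    audit "$1"
fi
```

Running it before and after a permissions cleanup shows which world-writable directories remain and which account owns anything that was dropped into them.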
     