Thread: SymLink Vulnerability cPanel
-
01-11-2013, 08:23 AM #1Disabled
- Join Date
- Jan 2011
- Posts
- 674
SymLink Vulnerability cPanel
I have had lots of websites hacked on a shared cPanel server, and it appears that it is a Symlink vulnerability on the server. Can anyone advise how to protect against these attacks and how they are carried out?
-
01-11-2013, 08:43 AM #2Web Hosting Master
- Join Date
- Oct 2012
- Location
- Europe and USA
- Posts
- 991
Disable the symlink and shell functions in php.ini
Open /usr/lib/php.ini
Find this line:
Code:
disable_functions =
Code:
disable_functions = "symlink,shell_exec,exec,system,chmod"
Code:
httpd restart
-
01-11-2013, 08:47 AM #3Disabled
- Join Date
- Jan 2011
- Posts
- 674
-
01-11-2013, 08:49 AM #4Web Hosting Master
- Join Date
- Oct 2012
- Location
- Europe and USA
- Posts
- 991
No, don't ever do this, symlinks are necessary for Linux and cPanel. Just disable their creation by PHP.
Regarding your other question, no, you do not need to edit httpd.conf
Some other security measures: Run EasyApache and install mod_security and suhosin (if not already done so)
-
01-11-2013, 08:50 AM #5Disabled
- Join Date
- Jan 2011
- Posts
- 674
EasyApache and mod_security are already installed, Suhosin is not supported as I am running PHP v5.3.
-
01-11-2013, 08:52 AM #6Web Hosting Master
- Join Date
- Oct 2012
- Location
- Europe and USA
- Posts
- 991
-
01-11-2013, 08:54 AM #7Digital Marketing Strategist
- Join Date
- Dec 2011
- Location
- Germany
- Posts
- 1,180
You can use this SymLink patch for EasyApache:
1. http://spasov.us/patch/Apache.zip
Log in as root and go to /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/Apache
Upload these files, SymlinkProtection.pm and SymlinkProtection.pm.tar.gz, to this directory: /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/Apache
2. Run /scripts/easyapache, and select SymlinkProtection from the "Exhaustive Options" list
-
01-11-2013, 08:55 AM #8Disabled
- Join Date
- Jan 2011
- Posts
- 674
-
01-11-2013, 08:57 AM #9Digital Marketing Strategist
- Join Date
- Dec 2011
- Location
- Germany
- Posts
- 1,180
-
01-11-2013, 08:58 AM #10Web Hosting Master
- Join Date
- Oct 2012
- Location
- Europe and USA
- Posts
- 991
-
01-11-2013, 08:59 AM #11Disabled
- Join Date
- Jan 2011
- Posts
- 674
-
01-11-2013, 09:02 AM #12Hello World
- Join Date
- Nov 2009
- Location
- /etc/my.cnf
- Posts
- 10,657
Safemode won't protect from anything in this instance since it's deprecated as of PHP 5.3 and shall be removed as of PHP 5.4
http://php.net/manual/en/features.safe-mode.php
-
01-11-2013, 09:04 AM #13Quality Web Hosting Matters
- Join Date
- Mar 2006
- Location
- Servers
- Posts
- 1,590
Disabling all these PHP functions will kill the functionality. Also, if there is some vulnerability, an attacker can upload their own php.ini and override all these php.ini restrictions implemented by the web hosting company.
-
01-11-2013, 09:08 AM #14Digital Marketing Strategist
- Join Date
- Dec 2011
- Location
- Germany
- Posts
- 1,180
-
01-11-2013, 09:10 AM #15Disabled
- Join Date
- Jan 2011
- Posts
- 674
-
01-11-2013, 09:19 AM #16Disabled
- Join Date
- Jan 2011
- Posts
- 674
Just tried to run easyapache and got this error:
-- Begin opt 'SymlinkProtection patch' --
-- Begin step 'Applying SymlinkProtection patch' --
Testing patch 'symlinkprotection.patch' -p1...
The text leading up to this was:
--------------------------
|--- httpd-2.2.22.orig/server/request.c 2012-03-03 17:39:45.000000000 -0400
|+++ httpd-2.2.22/server/request.c 2012-03-03 17:29:22.000000000 -0400
--------------------------
File to patch:
Skip this patch? [y]
3 out of 3 hunks ignored
Testing patch 'symlinkprotection.patch' -p0...
The text leading up to this was:
--------------------------
|--- httpd-2.2.22.orig/server/request.c 2012-03-03 17:39:45.000000000 -0400
|+++ httpd-2.2.22/server/request.c 2012-03-03 17:29:22.000000000 -0400
--------------------------
File to patch:
Skip this patch? [y]
3 out of 3 hunks ignored
!! Patch test 'symlinkprotection.patch' failed !!
!! Restoring original working apache !!
-
01-11-2013, 10:04 AM #17Disabled
- Join Date
- Jan 2011
- Posts
- 674
Ok, managed to get it working, it seems the patch was written for Apache v2.2.22 rather than for the latest current version v2.2.23.
To fix this error, simply update the patch file to use 2.2.23 and it should then install successfully via EasyApache.
-
01-13-2013, 11:43 AM #18Web Hosting Guru
- Join Date
- May 2011
- Posts
- 283
I would suggest you get a CloudLinux kernel with CageFS enabled, so that symlinks from an account to root or home won't be accessible for that user.
-
01-14-2013, 12:48 PM #19Disabled
- Join Date
- Jan 2011
- Posts
- 674
I read on cPanel forum that you can also change the permissions of ln and this will stop users from being able to execute the symlink command, e.g.
chmod 760 /bin/ln
-
01-14-2013, 01:10 PM #20Web Hosting Master
- Join Date
- Oct 2012
- Location
- Europe and USA
- Posts
- 991
PHP web applications have no reason to run shell commands, so these disabled functions in my previous post do not cause any problems at all.
Also, functions disabled on the entire server by the global php.ini can not be enabled by local php.ini files uploaded by the users. The disable_functions directive can not be overridden by the users.
-
01-31-2013, 09:49 AM #21Disabled
- Join Date
- Jan 2011
- Posts
- 674
Ok, seems like after I installed the patch a few weeks ago, I got hacked again. The patch does not seem to be 100% effective, as a user managed to create a symlink to the root folder due to a weak cPanel login password for a specific user.
Does anyone know if the server or cPanel will break if I change the permissions of ln to 760?
-
01-31-2013, 10:46 AM #22Disabled
- Join Date
- Jan 2011
- Posts
- 674
Does the patch only prevent php files and not perl files?
-
01-31-2013, 11:19 AM #23Junior Guru Wannabe
- Join Date
- Nov 2007
- Location
- Iceland
- Posts
- 32
Upgrade to CloudLinux, it has protection against this as well as CageFS.
http://www.cloudlinux.com/blog/clnew...for-apache.php
http://docs.cloudlinux.com/index.html?securelinks.html
-
01-31-2013, 12:21 PM #24Web Hosting Master
- Join Date
- Mar 2003
- Location
- Canada
- Posts
- 9,072
-
01-31-2013, 12:52 PM #25WHT Addict
- Join Date
- Jul 2010
- Posts
- 123
We (HostGator) reported this vulnerability to Bugtraq in 2009 including a patch for EasyApache at that time (which has since been evolved into an even larger patch we utilize on our shared servers now).
If you google for 'hostgator bugtraq symlink' you'll see our report in the first result.
You can use our original patch, one of two patches provided in a huge forum thread on the cPanel forums about this issue, or CloudLinux as previously stated in this thread to resolve the issue for now.
However it should be noted that attack vectors still exist without kernel level patching if you go with the apache patch route.
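An added example, not part of any post in this thread: a read-only audit that lists symlinks inside each account's home directory whose resolved target lies outside that account, such as the link to the root folder described in post #21. The `/home/<user>` layout, the function names and the `ALLOW_PREFIXES` variable are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the thread: list symlinks inside each account's
# home that resolve to a path outside that account.
# Assumptions: accounts live in BASE/<user> (default /home); `readlink -f`
# (GNU coreutils or busybox) is available.

# Space-separated target prefixes to accept, e.g. a log directory that the
# control panel links into every home. Hypothetical knob, empty by default.
ALLOW_PREFIXES=${ALLOW_PREFIXES:-}

# audit_home HOME_DIR
# Prints "LINK -> RESOLVED_TARGET" for each escaping symlink under HOME_DIR.
audit_home() {
    acct_home=$(readlink -f "$1") || return 1
    find "$acct_home" -type l -exec sh -c '
        home=$1; allow=$2; shift 2
        for link in "$@"; do
            target=$(readlink -f "$link" 2>/dev/null)
            [ -n "$target" ] || target=$(readlink "$link")  # unresolvable
            case "$target" in
                "$home"|"$home"/*) continue ;;   # stays inside the account
            esac
            skip=0
            for p in $allow; do
                case "$target" in "$p"|"$p"/*) skip=1 ;; esac
            done
            [ "$skip" -eq 1 ] || printf "%s -> %s\n" "$link" "$target"
        done
    ' sh "$acct_home" "$ALLOW_PREFIXES" {} +
}

# audit_all [BASE]
# Runs audit_home on every directory directly under BASE.
audit_all() {
    base_dir=${1:-/home}
    for dir in "$base_dir"/*/; do
        [ -d "$dir" ] && audit_home "$dir"
    done
    return 0
}

# Audit the given base directory when called with an argument.
if [ "$#" -gt 0 ]; then
    audit_all "$1"
fi
```

Each reported line is a candidate for review rather than proof of compromise; links that the hosting stack itself creates can be listed in `ALLOW_PREFIXES` once confirmed.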