  1. #1
    Join Date
    Jan 2011
    Posts
    669

    SymLink Vulnerability cPanel

    I have had lots of websites hacked on a shared cPanel server, and it appears that it is a Symlink vulnerability on the server. Can anyone advise how to protect against these attacks and how they are carried out?

  2. #2
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    818
    Disable the symlink and shell functions in php.ini

    Open /usr/lib/php.ini

    Find this line:
    Code:
    disable_functions =
    and modify it to

    Code:
    disable_functions = "symlink,shell_exec,exec,system,chmod"
    then restart Apache
    Code:
    httpd restart
    This will prevent the creation of symlinks and execution of shell commands by PHP scripts
    Last edited by NetworkPanda; 01-11-2013 at 08:50 AM.
    Network Panda :: Shared Web Hosting SSD Powered - SSD VPS
    Instant activation, SSD disks, cPanel, FFMPEG, Softaculous/Installatron
    Fast servers in USA, Canada, UK, Germany, Netherlands, France

  3. #3
    Join Date
    Jan 2011
    Posts
    669
    Quote Originally Posted by NetworkPanda View Post
    Disable the symlink and shell functions in php.ini

    Open /usr/lib/php.ini

    Find this line:
    Code:
    disable_functions =
    and modify it to

    Code:
    disable_functions = "symlink,shell_exec,exec,system"
    then restart Apache
    Code:
    httpd restart
    This will prevent the creation of symlinks and execution of shell commands by PHP scripts

    Thanks, any other change I can make, e.g. edit httpd conf file?

    How about turning off symlinks completely on the server? Or will this break cPanel?

  4. #4
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    818
    Quote Originally Posted by kshazad86 View Post
    Thanks, any other change I can make, e.g. edit httpd conf file?

    How about turning off symlinks completely on the server? Or will this break cPanel?
    No, don't ever do this, symlinks are necessary for Linux and cPanel. Just disable their creation by PHP.

    Regarding your other question, no, you do not need to edit httpd.conf

    Some other security measures: Run EasyApache and install mod_security and suhosin (if not already done so)
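
A check for links that already exist, added here as an example and not part of any post in the thread: it lists symlinks inside each account's web root that resolve outside that account's own home directory. The `<root>/<account>/public_html` layout and the function name are assumptions, and GNU `readlink -f` is required.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes each account lives in
# <root>/<account>/ with its web root in public_html (e.g. root = /home).

# Print "link -> target" for every symlink under <root>/<account>/public_html
# whose resolved target is outside that account's own home directory.
find_foreign_symlinks() (
    root=$(readlink -f "$1") || exit 1
    for home in "$root"/*/; do
        home=${home%/}
        [ -d "$home/public_html" ] || continue
        find "$home/public_html" -type l 2>/dev/null |
        while IFS= read -r link; do
            # Resolve the whole chain; an unresolvable link yields "".
            target=$(readlink -f "$link") || target=""
            case "$target" in
                "$home"/*) ;;                          # stays inside the account
                "") echo "$link -> (unresolvable)" ;;  # broken chain, review by hand
                *)  echo "$link -> $target" ;;         # leaves the account: report
            esac
        done
    done
)

# Usage: sh symlink_check.sh /home
if [ "$#" -ge 1 ]; then
    find_foreign_symlinks "$1"
fi
```

Every reported link deserves a look: check the link's owner and creation time against the web server and FTP logs for that account.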

  5. #5
    Join Date
    Jan 2011
    Posts
    669
    EasyApache and mod_security are already installed, Suhosin is not supported as I am running PHP v5.3.

  6. #6
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    818
    Quote Originally Posted by kshazad86 View Post
    EasyApache and mod_security are already installed, Suhosin is not supported as I am running PHP v5.3.
    Suhosin is supported officially by PHP 5.3 and cPanel. We have been running it for several months on our servers with PHP 5.3.x
    Check again. If you can't install it via EasyApache, maybe you are not running the latest cPanel version.

  7. #7
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,019
    You can use this SymLink patch for EasyApache:

    1. http://spasov.us/patch/Apache.zip

    Log in as root and go to /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/Apache

    Upload the files SymlinkProtection.pm and SymlinkProtection.pm.tar.gz to this directory: /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/Apache

    2. Run /scripts/easyapache, and select SymlinkProtection from the "Exhaustive Options" list
    Also you can have a look at this article: http://www.hostbreak.com/blog/tech-t...erver-security
    r00t-Services.net | DDoS Protected VMs & Remote DDoS Protection, Security, Optimization.
    In business since 2011 | Contact us: support[at]r00t-services.net
    Affordable & Powerful DDoS Protection Service in Europe and the USA! (⌐■_■)--︻╦╤─ - - - DDoS

  8. #8
    Join Date
    Jan 2011
    Posts
    669
    Quote Originally Posted by NetworkPanda View Post
    Suhosin is supported officially by PHP 5.3 and cPanel. We have been running it for several months on our servers with PHP 5.3.x
    Check again. If you can't install it via EasyApache, maybe you are not running the latest cPanel version.
    Yep, my mistake, thanks, suhosin is already installed. One other thing, will enabling PHP Safe mode in the global php.ini file also help with these kinds of attacks?

  9. #9
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,019
    Quote Originally Posted by kshazad86 View Post
    Yep, my mistake, thanks, suhosin is already installed. One other thing, will enabling PHP Safe mode in the global php.ini file also help with these kinds of attacks?
    No, safemode is deprecated in recent PHP versions.

  10. #10
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    818
    Quote Originally Posted by kshazad86 View Post
    Yep, my mistake, thanks, suhosin is already installed. One other thing, will enabling PHP Safe mode in the global php.ini file also help with these kinds of attacks?
    This will protect from hacks but it will also disable some functions required by a lot of PHP scripts. I don't recommend it, it will disappoint your customers.

  11. #11
    Join Date
    Jan 2011
    Posts
    669
    Quote Originally Posted by infinitnet View Post
    You can use this SymLink patch for EasyApache:


    Also you can have a look at this article: http://www.hostbreak.com/blog/tech-t...erver-security
    Is this a custom patch? It won't break cPanel in any way?

  12. #12
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    9,760
    Quote Originally Posted by NetworkPanda View Post
    This will protect from hacks but it will also disable some functions required by a lot of PHP scripts. I don't recommend it, it will disappoint your customers.
    Safemode won't protect from anything in this instance since it's deprecated as of PHP 5.3 and shall be removed as of PHP 5.4

    http://php.net/manual/en/features.safe-mode.php
    LeapHost High Performance Fully Managed App Solutions Powered By NitroStack™
    Fast Dedicated Servers | 15+ Global Locations | Server Management Specialists
    Fly Faster With The Speed of Light! | Be A Talkative Soul > Visit Our LH Forums

  13. #13
    Join Date
    Sep 2006
    Location
    Servers
    Posts
    1,543
    Disabling all these PHP functions will kill the functionality. Also, if there is some vulnerability, an attacker can upload their own php.ini and override all these php.ini restrictions implemented by the web hosting company.
    QHoster.com - Web Hosting with DDoS Protection | Shared & Reseller in Europe/North America
    Linux/Windows RDP VPS - Locations UK, US, CA, BG, LT, FR, DE, NL, CH | OpenVPN/PPTP Enabled
    Instant setup | PayPal, Skrill, Payza, Bitcoin, WebMoney, Perfect Money, STP, Ukash, CashU
    █ Call us: (USA +1) 877 423 1155 | (UK +44) 800 610 1580 | (Skype) : qhoster
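
An audit covering posts #2 and #13, added here as an example and not written by anyone in the thread: it reports which of the functions from post #2 a given php.ini fails to disable, and lists per-directory ini files under the account homes that could carry the override post #13 describes. The function names and the paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the paths in the
# usage line are assumptions; adjust them to the server being audited.

# Functions that post #2 lists in disable_functions.
REQUIRED="symlink shell_exec exec system chmod"

# Print the functions from $REQUIRED that the given php.ini does not disable.
# Empty output means the file disables all of them.
missing_disabled() (
    # Lines starting with ';' are comments and are skipped by the anchor;
    # if the directive appears more than once, the last one is used.
    line=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" | tail -n 1)
    line=${line#*=}
    line=$(printf '%s' "$line" | tr -d "\"' \t\r" | tr ',' ' ')
    out=""
    for f in $REQUIRED; do
        case " $line " in
            *" $f "*) ;;
            *) out="$out $f" ;;
        esac
    done
    printf '%s\n' "${out# }"
)

# List per-directory ini files below a home root. Whether such a file takes
# effect depends on the PHP handler, so each hit needs a manual review.
find_ini_overrides() (
    find "$1" -type f \( -name 'php.ini' -o -name '.user.ini' \) 2>/dev/null | sort
)

# Usage: sh php_ini_audit.sh /usr/lib/php.ini /home
if [ "$#" -ge 2 ]; then
    echo "Not disabled in $1: $(missing_disabled "$1")"
    find_ini_overrides "$2"
fi
```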

  14. #14
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,019
    Quote Originally Posted by kshazad86 View Post
    Is this a custom patch? It won't break cPanel in any way?
    It's from the cPanel forums and written by Rack911 afaik.

  15. #15
    Join Date
    Jan 2011
    Posts
    669
    Quote Originally Posted by infinitnet View Post
    It's from the cPanel forums and written by Rack911 afaik.
    OK great, will give this a try, thanks.
