Page 1 of 2 (Results 1 to 25 of 35)
  1. #1
    Join Date
    Jan 2011
    Posts
    671

    SymLink Vulnerability cPanel

    I have had lots of websites hacked on a shared cPanel server, and it appears that it is a Symlink vulnerability on the server. Can anyone advise how to protect against these attacks and how they are carried out?

  2. #2
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    823
    Disable the symlink and shell functions in php.ini

    Open /usr/lib/php.ini

    Find this line:
    Code:
    disable_functions =
    and modify it to

    Code:
    disable_functions = "symlink,shell_exec,exec,system,chmod"
    then restart Apache
    Code:
    httpd restart
    This will prevent the creation of symlinks and execution of shell commands by PHP scripts
    Last edited by NetworkPanda; 01-11-2013 at 08:50 AM.
    Network Panda :: Shared Web Hosting SSD Powered - SSD VPS
    Instant activation, SSD disks, cPanel, FFMPEG, Softaculous/Installatron
    Fast servers in USA, Canada, UK, Germany, Netherlands, France
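As an added example (not code from the thread or from the poster above), the following shell script audits a php.ini file for the disable_functions entries the post recommends. It reads the file rather than the running interpreter, so it can be run against any php.ini path; the sample .ini files it creates are constructed for the demonstration and the function and variable names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): audit a php.ini for the disable_functions
# entries suggested above. Usage: php_ini_missing_disabled /usr/lib/php.ini
# Prints the wanted function names that are NOT disabled (space separated) and
# returns 1; prints nothing and returns 0 when every wanted name is disabled.

# The names from the post above; override with WANTED="..." in the environment.
WANTED=${WANTED:-"symlink shell_exec exec system chmod"}

php_ini_disabled_list() {
    # Effective disable_functions value from a php.ini: ignore commented
    # lines, take the last assignment (a later one wins), drop quotes and
    # whitespace, and turn the comma list into a space-separated list.
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" \
        | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/"//g' -e "s/'//g" -e 's/[[:space:]]//g' -e 's/,/ /g'
}

php_ini_missing_disabled() {
    disabled=" $(php_ini_disabled_list "$1") "
    missing=""
    for fn in $WANTED; do
        case "$disabled" in
            *" $fn "*) ;;                              # already disabled
            *) missing="${missing:+$missing }$fn" ;;   # still callable
        esac
    done
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample files for the demonstration (not copied from any server).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/weak.ini" <<'EOF'
; disable_functions = "symlink,exec"   <- commented out, so it has no effect
disable_functions =
EOF
cat > "$SAMPLE_DIR/hardened.ini" <<'EOF'
disable_functions = "symlink, shell_exec, exec, system, chmod"
EOF

php_ini_missing_disabled "$SAMPLE_DIR/weak.ini"       # prints: symlink shell_exec exec system chmod
php_ini_missing_disabled "$SAMPLE_DIR/hardened.ini"   # prints nothing, returns 0
```

The file check only tells you what the ini says; after the Apache restart, confirm what the interpreter actually loaded with `php -i | grep disable_functions`, since a php.ini other than the one you edited may be the one in use.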

  3. #3
    Join Date
    Jan 2011
    Posts
    671
    Quote Originally Posted by NetworkPanda View Post
    Disable the symlink and shell functions in php.ini

    Open /usr/lib/php.ini

    Find this line:
    Code:
    disable_functions =
    and modify it to

    Code:
    disable_functions = "symlink,shell_exec,exec,system"
    then restart Apache
    Code:
    httpd restart
    This will prevent the creation of symlinks and execution of shell commands by PHP scripts

    Thanks. Any other change I can make, e.g. edit the httpd conf file?

    How about turning off symlinks completely on the server? Or will this break cPanel?

  4. #4
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    823
    Quote Originally Posted by kshazad86 View Post
    Thanks. Any other change I can make, e.g. edit the httpd conf file?

    How about turning off symlinks completely on the server? Or will this break cPanel?
    No, don't ever do this; symlinks are necessary for Linux and cPanel. Just disable their creation by PHP.

    Regarding your other question, no, you do not need to edit httpd.conf

    Some other security measures: run EasyApache and install mod_security and Suhosin (if not already done so).
    Network Panda :: Shared Web Hosting SSD Powered - SSD VPS
    Instant activation, SSD disks, cPanel, FFMPEG, Softaculous/Installatron
    Fast servers in USA, Canada, UK, Germany, Netherlands, France

  5. #5
    Join Date
    Jan 2011
    Posts
    671
    EasyApache and mod_security are already installed; Suhosin is not supported as I am running PHP v5.3.

  6. #6
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    823
    Quote Originally Posted by kshazad86 View Post
    EasyApache and mod_security are already installed; Suhosin is not supported as I am running PHP v5.3.
    Suhosin is officially supported by PHP 5.3 and cPanel. We have already been running it for several months on our servers with PHP 5.3.x.
    Check again. If you can't install it via EasyApache, maybe you are not running the latest cPanel version.
    Network Panda :: Shared Web Hosting SSD Powered - SSD VPS
    Instant activation, SSD disks, cPanel, FFMPEG, Softaculous/Installatron
    Fast servers in USA, Canada, UK, Germany, Netherlands, France

  7. #7
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,023
    You can use this SymLink patch for EasyApache:

    1. http://spasov.us/patch/Apache.zip

    Log in as root and go to /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/Apache

    Upload these files (SymlinkProtection.pm and SymlinkProtection.pm.tar.gz) to that directory, /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/Apache

    2. Run /scripts/easyapache, and select SymlinkProtection from the "Exhaustive Options" list.

    Also you can have a look at this article: http://www.hostbreak.com/blog/tech-t...erver-security
    r00t-Services.net | DDoS Protected VMs & Remote DDoS Protection, Security, Optimization.
    In business since 2011 | Contact us: support[at]r00t-services.net
    Affordable & Powerful DDoS Protection Service in Europe and the USA! (⌐■_■)--︻╦╤─ - - - DDoS

  8. #8
    Join Date
    Jan 2011
    Posts
    671
    Quote Originally Posted by NetworkPanda View Post
    Suhosin is officially supported by PHP 5.3 and cPanel. We have already been running it for several months on our servers with PHP 5.3.x.
    Check again. If you can't install it via EasyApache, maybe you are not running the latest cPanel version.
    Yep, my mistake, thanks; Suhosin is already installed. One other thing: will enabling PHP Safe Mode in the global php.ini file also help with these kinds of attacks?

  9. #9
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,023
    Quote Originally Posted by kshazad86 View Post
    Yep, my mistake, thanks; Suhosin is already installed. One other thing: will enabling PHP Safe Mode in the global php.ini file also help with these kinds of attacks?
    No, safe mode is deprecated in recent PHP versions.
    r00t-Services.net | DDoS Protected VMs & Remote DDoS Protection, Security, Optimization.
    In business since 2011 | Contact us: support[at]r00t-services.net
    Affordable & Powerful DDoS Protection Service in Europe and the USA! (⌐■_■)--︻╦╤─ - - - DDoS

  10. #10
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    823
    Quote Originally Posted by kshazad86 View Post
    Yep, my mistake, thanks; Suhosin is already installed. One other thing: will enabling PHP Safe Mode in the global php.ini file also help with these kinds of attacks?
    This will protect from hacks but it will also disable some functions required by a lot of PHP scripts. I don't recommend it, it will disappoint your customers.
    Network Panda :: Shared Web Hosting SSD Powered - SSD VPS
    Instant activation, SSD disks, cPanel, FFMPEG, Softaculous/Installatron
    Fast servers in USA, Canada, UK, Germany, Netherlands, France

  11. #11
    Join Date
    Jan 2011
    Posts
    671
    Quote Originally Posted by infinitnet View Post
    You can use this SymLink patch for EasyApache:

    Also you can have a look at this article: http://www.hostbreak.com/blog/tech-t...erver-security
    Is this a custom patch? It won't break cPanel in any way?

  12. #12
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    9,895
    Quote Originally Posted by NetworkPanda View Post
    This will protect from hacks but it will also disable some functions required by a lot of PHP scripts. I don't recommend it, it will disappoint your customers.
    Safe mode won't protect from anything in this instance since it's deprecated as of PHP 5.3 and shall be removed as of PHP 5.4.

    http://php.net/manual/en/features.safe-mode.php
    UK Based Server Management
    Tel: 0203 189 1159

  13. #13
    Join Date
    Sep 2006
    Location
    Servers
    Posts
    1,548
    Disabling all these PHP functions will kill the functionality. Also, if there is some vulnerability, an attacker can upload their own php.ini and override all these php.ini restrictions implemented by the web hosting company.
    QHoster.com - Web Hosting with DDoS Protection | Shared & Reseller in Europe/North America
    Linux/Windows RDP VPS - Locations UK, US, CA, BG, LT, FR, DE, NL, CH | OpenVPN/PPTP Enabled
    Instant setup | PayPal, Skrill, Payza, Bitcoin, WebMoney, Perfect Money, STP, Ukash, CashU
    █ Call us: (USA +1) 877 423 1155 | (UK +44) 800 610 1580 | (Skype) : qhoster

  14. #14
    Join Date
    Dec 2011
    Location
    Germany
    Posts
    1,023
    Quote Originally Posted by kshazad86 View Post
    Is this a custom patch? It won't break cPanel in any way?
    It's from the cPanel forums and written by Rack911 afaik.
    r00t-Services.net | DDoS Protected VMs & Remote DDoS Protection, Security, Optimization.
    In business since 2011 | Contact us: support[at]r00t-services.net
    Affordable & Powerful DDoS Protection Service in Europe and the USA! (⌐■_■)--︻╦╤─ - - - DDoS

  15. #15
    Join Date
    Jan 2011
    Posts
    671
    Quote Originally Posted by infinitnet View Post
    It's from the cPanel forums and written by Rack911 afaik.
    OK, great, will give this a try, thanks.

  16. #16
    Join Date
    Jan 2011
    Posts
    671
    Quote Originally Posted by kshazad86 View Post
    OK, great, will give this a try, thanks.
    Just tried to run easyapache and got this error:

    -- Begin opt 'SymlinkProtection patch' --

    -- Begin step 'Applying SymlinkProtection patch' --
    Testing patch 'symlinkprotection.patch' -p1...
    The text leading up to this was:
    --------------------------
    |--- httpd-2.2.22.orig/server/request.c 2012-03-03 17:39:45.000000000 -0400
    |+++ httpd-2.2.22/server/request.c 2012-03-03 17:29:22.000000000 -0400
    --------------------------
    File to patch:
    Skip this patch? [y]
    3 out of 3 hunks ignored
    Testing patch 'symlinkprotection.patch' -p0...
    The text leading up to this was:
    --------------------------
    |--- httpd-2.2.22.orig/server/request.c 2012-03-03 17:39:45.000000000 -0400
    |+++ httpd-2.2.22/server/request.c 2012-03-03 17:29:22.000000000 -0400
    --------------------------
    File to patch:
    Skip this patch? [y]
    3 out of 3 hunks ignored
    !! Patch test 'symlinkprotection.patch' failed !!
    !! Restoring original working apache !!
    Any ideas how to get this patch installed correctly?

  17. #17
    Join Date
    Jan 2011
    Posts
    671
    OK, managed to get it working; it seems the patch was written for Apache v2.2.22 rather than for the latest current version, v2.2.23.

    To fix this error, simply update the patch file to use 2.2.23 and it should then install successfully via EasyApache.
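The version fix described in this post, carried out as an added shell example (not the poster's own steps or the patch author's code): the "---"/"+++" file headers of the patch are rewritten from the httpd-2.2.22 directory names to httpd-2.2.23 while the hunks are left untouched, and a second helper lists the files the patch will modify. The patch file it operates on is constructed here with the headers shown in the EasyApache output above and a placeholder hunk body; the real patch's hunks are not on this page. Function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread or the patch author): retarget the
# "---"/"+++" file headers of a patch from one httpd version directory to
# another, as described above, without touching the hunks themselves.
# Usage: retarget_patch_version symlinkprotection.patch 2.2.22 2.2.23 > new.patch

retarget_patch_version() {
    # $1 = patch file, $2 = version string in the headers, $3 = wanted version.
    old_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -e "/^--- /s/httpd-$old_re/httpd-$3/" \
        -e "/^+++ /s/httpd-$old_re/httpd-$3/" "$1"
}

patch_targets() {
    # Paths a patch will touch when applied with -p1: the "+++" header paths
    # with their first directory component (httpd-x.y.z/) stripped off.
    grep '^+++ ' "$1" | awk '{ print $2 }' | sed 's#^[^/]*/##'
}

# Constructed sample patch: the headers mirror the ones shown in the EasyApache
# output above; the hunk body is a placeholder, not the real patch content.
WORK=$(mktemp -d)
cat > "$WORK/symlinkprotection.patch" <<'EOF'
--- httpd-2.2.22.orig/server/request.c	2012-03-03 17:39:45.000000000 -0400
+++ httpd-2.2.22/server/request.c	2012-03-03 17:29:22.000000000 -0400
@@ -1,3 +1,3 @@
 /* placeholder context line */
-/* placeholder removed line */
+/* placeholder added line */
 /* placeholder context line */
EOF

retarget_patch_version "$WORK/symlinkprotection.patch" 2.2.22 2.2.23 \
    > "$WORK/symlinkprotection-2.2.23.patch"
head -n 2 "$WORK/symlinkprotection-2.2.23.patch"       # headers now name httpd-2.2.23
patch_targets "$WORK/symlinkprotection-2.2.23.patch"   # prints: server/request.c
```

Before re-running EasyApache with the rewritten patch, check it against the unpacked Apache source with `patch --dry-run -p1 < symlinkprotection-2.2.23.patch` from inside the httpd source directory: a header fix only helps if the hunks themselves still match the newer request.c, and a dry run tells you that without touching any files.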

  18. #18
    I would suggest you get a CloudLinux kernel with CageFS enabled, so that symlinks from an account to root or home won't be accessible for that user.

  19. #19
    Join Date
    Jan 2011
    Posts
    671
    I read on the cPanel forum that you can also change the permissions of ln, and this will stop users from being able to execute the symlink command, e.g.

    chmod 760 /bin/ln

    I am assuming this would remove the execute permission of the 'ln' command for other users? Are there any negative impacts of using this approach also?

  20. #20
    Join Date
    Oct 2012
    Location
    Europe and USA
    Posts
    823
    Quote Originally Posted by WebHostDog View Post
    Disabling all these PHP functions will kill the functionality. Also, if there is some vulnerability, an attacker can upload their own php.ini and override all these php.ini restrictions implemented by the web hosting company.
    PHP web applications have no reason to run shell commands, so the disabled functions in my previous post do not cause any problems at all.

    Also, functions disabled on the entire server by the global php.ini cannot be enabled by local php.ini files uploaded by the users. The disable_functions directive cannot be overridden by the users.
    Last edited by NetworkPanda; 01-14-2013 at 01:23 PM.
    Network Panda :: Shared Web Hosting SSD Powered - SSD VPS
    Instant activation, SSD disks, cPanel, FFMPEG, Softaculous/Installatron
    Fast servers in USA, Canada, UK, Germany, Netherlands, France

  21. #21
    Join Date
    Jan 2011
    Posts
    671
    OK, it seems that after I installed the patch a few weeks ago, I got hacked again. The patch does not seem to be 100% effective, as a user managed to create a symlink to the root folder due to a weak cPanel login password for a specific user.

    Does anyone know if the server or cPanel will break if I change the permissions of ln to 760?
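A defender-side check for the situation this post describes, added here as an example that is not part of the thread: a point-in-time audit that walks each account directory under a home root and reports every symlink whose resolved target lies outside the owning account (another account's files, the filesystem root, or a dangling target). The throwaway directory tree it builds is constructed for the demonstration; on a cPanel box the real argument would be /home, run as root. Function and variable names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): point-in-time audit for symlinks under
# per-account home directories that resolve outside the owning account.
# Usage: find_escaping_symlinks /home

find_escaping_symlinks() {
    # Physical path of the home root so that comparisons are not fooled by
    # symlinked parents (e.g. /home itself being a symlink).
    home_root=$(cd "$1" && pwd -P) || return 2
    for acct in "$home_root"/*/; do
        acct=${acct%/}
        # Every symlink below the account; compare its fully resolved target
        # against the account directory. Anything that resolves elsewhere,
        # or dangles, is reported as "link -> target".
        find "$acct" -type l 2>/dev/null | while IFS= read -r link; do
            target=$(readlink -f -- "$link" 2>/dev/null) || target=""
            case "$target" in
                "$acct"|"$acct"/*) ;;                                 # stays inside the account
                *) printf '%s -> %s\n' "$link" "${target:-(dangling)}" ;;
            esac
        done
    done
}

# Constructed fixture (a throwaway directory, not a real /home).
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/alice/public_html" "$DEMO_ROOT/alice/docs" "$DEMO_ROOT/bob/public_html"
ln -s ../docs "$DEMO_ROOT/alice/public_html/docs"                    # inside alice: not reported
ln -s "$DEMO_ROOT/bob" "$DEMO_ROOT/alice/public_html/other_account"  # reaches another account: reported
ln -s / "$DEMO_ROOT/alice/public_html/to_root"                       # reaches the filesystem root: reported

find_escaping_symlinks "$DEMO_ROOT"
# prints two lines (order may vary):
#   .../alice/public_html/other_account -> .../bob
#   .../alice/public_html/to_root -> /
```

This only finds links that already exist; it is a cleanup and detection aid to run from cron or after an incident, not a substitute for the structural fixes the thread discusses (the Apache patch, or CageFS and SecureLinks on CloudLinux), which stop the web server from following such links in the first place.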

  22. #22
    Join Date
    Jan 2011
    Posts
    671
    Does the patch only prevent PHP files and not Perl files?

  23. #23
    Join Date
    Nov 2007
    Location
    Iceland
    Posts
    31
    Upgrade to CloudLinux, it has protection against this as well as CageFS.

    http://www.cloudlinux.com/blog/clnew...for-apache.php
    http://docs.cloudlinux.com/index.html?securelinks.html

  24. #24
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,861
    Quote Originally Posted by kshazad86 View Post
    Does the patch only prevent PHP files and not Perl files?
    Prevents it all.

    ... why cPanel doesn't implement it into EasyApache, who knows!
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Free Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  25. #25
    We (HostGator) reported this vulnerability to Bugtraq in 2009, including a patch for EasyApache at that time (which has since evolved into an even larger patch we utilize on our shared servers now).

    If you Google for 'hostgator bugtraq symlink' you'll see our report in the first result.

    You can use our original patch, one of two patches provided in a huge forum thread on the cPanel forums about this issue, or CloudLinux, as previously stated in this thread, to resolve the issue for now.

    However, it should be noted that attack vectors still exist without kernel-level patching if you go with the Apache patch route.
