SymLink Vulnerability cPanel

  #1  
Old 01-11-2013, 08:23 AM
kshazad86 kshazad86 is offline
Web Hosting Master
 
Join Date: Jan 2011
Posts: 607

SymLink Vulnerability cPanel


I have had lots of websites hacked on a shared cPanel server, and it appears that it is a Symlink vulnerability on the server. Can anyone advise how to protect against these attacks and how they are carried out?



  #2  
Old 01-11-2013, 08:43 AM
NetworkPanda NetworkPanda is online now
/etc/init.d/universe start
 
Join Date: Oct 2012
Location: Europe and USA
Posts: 746
Disable the symlink and shell functions in php.ini

Open /usr/lib/php.ini

Find this line:
Code:
disable_functions =
and modify it to

Code:
disable_functions = "symlink,shell_exec,exec,system,chmod"
then restart Apache
Code:
httpd restart
This will prevent the creation of symlinks and execution of shell commands by PHP scripts

__________________
Network Panda
Web Hosting: Instant activation, SSD disks, FFMPEG.
Fast servers in USA, Canada, Germany, Netherlands, France, Italy.
SEO Hosting - Reseller Hosting


Last edited by NetworkPanda; 01-11-2013 at 08:50 AM.
  #3  
Old 01-11-2013, 08:47 AM
kshazad86 kshazad86 is offline
Web Hosting Master
 
Join Date: Jan 2011
Posts: 607
Quote:
Originally Posted by NetworkPanda View Post
Disable the symlink and shell functions in php.ini

Open /usr/lib/php.ini

Find this line:
Code:
disable_functions =
and modify it to

Code:
disable_functions = "symlink,shell_exec,exec,system"
then restart Apache
Code:
httpd restart
This will prevent the creation of symlinks and execution of shell commands by PHP scripts

Thanks, any other change I can make, e.g. edit httpd conf file?

How about turning off symlinks completely on the server? or will this break cPanel?

  #4  
Old 01-11-2013, 08:49 AM
NetworkPanda NetworkPanda is online now
/etc/init.d/universe start
 
Join Date: Oct 2012
Location: Europe and USA
Posts: 746
Quote:
Originally Posted by kshazad86 View Post
Thanks, any other change I can make, e.g. edit httpd conf file?

How about turning off symlinks completely on the server? or will this break cPanel?
No, don't ever do this, symlinks are necessary for Linux and cPanel. Just disable their creation by PHP.

Regarding your other question, no, you do not need to edit httpd.conf

Some other security measures: Run EasyApache and install mod_security and suhosin (if not already done so)


  #5  
Old 01-11-2013, 08:50 AM
kshazad86 kshazad86 is offline
Web Hosting Master
 
Join Date: Jan 2011
Posts: 607
EasyApache and mod_security are already installed, Suhosin is not supported as I am running PHP v5.3.

  #6  
Old 01-11-2013, 08:52 AM
NetworkPanda NetworkPanda is online now
/etc/init.d/universe start
 
Join Date: Oct 2012
Location: Europe and USA
Posts: 746
Quote:
Originally Posted by kshazad86 View Post
EasyApache and mod_security are already installed, Suhosin is not supported as I am running PHP v5.3.
Suhosin is supported officially by PHP 5.3 and cPanel. We have already been running it for several months on our servers with PHP 5.3.x
Check again. If you can't install it via EasyApache, maybe you are not running the latest cPanel version.


  #7  
Old 01-11-2013, 08:54 AM
infinitnet infinitnet is offline
Web Hosting Master
 
Join Date: Dec 2011
Location: Germany
Posts: 954
You can use this SymLink patch for EasyApache:

Quote:
1. http://spasov.us/patch/Apache.zip

Log in as root and go to /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/Apache

Upload these files, SymlinkProtection.pm and SymlinkProtection.pm.tar.gz, to this directory: /var/cpanel/easy/apache/custom_opt_mods/Cpanel/Easy/Apache

2. Run /scripts/easyapache, and select SymlinkProtection from the "Exhaustive Options" list
Also you can have a look at this article: http://www.hostbreak.com/blog/tech-t...erver-security

__________________
r00t-Services.net | Anti DDoS, WAF, Security, Optimization, Troubleshooting.
In business since 2011 | Contact us: support[at]r00t-services.net
Affordable & Powerful DDoS Protection Service in Europe and the USA! (⌐■_■)--︻╦╤─ - - - DDoS

  #8  
Old 01-11-2013, 08:55 AM
kshazad86 kshazad86 is offline
Web Hosting Master
 
Join Date: Jan 2011
Posts: 607
Quote:
Originally Posted by NetworkPanda View Post
Suhosin is supported officially by PHP 5.3 and cPanel. We have already been running it for several months on our servers with PHP 5.3.x
Check again. If you can't install it via EasyApache, maybe you are not running the latest cPanel version.
Yep my mistake thanks, suhosin is already installed. One other thing, will enabling PHP Safe mode in the global php.ini file also help with these kind of attacks?

  #9  
Old 01-11-2013, 08:57 AM
infinitnet infinitnet is offline
Web Hosting Master
 
Join Date: Dec 2011
Location: Germany
Posts: 954
Quote:
Originally Posted by kshazad86 View Post
Yep my mistake thanks, suhosin is already installed. One other thing, will enabling PHP Safe mode in the global php.ini file also help with these kind of attacks?
No, safemode is deprecated in recent PHP versions.


  #10  
Old 01-11-2013, 08:58 AM
NetworkPanda NetworkPanda is online now
/etc/init.d/universe start
 
Join Date: Oct 2012
Location: Europe and USA
Posts: 746
Quote:
Originally Posted by kshazad86 View Post
Yep my mistake thanks, suhosin is already installed. One other thing, will enabling PHP Safe mode in the global php.ini file also help with these kind of attacks?
This will protect from hacks but it will also disable some functions required by a lot of PHP scripts. I don't recommend it, it will disappoint your customers.


  #11  
Old 01-11-2013, 08:59 AM
kshazad86 kshazad86 is offline
Web Hosting Master
 
Join Date: Jan 2011
Posts: 607
Quote:
Originally Posted by infinitnet View Post
You can use this SymLink patch for EasyApache:


Also you can have a look at this article: http://www.hostbreak.com/blog/tech-t...erver-security
Is this a custom patch? It won't break cPanel in any way?

  #12  
Old 01-11-2013, 09:02 AM
cd/home cd/home is offline
Web Hosting Master
 
Join Date: Nov 2009
Location: /etc/my.cnf
Posts: 9,408
Quote:
Originally Posted by NetworkPanda View Post
This will protect from hacks but it will also disable some functions required by a lot of PHP scripts. I don't recommend it, it will disappoint your customers.
Safemode won't protect from anything in this instance since it's deprecated as of PHP 5.3 and shall be removed as of PHP 5.4

http://php.net/manual/en/features.safe-mode.php

__________________
LeapHost Solid High Performance Litespeed + Varnish + RAMDisk + MariaDB Hosting.
Fat Dedicated Servers | Uptime Monitoring | Backups | Proactive Server Management.
Server Setups | Stable Migrations | Security/Hardening | cPanel DNS Cluster Setups.
24/7 Ticket + Phone + Live Chat Support | Fancy An Offer > | Visit Our Special Offers


  #13  
Old 01-11-2013, 09:04 AM
WebHostDog WebHostDog is offline
Quality Web Hosting Matters
 
Join Date: Sep 2006
Location: Servers
Posts: 1,509
Disabling all these PHP functions will kill the functionality. Also, if there is some vulnerability, an attacker can upload their own php.ini and override all these php.ini restrictions implemented by the web hosting company.

__________________
QHoster.com - Web Hosting with DDoS Protection | Shared & Reseller in Europe/North America
Linux and Windows RDP VPS - Locations UK, US, CA, FR, DE, NL, CH | OpenVPN/PPTP Enabled
Instant setup | PayPal, Skrill, Payza, Bitcoin, WebMoney, Perfect Money, STP, EgoPay, OKPay
█ Call us: (USA +1) 877 423 1155 | (UK +44) 800 610 1580 | (Skype) : qhoster
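
An added example, not part of any post in this thread: a shell audit for the disable_functions hardening from post #2 and the per-account php.ini override raised in post #13. It reports which of the five functions a given php.ini still leaves enabled and lists any php.ini under the account homes that leaves them enabled; the script name and its two arguments are assumptions.

```bash
#!/bin/bash
# Added example: audit of the disable_functions hardening discussed in this thread.
# REQUIRED is the list given in post #2.
REQUIRED="symlink shell_exec exec system chmod"

# Print the value of the last active (not ;-commented) disable_functions line.
active_disable_functions() {
    sed -n '/^[[:space:]]*disable_functions[[:space:]]*=/{s/^[^=]*=//;s/;.*$//;p;}' "$1" |
        tail -n 1 | tr -d "\"' \t\r"
}

# Print the REQUIRED functions that the given php.ini leaves enabled.
# Names are matched whole, so "shell_exec" does not count as "exec".
missing_disabled_functions() {
    local active fn missing=""
    active=",$(active_disable_functions "$1"),"
    for fn in $REQUIRED; do
        case "$active" in
            *",$fn,"*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    echo "${missing# }"
}

# List every php.ini below HOME_ROOT that leaves a REQUIRED function enabled
# (the override from post #13, where the PHP handler reads a per-directory php.ini).
find_overriding_ini() {
    local f missing
    find "$1" -type f -name php.ini 2>/dev/null | sort | while IFS= read -r f; do
        missing=$(missing_disabled_functions "$f")
        if [ -n "$missing" ]; then echo "$f: $missing"; fi
    done
}

# Usage: bash audit.sh GLOBAL_PHP_INI HOME_ROOT   (script name and arguments are assumptions)
if [ "$#" -eq 2 ]; then
    echo "$1 leaves enabled: $(missing_disabled_functions "$1")"
    find_overriding_ini "$2"
fi
```

An empty result for the global file means all five functions are disabled there; any path printed by the second check is a php.ini that would undo that for its directory.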

  #14  
Old 01-11-2013, 09:08 AM
infinitnet infinitnet is offline
Web Hosting Master
 
Join Date: Dec 2011
Location: Germany
Posts: 954
Quote:
Originally Posted by kshazad86 View Post
Is this a custom patch? It won't break cPanel in any way?
It's from the cPanel forums and written by Rack911 afaik.


  #15  
Old 01-11-2013, 09:10 AM
kshazad86 kshazad86 is offline
Web Hosting Master
 
Join Date: Jan 2011
Posts: 607
Quote:
Originally Posted by infinitnet View Post
It's from the cPanel forums and written by Rack911 afaik.
ok great, will give this a try thanks
