I have a quick question.
A customer of mine has claimed that he has been hacked via CGI scripts (namely entropymail.cgi IIRC). Anyhow, this user claims that someone has gone in, run a command which tarred up their whole home dir and then moved it to a place that someone could download it (i.e. into the public_html folder).
First of all, is this plausible?
Here's what the hacker allegedly used:
entropymail.cgi?|tar -cf user.tar /home/user/|
Now, I am sceptical that it would be so easy to hack something which is built into cPanel (I know for a fact this user hadn't installed/used anything), but there's also the possibility that they have signed up for an account themselves (the hacker, that is) and have then used the aforementioned CGI thing to exploit this user's site.
What I want to know is: is this possible, and if so, how would I go about fixing this massive security hole?
If the user is hacked via a 'script', then remove the script, or have the user fix the script, pretty simple. Nothing you do on the server end of things will stop that.
Security is about keeping your scripts secure as much as it is about the server itself. In fact, it's MORE about keeping user scripts secure and up to date. Unfortunately, that relies on the end user to do, not the owner, or systems administrator.
WHMCS Guru - WHMCS addons, management, support and more. WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
Linux Problems? WHMCS Issues? +1-866-546-8914 (linux-14) or @whmcsguru on twitter!
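To make the two points above concrete (why the query string in the first post can turn into a command, and what "fix the script" means in the reply), here is an added example. It is not code from the thread, from cPanel, or from the entropymail script; the thread does not say how that script handled its parameter. The assumption made here is the classic Perl root cause for this class of bug: a CGI parameter passed unvalidated to two-argument open(), where a leading or trailing `|` makes Perl treat the "filename" as a shell command. The code mirrors that interpretation, shows an allow-list validator a script author would use instead, and runs a simple detection over constructed access-log lines (Apache-style format assumed) so a host can spot such requests in retrospect.

```python
import re
from urllib.parse import unquote

# Constructed sample: the query value quoted in the thread, URL-decoded.
INJECTED_QUERY = "|tar -cf user.tar /home/user/|"

# Allow-list for a bare filename: no slashes, no shell metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def classify_two_arg_open(arg: str) -> str:
    """Mirror how Perl's two-argument open() reads its string operand.

    A leading or trailing '|' turns the 'filename' into a shell command; the
    other prefixes select file modes. This is documentation of the footgun,
    not an implementation of it: nothing here is executed.
    """
    s = arg.strip()
    if s.startswith("|") or s.endswith("|"):
        return "shell-command"
    if s.startswith(">>"):
        return "append-file"
    if s.startswith(">"):
        return "write-file"
    if s.startswith("<"):
        return "read-file"
    return "read-file"


def validated_filename(value: str, base_dir: str = "/home/user/data") -> str:
    """Hardened counterpart for the script author (base_dir is a placeholder).

    Accept only an allow-listed bare filename and anchor it under a fixed
    directory; anything else is rejected before it can reach open().
    """
    if not SAFE_NAME.fullmatch(value):
        raise ValueError("rejected filename: %r" % value)
    return f"{base_dir}/{value}"


# Minimal Apache-style access-log parser (assumed format, constructed lines).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3})"
)
# Characters that should never appear in a benign filename/search parameter.
METACHARS = re.compile(r"[|;`&]|\$\(")

SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2005:13:55:36 +0000] '
    '"GET /cgi-bin/entropymail.cgi?%7Ctar%20-cf%20user.tar%20/home/user/%7C HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Oct/2005:13:56:01 +0000] '
    '"GET /cgi-bin/entropysearch.cgi?q=hello HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Oct/2005:13:57:12 +0000] '
    '"GET /index.html HTTP/1.1" 200 1024',
]


def suspicious_cgi_requests(log_lines):
    """Return (ip, path, decoded_query) for CGI requests whose query string
    carries shell metacharacters. Decoding happens before inspection so that
    %7C and a literal '|' are treated the same."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = unquote(m.group("target"))
        path, _, query = target.partition("?")
        if ("/cgi-bin/" in path or path.endswith(".cgi")) and METACHARS.search(query):
            hits.append((m.group("ip"), path, query))
    return hits


if __name__ == "__main__":
    print(classify_two_arg_open(INJECTED_QUERY))
    print(validated_filename("report.txt"))
    for hit in suspicious_cgi_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The validator is the server-side fix the reply is pointing at: it lives in the user's script, not in the server configuration, which is why nothing done at the host level alone closes the hole. The log scan is a coarse retrospective check, not a substitute for fixing the script.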
Yep, there is no such thing as entropymail afaik, but things like entropysearch and stuff are around..
These are all built-in scripts (I assume), and the fact that this person supposedly signed up with my company just to grab another user's source.. means that 1) they are a very desperate individual.. and 2) this is something that can only be disabled by blocking CGI access for all accounts AND removing the inbuilt CGI stuff in cPanel.
Not something I would want to inflict on my customers.