Page 2 of 2
Results 26 to 41 of 41
  1. #26
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82
Hi, I got this:

    CentOS 3.5 i686 - WHM X v3.1.0

    package kernel-smp-2.4.21-32.0.1.EL


  2. #27
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    With those permissions and that kernel you should be ok. Has he done anything to verify that he can read the shadow file or is he just threatening?
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  3. #28
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82
By the way, disabling telnet just blocks the port. How do I prevent them from running cgi-telnet with PHP or CGI?

    Because I can see they use .pl files and can still run commands and do many things...

  4. #29
    Join Date
    May 2002
    Location
    Moscow
    Posts
    1,602
cgi-telnet.pl, like any Perl script, can use any feature available on your system. For this the hacker does not need cgi-telnet.pl; just Perl (even suexec'd) will be enough. For example, there is no way to block a CGI application from walking around other directories or files, especially if they are open for group reading.
    But your /etc/shadow has the correct permissions, so most likely he uses some suid application and an exploit for gaining access to it, or maybe the hacker uses sudo.
    Also, maybe he just uses some trojan virus which was inserted into your local computer and just keylogs your root password. BTW, it is a very easy way of gaining root access.

    PS. Regarding the exploit: I remember that in the past year one of our customers had a similar problem, and the hacker activity was terminated when we disabled sudo on the machine.
    Last edited by rustelekom; 08-09-2005 at 05:10 PM.
    TK Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR

  5. #30
    Join Date
    Apr 2004
    Location
    Singapore
    Posts
    620
Besides setting the file to be readable only by root for /etc/shadow,

    can we set it for

    /etc/passwd and httpd.conf?

    Any other files that need to be made not viewable by normal users?
    Linux System admin (since 2001)
    * cPanel/WHM, Directadmin, Apache, DNS, PHP, HyperVM, Lxadmin, Openvz*

  6. #31
    Join Date
    Jul 2004
    Location
    U.A.E >> Dubai
    Posts
    218
Originally posted by jayzee
    Besides setting the file to be readable only by root for /etc/shadow,

    can we set it for

    /etc/passwd and httpd.conf?

    Any other files that need to be made not viewable by normal users?
    No, users will not be able to log in to their control panel and other services.

You can chmod:

    /home to 711

    /tmp to 1777

    /etc/php.ini : 711

    /usr/local/apache/conf/httpd.conf :744

    /backup (backup folder ) to 700
    and so on....

You can chmod any root directory to 711, but be careful, it may stop a feature/service (like a cPanel feature), so you have to customize it.

Cheers.
    Last edited by SmartActive; 08-13-2005 at 06:56 AM.
    SecurityWay.Net Managed Solutions
    Linux Security, Domain Registration Service, eNom Reseller Account from an ETP.
    http://domains.securityway.net/
    Believe an expert, believe one who has had experience.
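The chmod list above is easy to apply once and then lose to the next control-panel upgrade, so here is an added example (not code from the post) that audits a tree against that table and reapplies it. It compares modes as bit sets, so a stricter mode than the post asks for is not reported, only bits that are looser. The root prefix argument is an assumption added so the check can be run against a scratch copy; GNU stat (Linux) is assumed, as on the CentOS box in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit a tree against the expected-mode
# table in the post above. Only bits that are looser than expected are
# reported, so a stricter mode (700 where 711 is expected) passes.
# $1 is a root prefix, so the check runs against a scratch copy or a mounted
# backup as well as against /. Assumes GNU stat (Linux).

# Expected modes, one "path mode" pair per line, as listed in the post.
EXPECTED='
/home 711
/tmp 1777
/etc/php.ini 711
/usr/local/apache/conf/httpd.conf 744
/backup 700
'

# Print one "LOOSE <path> has <mode> want <mode>" line per offending entry.
audit_modes() {
  root="$1"
  echo "$EXPECTED" | while read -r path want; do
    [ -n "$path" ] || continue
    full="$root$path"
    [ -e "$full" ] || continue           # missing paths are not a finding
    have=$(stat -c %a "$full")
    # treat the modes as bit sets: a bit set in "have" but clear in "want"
    # is a permission the post says should not be there
    extra=$(( $(printf '%d' "0$have") & ~$(printf '%d' "0$want") ))
    if [ "$extra" -ne 0 ]; then
      echo "LOOSE $full has $have want $want"
    fi
  done
}

# Number of offending entries (0 when the tree is as the post describes).
count_loose() {
  audit_modes "$1" | grep -c '^LOOSE' || true
}

# Apply the table (what the post tells the reader to chmod). Keep the
# cPanel caveat from the post in mind: a stricter mode can break a service.
apply_modes() {
  root="$1"
  echo "$EXPECTED" | while read -r path want; do
    [ -n "$path" ] || continue
    if [ -e "$root$path" ]; then
      chmod "$want" "$root$path"
    fi
  done
}
```

Run `audit_modes ""` against the live system from cron and alert on any output; run `apply_modes ""` only after confirming the control panel still works with those modes.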

  7. #32
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82
Hi, thanks all. But when I test with the newest remview version, it can still upload with the folder chmod 711.

    You can take a look at my files included here.
    Attached Files
    Last edited by VIETHOSTING; 08-13-2005 at 04:29 PM.

  8. #33
    Join Date
    May 2002
    Location
    Moscow
    Posts
    1,602
To SV_Ngheo:
    You may easily block remview using the PHP open_basedir function. Also, you should understand that with PHP as a module and with safe mode not enabled, you can't get more security than you have unless you use something that jails or chroots EACH user.

  9. #34
    Join Date
    Jun 2003
    Location
    United Kingdom
    Posts
    716
Humans are lazy, and most, even for the root password, normally use this format: <word><2 digit number>

  10. #35
    Join Date
    Jul 2004
    Location
    U.A.E >> Dubai
    Posts
    218
Yes, you should have safe mode on, disable some PHP functions, and use phpbasedir, and I prefer the use of phpsuexec.

  11. #36
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82
    Hi,

In fact, I know all those solutions, but the hacker attacked with this:

    Run command: ln /etc/shadow .shadow >> This will make a hardlink to shadow. After that chmod to 777, then reinstall FrontPage.

    Please tell me a solution?

  12. #37
    Join Date
    May 2002
    Location
    Moscow
    Posts
    1,602
Did you give him non-jailed SSH?
    BTW, you may restrict ordinary users' access to some system commands.

  13. #38
    Join Date
    Apr 2005
    Location
    HCMC
    Posts
    82
They use SSH through a PHP shell and .pl files. It is normally supported by Apache. How can we prevent it?

    Please check some of my first posts; see all the functions I disabled and what I've done.

  14. #39
    Join Date
    May 2002
    Location
    Moscow
    Posts
    1,602
He can't use a PHP shell if you use open_basedir and also disable the system function, but he may use Perl's system command.
    But an ordinary user can't make a hardlink with Perl, just because Perl is suexec'd and the rights and permissions of the user are assigned to the script when he runs it.
    But he can run his script by cron and this may give him a chance. Same for the sudo command. Also the same for system utilities which have the suid flag and may have an exploit (on older, not updated systems).

  15. #40
Have you thought about installing mod_security?

    This gives you the ability to log the "POST" events, and then you can build up a rough idea of what they are doing, and consequently, using mod_security again, you can block them.

    A good site with a constantly updated list of mod_security rules is gotroot.com.

    Definitely worth an install.

  16. #41
Run command: ln /etc/shadow .shadow >> This will make a hardlink to shadow. After that chmod to 777, then reinstall FrontPage.

    Please tell me a solution?
    Sure, make sure you have separate partitions for / and /home and others, /usr, /var etc.

    Having everything under / is plain bad practice.

    You can't hard link across partitions.
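The attack quoted in #36 and the partition answer in #41, reproduced in a scratch directory as an added example (not code from the thread). The mechanics: a hardlink is a second name for the same inode, so it shares the original's owner and mode, and a later root-run recursive chmod of the user's home (the "reinstall FrontPage" step) changes /etc/shadow's mode along with it. The 2.4 kernel in #26 lets any user link to a file they cannot read; `ln` cannot cross filesystems, which is why a separate /home partition stops it, and on Linux 3.6 and later `fs.protected_hardlinks=1` refuses such links outright. The lab paths are constructed, the shadow record is not a real hash, and GNU stat/find (Linux) are assumed; because the lab runs unprivileged, the planted link is owned by the current user rather than root, which is the one thing the detection step cannot show here.

```shell
#!/bin/sh
# Added example (not from the thread): the hardlink trick from post #36 in a
# scratch tree, plus the checks behind the answer in post #41.
# Assumes GNU stat and find (Linux). All paths under $lab are constructed.
set -u

# Lab layout: etc/shadow with mode 600 and home/user on the same filesystem,
# the single-partition layout the thread warns about.
setup_lab() {
  lab="$1"
  mkdir -p "$lab/etc" "$lab/home/user"
  # constructed sample record; not a real password hash
  printf 'root:$6$constructed$notarealhash:16000:0:99999:7:::\n' > "$lab/etc/shadow"
  chmod 600 "$lab/etc/shadow"
}

# Step 1, attacker (unprivileged): hardlink the protected file into $HOME.
# Both names resolve to one inode, so they share its owner and mode.
make_link() {
  ln "$1/etc/shadow" "$1/home/user/.shadow"
}

# Step 2, victim (root): a maintenance job that chmods the home tree
# recursively, which is what a control-panel "reinstall FrontPage" does.
# The mode change lands on the shared inode, i.e. on /etc/shadow itself.
privileged_recursive_chmod() {
  chmod -R 777 "$1/home/user"
}

mode_of()       { stat -c %a "$1"; }   # octal mode of the inode
link_count_of() { stat -c %h "$1"; }   # number of names pointing at it

# Mitigation from post #41: ln cannot cross filesystems (EXDEV), so a
# separate /home partition defeats step 1. Succeeds when both paths share
# a device, i.e. when the trick is still possible.
same_filesystem() {
  [ "$(stat -c %d "$1")" = "$(stat -c %d "$2")" ]
}

# Mitigation on Linux 3.6 and later: fs.protected_hardlinks=1 refuses to
# link a file the caller neither owns nor has read and write access to.
# Prints the current value, or "absent" on a kernel without the knob.
protected_hardlinks_setting() {
  if [ -r /proc/sys/fs/protected_hardlinks ]; then
    cat /proc/sys/fs/protected_hardlinks
  else
    echo absent
  fi
}

# Detection: a regular file under a home tree with more than one link is
# the fingerprint of a planted link (the extra name keeps the original's
# owner, so a root-owned file in a user's home is the thing to look for).
find_multilinked_files() {
  find "$1" -xdev -type f -links +1 -printf '%u %p\n'
}

# Run the whole scenario stand-alone.
demo() {
  lab=$(mktemp -d)
  setup_lab "$lab"
  echo "before: mode $(mode_of "$lab/etc/shadow"), links $(link_count_of "$lab/etc/shadow")"
  make_link "$lab"
  privileged_recursive_chmod "$lab"
  echo "after:  mode $(mode_of "$lab/etc/shadow"), links $(link_count_of "$lab/etc/shadow")"
  find_multilinked_files "$lab/home"
  echo "fs.protected_hardlinks: $(protected_hardlinks_setting)"
  rm -rf "$lab"
}

demo
```

On a real host, `same_filesystem /etc/shadow /home` succeeding is the finding: it means the partition layout from #41 is not in place. `find_multilinked_files /home` is cheap enough to run from cron, and any hit owned by root deserves an immediate look.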
