Track down cross-account symlinks on a Linux server

One common technique attackers try is to create lots of symlinks to commonly used configuration files in other users' accounts. Every PHP-based CMS has configuration files somewhere containing database passwords and the like, and the hacker has a list of these commonly found files.

Once he has compromised your account, there is a good chance he will also be able to get a list of all Linux users on the server. Then all he has to do is look for the commonly found configuration files in each user's account.

Hackers, being lazy, will just try to create symlinks to the files in question, whether they exist or not. If the hacker used a kiddie script, the chances are you have already detected his attack, but just in case he is a little more resourceful, here is how you can search all cPanel accounts for evidence of symlinks to files outside of each respective cPanel account:

ls /var/cpanel/users | grep -v "\`\|\.\|cpanel\|root\|mysql\|nobody" | while read CPUSER; do find /home/$CPUSER -type l -not \( -lname "/home/$CPUSER/*" -o -lname "*rvsitebuilder*" -o -lname "[^/]*" -o -lname "/usr/local/apache/domlogs/*" -o -lname "/usr/local/urchin/*" \) ; done
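The one-liner above relies on cPanel's user list and on GNU find's -lname glob matching, which only sees the literal link text. As an added example (not from the original post), here is a portable POSIX sh function that performs the same check for a single home directory and resolves relative link targets, so a link written as ../../otheruser/wp-config.php is reported even though it does not begin with /. The allowed-prefix arguments play the role of the exclusions in the original command; the /home/alice and domlogs paths in the comments are assumed.

```shell
#!/bin/sh
# Added example, not from the original post: report symlinks under one
# account's home directory whose target resolves outside that directory.
# Usage: find_foreign_symlinks /home/CPUSER [allowed-prefix ...]
# e.g.   find_foreign_symlinks /home/alice /usr/local/apache/domlogs/

# Collapse "." and ".." segments of an absolute path without touching the
# filesystem, so dangling links (targets that do not exist yet) still resolve.
normalize_path() {
    printf '%s\n' "$1" | awk -F/ '{
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "" || $i == ".") continue
            if ($i == "..") { if (n > 0) n--; continue }
            parts[++n] = $i
        }
        out = ""
        for (i = 1; i <= n; i++) out = out "/" parts[i]
        print (out == "" ? "/" : out)
    }'
}

find_foreign_symlinks() {
    home=$1
    shift
    # Canonical home path (symlinks resolved) so the prefix comparison is exact.
    home=$(cd "$home" 2>/dev/null && pwd -P) || return 2
    find "$home" -type l -print | while IFS= read -r link; do
        target=$(readlink "$link")
        case "$target" in
            /*) abs=$target ;;                      # absolute target
            *)  abs=$(dirname "$link")/$target ;;   # relative to the link's dir
        esac
        abs=$(normalize_path "$abs")
        case "$abs" in
            "$home"/*) continue ;;                  # stays inside the account
        esac
        skip=0
        for prefix in "$@"; do                      # permitted outside locations
            case "$abs" in "$prefix"*) skip=1 ;; esac
        done
        if [ "$skip" -eq 0 ]; then
            printf '%s -> %s\n' "$link" "$abs"
        fi
    done
}

# Stand-alone use: ./script /home/alice [allowed-prefix ...]
if [ $# -ge 1 ]; then
    find_foreign_symlinks "$@"
fi
```

Run it per account from the same /var/cpanel/users loop as the original command, and treat any reported link whose target is another account's home or a system file as something to investigate rather than something to delete blindly: legitimate links to shared assets do exist, so the prefix list is where you record the ones you have verified.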

Apache Directives to prevent Symlink Attacks

In WHM Main >> Service Configuration >> Apache Configuration >> Global Configuration you will find the settings for Directory “/” Options.

To maintain a more secure server, you should tick only SymLinksIfOwnerMatch and NOT FollowSymLinks. This might break some things depending on what you are legitimately trying to do, but SymLinksIfOwnerMatch only allows Apache to follow a symlink if the target has the same owner as the symlink.
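The WHM setting above ends up as the Options line of the root Directory block in httpd.conf (that mapping is assumed here; check the generated file on your own server). As an added example, not from the original post, this POSIX sh function audits such a file and reports whether the root block still carries FollowSymLinks, so the check can run from cron or a configuration test rather than by eye.

```shell
#!/bin/sh
# Added example, not from the original post: audit the Options line of the
# <Directory /> block in an httpd.conf-style file and flag the FollowSymLinks
# setting the post warns against.
# Exit status: 0 = SymLinksIfOwnerMatch only, 1 = FollowSymLinks present,
#              2 = neither option set on the root directory.
check_root_options() {
    awk '
        # Enter the root block on <Directory /> or <Directory "/">
        tolower($0) ~ /^[[:space:]]*<directory[[:space:]]+"?\/"?[[:space:]]*>/ { inroot = 1; next }
        tolower($0) ~ /^[[:space:]]*<\/directory>/ { inroot = 0; next }
        inroot && tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                o = $i
                if (substr(o, 1, 1) == "-") continue   # "-FollowSymLinks" removes it
                sub(/^\+/, "", o)
                o = tolower(o)
                if (o == "followsymlinks")       follow = 1
                if (o == "symlinksifownermatch") owner = 1
            }
        }
        END {
            if (follow) { print "WEAK: FollowSymLinks is set on Directory /"; exit 1 }
            if (!owner) { print "INFO: no SymLinksIfOwnerMatch on Directory /"; exit 2 }
            print "OK: Directory / uses SymLinksIfOwnerMatch only"
            exit 0
        }' "$1"
}

# Stand-alone use: ./script /path/to/httpd.conf
if [ $# -eq 1 ]; then
    check_root_options "$1"
fi
```

The function only inspects the root block; a per-virtualhost or .htaccess Options line that re-enables FollowSymLinks is a separate audit, and AllowOverride controls whether such a .htaccess override is even honoured.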

The true purpose of design

Design failure

Regardless of the primary or secondary function of a design, bad design is always obvious, especially when you encounter it in your day-to-day life.

An instruction manual that makes it awkward to find essential information, a website that makes it incredibly hard to find essential information, or a fashion magazine with no glamorous pictures are all unlikely to make you a repeat customer (unless you like that sort of thing!).

Grit Free Soda Blasting

GritFree Blasting is the brainchild of Peter Wardley. Peter sought an outlet more focused on automotive, marine and aviation restoration, with an informal, fun, yet informative approach. It all started early in 2010, but due to the popularity of Soda Blasting, Ecoblast often left us to get on with the site. This was fun in many ways, as it allowed us to fit more creative work into the job at our leisure.

Despite only recently going live with the website, the GritFree team had been busy throughout 2011, and the Soda Blasting examples shown on their Portfolio page demonstrate how well the process is trusted by prestige customers.

Unlike shot blasting, the GritFree process is non-destructive. It was important to emphasise this, so graphics that were originally developed for parent company Ecoblast UK Ltd were re-used.

The job required a logo to be developed from the Ecoblast brand, some custom illustrations, and some original photography!

SORBS SUCKS

Why SORBS Sucks

Now 7 days after the event, and SORBS is still listing our affected server.

Why do SORBS Suck? More to the point, why am I writing this negative blog post? I’m writing it because SORBS has demonstrated itself to be wholly unprofessional, slow, and inaccurate, and are causing real problems for genuine ISPs, and countless people.

7 days ago the hosting company I work for found a client whose site had been hacked. It was quite nasty, and a Perl script was pumping out spam at a pace. Within an hour or so, we had tracked it down and got it shut down. Too late. We had appeared on a couple of blacklists, including Spamhaus and SpamCop, and SORBS (just 46 hits).

Within a few hours, the world recognised that we had stemmed the problem, and all was fine again… or was it…

SORBS still listed us. We tried to remove ourselves. SORBS has to be THE worst system I've ever used, ever. And I've used some pretty bad systems. If you're going to allow companies to use your data to make decisions about whether or not to deliver email, you at least owe it to them to run a service that isn't completely broken.

ConfigServer Exploit Scanner – external perl script to run upon detection of a match

One very useful option recently added to CXS is --script.

For example, I am currently using something like:

/usr/sbin/cxs --report /var/log/cxs.scan --logfile /var/log/cxs.log --mail reports@myhost.co.uk --vir -I /etc/cxs/cxs.ignore --options mMOfSGChednWZDR --script /root/cxswatchscript.sh --xtra /etc/cxs/cxs.xtra -Z --sum -F 200000 -C /var/clamd -T 10 -B --allusers

The script defined above, /root/cxswatchscript.sh, receives 4 arguments from CXS:

$1 = filename
$2 = option triggered
$3 = message reported
$4 = account name
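As an added example (not ConfigServer's code and not the author's own /root/cxswatchscript.sh), here is a minimal hook in POSIX sh that accepts those four arguments, records one tab-separated line per detection with a UTC timestamp and the file's SHA-256 (so a later report can show whether the flagged file has since changed or vanished), and provides a helper that counts detections per account. The log path in CXS_HOOK_LOG is an assumed default. Each field is flattened to a single line before it is written, because the filename and message are attacker-influenced and a newline in either would otherwise let one detection forge extra log entries.

```shell
#!/bin/sh
# Added example, not ConfigServer's code: a hook for "cxs --script" that
# receives the four arguments listed in the post:
#   $1 filename   $2 option triggered   $3 message reported   $4 account name
# Log path is an assumed default; override with CXS_HOOK_LOG=/path.
CXS_HOOK_LOG=${CXS_HOOK_LOG:-/var/log/cxs-hook.log}

# Fold newlines, carriage returns and tabs into spaces so one detection is
# always exactly one tab-separated log line, whatever the message contains.
sanitize() {
    printf '%s' "$1" | tr '\n\r\t' '   '
}

# SHA-256 of the flagged file, or "missing" if it has already disappeared.
file_digest() {
    if [ -f "$1" ]; then
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$1" | cut -d' ' -f1
        else
            shasum -a 256 "$1" | cut -d' ' -f1
        fi
    else
        printf 'missing\n'
    fi
}

# Append one record: timestamp, account, option, file, digest, message.
handle_detection() {
    file=$1
    option=$2
    message=$3
    account=$4
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$ts" "$(sanitize "$account")" "$(sanitize "$option")" \
        "$(sanitize "$file")" "$(file_digest "$file")" "$(sanitize "$message")" \
        >> "$CXS_HOOK_LOG"
}

# Number of detections recorded so far for one account.
detections_for() {
    if [ ! -f "$CXS_HOOK_LOG" ]; then
        printf '0\n'
        return 0
    fi
    awk -F'\t' -v acct="$1" '$2 == acct { n++ } END { print n + 0 }' "$CXS_HOOK_LOG"
}

# CXS invokes the script with exactly four arguments.
if [ $# -eq 4 ]; then
    handle_detection "$@"
fi
```

Keep the hook short and non-blocking: CXS calls it once per match, so anything slow (sending mail, opening tickets) is better done by a separate job that reads the log this hook writes.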

ConfigServer Exploit Scanner – Individual User Warning Email Script

Parse the CXS Log file for warnings, and email your customers with details of the Malware found in their accounts via a Perl script.

  • Got ConfigServer Exploit Scanner – CXS – installed on your cPanel/WHM server?
  • Doing a full server scan every now and then, and getting swamped with the reports?
  • Want a script that will trawl the reports, and email the cpanel users with their problems automatically?

Then you have come to the right place!
