Archive | Linux

Install Perl Geo::IP cpan module on Centos 5 or 6

Installing this Perl module from cpan can be a bit tricky, as it looks for the GeoIP libraries in the wrong place.

You may see messages like these in the output when running cpan Geo::IP:

  • The GeoIP CAPI is not installed you should do that
  • GeoIP must be installed prior to building Geo::IP and I can’t find it in the standard library directories

It’s compounded by the fact that, at the time of writing, the GeoIP-devel package available to CentOS is older than 1.5, so you can’t get a usable copy of the GeoIP libraries via yum. I tried installing it from yum, and then got this error:

  • Your installed version of libgeoip is outdated!

Here’s the quick solution:

First, compile the GeoIP libraries from the C source using the default configuration (which installs under /usr/local). The source is available from:

http://dev.maxmind.com/geoip/legacy/downloadable/

wget http://www.maxmind.com/download/geoip/api/c/GeoIP-latest.tar.gz
tar xzf GeoIP-latest.tar.gz
cd GeoIP-1.5.1
./configure
make
make check
make install

The directory name depends on whichever version the “latest” tarball currently contains, so check the output of tar. The download is plain HTTP, so compare the tarball against a checksum obtained separately before building and installing it as root.

Now we (hopefully) have the GeoIP libraries installed under /usr/local, and the GeoIP.dat that ships with the source in /usr/local/share/GeoIP/GeoIP.dat. One caveat: /usr/local/lib is not on the dynamic loader’s search path on a stock CentOS install, so if the module’s make test later fails to load libGeoIP.so, add that directory to a file in /etc/ld.so.conf.d/ and run ldconfig.

So, back to cpan. First, enter the cpan> shell (just run the cpan command on its own). Then enter the following command to fetch the distribution and drop into its build directory:

look Geo::IP

This will locate and download the source package for the module, and put you in the installation directory e.g.

/steve/.cpan/build/Geo-IP-1.42-V2q_q_

So now we need to tell the package installer where to find the GeoIP libraries we previously installed from source, and build and install the module manually:

perl Makefile.PL LIBS='-L/usr/local/lib' INC='-I/usr/local/include'
make
make test
make install
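The whole procedure as one script, added here as an example rather than taken from the post: it pins the minimum library version that Geo::IP accepts, refuses to build a tarball whose SHA-256 has not been supplied out of band, fixes up the loader path, and passes the same LIBS/INC to Makefile.PL through MakeMaker’s PERL_MM_OPT variable so that a plain cpan Geo::IP builds without the interactive look step. Assumptions: CentOS 5/6 with gcc, make, perl and cpan present, run as root; the GEOIP_SHA256 value comes from you; the legacy MaxMind URL from the post has since been retired, so treat it as a placeholder for wherever you host a copy.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumed: CentOS 5/6, root,
# gcc/make/perl/cpan installed, GEOIP_SHA256 exported from a trusted source.
set -e

GEOIP_URL="http://www.maxmind.com/download/geoip/api/c/GeoIP-latest.tar.gz"
GEOIP_SHA256="${GEOIP_SHA256:-}"   # export before running; empty = refuse to build
GEOIP_MIN="1.5.0"                   # Geo::IP calls anything older "outdated"
PREFIX="/usr/local"                 # where ./configure installs libGeoIP by default

# Dotted version compare: exit 0 when $1 >= $2, missing components count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0 }'
}

# The first failure mode in the post: the yum GeoIP-devel is too old for Geo::IP.
geoip_version_ok() { version_ge "$1" "$GEOIP_MIN"; }

# Version taken from a source tree name such as GeoIP-1.5.1 (assumed tarball layout).
version_from_dir() { printf '%s\n' "${1##*GeoIP-}"; }

build_libgeoip() {
    tmp="$(mktemp -d)" && cd "$tmp"
    wget -q "$GEOIP_URL" -O GeoIP.tar.gz
    [ -n "$GEOIP_SHA256" ] || { echo "set GEOIP_SHA256 first" >&2; exit 1; }
    echo "$GEOIP_SHA256  GeoIP.tar.gz" | sha256sum -c - >/dev/null
    tar xzf GeoIP.tar.gz
    srcdir="$(tar tzf GeoIP.tar.gz | head -n1 | cut -d/ -f1)"
    ver="$(version_from_dir "$srcdir")"
    geoip_version_ok "$ver" || { echo "libGeoIP $ver is older than $GEOIP_MIN" >&2; exit 1; }
    cd "$srcdir" && ./configure --prefix="$PREFIX" && make && make check && make install
    # $PREFIX/lib is not on the CentOS loader path, so Geo::IP's tests would
    # otherwise fail to load libGeoIP.so even though the module linked fine.
    echo "$PREFIX/lib" > /etc/ld.so.conf.d/geoip-local.conf
    ldconfig
}

build_geo_ip_module() {
    # Same LIBS/INC the post passes to Makefile.PL by hand, but via MakeMaker's
    # PERL_MM_OPT so a plain 'cpan Geo::IP' picks them up non-interactively.
    PERL_MM_OPT="LIBS=-L$PREFIX/lib INC=-I$PREFIX/include" cpan Geo::IP
    # Sanity check: the module should report the C library version just built.
    perl -MGeo::IP -e 'print "libGeoIP via Geo::IP: ", Geo::IP->lib_version, "\n"'
}

if [ "${1:-}" = "--install" ]; then
    build_libgeoip
    build_geo_ip_module
fi
```

Run it as ./geoip-install.sh --install; without the flag it only defines the functions, which is what makes the version check testable on its own.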

Mod_userdir URLs no longer work since Mod_ruid added

Just a quick one for today. I found that after recompiling Apache with mod_ruid, mod_userdir was broken: it would no longer serve pages from the customer’s vhost domain, only from the server’s main URL.

http://customerdomain/~customerusername will no longer work

http://defaultserverhostname/~customerusername continues to work normally

This is down to file permissions, since those requests are now being served by the nobody account.

Track down cross account Symlinks on Linux server

One common trick attackers use is to create lots of symlinks to commonly used configuration files in other users’ accounts. Every PHP-based CMS has a configuration file somewhere containing database passwords and the like, and the attacker has a list of where those files usually live.

Once one account on the server has been compromised, there’s a good chance the attacker can also list all the Linux users on the server (/etc/passwd is world-readable). Then all he has to do is look for the commonly found configuration files in each user’s account.

The attacker, being lazy, will simply create symlinks to the files in question whether they exist or not, and then read them through the web server, which follows the link as the nobody user. If a kiddie script was used, the chances are you have already detected the attack, but in case he was a little more resourceful, here is how to search all cPanel accounts for evidence of symlinks pointing to files outside the respective cPanel account:

ls /var/cpanel/users | grep -v "\`\|\.\|cpanel\|root\|mysql\|nobody" | while read CPUSER; do
    find "/home/$CPUSER" -type l -not \( \
        -lname "/home/$CPUSER/*" \
        -o -lname "*rvsitebuilder*" \
        -o -lname "[^/]*" \
        -o -lname "/usr/local/apache/domlogs/*" \
        -o -lname "/usr/local/urchin/*" \) ; \
done

Two things to bear in mind when reading the output. The -lname "[^/]*" clause deliberately skips every relative link, which keeps the list short but also hides a link such as ../../victim/public_html/wp-config.php. And -lname matches the text of the link, not where it resolves, so a target like /home/$CPUSER/../victim/public_html/wp-config.php passes the first exclusion. Resolve each link with readlink -f and compare the result against the home directory if you want to catch both.
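The resolved-target version of that search, added here as an example and not part of the original post: it canonicalises each link with readlink -m (so relative links, ../ components and dangling targets are all handled) and reports every link whose real target lies outside the account, minus an allow list of prefixes such as the domlogs directory the post excludes. Assumes GNU coreutils and the same /var/cpanel/users layout as the one-liner above.

```shell
#!/bin/sh
# Added example, not the post's one-liner: flag symlinks by where they
# *resolve*, not by the text of the link. Assumes GNU readlink (-m).

# Usage: find_escaping_symlinks /home/USER [ALLOWED_PREFIX ...]
# Prints "link -> resolved target" for every symlink under the home directory
# whose canonical target is outside it and outside every ALLOWED_PREFIX.
# readlink -m follows ../ and relative links and does not require the target
# to exist, so links planted "whether they exist or not" still show up.
# (Link names are read one per line; a name containing a newline would need
# find -print0, which is not POSIX.)
find_escaping_symlinks() {
    home="$(readlink -m -- "$1")" || return 1
    shift
    find "$home" -type l 2>/dev/null |
    while IFS= read -r link; do
        target="$(readlink -m -- "$link")" || continue
        case "$target" in
            "$home"|"$home"/*) continue ;;          # stays inside the account
        esac
        allowed=0
        for prefix in "$@"; do                      # e.g. /usr/local/apache/domlogs
            case "$target" in
                "$prefix"|"$prefix"/*) allowed=1; break ;;
            esac
        done
        [ "$allowed" -eq 1 ] && continue
        printf '%s -> %s\n' "$link" "$target"
    done
}

# Walk every cPanel account, same user list as the post's command.
scan_all_cpanel_accounts() {
    ls /var/cpanel/users | grep -v "\`\|\.\|cpanel\|root\|mysql\|nobody" |
    while IFS= read -r CPUSER; do
        find_escaping_symlinks "/home/$CPUSER" /usr/local/apache/domlogs /usr/local/urchin
    done
}

if [ "${1:-}" = "--all" ]; then
    scan_all_cpanel_accounts
fi
```

A link to /etc/passwd, a relative ../../victim/... link and an absolute link that traverses through the user’s own home all end up in the report; a link to a file inside the account, even one that does not exist yet, does not.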

Apache Directives to prevent Symlink Attacks

In WHM Main >> Service Configuration >> Apache Configuration >> Global Configuration you will find the settings for Directory “/” Options.

To keep the server more secure, tick only SymLinksIfOwnerMatch and NOT FollowSymLinks. This might break some things, depending on what you are legitimately trying to do, but SymLinksIfOwnerMatch only lets Apache follow a symlink if the target has the same owner as the link itself, which defeats a link planted in a compromised account that points at another user’s files. Two caveats: an Options line further down (a docroot <Directory> block, or a customer’s .htaccess where AllowOverride includes Options) can switch FollowSymLinks back on, and the ownership check happens before the file is opened, so it is known to be racy against an attacker who swaps the link at the right moment. It raises the bar rather than closing the hole.
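A check for the generated configuration, added here as an example (not from the post): it reads the <Directory "/"> block of an httpd.conf and reports any Options line that enables FollowSymLinks, either by name or via Options All, which includes it. Useful for confirming the WHM setting actually landed in the file, and for re-checking after an EasyApache rebuild. Assumes the standard Apache directive syntax; the sample configuration used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not from the post: audit the root <Directory> block for
# FollowSymLinks. Assumes stock Apache syntax.

# Usage: audit_root_symlink_options /usr/local/apache/conf/httpd.conf
# Prints each Options line inside <Directory "/"> (or <Directory />) that
# enables FollowSymLinks, directly or through "All", and returns 1 if any was
# found, 0 if the block only permits SymLinksIfOwnerMatch. An explicit
# "-FollowSymLinks" removes the option and is not flagged.
audit_root_symlink_options() {
    awk '
        /^[ \t]*<[Dd]irectory[ \t]+"?\/"?[ \t]*>/ { inroot = 1; next }
        /^[ \t]*<\/[Dd]irectory>/                 { inroot = 0; next }
        inroot && /^[ \t]*[Oo]ptions[ \t]/ {
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                # "All" is every option except MultiViews, so it includes FollowSymLinks
                if (o == "followsymlinks" || o == "+followsymlinks" || o == "all" || o == "+all") {
                    printf "%s:%d: %s\n", FILENAME, NR, $0
                    bad++
                    break
                }
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}
```

The function looks only at the root block, which is what the WHM screen edits; FollowSymLinks enabled in a later <Directory> section or in a customer’s .htaccess is a separate check, and the AllowOverride setting decides whether the latter is even possible.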

ConfigServer Exploit Scanner – Individual User Warning Email Script

Parse the CXS Log file for warnings, and email your customers with details of the Malware found in their accounts via a Perl script.

  • Got ConfigServer Exploit Scanner (CXS) installed on your cPanel/WHM server?
  • Doing a full server scan every now and then, and getting swamped with the reports?
  • Want a script that will trawl the reports, and email the cpanel users with their problems automatically?

Then you came to the right place! Read More…

Retry timeout exceeded – Exim greylist problem

This article relates to Exim 4, running in a WHM/cPanel environment under Centos, but may affect other configs too.

You may find instances where a local user tries to send mail to a host that operates greylisting and the message never gets to the recipient. You see things like this in the exim_mainlog:

2011-11-10 15:14:05 1ROWKK-0003I1-Ia <= localuser@localdomain.co.uk H=something.com (FredBlogs) [2.2.2.2] P=esmtp S=7852 id=!&!AAAAAAAAAAAYAAAAAAAAAEDCVk4NrhRJjsshyvaOnAfCgAAAEAAAAOV7jpjiT51Jm/WbyNPkywIBAAAAAA==@domain.co.uk T="FW: test" for remoteuser@remotedomain.co.uk
2011-11-10 15:14:06 1ROWKK-0003I1-Ia == remoteuser@remotedomain.co.uk <remoteuser@remotedomain.co.uk> R=lookuphost T=remote_smtp defer (-44): SMTP error from remote mail server after RCPT TO:<remoteuser@remotedomain.co.uk>: host mail.host100.co.uk [5.5.5.5]: 451 Greylisted, please try again in 223 seconds
2011-11-10 15:14:06 1ROWKK-0003I1-Ia ** remoteuser@remotedomain.co.uk: retry timeout exceeded
2011-11-10 15:14:06 1ROWKK-0003I1-Ia Completed
Read More…
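A way to find every message that went the same way as the one in the excerpt, added here as an example (not part of the post): it pairs each == defer line carrying a 451 greylisting response with a later ** line for the same message ID that says “retry timeout exceeded”, and prints the message ID, recipient and remote host. It assumes the standard Exim 4 main log layout (date, time, message ID, flag, then the rest), as found in /var/log/exim_mainlog on a cPanel box; the log lines used to exercise it are constructed from the excerpt above.

```shell
#!/bin/sh
# Added example, not from the post: report greylisted messages that Exim
# bounced with "retry timeout exceeded". Assumes the Exim 4 main log layout.

# Usage: greylist_retry_bounces /var/log/exim_mainlog
# Prints "msgid recipient host [ip]" for each message whose == defer line was
# a 451 greylisting response and whose ** line says "retry timeout exceeded".
greylist_retry_bounces() {
    awk '
        # defer line: field 3 = message id, field 5 = recipient
        $4 == "==" && /451/ && /[Gg]reylist/ {
            host = "?"
            if (match($0, /host [^ ]+ \[[^ ]+\]/)) host = substr($0, RSTART + 5, RLENGTH - 5)
            greylisted[$3] = $5 " " host
        }
        # bounce line for a message we saw greylisted
        $4 == "**" && /retry timeout exceeded/ && ($3 in greylisted) {
            print $3, greylisted[$3]
            delete greylisted[$3]
        }
    ' "$1"
}
```

Note the timestamps in the excerpt: the ** line follows the defer within the same second, so Exim never waited out the greylist delay. That is general Exim behaviour rather than something taken from the post: when its retry hints database already holds a record for that host or address whose retry period has expired, the first 4xx on a new message is treated as final. exinext shows the retry record for an address, and exim_tidydb can drop stale entries from the retry database.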

Find and replace all timthumb.php on server – bash script

The recent vulnerability found in the popular timthumb.php image resizer has hit websites worldwide pretty hard. It is easy enough to deal with if you are just running your own site: replace the script with the latest version from upstream.

If you are running a hosting company, then you have either mitigated the issue somehow, or your helpdesk is probably still hung over from the after effects of exploited timthumb scripts.

So, cutting to the chase, here’s a script that I have used to run through whole cPanel-based servers looking for files named timthumb.php or thumb.php that contain the text “timthumb” (almost every instance of the script I have seen contains that string somewhere).

It then moves the vulnerable file out of the way, copies over the latest source from a location you can tweak in the script, and sets the ownership and permissions correctly (assuming you are running suPHP).

Obviously, the usual disclaimers apply here: you are free to use this script, but no responsibility can be accepted for anything that goes wrong if you choose to!

This is actually version 2, as it were: I have modified the script so that it now looks for the version number within timthumb.php and only replaces copies whose version does not match one of the versions listed as good in the script.

The bash script:

#!/bin/bash
###################################################################
##  timthumb correction                                          ##
###################################################################

GOODTHUMB="/root/scripts/timthumb.php"   # known-good copy to install
GOODVERSIONS="2.7 2.8"                    # major.minor versions left untouched
QUARANTINE="/root/timthumb-quarantine"    # old copies go here, outside every docroot

###########################
##  Assign temp file     ##
###########################
# mktemp creates the file atomically with mode 0600, so no other local user
# can pre-create or symlink the name; a predictable /tmp/healthchk.PID.tmp
# that is removed and re-touched can be raced by anyone with a shell.
TMPFILE="$(mktemp /root/healthchk.XXXXXX)" || exit 1
trap 'rm -f "${TMPFILE}"' EXIT

##########################################################
##  SCRIPT BEGINS HERE                                  ##
##########################################################

echo "This script will check all home directories for timthumb..."

/bin/ls -- /var/cpanel/users | /bin/grep -v "\`\|\.\|cpanel\|root\|mysql\|nobody" | while IFS= read -r CPUSER; do
   CPHOME="$(/bin/grep "^${CPUSER}:" /etc/passwd | cut -d':' -f6)/public_html"
   echo -e "\nChecking user ${CPUSER} - home directory = ${CPHOME}"
   [ -d "${CPHOME}" ] || continue

   #####################################
   ## Start looking for timthumb!     ##
   #####################################
   /usr/bin/find "${CPHOME}" -type f \( -iname "timthumb.php" -o -iname "thumb.php" \) > "${TMPFILE}" 2> /dev/null

   while IFS= read -r TARGET; do
      # every version of the script I have seen contains the string timthumb somewhere
      /bin/grep -qi timthumb "${TARGET}" || continue
      # first VERSION constant in the file, major.minor only (e.g. "2.8")
      THEVERSION="$(/bin/grep -o "VERSION.*'[0-9.]*'" "${TARGET}" | /bin/grep -Eo "[0-9]\.[0-9]+" | head -n1)"
      [ -n "${THEVERSION}" ] || continue   # no version string: leave it and look by hand

      # You can modify the versions to accept (i.e. not modify) in GOODVERSIONS above
      case " ${GOODVERSIONS} " in
         *" ${THEVERSION} "*) continue ;;
      esac

      echo "Found one!: ${TARGET}    version ${THEVERSION}"
      # Move the old copy out of the docroot rather than renaming it in place:
      # with AddHandler/AddType, Apache still treats timthumb.php.bak as PHP
      # because every dotted extension in the name counts.
      QDIR="${QUARANTINE}/${CPUSER}$(dirname "${TARGET}")"
      /bin/mkdir -p "${QDIR}" && /bin/chmod 700 "${QUARANTINE}"
      mv "${TARGET}" "${QDIR}/"
      cp "${GOODTHUMB}" "${TARGET}"
      /bin/chown "${CPUSER}:${CPUSER}" "${TARGET}"
      /bin/chmod 640 "${TARGET}"
   done < "${TMPFILE}"
done
##  Clean up any trace (the trap above also does this on any exit)
rm -f "${TMPFILE}"