disable viewing/executing 755 perm files
Hello
I got hacked many times by cgi-telnet, which I was stopping by mod_sec and httpd.conf folder options like this:
Unfortunately, nowadays Apache does not accept "Options=IncludesNOEXEC,-Indexes,Includes,-MultiViews,SymLinksIfOwnerMatch,-FollowSymLinks", and mod_sec rules are not charm enough, as a hacker can put any other name like xxxx.zy or uuuu.sym. So I noticed one common factor needed to run this cgi, which is file perm 755. So how can I forbid 755 files from being opened directly?
Options +ExecCGI -FollowSymLinks -Includes +IncludesNOEXEC -Indexes -MultiViews +SymLinksIfOwnerMatch
AllowOverride All
Options -ExecCGI Includes -Indexes -FollowSymLinks +IncludesNOEXEC -MultiViews +SymLinksIfOwnerMatch
AllowOverride AuthConfig Indexes Limit FileInfo Options=IncludesNOEXEC,-Indexes,Includes,-MultiViews,SymLinksIfOwnerMatch,-FollowSymLinks
Order allow,deny
Allow from all
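As an added example (not from the thread, not cPanel's own configuration), here is how the directives the poster is already using would be written for one account's document root so that CGI execution is off and cannot be turned back on from an uploaded .htaccess. The path is a placeholder. Two points it relies on: the `AllowOverride Options=...` form takes bare option names (the `+`/`-` prefixes belong to the `Options` directive itself), and Apache has no directive that keys on a file's mode bits, so the block denies by handler and extension rather than by permission.

```apache
# Added example, not from the thread. /home/EXAMPLE_USER/public_html is a placeholder.
<Directory "/home/EXAMPLE_USER/public_html">
    # No CGI here, no server-side exec, and no symlinks into other accounts.
    Options -ExecCGI -Includes +IncludesNOEXEC -Indexes -MultiViews +SymLinksIfOwnerMatch

    # .htaccess may adjust auth, limits and index files, but NOT Options:
    # leaving Options out of AllowOverride means an uploaded .htaccess cannot add +ExecCGI.
    # FileInfo still permits AddHandler/AddType in .htaccess; drop it as well if accounts do not need it.
    AllowOverride AuthConfig Indexes Limit FileInfo

    # Do not serve CGI sources to browsers at all, whatever their mode bits.
    # Apache 2.4 syntax; on 2.2 use "Order allow,deny" + "Deny from all" instead.
    # Note this matches on extension only: a renamed script (xxxx.zy) is not caught here,
    # which is why -ExecCGI above, not this block, is the real control.
    <FilesMatch "\.(cgi|pl)$">
        Require all denied
    </FilesMatch>
</Directory>
```

Check the result with `apachectl -t` before restarting; a typo in `Options` is a hard error rather than a silently ignored line.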
Hello :) Restricting any file that utilizes 0755 permissions is not recommended. You can modify the "Directory "/" Options" configuration for Apache via: "WHM Home » Service Configuration » Apache Configuration » Global Configuration". Thank you.
[quote="cPanelMichael, post: 1454851"]Hello :) Restricting any file that utilizes 0755 permissions is not recommended. You can modify the "Directory "/" Options" configuration for Apache via: "WHM Home » Service Configuration » Apache Configuration » Global Configuration". Thank you.[/quote]
Sorry, but I am speaking about the directories home & /usr/local/apache/htdocs. How to set this [COLOR="#FF0000"]Options=IncludesNOEXEC,-Indexes,Includes,-MultiViews,SymLinksIfOwnerMatch,-FollowSymLinks[/COLOR], or how to disable viewing any 755 perm file inside home?
ModSecurity, PHP settings, and Apache settings can only do so much. You need to find out HOW the cgi-telnet is getting there. Most of the time, it is because of old WordPress plugins or Joomla components being exploited. You should keep the Apache access logs for your site(s) by enabling the archiving in each cPanel ("Raw Access Logs"). When cgi-telnet script(s) appear, you can use the time stamps of the files to see how they were uploaded. Your best defense is making sure all installed web applications get updated on a regular basis, and have strong passwords.
[quote="quizknows, post: 1455072"]ModSecurity, PHP settings, and Apache settings can only do so much. You need to find out HOW the cgi-telnet is getting there. Most of the time, it is because of old WordPress plugins or Joomla components being exploited. You should keep the Apache access logs for your site(s) by enabling the archiving in each cPanel ("Raw Access Logs"). When cgi-telnet script(s) appear, you can use the time stamps of the files to see how they were uploaded. Your best defense is making sure all installed web applications get updated on a regular basis, and have strong passwords.[/quote]
Thank you quizknows, but your advice is good when we speak about 2-15 websites. But if you have shared hosting and you have more than 150 accounts, how do you think you will manage?
I manage many shared servers with that many accounts. I highly recommend using CloudLinux with CageFS and SecureLinks. This way if one site is hacked, they cannot affect your other customers. Customers who are hacked because of their own out-of-date software are responsible for their own cleanup, though I often do clean it up for them as a courtesy. One other thing: the execute permissions of a malicious CGI or PHP script really don't matter - it just has to be readable. PHP itself is the executable. You can "execute" a php file even if it is 444, since PHP itself is being executed and the script [name] itself is just an argument.
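Two points in quizknows' replies lend themselves to a worked example: matching a dropped script's timestamp against the archived access log to find the upload, and the fact that a script's execute bit is irrelevant, so a scan must go by content rather than by mode. The script below is an added example written for this thread, not code from the thread, cPanel or CloudLinux. It detects script-like files by their first bytes (a `#!` shebang or a `<?php` tag) regardless of permissions, takes each file's mtime, and lists the POST/PUT requests in the minutes before it. The log lines, the file `images/xxxx.zy` and the web-root layout are constructed for the demo; the window of 5 minutes is an assumption you would widen for a real investigation.

```python
import os
import re
import stat
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines in Apache combined format (not from the thread).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2014:10:14:03 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2014:10:15:41 +0000] "POST /wp-content/plugins/old-plugin/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2014:10:15:55 +0000] "GET /images/xxxx.zy HTTP/1.1" 200 8890 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2014:11:00:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return entries


# Classify by content, not by the execute bit: a CGI or PHP backdoor only has to be
# readable by the web server (the interpreter is the executable, the file is its argument).
SCRIPT_SIGNATURES = (b"#!", b"<?php")


def looks_like_script(path):
    try:
        with open(path, "rb") as f:
            head = f.read(64)
    except OSError:
        return False
    return head.lstrip().startswith(SCRIPT_SIGNATURES)


def find_scripts(root):
    """Walk a web root and return every script-like file with its mode and mtime (UTC)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if looks_like_script(p):
                st = os.stat(p)
                found.append({
                    "path": os.path.relpath(p, root),
                    "mode": stat.S_IMODE(st.st_mode),
                    "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc),
                })
    return found


def requests_before(entries, when, window=timedelta(minutes=5)):
    """POST/PUT requests in the window leading up to `when`, earliest first."""
    hits = [e for e in entries
            if e["method"] in ("POST", "PUT") and when - window <= e["time"] <= when]
    return sorted(hits, key=lambda e: e["time"])


def demo():
    """Build a constructed web root in a temp dir and correlate it with SAMPLE_LOG."""
    entries = parse_log(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        # Constructed planted file: odd extension, mode 0644 (no execute bit at all).
        planted = os.path.join(root, "images", "xxxx.zy")
        with open(planted, "wb") as f:
            f.write(b'#!/usr/bin/perl\nprint "hello";\n')
        os.chmod(planted, 0o644)
        # Pretend it was written at 10:15:50 UTC on the log's date.
        ts = datetime(2014, 3, 12, 10, 15, 50, tzinfo=timezone.utc).timestamp()
        os.utime(planted, (ts, ts))
        with open(os.path.join(root, "about.html"), "w") as f:
            f.write("<html>hello</html>")  # ordinary content, must not be flagged
        report = []
        for s in find_scripts(root):
            suspects = requests_before(entries, s["mtime"])
            report.append((s["path"], oct(s["mode"]), [(e["ip"], e["path"]) for e in suspects]))
        return report


if __name__ == "__main__":
    for path, mode, suspects in demo():
        print(f"{path} (mode {mode}) -> candidate uploads: {suspects}")
```

On a real server you would point `find_scripts` at an account's `public_html` and `parse_log` at the archived raw access log for that domain; the POST to the out-of-date plugin that lands just before the file's mtime is the lead to follow, and the `0o644` in the report is the point of the second reply: the file never needed 755.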