simulating hacked website questions
I'm simulating a hacked website. I have uploaded one PHP script that calls the shell function on one of the websites that I host on my server. I have a shell in the browser, and I can list the root directory / and browse and read various files. suPHP and suEXEC are enabled in cPanel.
I can probably circumvent this by enabling the open_basedir tweak, BUT I don't think this is going to solve the problem in the case of a hacked website, i.e. the attacker can upload a php.ini file with a custom open_basedir variable, so there is no point in that. Is there some other kind of solution for this?
> I have a shell in the browser, and I can list the root directory / and browse and read various files.
Hello :) Could you elaborate on this? What files with sensitive data are you able to see? Are you sure it's not related to the question asked on this thread? Thank you.
He's talking about a PHP shell, where you can access anything world-readable via Apache. I recommend the "symlink race condition protection" in EasyApache; it will stop processes running under PHP, such as PHP shells, from accessing files not owned by the same user.
Hello, I would also suggest you install mod_sec on your server, scan your whole server with LMD (Maldet), and remove any infected files you find in the log file.
OK, my website is not hacked; I have uploaded a PHP shell script to see what I can access. I have suPHP enabled, so I copied the php.ini file from /usr/local/lib/php.ini to /home/user/php.ini and added to it: open_basedir = "/home/user" Why can I still access and read / through the PHP script? It looks like suPHP doesn't read custom php.ini files in the /home/user/ directory, as the documentation states it will:
Have you enabled "Symlink Race Condition Protection" as referenced by forum user quizknows? It's documented here: Symlink Race Condition Protection Thank you.
> Hello, I would also suggest you install mod_sec on your server, scan your whole server with LMD (Maldet), and remove any infected files you find in the log file.
Did you read this whole thread, or just the title?
I have disabled FollowSymLinks and set SymLinksIfOwnerMatch, so this is OK. But the above problem is not related to that; the above problem is: a PHP script is called which lists all files in root, /etc, /var, etc., and it gives output... P.S. php-fpm fixes all these problems, with custom php.ini and locking users to home directories, etc. There is no need for CageFS, CloudLinux, etc. So please add it :)
Are you sure it's generating valid output (e.g. account-specific data)? Feel free to vote and add your feedback to the existing feature request at: FastCGI Process Manager (FPM) SAPI | cPanel Feature Requests (http://features.cpanel.net/responses/fastcgi-process-manager-fpm-sapi) Thank you.
Yes. But only directories with the world-readable flag can be accessed, and also the ones with the X flag. Already did :)
OK, I have managed to get a custom php.ini file working with suPHP enabled:
1) suPHP is enabled
2) add a custom php.ini by copying it to /home/user/php.ini, and in the file /home/user/public_html/.htaccess add this: suPHP_ConfigPath /home/user - with this the custom php.ini file is read
3) the PHP system function and exec_shell function circumvent this - you can set open_basedir in that custom php.ini file to /home/user/public_html/test and the website is not going to work, but the PHP script which is in /home/user/public_html/test/hack.php is going to work, the shell is given in the browser, and the hacker can browse all files and dirs in the system which are world-readable.
4) add those functions to the disable_functions section in php.ini so that they cannot get executed
Also, this is all meaningless if the configuration on the server allows custom php.ini files, because the hacker can bypass all the options stated in the global php.ini file by adding his own custom php.ini file or editing the current custom php.ini file on the website... Eh, php-fpm would fix all this...
> Also, this is all meaningless if the configuration on the server allows custom php.ini files, because the hacker can bypass all the options stated in the global php.ini file by adding his own custom php.ini file or editing the current custom php.ini file on the website...
You may find this thread helpful: Methods to Increase Security on suPHP - Restricting who can use php.ini files Thank you.
Thank you. So, if I have suPHP and none of the websites has suPHP_ConfigPath in any .htaccess file, then I can use the above link to restrict who can use php.ini? I'm asking because if the websites don't have "suPHP_ConfigPath" in any .htaccess file but they have php.ini files in their public_html directories, those are ignored and not used. If I restrict them so they can only use the global php.ini, is there an option at a later time to somehow allow only a specific website to use a custom php.ini with the above restriction?
1. No, suPHP_ConfigPath will not override the method listed to restrict accounts to a global php.ini file. A php.ini file within an account's public_html directory should not be ignored if the "suPHP_ConfigPath" entry is not utilized.
2. Please ensure you read the section in that thread titled "If you have PHP 5.3+ and want to allow some accounts to have their own php.ini file". Thank you.
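The thread's two practical takeaways are that a per-account php.ini needs both open_basedir and disable_functions (steps 3 and 4 above) and that any account-level override, whether a php.ini in the account or a suPHP_ConfigPath line in .htaccess, is something the server owner should know about. The script below is an added example, not code from the thread or from cPanel: it audits every php.ini under a /home-style tree for those two settings and lists every .htaccess that redirects suPHP to a custom configuration directory. The /home/<user>/public_html layout, the list of shell-spawning functions in SHELL_FUNCS, and the two sample accounts "alice" and "bob" are all assumptions constructed for the example; it generalizes the thread's single /home/user case to all accounts on the server.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: audit per-account php.ini
# overrides under suPHP. Assumes the /home/<user>/public_html layout the thread uses;
# the sample tree built by make_sample is constructed data, not a real server.

# PHP functions that hand a web script a system shell; the thread's step 4 is to put
# these in disable_functions. This list is an assumption; extend it to suit the host.
SHELL_FUNCS="system exec shell_exec passthru popen proc_open"

# Audit one php.ini. Prints one line per finding:
#   <file> MISSING_OPEN_BASEDIR        no open_basedir line at all
#   <file> MISSING_DISABLE:<function>  a shell-spawning function is still callable
audit_ini() {
    ini="$1"
    if ! grep -Eq '^[[:space:]]*open_basedir[[:space:]]*=' "$ini"; then
        echo "$ini MISSING_OPEN_BASEDIR"
    fi
    # the last disable_functions line wins in php.ini; normalise it to a space-separated list
    disabled=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" \
        | tail -n 1 | cut -d= -f2- | tr -d '"' | tr ',' ' ')
    for fn in $SHELL_FUNCS; do
        case " $disabled " in
            *" $fn "*) ;;
            *) echo "$ini MISSING_DISABLE:$fn" ;;
        esac
    done
}

# Walk every account under $1: audit each php.ini found, and list every .htaccess
# that points suPHP at a custom php.ini directory (the thread's step 2), since such
# an override is exactly what someone with write access to the account would add or edit.
audit_tree() {
    root="$1"
    find "$root" -type f -name php.ini | sort | while read -r ini; do
        audit_ini "$ini"
    done
    find "$root" -type f -name .htaccess -exec \
        grep -EH '^[[:space:]]*suPHP_ConfigPath' {} \; | sed 's/^/CONFIGPATH /'
}

# Constructed sample: "alice" has the thread's partial fix (open_basedir only, plus a
# suPHP_ConfigPath override); "bob" has open_basedir and disable_functions both set.
make_sample() {
    base="$1"
    mkdir -p "$base/alice/public_html" "$base/bob/public_html"
    printf 'suPHP_ConfigPath /home/alice\n' > "$base/alice/public_html/.htaccess"
    printf 'open_basedir = "/home/alice"\n' > "$base/alice/php.ini"
    cat > "$base/bob/php.ini" <<'EOF'
open_basedir = "/home/bob:/tmp"
disable_functions = system,exec,shell_exec,passthru,popen,proc_open
EOF
}

# Build the sample tree in a scratch directory, audit it, print the findings, clean up.
demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp"
    audit_tree "$tmp"
    rm -rf "$tmp"
}

demo
```

Run against a real tree with `audit_tree /home`. On the constructed sample, alice's php.ini produces six MISSING_DISABLE findings and one CONFIGPATH line, while bob's produces none. As the later replies in the thread point out, an account-level php.ini is only as trustworthy as the account's write access, so the findings are a drift check, not a substitute for restricting which accounts may use a php.ini at all.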