cPanel Symlink Race Attack

Wira_Soenaryo

Hello,

Currently I have one VPS to be used for cpanel share hosting account. The setting was using apache PHP with suPHP installed. Also AllowSymlink is allowed on Apache setting. Around 2 weeks ago my server got hacked by this sysmlink race attack...

Then I installed the mod_ruid2 on Apache.. but seems this mod_ruid2 ruin some of my email and php application.. also the server load seems a bit more high. As of now, I'm reverting back to my previous setting.

I read on some article, we can just disable the FollowSymlink options to prevent this attack. Is that right? But then some .htaccess setting may broke, right?

Any solution for this symlink problem?

Thanks...

nexmark

CloudLinux

tomsfarm

@nexmark said:
CloudLinux

1+ for CloudLinux

To the OP I'd suggest you get someone who has a lot more experience then you do to give your server quick look over. I'd do it for you Free of Charge let me know if you need any Assistance. Also I would suggest you switch to FCGID over suphp.

mustafaramadhan

In Kloxo-MR, apache use 'Options -Indexes -FollowSymlinks +SymLinksIfOwnerMatch' by default.

HyperSpeed

+2 for CloudLinux if you can afford it.

Please don't use Kloxo. Now that's asking for your server to be hacked.

mustafaramadhan

@HyperSpeed said:
+2 for CloudLinux if you can afford it.

Please don't use Kloxo. Now that's asking for your server to be hacked.

Still hacked for Kloxo 6.1.19?. And also hacked for Kloxo-MR 6.5 and or 7.0?.

Link/proof please.

Nyr

HyperSpeed said: Please don't use Kloxo. Now that's asking for your server to be hacked.

AFAIK the -MR version is said to be much better in terms of security. Never used any kind of panel, so I am not speaking from personal experience.

ATHK

6.5 - http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=&filter_exploit_text=kloxo&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

mustafaramadhan

@ATHK said:
6.5 - http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=&filter_exploit_text=kloxo&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=

Read http://forum.mratwork.com/kloxo-mr-releases-and-announcements/(info)-kloxo-mr-6-5-0-csrf-vulnerability-really/

ATHK

@mustafaramadhan said:
Read http://forum.mratwork.com/kloxo-mr-releases-and-announcements/(info)-kloxo-mr-6-5-0-csrf-vulnerability-really/

Yea? The part about the guys server being turned into "an email bomb server" made me chuckle..

coolice

to protect from symlink race condition attack

With mod_ruid2 enable Apache jails from tweaks (Cloud Linux and Apache jails are the 2 recomended solutions by cPanel) https://documentation.cpanel.net/display/EA/Symlink+Race+Condition+Protection

About ruid2 speed when you recompile easy apache select eaccelerator I guarantee you 2-4 times difference in server load vs suphp

Wira_Soenaryo

Thank you for the solutions..

If I set -Indexes -FollowSymlinks +SymLinksIfOwnerMatch, will this absolutely stop this kind of attack? But by disable the FollowSymlinks many .htaccess files will failed... including usually on WordPress..

mustafaramadhan

@Wira_Soenaryo said:
Thank you for the solutions..

If I set -Indexes -FollowSymlinks +SymLinksIfOwnerMatch, will this absolutely stop this kind of attack? But by disable the FollowSymlinks many .htaccess files will failed... including usually on WordPress..

Need combine with open_basedir.

Wira_Soenaryo

@mustafaramadhan said:
Need combine with open_basedir.

I have enable the open_basedir protection too. Hope will add a new layer of security on this server..

Thanks..

obh_ridwan

Yes you can use a cloudlinux for againts symlink attack.

Sady

Use CloudLinux if you can afford it otherwise try mod_ruid2 with different PHP versions.