cPanel Symlink Race Attack
Hello,
Currently I have one VPS used for cPanel shared hosting accounts. The setup was Apache with PHP under suPHP installed. Also, AllowSymlink is enabled in the Apache settings. Around 2 weeks ago my server got hacked by this symlink race attack...
Then I installed mod_ruid2 on Apache, but it seems mod_ruid2 broke some of my email and PHP applications, and the server load also seems a bit higher. As of now, I'm reverting back to my previous settings.
I read in an article that we can just disable the FollowSymLinks option to prevent this attack. Is that right? But then some .htaccess settings may break, right?
Any solution for this symlink problem?
Thanks...
Comments
CloudLinux
+1 for CloudLinux
To the OP I'd suggest you get someone who has a lot more experience than you do to give your server a quick look over. I'd do it for you free of charge; let me know if you need any assistance. Also, I would suggest you switch to FCGID over suPHP.
In Kloxo-MR, Apache uses 'Options -Indexes -FollowSymlinks +SymLinksIfOwnerMatch' by default.
+2 for CloudLinux if you can afford it.
Please don't use Kloxo. Now that's asking for your server to be hacked.
Still hacked for Kloxo 6.1.19? And also hacked for Kloxo-MR 6.5 and/or 7.0?
Link/proof please.
AFAIK the -MR version is said to be much better in terms of security. Never used any kind of panel, so I am not speaking from personal experience.
6.5 - http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=&filter_exploit_text=kloxo&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=
Read http://forum.mratwork.com/kloxo-mr-releases-and-announcements/(info)-kloxo-mr-6-5-0-csrf-vulnerability-really/
Yeah? The part about the guy's server being turned into "an email bomb server" made me chuckle.
To protect from the symlink race condition attack:
With mod_ruid2, enable Apache jails from Tweak Settings (CloudLinux and Apache jails are the 2 solutions recommended by cPanel): https://documentation.cpanel.net/display/EA/Symlink+Race+Condition+Protection
About ruid2 speed: when you recompile with EasyApache, select eAccelerator. I guarantee you a 2-4 times difference in server load vs suPHP.
Thank you for the solutions..
If I set -Indexes -FollowSymlinks +SymLinksIfOwnerMatch, will this absolutely stop this kind of attack? But by disabling FollowSymLinks many .htaccess files will fail, including usually on WordPress.
Needs to be combined with open_basedir.
I have enabled open_basedir protection too. Hope it will add a new layer of security on this server.
Thanks..
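The two mitigations discussed above (the Kloxo-MR `-FollowSymlinks +SymLinksIfOwnerMatch` default and the OP's open_basedir layer) both target the same pattern: a symlink planted inside one account's web tree that resolves to a file outside it, such as another account's wp-config.php. The script below is an added example written for this thread, not code from any poster, cPanel or Kloxo-MR. It audits a docroot for exactly those links and prints the link/target owner pair that SymLinksIfOwnerMatch would compare. It assumes GNU coreutils (`readlink -f`, `stat -c`), and the two-account sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel. Audits a web tree for
# the link pattern behind the "symlink race" attack: a symlink under one
# account's docroot that resolves to a file outside it (another account's
# wp-config.php, /etc/passwd, ...). Apache's +SymLinksIfOwnerMatch refuses
# such links when link and target owners differ; this shows what it would
# refuse. Assumes GNU coreutils (readlink -f, stat -c); sample tree is constructed.

# Print one line per symlink under $1 whose resolved target lies outside $1,
# together with the uid of the link and the uid of what it points at.
audit_symlinks() {
    root=$(readlink -f "$1") || return 2
    find "$root" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link")
        case "$target" in
            "$root"/*) ;;    # resolves inside the docroot: allowed
            *)
                link_uid=$(stat -c %u "$link")
                target_uid=$(stat -L -c %u "$link" 2>/dev/null || echo '?')
                printf '%s -> %s (link uid %s, target uid %s)\n' \
                    "$link" "$target" "$link_uid" "$target_uid"
                ;;
        esac
    done
}

# Number of links that escape the docroot.
count_escaping_symlinks() {
    audit_symlinks "$1" | wc -l | tr -d ' '
}

# Constructed sample: a "victim" account and an "attacker" account whose
# docroot holds one harmless link and two links of the kind the attack uses.
build_sample_tree() {
    base=$(mktemp -d) || return 2
    mkdir -p "$base/victim/public_html" "$base/attacker/public_html/css"
    echo "DB_PASSWORD=secret" > "$base/victim/public_html/wp-config.php"
    echo "body{}" > "$base/attacker/public_html/css/site.css"
    # stays inside the attacker's own tree: not flagged
    ln -s css/site.css "$base/attacker/public_html/style.css"
    # the classic cross-account link to another user's config
    ln -s ../../victim/public_html/wp-config.php "$base/attacker/public_html/steal.txt"
    # link to a system file
    ln -s /etc/passwd "$base/attacker/public_html/passwd.txt"
    echo "$base/attacker/public_html"
}

sample_docroot=$(build_sample_tree)
audit_symlinks "$sample_docroot"
echo "escaping symlinks: $(count_escaping_symlinks "$sample_docroot")"
```

Run it against a real `/home/*/public_html` as root to see which links the owner-match rule would block. In the constructed sample all files share one uid, so the owner columns match; on a real shared host the cross-account link shows the attacker's uid against the victim's, which is the mismatch SymLinksIfOwnerMatch keys on. open_basedir adds a second, independent check at the PHP level for the same escape.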
Yes, you can use CloudLinux against symlink attacks.
Use CloudLinux if you can afford it otherwise try mod_ruid2 with different PHP versions.