A client hacked another client of mine using the following Perl code:
#!/usr/bin/perl
symlink ("/home/john/public_html/config.php","/home/carole/public_html/forums/includes/config.php");
After the hacker got the DB name, username and password it's very easy to change anything in the forum using PHP.
I'm using cPanel.
i have big problem all Forums in my server hacked by perl symlink see all config.php by shell perl in .txt by include
i solve it by make perl permission 000 but all thing in cpanel stop cause cpanel by perl
After reading an article on command line FTP, I FTP'd to my VPS and was shocked out much access someone without logging in (and Anonymous FTP is off) has. I am running cPanel Release on CentOS 4 and Virtuozzo 3. How can I improve server security without giving any SSH access? I was all ready to use WebDav over SSL but then it doesn't allow you to change permisisons. Security is my #1 priority. My friend who I host says his clients like FTP and FTP is a standard service.
Would FTP with SSL be more secure, or still pose the same problems with sniffers and people connecting and being able to do something? Can I force FTP over SSL while not having cPanel over-ride my settings wiht an update?
What can I do to solve this major security hole? Next on my list is forcing POPs and IMAPs, authentication for SMTP and even SSL SMTP. Then only SMTP incomg 25 and HHTP port 80 would be none secure, but everything mostly secure.
My understanding is that currently the only way to protect against it is to deny any requests for PDFs where the request string takes that particular form? Is that correct? Or will the browser not even submit anything beyond the # sign in the request for the PDF?
And if it is correct.... has anyone tried to cook up a recipe that we can all dump in our .htaccess files to get this fixed up?
I have just discovered a massive security in the CPANEL 10.9 software. This problem is in the BACKUP FEATURE. If you do remote ftp back onto the same account. It will put the file in the account home directory and it will have this type of stuff accountname:ROOTPASSWORD@serverhostname.com
View 14 Replies View Relatedive been trying to install it for about 3 hours and ive finally got it working. now, how do i configure it to be nice and secure?
first thing is that i want to restrict which paths people can use in scripts. my site needs to access any paths but site users can only access their own directories. i want the exact same thing as in this thread but with perl instead of php
how do i block certain functions and which ones do i block? i heard perl and php are very similar so im guessing i want to block similar functions to the ones listed here
I admit I know nothing when it comes to servers. Yet I do have a root server and I noticed that there are some days when the traffic spikes up to 20 times the average and when I login via ssh I see many perl processes. I don't know what those are since I don't use any perl scripts on my web site. Is this a potential or maybe an ongoing security issue?
View 2 Replies View RelatedI got an email from our rather new VPS server (all headers seem to show it's really from our IP) where an account was created by root and deleted 30 minutes later?!
Is there a cpanel loophole?
What should we do next?
+===================================+
| New Account Info |
+===================================+
| Domain: z0ne-h.com
| Ip: 72.xxx.xxx.xxx (y)
| HasCgi: y
| UserName: vampire
| PassWord: 0123969469
| CpanelMod: x
| HomeRoot: /home
| Quota: 10000 Meg
| NameServer: ns1.xxxxxxxxx.net
| Contact Email: only.vampire@gmail.com
+===================================+
Account was setup by: root (root)
I'm trying to create a symlink (ln -s) in SSH with the goal of having a php-file to be able to be reached from my wildcard subdomains "username.domain.com". The reason is because of XMLHttpRequest that resides in the php-file. When trying to access it from username.domain.com I only get an error, because of the cross-domain issue.
Anyway, I got the suggestion of creating a symlink on the file system, but I can't really get the symlink right... Where should I place it on the file system?
This is the path to the script;
Code:
/home/web2753/domains/domain.com/public_html/ajax/status.php
I tried creating the symlink in various places, like in the /domains/ directory;
Code:
ln -s /home/web2753/domains/domain.com/public_html/ajax/status.php
But I don't seem to get it right! If I have understood everything correctly, I'm supposed to create a symlink for status.php so the Subdomains can access it as if it was placed directly under the subdomains.
This is what my .JS file looks like (with the XMLhttprequest, this might not matter..?)
Code:
/home/web2753/domains/domain.com/public_html/javascript/edit.js
Code:
var cururl = 'htp domain com'; // this forum didn't like this url?
function createRequestObject() {
var req;
if (window.XMLHttpRequest) {
req = new XMLHttpRequest();
} else if (window.ActiveXObject) {
req = new ActiveXObject("Microsoft.XMLHTTP");
} else {
alert('Problem creating the XMLHttpRequest object');
}
return req;
}
function handleDivTag(divtag) {
var divtag;
return divtag;
}
var http = createRequestObject();
var divhandler = new handleDivTag(null);
function sendRequest(ua_id,show,series) {
http.open('get', cururl+'ajax/status.php?ua_id='+ua_id+'&show='+show+'&series='+series+'&dummy=' + new Date().getTime());
http.onreadystatechange = handleResponseTwo;
divhandler.divtag = ua_id;
http.send(null);
}
function handleResponseTwo() {
if (http.readyState == 4 && http.status == 200) {
var response = http.responseText;
if (response) {
document.getElementById('editinfo'+divhandler.divtag).innerHTML = response;
}
}
}
Everything works except of the cross-domain issue which I'm trying to overcome by creating a symlink.
I’ve been working on a project for weeks and I can not solve this, hope you can give me an idea. I am working on a dedicated server, and I need to create some symlinks between different accounts and users...
Both accounts are on the same partition of the server (home) and I have root access and SSH access for everything.
If I create a symlink to a directory of another account and on that directory there is any HTML file (e.g. Index.html), that symlink works great and it shows the content on that file.
HOWEVER if the symlink targets to a directory in which there is a file in (e.g. Index.php) or any script programmed in PHP (e.g. Joomla) it does not work and gives...
“Internal Server Error” + Additionally, a 404 Not Found error was encountered...
When I go to Cpanel the “error log” says...
[Sun Jul 05 09:15] [error] [client zz] File does not exist: /home/zzz/public_html/ 500 shtml
[Sun Jul 05 09:15] [error] [client zz] SoftException in Application.cpp:367: Mismatch between target UID (123) and UID (123) of file "/home/zzz/public_html/my-dir/my-symlink/ index php"
However, If go to SSH and edit server owner of the symlink, so both symlink and target file has the same owner (chown user:user directory_name) the problem is the same, but on the “error log” the UID Mismatch disappear and I only find...
File does not exist: /home/zzz/public_html/500 shtml
I’ve also tried modifying suexec by changing... “domain . tld ” for “domain - tld ” on the server alias, and does not work.
Here I give you more info about server file structure...
serveralias generation path...
/var/cpanel/userdata/USER/DOMAIN
suexec location...
/usr/local/apache/sbin/suexec
Server Information
System Linux
Apache Version 2.2.11 (Unix)
PERL Version 5.8.8
PHP Version 5.2.8
So the question is... HOW can I create a symlink between different users on the same dedicated server partition, that target to PHP scripts or how can I allow the server to execute PHP scripts through symlinks of different accounts?
I installed Apache2. In the the folder "var/www/html" I created a symlink to a different HDD that holds a number of movie files. My thinking is that it would be easy to access the movies through a browser from any computer on my local network.
I used the following command string while in the html directory, and created the symlink:
ln -sd /media/guy/movie1/Movies test
While sitting at the server, when I click on "test" it opens the correct directory and exposes the files. If I surf to apache from another machine it does not show the symlink.
Here the permissions on the symlink
lrwxrwxrwx 1 root root 24 May 11 19:56 test -> /media/guy/movie1/Movies
Excerpt from Apache access log:
192.168.1.158 - - [12/May/2015:08:40:07 -0400] "GET /favicon.ico HTTP/1.1" 404 502 "-" "Mozilla/5.0 (X11; Linux i686; rv:24.7) Gecko/20140802 Firefox/24.7 PaleMoon/24.7.1"
192.168.1.158 - - [12/May/2015:08:40:07 -0400] "GET /favicon.ico HTTP/1.1" 404 502 "-" "Mozilla/5.0 (X11; Linux i686; rv:24.7) Gecko/20140802 Firefox/24.7 PaleMoon/24.7.1"
192.168.1.158 - - [12/May/2015:08:40:07 -0400] "GET /favicon.ico HTTP/1.1" 404 502 "-" "Mozilla/5.0 (X11; Linux i686; rv:24.7) Gecko/20140802 Firefox/24.7 PaleMoon/24.7.1"
192.168.1.158 - - [12/May/2015:08:50:38 -0400] "GET / HTTP/1.1" 200 584 "-" "Mozilla/5.0 (X11; Linux i686; rv:24.7) Gecko/20140802 Firefox/24.7 PaleMoon/24.7.1"
192.168.1.158 - - [12/May/2015:08:50:39 -0400] "GET /icons/blank.gif HTTP/1.1" 304
I just got email from the company with which I co locate my servers (one of the resellers in MPT). The email said:
"We have detected a deny of service attack on one of your IP's
69.90.xxx.xxx. The attack was approximately 200Kpps and 120Mbps. The
IP has been null routed and will be in place for 24 hours."
Now all my sites hosted on that IP are down.
Is this the way the co location companies and their upstream providers deal with DOS attacks?
Its going to harm me a lot if I have to wait for 24 hours for the
services to work.
Just an FYI - we have been monitoring some attempts from europe. Here is a file that they were trying to include using a hole in PHPCoin's URL handler:
[URL removed] stringa.txt
The attempt was coming from linux.htd-information.dk
Code:
$ md5sum sim-current.tar.gz
6c1cece6f3af87598c4bdb09cabcb3cc sim-current.tar.gz
Line 25, file: sim-2.5-3/setup
Code:
TMPS="/tmp/sim_cj"
Line 399, file sim-2.5-3/install/sim
Code:
cat $TMPS >> /etc/crontab
If a local user creates a symlink to that file, then writes to the sim_cj file being linked to, as SIM is being installed, they can influence the contents of /etc/crontab.
Contacted the vendor via email on 04/17/07, email bounced.
Opened a ticket via their helpdesk ~5 days ago, no response.
Again, this is only an issue during the install, which is an extremely small window of time. Any bug that could lead to root access should be fixed, however.
I run a web hosting company and one of my servers is a LAMP server running CentOs 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.
However, when he FTP's into the account to modify these files, he doesn't have the appropriate permissions to do so as he doesn't have a root level login, just permissions on his home directory which is the site. Any help would be much appreciated.
Also, does anyone know how to change the owner/group of a directory and all of its sub directories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as apposed to 0755) than its parent but if I do a top down user/group change on the folder it will change everything in that folder to 0755.
When i was running top -cd2 command following scripts are taking high cup uses on server. But when we are go home directory we didn't find any thing.
24489 "User Name" 20 0 6732 5084 1164 S 8.0 0.2 11:00.69 /usr/bin/perl -w hnc.cgi
26456 "User Name" 20 0 6876 5080 1164 S 8.0 0.2 7:23.47 /usr/bin/perl -w hnc.cgi
32569 "User Name" 20 0 6748 5056 1164 S 7.5 0.2 8:57.30 /usr/bin/perl -w hnc.cgi
update us why this script are running under some particular users and what the application of this script.
I have a website is written by Perl language. I donnt know how to run it.
I installed Activeperl 5.0 and IIS is running. I have heared someone who told me that need to install a software as Emperl/ html-emperl, is it right?
How do you install perl on a centos 5?
View 3 Replies View RelatedA client's server's password was guessed, and the hacker conveniently uninstalled perl. I can't seem to get perl reinstalled. Any ideas on how this would be done? RPM, TAR's and YUM don't work, as they require perl!
Is this going to be a reinstall job?
all we know that perl language its using in alot of scripts and alot of system admins stop it why this why u dont try stopp the problems from it and make ur client have perl to used it in scripts lets try this if some one need to see passwd he will do cat /etc/passwd what about make this chmod 700 /bin/cat and he will used wget to get files what about this chmod 700 /usr/bin/wget and lynx what about chmod 700 /usr/bin/lynx in this case we make root only can using this commands any system admin sure know now the idea and he can use it as he want ,, this secured method not only in perl its in another programing language put i give this as a clear exampel.
View 5 Replies View RelatedI have a Centos VPS with Cpanel. I have begun receiving some email notifications, apparantly from my cpanel... The latest one says that the version of perl I am running is too old.
Subj: [checkperlmodules] perl version too old (v5.8.8 required, v5.8.7 is installed.)
Are there any problems or dire consequences from upgrading or side effects? What version should I upgrade to?
I've been trying to figure this out for about the past week and haven't had any success.
Can't locate funcs.pl in @INC (@INC contains: lib/perl . /usr/lib/perl5/5.8.8/i686-linux /usr/lib/perl5/5.8.8 /usr/lib/perl5/site_perl/5.8.8/i686-linux /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2 /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0 /usr/lib/perl5/site_perl) at ./terr.pl line 28.
I'm trying to run perl magick.
Tasks: 150 total, 7 running, 143 sleeping, 0 stopped, 0 zombie
Cpu(s): 76.9% us, 23.1% sy, 0.0% ni, 0.0% id, 0.0% wa, 0.0% hi, 0.0% si
Mem: 1026224k total, 604068k used, 422156k free, 61396k buffers
Swap: 1052248k total, 140736k used, 911512k free, 233200k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
12825 apache 25 0 6752 2040 936 R 33 0.2 1556:57 perl
15338 apache 25 0 7592 4068 1324 R 33 0.4 545:03.58 perl
5817 apache 25 0 6996 4052 1240 R 33 0.4 520:37.18 perl
27139 apache 25 0 6404 4068 1248 R 33 0.4 197:40.96 perl
29176 apache 25 0 7964 4092 1272 R 33 0.4 523:40.92 perl
14785 apache 25 0 7392 4088 1272 R 31 0.4 1158:41 perl
27420 root 16 0 3248 1000 760 R 1 0.1 0:00.04 top
27441 qmaild 16 0 4736 752 604 S 0 0.1 0:00.01 qmail-smtpd
1 root 16 0 1956 96 64 S 0 0.0 0:06.83 init
2 root RT 0 0 0 0 S 0 0.0 0:04.04 migration/0
3 root 34 19 0 0 0 S 0 0.0 0:00.56 ksoftirqd/0
4 root RT 0 0 0 0 S 0 0.0 0:02.36 migration/1
5 root 34 19 0 0 0 S 0 0.0 0:00.47 ksoftirqd/1
6 root 5 -10 0 0 0 S 0 0.0 0:00.12 events/0
7 root 5 -10 0 0 0 S 0 0.0 0:00.05 events/1
8 root 9 -10 0 0 0 S 0 0.0 0:00.00 khelper
9 root 15 -10 0 0 0 S 0 0.0 0:00.00 kacpid
24 root 5 -10 0 0 0 S 0 0.0 0:00.00 kblockd/0
25 root 5 -10 0 0 0 S 0 0.0 0:00.00 kblockd/1
44 root 15 0 0 0 0 S 0 0.0 0:24.16 pdflush
26 root 15 0 0 0 0 S 0 0.0 0:00.00 khubd
46 root 13 -10 0 0 0 S 0 0.0 0:00.00 aio/0
47 root 13 -10 0 0 0 S 0 0.0 0:00.00 aio/1
45 root 15 0 0 0 0 S 0 0.0 2:45.50 kswapd0
193 root 25 0 0 0 0 S 0 0.0 0:00.00 kseriod
308 root 15 0 0 0 0 S 0 0.0 4:29.19 kjournald
1393 root 6 -10 1968 4 0 S 0 0.0 0:00.02 udevd
1912 root 6 -10 0 0 0 S 0 0.0 0:00.00 kauditd
1976 root 7 -10 0 0 0 S 0 0.0 0:00.00 kmirrord
1995 root 22 0 0 0 0 S 0 0.0 0:00.00 kjournald
1996 root 15 0 0 0 0 S 0 0.0 0:01.55 kjournald
1997 root 20 0 0 0 0 S 0 0.0 0:00.00 kjournald
2769 root 15 0 2908 244 176 S 0 0.0 2:48.00 syslogd
2773 root 16 0 3348 196 140 S 0 0.0 0:00.00 klogd
2783 root 16 0 3092 272 208 S 0 0.0 0:08.25 irqbalance
2798 named 16 0 50760 4492 1408 S 0 0.4 2:59.58 named
2852 root 15 0 2664 260 104 S 0 0.0 0:00.13 smartd
2861 root 16 0 5220 380 264 S 0 0.0 0:15.04 sshd
[root@cl-t058-280cl tmp]#
I am suffering with perl scripts attack. Please help me to resolve this issue.
How do I trace what user this is?
Code:
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND 9488 nobody 25 0 1612 1280 1108 S 21.1 0.2 619:37 1 perl bodyb3 200.101.193.42 0 5000
I also ran netstat -n and found this:
Code:
udp 15184 0 server.host.com:55936 ns1.datacenter.net:domain ESTABLISHED
How can change perl 5.8.8 to 5.8.7
Now I cant Install any Perl Module use CP.
all show me this :
Testing connection speed...(this could take a while)...Done
Ping:2.016 Testing connection speed to cpan.erlbaum.net using pureperl...(157450.00 bytes/s)...Done
Ping:2.316 Testing connection speed to cpan.belfry.net using pureperl...(157450.00 bytes/s)...Done
Ping:1.911 Testing connection speed to cpan.glines.org using pureperl...(104300.00 bytes/s)...Done
Three usable mirrors located
Mirror Check passed for cpan.erlbaum.net (/index.html)
Unknown config variable 'less'
commit: wrote '/usr/lib/perl5/5.8.8/CPAN/Config.pm'
CPAN: File::HomeDir loaded ok (v0.65)
CPAN: Storable loaded ok (v2.16)
Going to read /home/.cpan/Metadata
Database was generated on Wed, 15 Aug 2007 01:38:08 GMT
Acme:pork is up to date (0.0.7).
perlmod--Install done
i,m facing perl script on my server and i can,t find a way to protect it from perl
really i need the best way
i choose this forum because most of you here are expert in this filed . ... ..
Want to apply this to a forum
[url]
I think I installed html2ps correctly, but I do not know how to get ps2pdf installed on Centos 4.5
I have cpanel as well
We are using FreeBsd with Cpanel.
Some one has upload some scripts,they are running and attacking
to other systems.
last pid: 64017; load averages: 59.59, 60.75, 63.04 up 19+22:52:28 12:03:45
457 processes: 61 running, 315 sleeping, 81 zombie
CPU states: 52.4% user, 0.0% nice, 47.6% system, 0.0% interrupt, 0.0% idle
Mem: 465M Active, 212M Inact, 236M Wired, 22M Cache, 111M Buf, 62M Free
Swap: 2048M Total, 458M Used, 1590M Free, 22% Inuse
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
3282 root 128 0 37536K 30520K RUN 3:49 4.79% 4.79% perl
62953 root 128 0 30284K 25248K RUN 0:05 1.90% 1.90% perl
49249 root 128 0 33720K 28876K RUN 0:46 1.86% 1.86% perl
2981 root 128 0 40928K 30724K RUN 3:56 1.56% 1.56% perl
76809 nobody 127 0 4148K 2080K RUN 13:52 1.42% 1.42% perl5.8.8
19633 nobody 127 0 4148K 2128K RUN 2:34 1.42% 1.42% perl5.8.8
57451 nobody 126 0 4148K 2072K RUN 39:24 1.22% 1.22% perl5.8.8
76599 nobody 126 0 4148K 2080K RUN 13:53 1.22% 1.22% perl5.8.8
76966 nobody 126 0 4148K 2080K RUN 14:01 1.17% 1.17% perl5.8.8
60286 nobody 126 0 4148K 2072K RUN 38:42 1.12% 1.12% perl5.8.8
77488 nobody 126 0 4148K 2080K RUN 13:48 1.12% 1.12% perl5.8.8
77697 nobody 126 0 4148K 2080K RUN 13:47 1.12% 1.12% perl5.8.8
56573 nobody 126 0 4148K 2096K RUN 39:55 1.07% 1.07% perl5.8.8
58126 nobody 126 0 4148K 2072K RUN 39:11 1.07% 1.07% perl5.8.8
76513 nobody 126 0 4148K 2080K RUN 13:58 1.07% 1.07% perl5.8.8
76807 nobody 126 0 4148K 2080K RUN 13:57 1.07% 1.07% perl5.
What would I have to add inside .htaccess to allow perl scripts to run?
View 1 Replies View RelatedI've got a rouge perl script running on one of my servers and need help in tracking it down.
TOP
1877 apache 25 0 4856 3060 1252 R 49.9 0.3 13:51.98 perl
as soon as ps is killed it restarts
/tmp
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.1
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.10
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.11
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.12
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.13
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.14
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.15
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.16
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.17
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.18
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.2
-rw-r--r-- 1 apache apache 48444 Apr 15 01:11 blue.3
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.4
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.5
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.6
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.7
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.8
-rw-r--r-- 1 apache apache 29572 Apr 15 01:11 blue.9
and over the past couple of days there's been a number of these
-rw------- 1 apache apache 99 Apr 20 02:22 sess_00f39873b47be556f0c047e96b726640
-rw------- 1 apache apache 68 Apr 20 08:20 sess_01d2ba3e471475384ea3c1d2ff1cde7f
-rw------- 1 apache apache 0 Apr 20 06:04 sess_01ea1b9ebe41331239ded82506f66090
-rw------- 1 apache apache 0 Apr 19 23:04 sess_0a83f93845da3fabce31d897f13735b0
-rw------- 1 apache apache 68 Apr 20 01:50 sess_0c83beb8ba2ce1f42833874b0d8a7470
-rw------- 1 apache apache 68 Apr 20 08:25 sess_0d5989b161d7d6434692de42faa248ab
-rw------- 1 apache apache 0 Apr 19 18:15 sess_10f858c3904a12a1e4c9e7da70e0fbb8
-rw------- 1 apache apache 26 Apr 20 09:39 sess_11a8b8d85883c8f2da146bb8f97bd25e
-rw------- 1 apache apache 68 Apr 19 14:22 sess_11f018952ec1cae08e6d8a95a0c99287
-rw------- 1 apache apache 26 Apr 19 21:18 sess_1706bf1b9e5d4b09e29cfbc3517d6755
-rw------- 1 apache apache 26 Apr 20 02:22 sess_1c48c7232dbc7087c312d43debb942a7
-rw------- 1 apache apache 0 Apr 20 06:46 sess_1cdf7ecf082c27f389b759adef50f932
-rw------- 1 apache apache 0 Apr 20 08:04 sess_1d6d06ea737c1eff71152a590cd420a4
-rw------- 1 apache apache 26 Apr 20 09:42 sess_26b16f5a5b59639af28f6bc49dba1ed5ly
