How To Stop This Attack [Bypass Safe_mode & Openbase Dir]
Feb 6, 2008
Recently, some of our Linux/cPanel servers got hacked (not rooted) using the following code (method):
#!/usr/bin/perl
symlink ("/home/USER/config.php","/home/USER2/test.txt");
The hacker just executes the perl file, then calls the "test.txt" file through Internet Explorer, and it's done: he can read the file easily!
We tried to :
1- run php as CGI module.
2- run SUPHP module.
3- run php as apache module.
4- enable open_basedir and safe_mode.
But the hacker still can bypass the system!
The only solution is to disable /usr/bin/perl by chmoding it to 700, but that caused a broken cPanel,
as it requires it to be at 755 for proper operation, since it is used by customers as well when it suexecs into the user when they log into cPanel. So we cannot change it to that setting (700), since it breaks the entire system.
So is there any way to stop the "symlink" perl function?
Any way to stop this attack method?
View 14 Replies
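The thread above describes the attack (a symlink created in one account's home, pointing at another account's file, then fetched through the web server) but no way to find such links. The script below is an added example, not code from the thread or from cPanel: it sweeps every account's web root and reports any symlink whose resolved target lies outside that account's own home. It assumes the cPanel-style layout /home/<account>/public_html that the post refers to; the root directory is a parameter so it can be run against any tree, and the function name is my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit every account's web root for symlinks
# that resolve outside that account's own home directory, the pattern in the post
# above (a link in /home/USER2 pointing at /home/USER/config.php).
# Assumes the cPanel-style layout <root>/<account>/public_html; the root is a
# parameter (default /home) so the check can be run against any directory tree.
# Prints one line per offending link ("<account> <link> -> <resolved target>")
# and returns 1 if any were found, 0 otherwise.
find_cross_account_symlinks() {
    # Resolve the root itself so the containment test below compares canonical paths
    home_root=$(readlink -f "${1:-/home}")
    rc=0
    for acct_dir in "$home_root"/*/; do
        acct_dir="${acct_dir%/}"
        [ -d "$acct_dir/public_html" ] || continue
        acct=$(basename "$acct_dir")
        # Every symlink under the web root, resolved through the whole link chain
        # (readlink -f), compared against the account's own home.
        offenders=$(find "$acct_dir/public_html" -type l 2>/dev/null | while IFS= read -r link; do
            target=$(readlink -f "$link") || continue
            case "$target" in
                "$acct_dir"/*) ;;   # stays inside this account's home: fine
                *) printf '%s %s -> %s\n' "$acct" "$link" "$target" ;;
            esac
        done)
        if [ -n "$offenders" ]; then
            printf '%s\n' "$offenders"
            rc=1
        fi
    done
    return "$rc"
}

# Usage (as root, the only user that can read every home):
#   find_cross_account_symlinks /home
```

The sweep is a detection aid to run from cron or after a suspected incident; it does not stop the web server from following such a link. The server-side control for that is the web server's own symlink policy, for example Apache's `SymLinksIfOwnerMatch` option, which only follows a link whose owner matches the target's owner.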
May 9, 2007
Before, when they attacked my site I couldn't stop them. Now I can, but I have to monitor the server all the time and execute this program:
Code:
#!/bin/bash
# Collect the remote IP addresses connected to port 80, with a connection count per address
netstat -plan | grep ':80 ' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk1 > /root/iplist
# Limit on the number of connections per IP
LIMIT=5
for ip in $(awk '{print $2}' /root/iplist); do
    # -Fw matches the whole address literally, so 1.2.3.4 does not also match 1.2.3.45
    count=$(grep -Fw "$ip" /root/iplist | awk '{print $1}')
    if [ "$count" -gt "$LIMIT" ]; then
        echo "More than $LIMIT connections from $ip... $count connections... Blocking $ip"
        # Save the current rules so /etc/sysconfig/iptables reflects what is loaded
        /etc/rc.d/init.d/iptables save > /dev/null
        # Never block one of the server's own addresses
        if /sbin/ifconfig | grep -Fqw "$ip"; then
            echo " Sorry, the ip $ip cannot be blocked since this is a local ip of the server "
        # Skip addresses that already have a DROP rule
        elif grep -Fw "$ip" /etc/sysconfig/iptables | grep -q DROP; then
            echo " Ipaddress $ip is already blocked "
        else
            iptables -I INPUT -s "$ip" -j DROP
        fi
    fi
done
It blocks any address that has more than 5 connections.
My problem now is that when I leave my PC and come back, my server can't respond.
I used this to make it run every minute:
Code:
SHELL=/bin/sh
0-59/1 * * * * root /root/ddos/blockip5.sh >
and put it in /etc/cron.d/anti-ddos.cron.
Is there any advice about it? To make it run all the time, not every minute, like every 5 seconds.
I found that when I leave my PC and come back to run this script I can't log in to the server; I have to reboot it and then log in again.
This message came from support:
In the past 12 Hours we have seen a maximum of #35 mbps and an average of 12 mbps of malicious traffic being sent to your server
I am using APF and also I use DDoS-Deflate version 0.6 and evasive mod.
Any more advice? They have kept attacking me 24 hours a day for more than 1 month.
View 3 Replies
Mar 24, 2009
Server - Windows 2003, IIS, Windows Mail
I am undergoing a heavy SMTP attack if I accept all connections in the RELAY setting of SMTP.
If I grant access only to the server IP, then the attack stops, but all emails sent start bouncing back to me, as the relay failed.
View 6 Replies
Jul 7, 2009
My server was hit with a flood recently, to the point where I was unable to log in via SSH. Running the 'netstat' command showed I was getting flooded with thousands of http requests from China/Saudi Arabia/Korea. I installed the APF firewall and added those countries to the deny list.
The next day I was hit from Russia and Romania and some others. By reading some posts on this site, on top of APF, I have also installed Dos Deflate. It was working for a couple of hours, but then it stopped working. I could not even log in via SSH. My provider told me that APF was using all of the "conntrack" connections. I have increased conntrack connections to 130,000 (I have 4 Gigs of RAM on my server). Is that possible? (I have about 300 IP ranges in my APF deny list.)
The next day, I got hit by a different attack: there was 11 Mbps of malicious traffic on average sent to my server. My provider put me behind a firewall to mitigate against that kind of attack.
Currently, I am both behind the hardware firewall and I have APF and Dos Deflate running. However, my server is not accessible.
When I request it, I can log in for a couple of minutes, but then I get kicked out.
View 9 Replies
Jan 10, 2007
Today my system which is hosting the site bepenfriends got compromised (win 2k3) and now the LT tech guys are working on it to reload the system with a data save. I did not have a hardware firewall, which caused this problem. But I had Windows Firewall and the Windows Malicious Software Removal Tool (Defender I haven't installed). I have updated all patches of win2k3 which were released till today.
Now after the restore it will be a great deal of work to bring my website back with all those rewritten URLs and the software and its licenses.
Now please help me out with the below.
How to stop further attacks and further compromise of the server?
View 9 Replies
Jun 21, 2007
Does anyone know if PHP safe_mode can be enabled on a per user basis?
View 9 Replies
Feb 1, 2008
When I put open_basedir into effect in WHM > Security Center,
I have this problem in my script:
Warning: tempnam() [function.tempnam]: open_basedir restriction in effect. File() is not within the allowed path(s): (/home/xxxx/:/usr/lib/php:/usr/local/lib/php:/tmp) in /admincp/misc.php on line 685
Warning: fwrite(): supplied argument is not a valid stream resource in /admincp/misc.php on line 688
Warning: fclose(): supplied argument is not a valid stream resource in /admincp/misc.php on line 689
When I disable it I have this other problem:
Warning: fopen() [function.fopen]: SAFE MODE Restriction in effect. The script whose uid is 32010 is not allowed to access /tmp/vbthumbLTfVOk owned by uid ..
View 2 Replies
Mar 1, 2008
I have a dedicated server which has safe_mode ON.
I run a Joomla portal and I am having issues regarding uploading new modules and stuff like that. I know that the solution is disabling safe_mode.
I have tried using a customized php.ini but it didn't work... what else can I try?
View 4 Replies
Jun 13, 2008
I get an error message for a site I'm trying to build.
I'd like to know if there are scripts I can upload myself to turn off safe mode and to stop the base dir thing.
I understand this can be done in php.ini and .htaccess.
Warning: curl_setopt() [function.curl-setopt]: CURLOPT_FOLLOWLOCATION cannot be activated when in safe_mode or an open_basedir is set in /home/g/public_html/term-sample.php on line 58
View 3 Replies
Dec 3, 2007
How can I disable safe mode for 1 account? I have the following system info:
php 5.2.5
apache 2.2
suphp
I have searched in the httpd.conf and I found this:
Code:
ServerName xxxx.com
ServerAlias www.xxxx.com xxxxx.com
DocumentRoot /home/xxxxx/public_html
ServerAdmin webmaster@***********
UseCanonicalName Off
TransferLog /usr/local/apache/domlogs/xxxx.com
CustomLog /usr/local/apache/domlogs/xxxx.com-bytes_log "%{%s}t %I .
%{%s$
## User sansnom # Needed for Cpanel::ApacheConf
UserDir disabled
UserDir enabled xxxxxxx
<IfModule mod_suphp.c>
suPHP_UserGroup xxxxx xxxxx
</IfModule>
<IfModule concurrent_php.c>
php4_admin_value open_basedir "/home/xxxx:/usr/lib/php:/usr/php4/lib$
php5_admin_value open_basedir "/home/xxxx:/usr/lib/php:/usr/local/li$
</IfModule>
<IfModule !concurrent_php.c>
<IfModule mod_php4.c>
php_admin_value open_basedir "/home/xxxxx:/usr/lib/php:/usr/php4/$
</IfModule>
<IfModule mod_php5.c>
php_admin_value open_basedir "/home/xxxxx:/usr/lib/php:/usr/local$
</IfModule>
<IfModule sapi_apache2.c>
php_admin_value open_basedir "/home/xxxxx:/usr/lib/php:/usr/php4/$
</IfModule>
</IfModule>
<IfModule !mod_disable_suexec.c>
SuexecUserGroup xxxxxx xxxxxx
</IfModule>
ScriptAlias /cgi-bin/ /home/xxxxxx/public_html/cgi-bin/
In which part should I add the command line to disable the safe mode?
View 2 Replies
Dec 10, 2008
How can I customize safe_mode / register_globals for an account?
Hi,
I have CentOS 5.2 + cPanel/WHM. For security I edited suphp.conf and forced all users to use my main php.ini config:
[phprc_paths]
application/x-httpd-php=/usr/local/lib/
;application/x-httpd-php4=/usr/local/php4/lib/
application/x-httpd-php5=/usr/local/lib/
Now I want to turn on register_globals and turn off safe mode for an account; how can I do that?
View 3 Replies
Aug 24, 2007
I have put an Access database inside an access_db folder on Godaddy and written some .asp pages that query it. I am trying to make sure that I take necessary precautions against hackers reading or even writing to the database. Maybe someone can give some remarks about whether any of these concerns are realistic, and if so, why and what I could do about it?
1) Could someone somehow navigate directly to the database and read or write to it (the access_db folder seems to have no read/write permissions as set by default by Godaddy, but how secure is that?)
2) I permit entry through use of a userid and password that are looked up in an mdb in the same folder (not listed in the html itself). If there's a match, I store the userid as a session cookie. Then, to visit any other pages, each page first checks to see if the cookie is empty before proceeding. Is it possible for someone to set the cookie themselves and thus break through (can a cookie be set manually?) If so, would it help if I mandated that the cookie be set to something specific (right now it just has to be non-blank) or can they find out what the cookie should be set to as well?
View 3 Replies
Apr 10, 2014
I'm trying to get an exception from auth (.htpasswd) for one specific URL, but it seems that it does not work with my rewriting rules. Disabling RewriteEngine solves the auth problem. My .htaccess:
Code:
SetEnv APPLICATION_ENV development
# Rewrite
RewriteEngine On
RewriteBase /
# ZEND
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
[Code] .....
View 1 Replies
May 5, 2007
I accidentally found that it is possible to deactivate mod_security in a certain directory by using a .htaccess like this...
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
I believe it's something related to the "AllowOverride" directive from Apache, but I'm not exactly sure; the available arguments for this directive are "AuthConfig, FileInfo, Indexes, Limit, Options". I've tried hard to find a way not to disable the usage of .htaccess files and keep their functionality, but also to prevent them from being able to modify the functionality of mod_security.
I'm sure anyone here could help me with this issue, as it's a big pain for any server running Apache in a shared vhosting environment.
View 13 Replies
Jul 23, 2009
My blog is set up to display in the root of my domain, although the files on the server sit within their own folder:
i.e.
Server files:
Public_html/wordpressfiles/
Browser displays:
www.mydomain.com/
(displays pages from /wordpressfiles)
The problem I have is that I can't access individual directories within the root, unrelated to WordPress.
e.g.
I have
Public_html/folder2/...
set up on the server, but if I enter the path in my browser:
www.mydomain.com/folder2
WordPress thinks I want to access:
www.mydomain.com/wordpress/folder2
...which doesn't exist.
How can I regain access to folders in the root, without WordPress interfering?
View 2 Replies
Oct 12, 2007
I am running on;
Plesk version: psa v8.0.1_build80060613.20 os_CentOS 4.2
Operating system: Linux 2.6.9-023stab033.6-smp
License key number: PLSK.00170782.0006
I need to be able to access cgi between vhost domains. In particular one frequently updated file located 'centrally' in the cgi-bin of one of the vhost domains.
I would like other vhost domains to be able to access this file, but suexec won't let that happen. I have searched around and tried the following:
Created vhost.conf file in the conf directory of one of the domains.
The vhost.conf file contained (with no #):
# <IfModule mod_suexec.c>
# SuexecUserGroup userid psacln
# </IfModule>
I ran;
/usr/local/psa/admin/bin/websrvmng -u --vhost-name=<domain name>
Then reboot.
The result was that all the vhosts stopped working. I reset websrvmng and things returned to normal.
Then I tried updating the httpd.include file, adding (with no #):
# <IfModule mod_suexec.c>
# SuexecUserGroup userid psacln
# </IfModule>
Then reboot.
The result was the same, all vhosts stopped working.
Does anyone have an idea how I can achieve this? I know I can disable suexec altogether, but that wreaked a little havoc with the cgi app when I tried it.
View 2 Replies
Feb 20, 2013
I just set up an intranet wiki running Apache 2.2 on Ubuntu 12.04. The server currently requires two-way certificate authentication (i.e. a server cert AND client certs). In <VirtualHost *:80>, Redirect permanent / https://<intranetSite>
Everything works dandy, except now I'd like to find a way to bypass the client cert check for localhost so that I can run some maintenance scripts via cron on the server. Or perhaps it's possible to bypass SSL entirely, just for localhost?
View 2 Replies
May 1, 2009
My DNS stops resolving; once a day I need to restart the service in cPanel/WHM. What can be done to prevent that?
It's a fresh VPS; only cPanel is there and 2 domains with no pages, just a simple under construction index page. In CSF I have a "Your Score: 106/112" in security; it's firewalled and hardened.
Right now it is using 299 of RAM out of 512, burstable to 768.
View 3 Replies
Jun 30, 2008
I was wondering if anyone has any methods to stop spammers? Currently I am keeping watch on the mail queue and making sure nothing is unusual. I have WHM configured to not allow more than 200 mail messages per account per hour, but for some reason it will hit thousands. WHMCS does seem to suspend them automatically, or maybe it's because of WHM, BUT only when it's too late.
Any thoughts or suggestions?
View 9 Replies
Jun 2, 2009
I have a persistent spammer who keeps emailing my clients, even non-existent domain accounts, and getting the bounced emails sent to a particular Yahoo address. I tried to block him in all ways but can't seem to stop him. His spam comes from all over the world. Any suggestions?
View 3 Replies
Nov 5, 2009
How to stop scripts like the c99 shell from being installed on the server?
View 1 Replies
Jul 1, 2009
How to stop gunzip -c?
By mistake, instead of using gunzip filename on my friend's VPS, I used gunzip -c filename
and it's taking a hell of a lot of time to unzip it. I have no clue how to stop this and I am scared that if I close the SSH client, it might still be adding load to the server.
I am unzipping a 4.5mb file, which on decompression must be around 14.5mb.
For the past 10 mins it's still unzipping and I'm not sure how long it will go on, unless I stop it.
View 2 Replies
Feb 6, 2009
A site I manage for a client is being hacked every couple of days. It's not the actual site but the host's server that's getting attacked: all sites on that server, well actually all their servers.
They have made no attempt to sort this problem; I report it, they look at the site and say "site loads fine for us", which it does.
All index files are having a base64 encoded line written after the <body> tag; this adds hundreds of spam links which are hidden with display:none. They also add .html to the application types in .htaccess so PHP runs in these files too.
The problem is, I am moving the site to another host but cannot change the nameservers to the new host's until the client returns from a holiday, so I must keep the site up on the insecure host for now.
I am removing the spam code almost daily. Is there any way I can stop this attack from happening for the time being? The host does nothing.
View 14 Replies
Apr 17, 2009
I have a server that is sending spam, but I cannot know who sent it because the server does not have suphp installed.
Is there another option to see who sends spam?
View 6 Replies
Jul 19, 2009
Is there a way to stop hotlinking? I have a client who has a blog. They have posted pics of tattoos. Now there are at least 50 tattoo forums, blogs and other sites hotlinking to the pics, and his bandwidth usage has skyrocketed. So I enabled hotlink protection in his cPanel. I just did a redirect to my main hosting site with a nice "please stop hotlinking" image. Now I see all this in my logs. So I then made a 150 x 9000 clear BG gif with the text "please stop hotlinking" at the top.
My question is, is there any way to stop it? If not, should I just make a 1x1 clear gif to redirect to? Also, is there a way to not have this traffic show in my log files?
View 4 Replies
Dec 25, 2008
I want to stop emailing myself
I have received quite a few emails from senders claiming to be the recipients [in this case one of my email accounts]. I did not send these emails. This is happening with almost every email account I have setup on one of my domains.
I know this is probably an easy fix-- I am simply unsure of what it is.
I noted that someone else recently posted a similar question, with only one response. I wanted to see if another post might garner another response.
View 3 Replies
Nov 14, 2008
I would like to ask about the best system or software code used to stop bots and offline downloaders from entering a website.
View 2 Replies
May 4, 2008
How to stop iptables, because when any user makes a refresh he gets banned from the server.
I need to stop iptables, or learn how to make rules for it.
View 9 Replies
Jun 14, 2008
I already enabled awstats in the WHM Feature Manager.
And it was working till 3 Jan 2008!
But the statistics don't update now!
View 5 Replies