Security Problem
Cracknel
15th November 2008, 22:08
I have some clients running outdated php scripts. They have many bugs.
Last week a website got hacked. The attacker uploaded a PHP shell and made a deface.
I've personally uploaded a php shell and guess what, I can access even the root directory!
What can I do?
I've discovered spam sending scripts and bank scam pages on one of my personal websites. God knows what else could be affected.
Please tell me what's wrong!
I've installed ISPConfig on a virtual server. I have the same problem!
Everything went normal with the installation!
_X_
15th November 2008, 22:40
http://docs.ispconfig.org/en-sandbox-dynamic-site/?page=faq
The hosted webpages are served by the Apache that ships with your linux distribution.
You cannot blame ISPConfig for that hack because IMHO ISPConfig has nothing to do with that.
You should back up the ISPConfig base and settings and do a fresh install. It's the safest way.
Hope this can help:
http://howtoforge.com/forums/showthread.php?t=28258&highlight=backup+restore
http://howtoforge.com/forums/showthread.php?t=23448&highlight=backup+restore
Cracknel
15th November 2008, 22:45
Read again!
I have already installed a new server that has the same problem!
_X_
15th November 2008, 23:04
Well, that part of your post I didn't understand.
You installed new ISPConfig on virtual server and uploaded the attacker script and it works? or
After a clean install and restore of ISPConfig settings script is still there?
Cracknel
15th November 2008, 23:10
The installation on the virtual server was just to find out if there was a problem with my server or with all ispconfig installations.
You can test the bug on your own server. Just upload a c99 or r57 php shell script and change the working directory to /.
You can look in /var/www and from there in all accounts, stealing passwords from configuration files, scripts...
_X_
15th November 2008, 23:17
The main problem is how that script got on your server.
Here is what I have found as ways to stop those scripts from working:
http://www.webhostingtalk.com/showthread.php?p=5315461
till
15th November 2008, 23:20
The installation on the virtual server was just to find out if there was a problem with my server or with all ispconfig installations.
You can test the bug on your own server. Just upload a c99 or r57 php shell script and change the working directory to /.
You can look in /var/www and from there in all accounts, stealing passwords from configuration files, scripts...

And this has still nothing to do with ISPConfig, as _X_ explained above. You are just saying that a hacker script that you uploaded to a php webspace is working; ispconfig is not involved in executing that script at all.
So, back to your original problem. If you want to prevent that a php script accesses the whole folder, you can do several things:
1) activate php safemode for the website.
2) update your php to the latest version.
3) Deactivate potentially harmful functions in your php.ini like exec, passthru etc.
4) install security extensions for apache like mod_security
5) install suhosin for php.
Cracknel
15th November 2008, 23:24
the problem is that if you host, let's say, 10 websites and one person uploads a bad script you'll get in trouble!
for example some cms scripts don't run if php is in safemode (joomla is one of them).
please don't close the thread! I'll be back with information.
till
15th November 2008, 23:27
for example some cms scripts don't run if php is in safemode (joomla is one of them).
Sure, but why do you blame ispconfig for joomla being insecure or not supporting safemode?
Take a look at the points that I posted above to secure your php installation.
_X_
15th November 2008, 23:29
From what I know, joomla can work and be safe with these settings in Apache Directives (Optional):
Options FollowSymLinks
AllowOverride All
php_admin_flag register_globals Off
php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open"
php_admin_flag allow_url_fopen Off
php_admin_flag magic_quotes_gpc On
php_admin_value session.save_path "/var/www/web1/phptmp/"
php_admin_value open_basedir "/var/www/web1/"
and PHP Safe Mode disabled.
Correct me if I'm wrong.
till
15th November 2008, 23:34
I guess this should work fine. To sum it up, if you want to run a hosting business, you should make yourself familiar with how to secure the different applications on your server :)
One note. I'm not sure if "AllowOverride All" is really necessary, as this would allow an attacker to remove the security settings that you set in the apache directives field again in a .htaccess file.
_X_
15th November 2008, 23:52
On my test server it resulted in:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
.htaccess: Options not allowed here
Maybe it has something to do with SEF on joomla?
till
16th November 2008, 00:07
Take a look in the error log of the website, there should be listed the exact option which caused the error and then it is better to allow overriding for just that option.
_X_
16th November 2008, 00:14
.htaccess: Options not allowed here
is from error.log in /var/www/web1/log/
till
16th November 2008, 00:16
Hmm, ok. Can you please post the content of the .htaccess file.
_X_
16th November 2008, 00:21
Here is the .htaccess:
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$ [NC]
RewriteRule ^(content/|component/) index.php
RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR]
RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
I guess the problem is in the first line?
_X_
16th November 2008, 00:22
:confused: just saw that there are some duplicate lines :rolleyes:
till
16th November 2008, 00:32
Yes, the directive "Options +FollowSymLinks" should not be put in an .htaccess file. Either you put it wrapped into a directory directive in the apache directives field or you enable "Options +FollowSymLinks" globally in the apache2.conf file for all sites.
_X_
16th November 2008, 00:52
Just to repeat for anyone interested in setting up ISPConfig for Joomla 1.0.x:
htaccess - with support for SEFurl plug-ins:
RewriteEngine On
RewriteBase /
RewriteRule ^(content/|component/) index.php
RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR]
RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Apache Directives (Optional) (change webXXX to match your configuration):
<Directory "/var/www/webXXX/web">
Options FollowSymLinks
php_admin_flag register_globals Off
php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open"
php_admin_flag allow_url_fopen Off
php_admin_flag magic_quotes_gpc On
php_admin_value session.save_path "/var/www/webXXX/phptmp/"
php_admin_value open_basedir "/var/www/webXXX/"
</Directory>
and PHP Safe Mode disabled - Joomla 1.0.x doesn't work with this option enabled.
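The five RewriteCond lines on %{QUERY_STRING} in the posted .htaccess act as a small signature filter: when any of them matches, the final RewriteRule answers 403 ([F,L]). The script below is an added example, not part of the forum post or of Joomla, that transcribes those five patterns into Python and runs them over a few constructed access-log lines, so you can see which requests the rules would have rejected and why. The log lines, client addresses (RFC 5737 ranges) and request targets are all constructed for the example.

```python
import re

# The five query-string signatures from the posted .htaccess, transcribed into
# Python regexes (constructed transcription, not part of the forum post).
# mod_rewrite tests %{QUERY_STRING} against the raw, still percent-encoded
# query string, so the patterns are applied to the raw string here as well.
QUERY_PATTERNS = [
    ("mosConfig override", re.compile(r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)")),
    ("base64_encode call", re.compile(r"base64_encode.*\(.*\)")),
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS injection", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST injection", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]

# Minimal Combined Log Format parser: only the fields needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def matched_signatures(target):
    """Return the names of the signatures hit by the request target's raw query string."""
    query = target.partition("?")[2]  # everything after the first '?', undecoded
    return [name for name, pattern in QUERY_PATTERNS if pattern.search(query)]


def scan_log(lines):
    """Return (client_ip, target, reasons) for every request the .htaccess rules would reject."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        reasons = matched_signatures(m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits


# Constructed sample access-log lines (RFC 5737 addresses); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Nov/2008:00:21:07 +0100] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 5123',
    '203.0.113.9 - - [16/Nov/2008:00:21:09 +0100] "GET /index.php?mosConfig_absolute_path=http://203.0.113.77/x.txt HTTP/1.1" 200 3344',
    '198.51.100.4 - - [16/Nov/2008:00:21:15 +0100] "GET /index.php?option=com_search&searchword=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2210',
    '198.51.100.8 - - [16/Nov/2008:00:21:20 +0100] "GET /index.php?GLOBALS[mosConfig_absolute_path]=http://203.0.113.77/x.txt HTTP/1.1" 200 3344',
    '203.0.113.12 - - [16/Nov/2008:00:21:31 +0100] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 4120',
]

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> 403 ({', '.join(reasons)})")
```

Two things worth keeping in mind when relying on these rules: they are a fixed blocklist, so a request that uses a different parameter name or encoding passes straight through to index.php, and they only take effect once the .htaccess is actually read, which is what the AllowOverride discussion earlier in the thread is about. They reduce noise in the logs; they are no substitute for till's point 2, keeping the application itself updated.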
Cracknel
16th November 2008, 00:54
I found a solution:
in /etc/apache2/apache2.conf
replace
<Directory /var/www/*/web>
Options +Includes -Indexes
AllowOverride None
AllowOverride Indexes AuthConfig Limit FileInfo
Order allow,deny
Allow from all
<Files ~ "^\.ht">
Deny from all
</Files>
</Directory>
With:
<Directory /var/www/*/web>
Options +Includes -Indexes
AllowOverride None
AllowOverride Indexes AuthConfig Limit FileInfo
Order allow,deny
Allow from all
php_admin_value open_basedir /var/www/web
<Files ~ "^\.ht">
Deny from all
</Files>
</Directory>
This should be included in the setup script for ISPConfig.
[later edit]
It looks like this option can be bypassed with a simple script.
I've even restricted some functions in php.ini.
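The per-site directives posted by _X_ (open_basedir, session.save_path, disable_functions, allow_url_fopen) and the single global open_basedir line Cracknel added to apache2.conf are both small enough to check mechanically. The script below is an added example, written for this thread and not part of ISPConfig or anything the posters ran, that parses one `<Directory>` block and reports the points raised above: open_basedir missing, open_basedir without a trailing slash (PHP compares the value as a string prefix, so `/var/www/web` also permits `/var/www/web2/` and every other sibling site, which is at minimum one reason a single global value cannot isolate sites), session.save_path outside the basedir, the exec family left out of disable_functions, allow_url_fopen not Off, and AllowOverride including Options or All. One caveat that the thread does not state: `php_admin_value`/`php_admin_flag` settings cannot be changed from a .htaccess file whatever AllowOverride says; what `AllowOverride All` does expose is the Options directive. The site name `web1` and both sample blocks are constructed for the example.

```python
import shlex

# Functions till's post singles out as potentially harmful; the posted
# disable_functions line covers them, so this is the minimum the audit expects.
REQUIRED_DISABLED = {"exec", "system", "shell_exec", "passthru", "popen", "proc_open"}


def parse_directives(block):
    """Split a <Directory> block into [name, arg, ...] lists, one per directive."""
    directives = []
    for raw in block.splitlines():
        line = raw.strip()
        # Skip blanks, comments and the <Directory>/<Files> container tags.
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        directives.append(shlex.split(line))
    return directives


def audit_site_block(block):
    """Return a list of findings (empty means no issue found) for one per-site block."""
    findings = []
    php = {}                 # php_admin_value / php_admin_flag settings seen
    allow_override = None    # Apache uses the last AllowOverride in a block
    for parts in parse_directives(block):
        name = parts[0].lower()
        if name in ("php_admin_value", "php_admin_flag") and len(parts) >= 3:
            php[parts[1].lower()] = parts[2]
        elif name == "allowoverride":
            allow_override = [p.lower() for p in parts[1:]]

    open_basedir = php.get("open_basedir")
    if open_basedir is None:
        findings.append("open_basedir is not set: PHP may open any file the Apache user can read")
    else:
        if not open_basedir.endswith("/"):
            # PHP matches open_basedir as a prefix: "/var/www/web" also allows
            # "/var/www/web2/", i.e. every sibling site under /var/www.
            findings.append(f"open_basedir '{open_basedir}' lacks a trailing slash and is a "
                            f"prefix match, so it also covers '{open_basedir}2/' and similar paths")
        save_path = php.get("session.save_path")
        if save_path and not save_path.startswith(open_basedir.rstrip("/") + "/"):
            findings.append(f"session.save_path '{save_path}' lies outside open_basedir")

    disabled = set(php.get("disable_functions", "").replace(",", " ").split())
    missing = REQUIRED_DISABLED - disabled
    if missing:
        findings.append("disable_functions still allows: " + ", ".join(sorted(missing)))

    if php.get("allow_url_fopen", "").lower() not in ("off", "0"):
        findings.append("allow_url_fopen is not Off (remote URLs can be opened as files)")

    if allow_override and ("all" in allow_override or "options" in allow_override):
        findings.append("AllowOverride grants Options: a .htaccess in this directory can "
                        "change Options (e.g. re-enable Includes or ExecCGI)")
    return findings


# Constructed per-site block in the shape _X_ posted, with webXXX -> web1.
PER_SITE_BLOCK = """
<Directory "/var/www/web1/web">
Options FollowSymLinks
php_admin_flag register_globals Off
php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open"
php_admin_flag allow_url_fopen Off
php_admin_flag magic_quotes_gpc On
php_admin_value session.save_path "/var/www/web1/phptmp/"
php_admin_value open_basedir "/var/www/web1/"
</Directory>
"""

# Constructed copy of the global apache2.conf block with the single open_basedir line.
GLOBAL_PREFIX_BLOCK = """
<Directory /var/www/*/web>
Options +Includes -Indexes
AllowOverride None
AllowOverride Indexes AuthConfig Limit FileInfo
Order allow,deny
Allow from all
php_admin_value open_basedir /var/www/web
<Files ~ "^\\.ht">
Deny from all
</Files>
</Directory>
"""

if __name__ == "__main__":
    for label, block in (("per-site", PER_SITE_BLOCK), ("global prefix", GLOBAL_PREFIX_BLOCK)):
        print(label + ":", audit_site_block(block) or ["no findings"])
```

Run against the two sample blocks, the per-site block passes clean, while the global block is reported for the prefix-style open_basedir, for the missing disable_functions entries and for allow_url_fopen. The audit reads only what is in the block, so a setting inherited from php.ini or another Directory section is not seen; treat a clean result as "nothing wrong in this block", not as a verdict on the whole server.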
_X_
16th November 2008, 01:12
Try what I did in the post above.
Edit the .htaccess in the site root (/var/www/webX/web) and add the Apache Directives (Optional) in the settings for the same site.
It would be nice if that solves the problem.
EDIT: in this post: http://www.howtoforge.com/forums/showpost.php?p=155251&postcount=19
Cracknel
16th November 2008, 01:31
I've managed to make a php script (c99 shell) show my apache config file:
cat echo /etc/apache2/apache2.conf
I can't change directories, but I can guess paths. Still more work to do.
I'm going to check suphp tomorrow because it's 1:30am. From this mod's description it looks like it could solve the problem.
till
16th November 2008, 01:43
@_X_, please try to remove the AllowOverride All, this should not be necessary anymore now and allows overriding all other security settings.
@cracknel: and you are 100% sure that you configured it exactly as x described? The option you described does not work and that's why it is not integrated in ispconfig.
_X_
16th November 2008, 14:54
I did ... don't know how it ended up in the post :rolleyes:
Made changes to:
http://www.howtoforge.com/forums/showpost.php?p=155251&postcount=19
sonoracomm
26th December 2008, 22:23
Is this needed for Joomla 1.5 or need any changes?
Thanks much,
G
Just to repeat for anyone interested in setting up ISPConfig for Joomla 1.0.x:
htaccess - with support for SEFurl plug-ins:
RewriteEngine On
RewriteBase /
RewriteRule ^(content/|component/) index.php
RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR]
RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Apache Directives (Optional) (change webXXX to match your configuration):
<Directory "/var/www/webXXX/web">
Options FollowSymLinks
php_admin_flag register_globals Off
php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open"
php_admin_flag allow_url_fopen Off
php_admin_flag magic_quotes_gpc On
php_admin_value session.save_path "/var/www/webXXX/phptmp/"
php_admin_value open_basedir "/var/www/webXXX/"
</Directory>
and PHP Safe Mode disabled - Joomla 1.0.x doesn't work with this option enabled.
_X_
27th December 2008, 04:46
The .htaccess looks different for joomla 1.5, but you get it with the installation, so use that one.
About Apache Directives (Optional) (change webXXX to match your configuration):
<Directory "/var/www/webXXX/web">
Options FollowSymLinks - if you put this here you can comment out line in htaccess
php_admin_flag register_globals Off - disables Register Globals - during installation you will have a red On/Off, so change it so it becomes green, as I remember
php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open" - disables some php functions that are not used by the majority of extensions
php_admin_flag allow_url_fopen Off - don't know about this one
php_admin_flag magic_quotes_gpc On - Magic Quotes option
php_admin_value session.save_path "/var/www/webXXX/phptmp/" - this sets session folder inside open_basedir
php_admin_value open_basedir "/var/www/webXXX/"
</Directory>
If someone can explain this in more detail, please do so.
I don't know if joomla 1.5 works with PHP safe mode enabled.
_X_
27th December 2008, 05:07
http://www.installationwiki.org/Image:2387_02_013.PNG
http://demo.joomla.org/1.5/categoryblog/15-can-joomla-15-operate-with-php-safe-mode-on.html
So if you enable safe mode you have to use ftp access for file management in the joomla installation. If I got it right, that is.
sonoracomm
27th December 2008, 20:50
Thanks for the info.
I did not enable Safe Mode for the Joomla 1.5 site, but I did add the Apache Directives as listed. I didn't enable Safe Mode because the Joomla installer called for it to be off and since I don't know Joomla that well and, well, because I'm basically chicken.
It seems to be working without problems. I'll keep a lookout for anything broken, such as Joomla add-ons.
Thanks very much for helping me secure our ISPConfig server.
G
_X_
27th December 2008, 21:22
The only real problem you can have is with this line:
php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open"
It disables php functions, so if your extension uses one of those you can have problems. On the other hand, if you do have an extension that uses these functions it can be considered a dangerous extension, so you should search for another extension that does the same job without compromising security.
sonoracomm
28th December 2008, 00:13
That sounds like good advice.
Thanks again!
G