#11
1st January 2008, 16:32
aceyzeriat

Hello Falko,

I also found some exploits installed in the backups of the web sites but not in the main web sites!
It seems that my exclusion rules are not properly set up.

When I make a safe copy of the web sites I host, I usually just do a brutal "cp" into a "backup" directory. It seems that Apache has access to that subdirectory (I thought only the document root was accessible).

Ideas?
regards,
Arnaud

#12
1st January 2008, 21:55
falko

Do you use vulnerable web applications? Do you use PHP Safe Mode?

#13
2nd January 2008, 08:00
aceyzeriat

I host a lot of Joomla web sites which don't support PHP_SafeMode. The difficulty for a Joomla web site is to find a hosting server with the SafeMode turned off.

Now I believe I will reconsider those web sites and encourage the use of Drupal as a CMS instead.


regards,
Arnaud

#14
2nd January 2008, 11:48
till

Quote:
I host a lot of Joomla web sites which don't support PHP_SafeMode. The difficulty for a Joomla web site is to find a hosting server with the SafeMode turned off.

I know this problem, it's common with Joomla. I had a Joomla site on one of the servers that I maintained; the owner of the site did not install all Joomla patches immediately when they were released. The website got hacked several times, and only a strict PHP setup with safe mode on prevented the hackers from breaking out of the website directory. The last time it was an r57shell too, if I remember correctly.

#15
4th January 2008, 05:46
aceyzeriat

Hello Till,

Do you mean he actually succeeded in making his Joomla site operate with phpsafemode turned on?

I have a question concerning Perl scripts ...

The server has been used to run Perl scripts sending phishing mail.
Since none of my sites actually use Perl scripts, I brutally uninstalled mod_perl ... and still the attacks have restarted using Perl scripts!!

I looked at http://perl.apache.org/docs/2.0/user/config/config.html

To enable mod_perl built as DSO add to httpd.conf:
LoadModule perl_module modules/mod_perl.so
This setting specifies the location of the mod_perl module relative to the ServerRoot setting, therefore you should put it somewhere after ServerRoot is specified.
If mod_perl has been statically linked it's automatically enabled.

How do I know if it has been statically linked?
Anyway, removing mod_perl from the machine should have prevented the use of Perl scripts, no?

regards,
Arnaud

#16
4th January 2008, 11:24
till

Quote:
Do you mean he actually succeeded in making his Joomla site operate with phpsafemode turned on?

Partially. But this guy used Joomla only to edit the text on some pages.

Quote:
How do I know if it has been statically linked?

I don't think that it's statically linked in any of the common Linux distributions.

Quote:
Anyway, removing mod_perl from the machine should have prevented the use of Perl scripts, no?

Do you have CGI support enabled for the website? Additionally, if PHP is run without safe mode, it can be used to start a Perl script even if mod_perl is not loaded.
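
An added example (not part of the thread) for the checks discussed in posts #15 and #16: it classifies mod_perl as static, shared or absent from `apachectl -M` style output, and lists the CGI directives and PHP process-spawning functions that can still start a Perl script without mod_perl. The sample module list, vhost paths and php.ini values are constructed.

```sh
#!/bin/sh
# Added example, not from the thread. All sample inputs below are constructed.
# On a real host, feed `apachectl -M`, the vhost config and php.ini instead.

# mod_perl linkage from `apachectl -M` output on stdin: static, shared or absent.
modperl_linkage() {
    awk '$1 == "perl_module" { gsub(/[()]/, "", $2); print $2; hit = 1 }
         END { if (!hit) print "absent" }'
}

# Apache directives on stdin that let CGI scripts (Perl included) execute.
cgi_directives() {
    awk '{ l = tolower($0); sub(/^[ \t]+/, "", l) }
         l ~ /^#/ { next }
         l ~ /^scriptalias/ || l ~ /^addhandler[ \t]+cgi-script/ ||
         (l ~ /^options[ \t]/ && l ~ /[ \t][+]?execcgi/) { print NR ": " $0 }'
}

# Process-spawning PHP functions that php.ini on stdin leaves callable.
# Simplification: with safe_mode on, exec is confined to safe_mode_exec_dir,
# so nothing is reported in that case.
php_spawn_functions() {
    awk -F= '{ k = $1; gsub(/[ \t]/, "", k) }
        k == "safe_mode" { v = tolower($2); gsub(/[ \t"]/, "", v); safe = (v == "on" || v == "1") }
        k == "disable_functions" { off = "," $2 ","; gsub(/[ \t"]/, "", off) }
        END { if (safe) exit
              n = split("exec system passthru shell_exec popen proc_open", f, " ")
              for (i = 1; i <= n; i++)
                  if (index(off, "," f[i] ",") == 0) { printf "%s%s", sep, f[i]; sep = " " } }'
}

sample_modules() { printf '%s\n' 'Loaded Modules:' ' core_module (static)' ' php5_module (shared)'; }
sample_vhost() { cat <<'EOF'
<Directory /srv/example/web>
    Options -Indexes +ExecCGI
    AddHandler cgi-script .cgi .pl
</Directory>
# ScriptAlias /cgi-bin/ /srv/example/cgi-bin/
EOF
}
sample_php_ini() { printf '%s\n' '; constructed php.ini' 'safe_mode = Off' 'disable_functions = passthru, popen'; }

echo "mod_perl:            $(sample_modules | modperl_linkage)"
echo "CGI directives:"; sample_vhost | cgi_directives
echo "PHP can still spawn: $(sample_php_ini | php_spawn_functions)"
```

With the constructed inputs, mod_perl is absent yet two CGI directives and four PHP functions remain as ways to launch a Perl interpreter.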

#17
10th May 2009, 15:06
Ovidiu
I just had a similar rkhunter report:

Quote:
Warning: The command '/sbin/chkconfig' has been replaced by a script:
/sbin/chkconfig: a /usr/bin/perl script text executable

This happened while I was still setting up the server. I remember I couldn't find chkconfig and had to look for the package containing it and install it. Would rkhunter --propupd remove this warning? I am sure that was me who caused that warning...

#18
11th May 2009, 13:19
falko

Which distribution are you using? How did you install rkhunter?

#19
11th May 2009, 13:33
Ovidiu

It's the Perfect Debian Lenny setup for ispcfg3. I didn't want to open a new thread as this topic seemed pretty close.

#20
12th May 2009, 18:23
falko

Debian doesn't use /sbin/chkconfig (that's for RedHat-based distros only).
How did you install rkhunter?