#1  
Old 15th November 2008, 21:08
Cracknel Cracknel is offline
Security Problem

I have some clients running outdated php scripts. They have many bugs.
Last week a website got hacked. The attacker uploaded a PHP shell and made a deface.
I've personally uploaded a php shell and guess what, I can access even the root directory!
What can I do?
I've discovered spam sending scripts and bank scam pages on one of my personal websites. God knows what else could be affected.
Please tell me what's wrong!
I've installed ISPConfig on a virtual server. I have the same problem!
Everything went normal with the installation!
  #2  
Old 15th November 2008, 21:40
_X_ _X_ is offline

http://docs.ispconfig.org/en-sandbox...site/?page=faq

Quote:
The hosted webpages are served by the Apache that ships with your linux distribution.
You cannot blame ISPConfig for that hack because IMHO ISPConfig has nothing to do with that.

You should back up the ISPConfig base and settings and do a fresh install. It's the safest way.

Hope this can help:
http://howtoforge.com/forums/showthr...backup+restore

http://howtoforge.com/forums/showthr...backup+restore
  #3  
Old 15th November 2008, 21:45
Cracknel Cracknel is offline

Read again!
I have already installed a new server that has the same problem!
  #4  
Old 15th November 2008, 22:04
_X_ _X_ is offline

Well, that part of your post I didn't understand.

You installed new ISPConfig on virtual server and uploaded the attacker script and it works? or

After a clean install and restore of ISPConfig settings script is still there?
  #5  
Old 15th November 2008, 22:10
Cracknel Cracknel is offline

The installation on the virtual server was just to find out if there was a problem with my server or with all ispconfig installations.


You can test the bug on your own server. Just upload a c99 or r57 php shell script and change the working directory to /.

You can look in /var/www and from there in all accounts, stealing passwords from configuration files, scripts...
  #6  
Old 15th November 2008, 22:17
_X_ _X_ is offline

Main problem is how did that script get on your server.

Here is what I have found as ways to stop those scripts from working:
http://www.webhostingtalk.com/showthread.php?p=5315461
  #7  
Old 15th November 2008, 22:20
till till is offline

Quote:
The installation on the virtual server was just to find out if there was a problem with my server or with all ispconfig installations.


You can test the bug on your own server. Just upload a c99 or r57 php shell script and change the working directory to /.

You can look in /var/www and from there in all accounts, stealing passwords from configuration files, scripts...
And this still has nothing to do with ISPConfig, as _X_ explained above. You are just saying that a hacker script that you uploaded to a php webspace is working; ispconfig is not involved in executing that script at all.

So, back to your original problem. If you want to prevent a php script from accessing the whole folder, you can do several things:

1) Activate php safemode for the website.
2) Update your php to the latest version.
3) Deactivate potentially harmful functions in your php.ini like exec, passthru etc.
4) Install security extensions for apache like mod_security.
5) Install suhosin for php.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #8  
Old 15th November 2008, 22:24
Cracknel Cracknel is offline

The problem is that if you host, let's say, 10 websites and one person uploads a bad script you'll get in trouble!

For example some cms scripts don't run if php is in safemode (joomla is one of them).

Please don't close the thread! I'll be back with information.
  #9  
Old 15th November 2008, 22:27
till till is offline

Quote:
For example some cms scripts don't run if php is in safemode (joomla is one of them).
Sure, but why do you blame ispconfig for joomla being insecure or not supporting safemode?

Take a look at the points that I posted above to secure your php installation.
  #10  
Old 15th November 2008, 22:29
_X_ _X_ is offline

From what I know, joomla can work and be safe with these settings in Apache Directives (Optional):

Options FollowSymLinks
AllowOverride All
php_admin_flag register_globals Off
php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open"
php_admin_flag allow_url_fopen Off
php_admin_flag magic_quotes_gpc On
php_admin_value session.save_path "/var/www/web1/phptmp/"
php_admin_value open_basedir "/var/www/web1/"

and PHP Safe Mode disabled.

Correct me if I'm wrong.
The Following 2 Users Say Thank You to _X_ For This Useful Post:
bernholdt (16th November 2008), till (15th November 2008)
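
An added example, not part of the thread and not ISPConfig code: a Python audit of the per-site PHP directives discussed above. It reports any vhost whose PHP can reach another site's DocumentRoot, whose open_basedir is not pinned with php_admin_value, or that sets disable_functions in the vhost, which PHP reads from php.ini only. The host names and the config text in SAMPLE are constructed.

```python
import re
# Constructed sample in the thread's /var/www/webN layout; not from a real server.
SAMPLE = """
<VirtualHost *:80>
  ServerName a.example
  DocumentRoot /var/www/web1/web
  php_admin_value open_basedir "/var/www/web1"
  php_admin_value disable_functions "exec passthru"
</VirtualHost>
<VirtualHost *:80>
  ServerName b.example
  DocumentRoot /var/www/web2/web
</VirtualHost>
<VirtualHost *:80>
  ServerName c.example
  DocumentRoot /var/www/web10/web
  php_value open_basedir "/var/www/web10/"
</VirtualHost>
"""

def parse_vhosts(conf):
    """One dict per <VirtualHost>: its directives plus PHP settings as (directive, value)."""
    sites = []
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        site = {"servername": "", "documentroot": "", "php": {}}
        for parts in (line.split(None, 2) for line in block.splitlines()):
            if len(parts) == 2:
                site[parts[0].lower()] = parts[1].strip('"')
            elif len(parts) == 3 and parts[0].lower().startswith("php_"):
                site["php"][parts[1]] = (parts[0].lower(), parts[2].strip().strip('"'))
        sites.append(site)
    return sites

def audit(conf):
    """Map each ServerName to findings about how well its PHP is confined."""
    sites, report = parse_vhosts(conf), {}
    for s in sites:
        directive, basedir = s["php"].get("open_basedir", ("", ""))
        found = [] if basedir else ["open_basedir not set"]
        # php_admin_* values cannot be overridden from .htaccess or ini_set()
        if basedir and not directive.startswith("php_admin_"):
            found.append("open_basedir not set with php_admin_value")
        for entry in filter(None, basedir.split(":")):
            # Compared as string prefixes, so "/var/www/web1" also covers /var/www/web10.
            found += [f"{entry} reaches {o['servername']}" for o in sites
                      if o is not s and o["documentroot"].startswith(entry)]
        if "disable_functions" in s["php"]:
            found.append("disable_functions set in vhost; PHP reads it from php.ini only")
        report[s["servername"]] = found
    return report
```

With the trailing slash used in the post above ("/var/www/web1/"), the cross-site finding for a.example disappears.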