Security Problem

[Cracknel]

I have some clients running outdated php scripts. They have many bugs.
Last week a website got hacked. The attacker uploaded a PHP shell and made a deface.
I've personally uploaded a php shell and guess what, I can access even the root directory!
What can I do?
I've discovered spam sending scripts and bank scam pages on one of my personal websites. God knows what else could be affected.
Please tell me what's wrong!
I've installed ISPConfig on a virtual server. I have the same problem!
Everything went normal with the installation!

[_X_]

http://docs.ispconfig.org/en-sandbox...site/?page=faq

Quote:

The hosted webpages are served by the Apache that ships with your linux distribution.

You cannot blame ISPConfig for that hack because IMHO ISPConfig has nothing to do with that.

You should Backup ISPConfig base and settings and do a fresh install. It the safest way.

Hope this can help:
http://howtoforge.com/forums/showthr...backup+restore

http://howtoforge.com/forums/showthr...backup+restore

[Cracknel]

Read again!
I have already installed a new server that has the same problem!

[_X_]

Well that part of your post I didnt understand.

You installed new ISPConfig on virtual server and uploaded the attacker script and it works? or

After a clean install and restore of ISPConfig settings script is still there?

[Cracknel]

The installation on the virtual server was just to find out if there was a problem with my server or with all ispconfig installations.


You can test the bug on your own server. Just upload a c99 or r57 php shell script and change the working directory to /.

you can look in /var/www and from there in all accounts, stealing passwords from configuration files, scripts...

[_X_]

main problem is how did that script get on your server.

here is what i have found as ways to stop those scripts form working:
http://www.webhostingtalk.com/showthread.php?p=5315461

[till]

Quote:

The installation on the virtual server was just to find out if there was a problem with my server or with all ispconfig installations.


You can test the bug on your own server. Just upload a c99 or r57 php shell script and change the working directory to /.

you can look in /var/www and from there in all accounts, stealing passwords from configuration files, scripts...

An this has still nothing to do with ISPConfig as _X_ explained above. You are just saying that a hacker script that you uploaded to a php webspace is working, ispconfig is not envolved in executing that script at all.

So, back to your original problem. If you want to prevent that a php script accesses the whole folder, you can do several things:

1) activate php safemode for the website.
2) update your php to the latest version.
3) Deactivate potential harmful functions in your php.ini lieke exec, passthru etc.
4) install security extensions for apache like mod_security
5) install suhosin for php.

[Cracknel]

the problem is that if you host, let's say, 10 websites and one person uploads a bad script you'll get in trouble!

for example some cms scripts don't run if php is in safemode (joomla is one of them).

please don't close the thread! I'll be back with information.

[till]

Quote:

for example some cms scripts don't run if php is in safemode (joomla is one of them).

Sure, but why you blame ispconfig for joomla being insecure or not supporting safemode?

Take a look at the points that I posted above to secure your php installation.

[_X_]

from what i know joomla can work and be safe with this settings in Apache Directives (Optional)::

Options FollowSymLinks
AllowOverride All
php_admin_flag register_globals Off
php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open"
php_admin_flag allow_url_fopen Off
php_admin_flag magic_quotes_gpc On
php_admin_value session.save_path "/var/www/web1/phptmp/"
php_admin_value open_basedir "/var/www/web1/"

and PHP Safe Mode dissabled.

Correct me if I'm wrong.