23 Feb

How to prevent the symbolic link hack for cPanel

So, cPanel servers can be hacked with .htaccess files and symbolic links. Joomla and WordPress are popular code to hack. Here is a common cPanel / Apache hack:

Let me show you which method "Hacker..." uses to get the source of your website's config files, for example wp-config.php, and I will show you how to prevent this.

1) He logs in to cPanel as a normal user at http://ip-address/cpanel, then types the login and password to log in
2) Then he opens File Manager (show hidden files "dotfiles") and creates a new .htaccess file with the following source:
#.htaccess file source 
Options Indexes FollowSymLinks
DirectoryIndex doesnt-matter.htm
AddType txt .php
AddHandler txt .php
#End of .htaccess file
3) Then he creates a symbolic link (soft link) with Perl scripts, or just uses a CRON job, to create a symbolic link to the top-level directory "/" by typing: "ln -s / topdir"
4) After that, he opens a browser and types http://server-ip/~his-home-dir/topdi.../wp-config.php and then just looks at the source of the page; all data is presented as TXT (text) data. That's all. The user has been hacked.


Here is a post from StevenC who is a server security / administrator at Rack911.com.

How to install our patch (apache 2.2 only):

wget http://layer1.rack911.com/before_apache_make -O /scripts/before_apache_make 
chmod 700 /scripts/before_apache_make
#Rebuild apache after. 
/scripts/easyapache

If you have any issues, let us know, we would be interested in hearing it.
If you want to thank us, you're free to do that as well.

When trying to access a file located in another account via a symlink, you will see this in the error log:

[Sun Nov 06 05:06:23 2011] [error] [client xxxxxx] Symbolic link not allowed or link target not accessible: /home/xxxxx/public_html/1/confirm.txt

Also, find out if you're already a victim:

find /home*/*/public_html -type l
---

How to remove?:

rm -f /scripts/before_apache_make
#Rebuild apache after. 
/scripts/easyapache

Enjoy.

His original post is here: ...cpanel.net...prevent-creating-symbolic-links..#post996441

The thread is here: ...cpanel.net...prevent-creating-symbolic-links..
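
An added example, not part of StevenC's post or the thread: the find check quoted above lists every symlink, so this script narrows the results to links whose target leaves the owning account's home directory, and also lists .htaccess lines of the kind shown in step 2. It assumes the <base>/<account>/public_html layout and GNU readlink; the function names are made up for this example.

```sh
#!/bin/sh
# Added example, not from the original post or thread.
# Assumes the layout <base>/<account>/public_html and GNU readlink (-f).
# Function names are made up for this example.

# audit_symlinks [BASE]
# Prints symlinks under each account's public_html whose target leaves
# that account's home directory (OUTSIDE) or cannot be resolved (BROKEN).
audit_symlinks() {
    base=${1:-/home}
    for docroot in "$base"/*/public_html; do
        [ -d "$docroot" ] || continue
        home=$(readlink -f "${docroot%/public_html}") || continue
        find "$docroot" -type l | while IFS= read -r link; do
            target=$(readlink -f "$link" 2>/dev/null) || target=
            if [ -z "$target" ] || [ ! -e "$target" ]; then
                printf 'BROKEN %s -> %s\n' "$link" "$(readlink "$link")"
                continue
            fi
            case "$target/" in
                "$home"/*) ;;   # target stays inside the account's home
                *) printf 'OUTSIDE %s -> %s\n' "$link" "$target" ;;
            esac
        done
    done
}

# audit_htaccess [BASE]
# Prints .htaccess lines that re-map .php to another type or handler, or
# that enable FollowSymLinks. Hits need review: legitimate configurations
# can contain such lines too.
audit_htaccess() {
    base=${1:-/home}
    find "$base"/*/public_html -name .htaccess -type f -exec grep -HinE \
        '^[[:space:]]*(Add(Type|Handler)[[:space:]].*\.php|Options.*[^-]FollowSymLinks)' \
        {} + 2>/dev/null
}

# Run against the real tree only when asked, e.g.: sh audit.sh /home
if [ "$#" -gt 0 ]; then
    audit_symlinks "$1"
    audit_htaccess "$1" || true
fi
```

Links reported as OUTSIDE that point at another account's files or at "/" are the ones to investigate first.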

I hope this can help some people out. This is a WIDE issue; cPanel still takes their money and, by the looks of it (I've only read lots of threads, so don't hold me to it), isn't doing anything about it because it's to do with Apache.
Apache provides a perfectly good web server where, standalone, symlinks wouldn't be a problem. cPanel uses it at a multi-user level, and isn't making the required changes to an Open Source Project to ensure it is secure?