
A Big Security Hole on all Linux (Apache, cPanel Servers)

Discussion in 'Site & Server Administration' started by sady92, May 15, 2011.

  1. #1
    Hello,

    Some time ago I faced a problem with one of the worst shells for admins and the best shells for hackers.

    This shell can hack everything on your host; it can access your server with symlink.. with some shell commands..

    I think every server is in danger with this type of shell around..

    Has anyone faced this thing before?

    IMAGE: http://i.imgur.com/z2DTK.png
     
    sady92, May 15, 2011 IP
  2. hans

    #2
    secure your site completely = mod_security / snort, chown and chmod (permissions)
    use SSH to access with server key
    disable any pwd logins
    use direct admin instead of cPanel
    disable ANY and all uploads!
     
    hans, May 17, 2011 IP
  3. DnHype

    #3
    Use LMD (Linux Malware Detection).
    Make it run on a daily basis and check the report it returns.
    Make sure you update your site scripts, mainly scripts where you can upload files.

    If you need a server audit or hardening, just contact me!
     
    DnHype, May 17, 2011 IP
  4. sady92

    #4
    I am assuring you none of them WORKS :).. as the problem is in the SSH commands on the server...
     
    sady92, May 17, 2011 IP
  5. RonBrown

    #5
    How about elaborating a little? Obviously many experienced system admins take security very seriously and would like to know more about this to determine if it's really a threat to their own servers.
     
    RonBrown, May 17, 2011 IP
  6. sady92

    #6
    I fixed this issue. Well, if someone needs the shell :) just send me a PM..
     
    sady92, May 17, 2011 IP
  7. blockdos

    #7
    lol it's just a modified r57 shell, they've been around for years. Use mod security with a good ruleset, maldet/clamav to scan for them, and csf for general security; that will stop most of these. This is not a dangerous hack, it can only access what is under the user it was uploaded under.
     
    blockdos, May 21, 2011 IP
  8. AllHostOne.co.uk

    #8
    I've never heard of this before? Where'd you hear this? But I think any security alert is a security alert and that we must be on alert, and so I will be upgrading the server security now.
     
    AllHostOne.co.uk, May 22, 2011 IP
  9. blockdos

    #9
    OMG and you are a CEO of a host?

    He is talking about a PHP shell, people; surely most of you aren't that retarded.
     
    blockdos, May 22, 2011 IP
  10. AllHostOne.co.uk

    #10
    I am the CEO of a host indeed.
    Could be any type of virus or hack to be honest, not always necessarily via PHP shell.
     
    AllHostOne.co.uk, May 22, 2011 IP
  11. sady92

    #11
    No, that shell can access your root, access your database, access your configurations, even the mod_rules can make that. As I have tested all the ways possible, and the only thing that can fix it is doing some tricks :)

    If you want I can show how I can make symlinks on your server without you giving me permission, just with htaccess, with php.ini :)

    Well, a friend of mine got hacked by this shell with 1000 clients inside it.. and it's nothing regarding cPanel...

    Well, if you secure tmp and make some rules on mod_security you won't have problems with viruses and other stuff, but this is not a virus; this shell can really damage your company.
     
    sady92, May 22, 2011 IP
  12. blockdos

    #12
    Unless it is exploiting the kernel it's not going to give root automatically. Just a PHP shell; it will have all the permissions of the PHP user it was uploaded under. If it's uploaded on a server running PHP as nobody, no openbasedir, safemode, it may be able to access multiple users, but on an up-to-date server running suphp, current PHP, mod security, etc., it can only exploit the user it's uploaded under.
    Paste the source, trust me it's no new hack-o-matic. I can set up an account if you like; guarantee you can do nothing more than what a normal PHP script under that user could do. I've had this same discussion on another forum before; the person came back with /etc/passwd, big deal. Like I said, guarantee it can only do what the user it's under can do.
     
    blockdos, May 22, 2011 IP
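
Posts #11 and #12 turn on whether a script running as one hosting account can reach another account's files through symlinks. The audit sketch below is an added example, not code from any poster: it flags symlinks under an account's home that resolve outside it and `.htaccess` files that enable `FollowSymLinks`. The `home/<user>/public_html` layout, the users `alice` and `bob`, the sample files, and the reading of the ".htaccess" remark as Apache's `Options FollowSymLinks` are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Matches "Options FollowSymLinks" / "+FollowSymLinks" but not "-FollowSymLinks".
# Assumption: this Apache override is the ".htaccess" trick the thread alludes to.
FOLLOW_RE = re.compile(r"^\s*Options\b.*(?<!-)\bFollowSymLinks\b", re.I | re.M)


def audit_account(home):
    """Report symlinks that resolve outside one account's home directory and
    .htaccess files that enable FollowSymLinks. Returns sorted tuples."""
    home = Path(home).resolve()
    findings = []
    for root, dirs, files in os.walk(home, followlinks=False):
        for name in dirs + files:
            path = Path(root) / name
            rel = str(path.relative_to(home))
            if path.is_symlink():
                target = Path(os.path.realpath(path))
                if target != home and home not in target.parents:
                    findings.append(("symlink-escape", rel, str(target)))
            elif name == ".htaccess" and FOLLOW_RE.search(path.read_text(errors="replace")):
                findings.append(("htaccess-followsymlinks", rel, ""))
    return sorted(findings)


def build_sample(base):
    """Constructed layout (hypothetical users alice and bob) for a dry run."""
    alice = Path(base) / "home" / "alice" / "public_html"
    bob = Path(base) / "home" / "bob" / "public_html"
    alice.mkdir(parents=True)
    bob.mkdir(parents=True)
    (bob / "config.php").write_text("<?php // constructed sample\n")
    (alice / "index.php").write_text("<?php echo 'ok';\n")
    (alice / "local.php").symlink_to(alice / "index.php")   # stays inside: ignored
    (alice / "peek.txt").symlink_to(bob / "config.php")     # crosses accounts: flagged
    (alice / ".htaccess").write_text("Options +FollowSymLinks\n")
    return alice.parent


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_account(build_sample(tmp)):
            print(finding)
```

On a real server, run `audit_account` once per account home; a `symlink-escape` finding on a host where PHP runs as a shared user is the case worth investigating first.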
  13. blockdos

    #13
    blockdos, May 22, 2011 IP
  14. sady92

    #14
    Do you want me to show you :) ?
     
    sady92, May 22, 2011 IP
  15. AllHostOne.co.uk

    #15
    Of course. Thanks for letting us know anyway. Looks like it's time to secure beyond cPanel ;)
     
    AllHostOne.co.uk, May 22, 2011 IP
  16. blockdos

    #16
    Give me a link to download it to a server, I'll put up the link here and show you it's just a PHP shell.
     
    blockdos, May 22, 2011 IP