Saturday, July 13, 2013

What is symlink hack and protection

Well symlink stands for symbolic link or can also be called soft-link, and to best describe it for everyone out there it is like a shortcut in windows now to explain in a bit more detail imagine your on your desktop and you create a shortcut to "C:/" this is essentially like creating a symlink from "/home/userx/www/" to "/"
please note that a shortcut is not the same as a symlink. as windows does also support symlinking I only use them as a reference as they are similar and help explain it for those who may not understand otherwise.


i am making this tutorial for those who have shelled websites and they cant root server as  not all linux boxes can be rooted , also we dont have exploits for all linux kernels.

so here i am gonna show you how to hack websites on a server using symlink ,
but first u will need a shelled website on that server ,thatn only u can do symlink without shell u cant do symlink.

Now  here i am not gonna tell you to create two folders and then do symlink here i will use automated symlink script which you can download from here and upload on the shelled website. 

http://www.mediafire.com/download/fvnta4eh1wam65r/symlink+files.zip

http://www.mediafire.com/download/08oeos9cpaloeum/Bypass_Symlink_on_2013_Server_With_Different_.htaccess_and_Methods_by_Sen_Haxor.rar

===================================================

/usr/local/apache/conf/httpd.conf
paste this code and save it

<Directory "/">
Options -ExecCGI -FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
AllowOverride All
</Directory>

<Directory "/usr/local/apache/htdocs">
Options IncludesNOEXEC Indexes -FollowSymLinks +SymLinksIfOwnerMatch -ExecCGI
AllowOverride None
Order allow,deny
Allow from all

</Directory>
<Directory "/home">
Options All -ExecCGI -FollowSymLinks -Includes -IncludesNOEXEC -MultiViews +SymLinksIfOwnerMatch
AllowOverride AuthConfig Indexes Limit Fileinfo
</Directory>

<Directory "/home2">
Options All -ExecCGI -FollowSymLinks -Includes -IncludesNOEXEC -MultiViews +SymLinksIfOwnerMatch
AllowOverride AuthConfig Indexes Limit Fileinfo
</Directory>

==================================
How precisely did you disable it in httpd.conf file? If you uncheck FollowSymLinks in WHM > Apache Configuration > Global Configuration area and save that setting, then you should have httpd.conf change to the following:

The setting for <Directory "/"> should not be able to be overrode by any user's .htaccess file.

<Directory "/">
Options ExecCGI Includes IncludesNOEXEC Indexes SymLinksIfOwnerMatch
AllowOverride All
</Directory>

<Directory "/usr/local/apache/htdocs">
Options Includes Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all

</Directory>
====================================
Let me show you which method "Hacker..." uses to get source of the config files of you'r web-site for example wp-config.php and I will show you how to prevent this.

1) He login to cPanel as a normal user http://ip-address/cpanel then type login and password to Login
2) Then he open File manager (show hidden files "dotfiles") and then creates new .htaccess file with following source:
#.htaccess file source
Options Indexes FollowSymLinks
DirectoryIndex doesnt-metter.htm
AddType txt .php
AddHandler txt .php
#End of .htaccess file
3) Then he creates symbalic link (soft link) with perl scripts or just uses CRON job to create symbalic link of top level directory "/" typing: "ln -s / topdir"
4) After that, he open browser and typing http://server-ip/~his-home-dir/topdi.../wp-config.php and then just looking source of the page, all data present as a TXT(text) data. That's all. User has been hacked.
-------------------------------------------------------------------------------------------------------
Solution:
1) Open you'r php.conf with you'r favorite editor: nano /usr/local/apache/conf/php.conf
2) Commit: #AddType application/x-httpd-php5 .php5 .php4 .php .php3 .php2 .phtml
3) Add these lines:
<FilesMatch "\.ph(p[2-6]?|tml)$"> # this equal to: .php, .php2, .php3, .php4, .php5, .php6 .phtml
SetHandler application/x-httpd-php5
</FilesMatch>
4) Save you'r changes and close php.conf
5) Restart httpd server typing: /etc/init.d/httpd restart
6) Done
=====================================
Prevent SymLink Attack On Cpanel Server
Edit httpd.conf
vi /etc/httpd/conf/httpd.conf
Find
<Directory "/">
Options +ExecCGI -FollowSymLinks -Includes +IncludesNOEXEC +Indexes -MultiViews +SymLinksIfOwnerMatch
AllowOverride All
</Directory>
Replace With
<Directory "/">
Options +ExecCGI -FollowSymLinks +Includes +IncludesNOEXEC +Indexes -MultiViews +SymLinksIfOwnerMatch
AllowOverride AuthConfig FileInfo Indexes Limit Options=Includes,Indexes,MultiViews
</Directory>
Make the changes permanent.
/usr/local/cpanel/bin/apache_conf_distiller --update
service httpd restart
=============================================
Find Symlink files or folders in your cpanel server
There are many symlink hacking attempt caused trouble in your server. they can create a sym link folder by using

script. This is major security issues. how to find all the symbolic links under a particular directory using the “find” command.

Use the below commands to find symlink directory in your cpanel server.

find <search folder path> -lname <symlink file path>
Use the below command to find all the sym link files

find /home -type l -printf '%p -> %l\n'

or

find /home -type l -exec ls -lad {} \;
List all symbolic links in current directory

find /home -type l
Another examples,

In order to find all the /root folder symlinks in your /home directory, use this command

cd /home

find -lname /root
Use ls command to lise all the sym links

ls -lahR | grep ^l
=================================================
How to install our patch (apache 2.2 only):
yum install patch
wget http://layer1.rack911.com/before_apache_make -O /scripts/before_apache_make
chmod 700 /scripts/before_apache_make
#Rebuild apache after.
/scripts/easyapache
=================================================
[News 20/1: Bluehost appear to have developed a patch which closes the race exploit - see http://tinyurl.com/apache-fstat-patch-bluehost]

[News Feb 2013: cPanel have released a patch which is selectable in easyapache. I beleive this is the bluehost patch above, though they haven't made it clear what it does. If you check the patch and discover details, please let us know. The bluehost patch uses fstat() to check file ownership *after* the file has been opened, which is the only correct way to implement the SymLinksIfOwnerMatch check.]
=================================================

 

ConfigServer Firewall 6.02 Features Symlink Race Condition Protection

No comments:

Post a Comment