How To Secure from Backdoor Script?
I tested hxxp://code.google.com/p/b374k-shell/ and it works perfectly for reading all the data on the server. How can I secure the server from the directory jumping caused by the backdoor?
Re: How To Secure from Backdoor Script?
What do you mean by all data?
Can you browse other users' folders?
Re: How To Secure from Backdoor Script?
jesus christ monkey balls !!! yes it does browse whole server lol lol hahhahaha
https://code.google.com/p/b374k-shell/ give it a try
Re: How To Secure from Backdoor Script?
I tested it in cpanel (latest version) the environment is isolated.
old version of cpanel is more vulnerable
but vesta opened all doors widely.
I am shocked. If one of my hosting clients want to f#£k me, my ass is wide open.
Re: How To Secure from Backdoor Script?
Yes, it's like a ghost that overshadows... I'm also thinking if I was wrong in editing the script and someone can upload this can be bad.
cagatay wrote:
> I tested it in cpanel (latest version) the environment is isolated.
> old version of cpanel is more vulnerable
> but vesta opened all doors widely.
> I am shocked. If one of my hosting clients want to f#£k me, my ass is wide open.
Please vestacp team action as soon as possible!
Re: How To Secure from Backdoor Script?
There is a way. I just downloaded and tested this shell. It's an ordinary shell script; this script can't even beat open_basedir and mod_ruid. So, you understand, for security reasons it is better to use these apache2 settings. And simple logic: one user = one site.
Apache Template - basedir
Nginx - hosting
Example of apache2 config for domain:
<VirtualHost ip:8080>
    ServerName mydomain.su
    ServerAlias www.mydomain.su mydomain-su.erza.ru
    ServerAdmin [email protected]
    DocumentRoot /home/mydomain/web/mydomain.su/public_html
    ScriptAlias /cgi-bin/ /home/mydomain/web/mydomain.su/cgi-bin/
    Alias /vstats/ /home/mydomain/web/mydomain.su/stats/
    Alias /error/ /home/mydomain/web/mydomain.su/document_errors/
    #SuexecUserGroup mydomain mydomain
    CustomLog /var/log/apache2/domains/mydomain.su.bytes bytes
    CustomLog /var/log/apache2/domains/mydomain.su.log combined
    ErrorLog /var/log/apache2/domains/mydomain.su.error.log
    <Directory /home/mydomain/web/mydomain.su/public_html>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
        php_admin_value open_basedir /home/mydomain/web/mydomain.su/public_html:/home/mydomain/tmp
        php_admin_value upload_tmp_dir /home/mydomain/tmp
        php_admin_value session.save_path /home/mydomain/tmp
    </Directory>
    <Directory /home/mydomain/web/mydomain.su/stats>
        AllowOverride All
    </Directory>
    <IfModule mod_ruid2.c>
        RMode config
        RUidGid mydomain mydomain
        RGroups www-data
    </IfModule>
    <IfModule itk.c>
        AssignUserID mydomain mydomain
    </IfModule>
    Include /home/mydomain/conf/web/apache2.mydomain.su.conf*
</VirtualHost>
Re: How To Secure from Backdoor Script?
I can browse other users' files, not just the user folders created under my account. Whole server is open.
skurudo wrote:
> There is a way. I just downloaded and tested this shell. It's an ordinary shell script; this script can't even beat open_basedir and mod_ruid. So, you understand, for security reasons it is better to use these apache2 settings. And simple logic: one user = one site.
No response from vesta team...
Re: How To Secure from Backdoor Script?
Wait, what? It's not the correct open_basedir.
http://forum.vestacp.com/viewtopic.php? ... dir#p20079
Rewrite the templates a bit and rebuild web:
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
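An added example (not from the thread or the Vesta project): a static check over vhost text in the layout posted above, flagging an open_basedir that reaches outside the user's home and a vhost with no RUidGid/AssignUserID. The sample config, host names and users are constructed, the /home/<user> layout is assumed from the templates, and directives inside <IfModule> only take effect if that module is actually loaded.

```python
import posixpath
import re

# Constructed sample (IP, hosts and users are made up), laid out like the thread's vhost.
SAMPLE = """\
<VirtualHost 192.0.2.10:8080>
    ServerName good.example
    DocumentRoot /home/alice/web/good.example/public_html
    <Directory /home/alice/web/good.example/public_html>
        php_admin_value open_basedir /home/alice/web/good.example/public_html:/home/alice/tmp
    </Directory>
    RUidGid alice alice
</VirtualHost>
<VirtualHost 192.0.2.10:8080>
    ServerName weak.example
    DocumentRoot /home/bob/web/weak.example/public_html
    #SuexecUserGroup bob bob
    php_admin_value open_basedir /home:/tmp
</VirtualHost>
"""

def audit_vhosts(conf):
    """Map each ServerName to a list of isolation findings (empty list means OK)."""
    report = {}
    for block in re.findall(r"<VirtualHost\b.*?</VirtualHost>", conf, re.S | re.I):
        # Tokenise active lines only; commented-out directives are ignored.
        rows = [l.split() for l in block.splitlines() if l.strip() and not l.strip().startswith("#")]
        def args(*prefix):  # arguments of every directive starting with these tokens
            n = len(prefix)
            return [r[n:] for r in rows if len(r) > n and [t.lower() for t in r[:n]] == list(prefix)]
        name = (args("servername") or [["(unnamed)"]])[0][0]
        docroot = (args("documentroot") or [["/"]])[0][0]
        home = "/".join(posixpath.normpath(docroot).split("/")[:3])  # assumed /home/<user>
        findings = report.setdefault(name, [])
        if args("php_value", "open_basedir"):
            findings.append("open_basedir set via php_value, which .htaccess can override")
        based = args("php_admin_value", "open_basedir")
        if not based:
            findings.append("no php_admin_value open_basedir")
        for path in (p for value in based for p in value[0].split(":")):
            norm = posixpath.normpath(path)
            if norm != home and not norm.startswith(home + "/"):
                findings.append(f"open_basedir allows {norm}, outside {home}")
        ids = args("ruidgid") + args("assignuserid")
        if not ids:
            findings.append("no RUidGid/AssignUserID for this vhost")
        elif any(i[0] != home.rsplit("/", 1)[-1] for i in ids):
            findings.append("RUidGid/AssignUserID user differs from the docroot owner")
    return report

print(audit_vhosts(SAMPLE))
```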
Re: How To Secure from Backdoor Script?
Why not just block some php functions like exec(), system()? http://php.net/manual/en/ini.core.php#i ... -functions
Re: How To Secure from Backdoor Script?
I'm using the default VestaCP settings. What should I change to avoid an evil script like this? Please explain each step in more detail because I am very much a beginner.
skurudo wrote:
> There is a way. I just downloaded and tested this shell. It's an ordinary shell script; this script can't even beat open_basedir and mod_ruid. So, you understand, for security reasons it is better to use these apache2 settings. And simple logic: one user = one site.