How To Secure from Backdoor Script?
Posted: Fri Jan 30, 2015 9:43 pm
by sllz
I tested hxxp://code.google.com/p/b374k-shell/ and it works perfectly to read all the data on the server. How do I secure the server from the directory jumping caused by a backdoor?
Re: How To Secure from Backdoor Script?
Posted: Sat Jan 31, 2015 5:07 am
by cagatay
What do you mean by all data?
Can you browse other users' folders?
Re: How To Secure from Backdoor Script?
Posted: Sat Jan 31, 2015 5:11 am
by cagatay
Jesus Christ monkey balls!!! Yes, it does browse the whole server lol lol hahahaha
https://code.google.com/p/b374k-shell/ give it a try.
Re: How To Secure from Backdoor Script?
Posted: Sat Jan 31, 2015 5:55 am
by cagatay
I tested it in cPanel (latest version); the environment is isolated.
The old version of cPanel is more vulnerable,
but Vesta opened all doors widely.
I am shocked. If one of my hosting clients wants to f#£k me, my ass is wide open.
Re: How To Secure from Backdoor Script?
Posted: Sat Jan 31, 2015 6:55 am
by sllz
cagatay wrote: I tested it in cPanel (latest version); the environment is isolated.
The old version of cPanel is more vulnerable,
but Vesta opened all doors widely.
I am shocked. If one of my hosting clients wants to f#£k me, my ass is wide open.
Yes, it's like a ghost that overshadows everything. I'm also thinking that if I was wrong in editing the script and someone could upload this, it could be bad.
VestaCP team, please take action as soon as possible!
Re: How To Secure from Backdoor Script?
Posted: Sat Jan 31, 2015 10:19 am
by skurudo
There is a way. I just downloaded and tested this shell. It's an ordinary shell script; this script can't even beat open_basedir and mod_ruid. So, you understand, for security reasons it is better to use these apache2 settings. And simple logic: one user = one site.
Apache Template - basedir
Nginx - hosting
Example of apache2 config for domain:
<VirtualHost ip:8080>
ServerName mydomain.su
ServerAlias www.mydomain.su mydomain-su.erza.ru
ServerAdmin [email protected]
DocumentRoot /home/mydomain/web/mydomain.su/public_html
ScriptAlias /cgi-bin/ /home/mydomain/web/mydomain.su/cgi-bin/
Alias /vstats/ /home/mydomain/web/mydomain.su/stats/
Alias /error/ /home/mydomain/web/mydomain.su/document_errors/
#SuexecUserGroup mydomain mydomain
CustomLog /var/log/apache2/domains/mydomain.su.bytes bytes
CustomLog /var/log/apache2/domains/mydomain.su.log combined
ErrorLog /var/log/apache2/domains/mydomain.su.error.log
<Directory /home/mydomain/web/mydomain.su/public_html>
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir /home/mydomain/web/mydomain.su/public_html:/home/mydomain/tmp
php_admin_value upload_tmp_dir /home/mydomain/tmp
php_admin_value session.save_path /home/mydomain/tmp
</Directory>
<Directory /home/mydomain/web/mydomain.su/stats>
AllowOverride All
</Directory>
<IfModule mod_ruid2.c>
RMode config
RUidGid mydomain mydomain
RGroups www-data
</IfModule>
<IfModule itk.c>
AssignUserID mydomain mydomain
</IfModule>
Include /home/mydomain/conf/web/apache2.mydomain.su.conf*
</VirtualHost>
Re: How To Secure from Backdoor Script?
Posted: Sat Jan 31, 2015 8:08 pm
by cagatay
skurudo wrote: There is a way. I just downloaded and tested this shell. It's an ordinary shell script; this script can't even beat open_basedir and mod_ruid. So, you understand, for security reasons it is better to use these apache2 settings. And simple logic: one user = one site.
Apache Template - basedir
Nginx - hosting
Example of apache2 config for domain:
<VirtualHost ip:8080>
ServerName mydomain.su
ServerAlias www.mydomain.su mydomain-su.erza.ru
ServerAdmin [email protected]
DocumentRoot /home/mydomain/web/mydomain.su/public_html
ScriptAlias /cgi-bin/ /home/mydomain/web/mydomain.su/cgi-bin/
Alias /vstats/ /home/mydomain/web/mydomain.su/stats/
Alias /error/ /home/mydomain/web/mydomain.su/document_errors/
#SuexecUserGroup mydomain mydomain
CustomLog /var/log/apache2/domains/mydomain.su.bytes bytes
CustomLog /var/log/apache2/domains/mydomain.su.log combined
ErrorLog /var/log/apache2/domains/mydomain.su.error.log
<Directory /home/mydomain/web/mydomain.su/public_html>
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir /home/mydomain/web/mydomain.su/public_html:/home/mydomain/tmp
php_admin_value upload_tmp_dir /home/mydomain/tmp
php_admin_value session.save_path /home/mydomain/tmp
</Directory>
<Directory /home/mydomain/web/mydomain.su/stats>
AllowOverride All
</Directory>
<IfModule mod_ruid2.c>
RMode config
RUidGid mydomain mydomain
RGroups www-data
</IfModule>
<IfModule itk.c>
AssignUserID mydomain mydomain
</IfModule>
Include /home/mydomain/conf/web/apache2.mydomain.su.conf*
</VirtualHost>
I can browse other users' files, not just the user folders created under my account. The whole server is open.
No response from the Vesta team...
Re: How To Secure from Backdoor Script?
Posted: Sat Jan 31, 2015 8:20 pm
by skurudo
Wait, what? That's not a correct open_basedir.
Rewrite the templates a bit and rebuild web:
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
http://forum.vestacp.com/viewtopic.php? ... dir#p20079
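To make skurudo's point checkable, here is an added example (not VestaCP's own code, nor anything from this thread) that expands the three template lines above using the placeholder names he gives (%docroot%, %home%, %user%) and then audits the resulting open_basedir value the way a hosting admin would want to after rebuilding: the directive must be present, every entry must be absolute, contain no `..` component, and sit inside /home/<user>. The /home/<user>/web/<domain>/public_html layout is taken from the vhost config posted earlier in the thread; everything else (function names, the sample bad configs) is constructed for the example.

```python
"""Render VestaCP-style open_basedir template lines and check that the
result confines PHP to the site owner's home directory.

Added example for this thread, not VestaCP's own code: the placeholder
names %docroot%, %home% and %user% come from skurudo's post; the layout
/home/<user>/web/<domain>/public_html is taken from the config he posted.
"""
import re
from pathlib import PurePosixPath

# The three template lines from the thread (placeholders, not yet expanded).
TEMPLATE_LINES = """\
php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp
"""


def render_template(template, user, domain, home="/home"):
    """Expand %docroot%, %home% and %user% the way the thread's config shows them."""
    docroot = f"{home}/{user}/web/{domain}/public_html"
    for placeholder, value in (("%docroot%", docroot), ("%home%", home), ("%user%", user)):
        template = template.replace(placeholder, value)
    return template


OPEN_BASEDIR_RE = re.compile(r"^\s*php_admin_value\s+open_basedir\s+(\S+)", re.MULTILINE)


def audit_open_basedir(config_text, user, home="/home"):
    """Return a list of findings; an empty list means every open_basedir entry
    stays inside <home>/<user>. Checks: directive present, every entry absolute,
    no '..' components, every entry equal to or below the user's home."""
    findings = []
    values = OPEN_BASEDIR_RE.findall(config_text)
    if not values:
        return ["open_basedir is not set: PHP can read any file the web server process can"]
    user_root = PurePosixPath(home) / user
    for value in values:
        for entry in filter(None, value.split(":")):
            path = PurePosixPath(entry)
            if not path.is_absolute():
                findings.append(f"relative entry: {entry}")
            elif ".." in path.parts:
                findings.append(f"'..' component can step outside {user_root}: {entry}")
            elif path != user_root and user_root not in path.parents:
                findings.append(f"entry outside {user_root}: {entry}")
    return findings


if __name__ == "__main__":
    rendered = render_template(TEMPLATE_LINES, "mydomain", "mydomain.su")
    print(rendered)
    print("findings for rendered template:", audit_open_basedir(rendered, "mydomain"))
    # Constructed bad cases: directive missing, and an entry that points at /tmp.
    print(audit_open_basedir("AllowOverride All\n", "mydomain"))
    print(audit_open_basedir(
        "php_admin_value open_basedir /home/mydomain/web/x/public_html:/tmp\n", "mydomain"))
```

Run it against the rendered vhost files after `rebuild web`, one user at a time. One caveat the check does not cover: PHP treats each open_basedir entry as a path prefix, so an entry such as `/home/mydomain` without a trailing slash would also match `/home/mydomain2`; end an entry with `/` when it sits at a boundary like that. open_basedir limits what PHP itself opens; running each site under its own user (mod_ruid2 or itk, as in the posted config) is what keeps a shell from reading other users' files through any other route.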
Re: How To Secure from Backdoor Script?
Posted: Sat Jan 31, 2015 10:35 pm
by SCelik
Why not just block some PHP functions like exec(), system()?
http://php.net/manual/en/ini.core.php#i ... -functions
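As an added example for SCelik's suggestion (not code from PHP, VestaCP or this thread), the script below reads a php.ini fragment and reports which command-execution functions are still callable. The baseline set is an assumption: the two functions SCelik names plus the usual companions that spawn processes; the sample ini text is constructed for the example.

```python
"""Report which command-execution functions a php.ini still leaves enabled.

Added example for this thread, not PHP's or VestaCP's code. The baseline
set is an assumption: the two functions SCelik names plus the usual
companions that spawn processes.
"""
import re

PROCESS_FUNCTIONS = frozenset({
    "exec", "system", "passthru", "shell_exec", "popen", "proc_open", "pcntl_exec",
})

DISABLE_RE = re.compile(r"^\s*disable_functions\s*=\s*(.*?)\s*$")


def parse_disable_functions(ini_text):
    """Return the set of names listed in disable_functions. Comments (';')
    are stripped, surrounding quotes dropped, names lower-cased; if the key
    appears more than once the last definition is kept."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0]
        m = DISABLE_RE.match(line)
        if m:
            value = m.group(1).strip().strip('"')
            disabled = {n.strip().lower() for n in value.split(",") if n.strip()}
    return disabled


def still_enabled(ini_text, baseline=PROCESS_FUNCTIONS):
    """Names from baseline that disable_functions does not cover, sorted."""
    return sorted(baseline - parse_disable_functions(ini_text))


# Constructed sample php.ini fragment (not from the thread).
SAMPLE_INI = """\
; constructed sample
engine = On
disable_functions = "exec, passthru,shell_exec"   ; only three of them
expose_php = Off
"""

if __name__ == "__main__":
    print("disabled:", sorted(parse_disable_functions(SAMPLE_INI)))
    print("still enabled:", still_enabled(SAMPLE_INI))
```

Two things to keep in mind when applying this: the PHP manual says disable_functions must be set in php.ini (it is not accepted from httpd.conf or .htaccess), so with mod_php it applies to every site on the box; and it only removes those functions, it does not stop PHP from reading files, so it complements open_basedir and per-user process identity rather than replacing them.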
Re: How To Secure from Backdoor Script?
Posted: Mon Feb 02, 2015 1:58 am
by sllz
skurudo wrote: There is a way. I just downloaded and tested this shell. It's an ordinary shell script; this script can't even beat open_basedir and mod_ruid. So, you understand, for security reasons it is better to use these apache2 settings. And simple logic: one user = one site.
Apache Template - basedir
Nginx - hosting
Example of apache2 config for domain:
<VirtualHost ip:8080>
ServerName mydomain.su
ServerAlias www.mydomain.su mydomain-su.erza.ru
ServerAdmin [email protected]
DocumentRoot /home/mydomain/web/mydomain.su/public_html
ScriptAlias /cgi-bin/ /home/mydomain/web/mydomain.su/cgi-bin/
Alias /vstats/ /home/mydomain/web/mydomain.su/stats/
Alias /error/ /home/mydomain/web/mydomain.su/document_errors/
#SuexecUserGroup mydomain mydomain
CustomLog /var/log/apache2/domains/mydomain.su.bytes bytes
CustomLog /var/log/apache2/domains/mydomain.su.log combined
ErrorLog /var/log/apache2/domains/mydomain.su.error.log
<Directory /home/mydomain/web/mydomain.su/public_html>
AllowOverride All
Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir /home/mydomain/web/mydomain.su/public_html:/home/mydomain/tmp
php_admin_value upload_tmp_dir /home/mydomain/tmp
php_admin_value session.save_path /home/mydomain/tmp
</Directory>
<Directory /home/mydomain/web/mydomain.su/stats>
AllowOverride All
</Directory>
<IfModule mod_ruid2.c>
RMode config
RUidGid mydomain mydomain
RGroups www-data
</IfModule>
<IfModule itk.c>
AssignUserID mydomain mydomain
</IfModule>
Include /home/mydomain/conf/web/apache2.mydomain.su.conf*
</VirtualHost>
I'm using the default VestaCP settings. What should I change to avoid evil scripts like this? Please explain each step in more detail because I am a complete beginner.