How To Secure from Backdoor Script?

[sllz]

I test the hxxp://code.google.com/p/b374k-shell/ and it goes perfect to read all the data on the server. How to secure the server from the jumping directory caused by backdoor?

[cagatay]

what do you mean by all data?

can you browse other users folders?

[cagatay]

jesus christ monkey balls !!! yes it does browse whole server lol lol hahhahaha

https://code.google.com/p/b374k-shell/ give it a try

[cagatay]

I tested it in cpanel (latest version) the environment is isolated.

old version of cpanel is more vulnerable

but vesta opened all doors widely.

I am shocked. If one of my hosting clients want to f#£k me, my ass is wide open.

[sllz]

I tested it in cpanel (latest version) the environment is isolated.

old version of cpanel is more vulnerable

but vesta opened all doors widely.

I am shocked. If one of my hosting clients want to f#£k me, my ass is wide open.

Yes, it's like a ghost that overshadow.. I'm also thinking if I was wrong in editing the script and someone can upload this can be bad.

Please vestacp team action as soon as possible!

[skurudo]

There is a way. I just download and tested this shell. It's ordinary shell script, this script can't even win to openbasedir and mod_ruid. So, you understand, for security reason better use these apache2 settings. And simple logic one user = one site.

Apache Template - basedir
Nginx - hosting

Example of apache2 config for domain:

Code: Select all

<VirtualHost ip:8080>
    ServerName mydomain.su
    ServerAlias www.mydomain.su mydomain-su.erza.ru
    ServerAdmin [email protected]
    DocumentRoot /home/mydomain/web/mydomain.su/public_html
    ScriptAlias /cgi-bin/ /home/mydomain/web/mydomain.su/cgi-bin/
    Alias /vstats/ /home/mydomain/web/mydomain.su/stats/
    Alias /error/ /home/mydomain/web/mydomain.su/document_errors/
    #SuexecUserGroup mydomain mydomain
    CustomLog /var/log/apache2/domains/mydomain.su.bytes bytes
    CustomLog /var/log/apache2/domains/mydomain.su.log combined
    ErrorLog /var/log/apache2/domains/mydomain.su.error.log
    <Directory /home/mydomain/web/mydomain.su/public_html>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir /home/mydomain/web/mydomain.su/public_html:/home/mydomain/tmp
php_admin_value upload_tmp_dir /home/mydomain/tmp
php_admin_value session.save_path /home/mydomain/tmp
    </Directory>
    <Directory /home/mydomain/web/mydomain.su/stats>
        AllowOverride All
    </Directory>

    <IfModule mod_ruid2.c>
        RMode config
        RUidGid mydomain mydomain
        RGroups www-data
    </IfModule>
    <IfModule itk.c>
        AssignUserID mydomain mydomain
    </IfModule>

    Include /home/mydomain/conf/web/apache2.mydomain.su.conf*

</VirtualHost>

[cagatay]

There is a way. I just download and tested this shell. It's ordinary shell script, this script can't even win to openbasedir and mod_ruid. So, you understand, for security reason better use these apache2 settings. And simple logic one user = one site.

Apache Template - basedir
Nginx - hosting

Example of apache2 config for domain:

Code: Select all

<VirtualHost ip:8080>
    ServerName mydomain.su
    ServerAlias www.mydomain.su mydomain-su.erza.ru
    ServerAdmin [email protected]
    DocumentRoot /home/mydomain/web/mydomain.su/public_html
    ScriptAlias /cgi-bin/ /home/mydomain/web/mydomain.su/cgi-bin/
    Alias /vstats/ /home/mydomain/web/mydomain.su/stats/
    Alias /error/ /home/mydomain/web/mydomain.su/document_errors/
    #SuexecUserGroup mydomain mydomain
    CustomLog /var/log/apache2/domains/mydomain.su.bytes bytes
    CustomLog /var/log/apache2/domains/mydomain.su.log combined
    ErrorLog /var/log/apache2/domains/mydomain.su.error.log
    <Directory /home/mydomain/web/mydomain.su/public_html>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir /home/mydomain/web/mydomain.su/public_html:/home/mydomain/tmp
php_admin_value upload_tmp_dir /home/mydomain/tmp
php_admin_value session.save_path /home/mydomain/tmp
    </Directory>
    <Directory /home/mydomain/web/mydomain.su/stats>
        AllowOverride All
    </Directory>

    <IfModule mod_ruid2.c>
        RMode config
        RUidGid mydomain mydomain
        RGroups www-data
    </IfModule>
    <IfModule itk.c>
        AssignUserID mydomain mydomain
    </IfModule>

    Include /home/mydomain/conf/web/apache2.mydomain.su.conf*

</VirtualHost>

I can browse other users' files, not just the user folders created under my account. whole server is open.

No response from vesta team...

[skurudo]

Wait what? It's not correct open basedir.

Rewrite a bit templates and rebuild web:

Code: Select all

php_admin_value open_basedir %docroot%:%home%/%user%/tmp
php_admin_value upload_tmp_dir %home%/%user%/tmp
php_admin_value session.save_path %home%/%user%/tmp

http://forum.vestacp.com/viewtopic.php? ... dir#p20079

[SCelik]

Why not just block some php functions like exec(), system()? http://php.net/manual/en/ini.core.php#i ... -functions

[sllz]

There is a way. I just download and tested this shell. It's ordinary shell script, this script can't even win to openbasedir and mod_ruid. So, you understand, for security reason better use these apache2 settings. And simple logic one user = one site.

Apache Template - basedir
Nginx - hosting

Example of apache2 config for domain:

Code: Select all

<VirtualHost ip:8080>
    ServerName mydomain.su
    ServerAlias www.mydomain.su mydomain-su.erza.ru
    ServerAdmin [email protected]
    DocumentRoot /home/mydomain/web/mydomain.su/public_html
    ScriptAlias /cgi-bin/ /home/mydomain/web/mydomain.su/cgi-bin/
    Alias /vstats/ /home/mydomain/web/mydomain.su/stats/
    Alias /error/ /home/mydomain/web/mydomain.su/document_errors/
    #SuexecUserGroup mydomain mydomain
    CustomLog /var/log/apache2/domains/mydomain.su.bytes bytes
    CustomLog /var/log/apache2/domains/mydomain.su.log combined
    ErrorLog /var/log/apache2/domains/mydomain.su.error.log
    <Directory /home/mydomain/web/mydomain.su/public_html>
        AllowOverride All
        Options +Includes -Indexes +ExecCGI
php_admin_value open_basedir /home/mydomain/web/mydomain.su/public_html:/home/mydomain/tmp
php_admin_value upload_tmp_dir /home/mydomain/tmp
php_admin_value session.save_path /home/mydomain/tmp
    </Directory>
    <Directory /home/mydomain/web/mydomain.su/stats>
        AllowOverride All
    </Directory>

    <IfModule mod_ruid2.c>
        RMode config
        RUidGid mydomain mydomain
        RGroups www-data
    </IfModule>
    <IfModule itk.c>
        AssignUserID mydomain mydomain
    </IfModule>

    Include /home/mydomain/conf/web/apache2.mydomain.su.conf*

</VirtualHost>

I'm using the default settings VestaCP. What should I change if it is to avoid evil script like this. Please explain more details on each step because I am very beginner.