

rack911 [patch] not working




Posted by NewLegend, 08-09-2013, 06:58 PM
Hi, my server got hacked by creating a symlink to root. Now I am trying to fix this security hole. The general recommendation is to use something like the grsecurity kernel or the rack911 symlink patch. But rack911 is not working on my server; below is my server information:
• CENTOS 5 cPanel WHM 11.38.1 (build 15)
• root_options: ExecCGI, FollowSymLinks, IncludesNOEXEC, Indexes, SymLinksIfOwnerMatch.
I did these steps on my server:
1. wget layer1.rack911.com/before_apache_make -O /scripts/before_apache_make
2. chmod 700 /scripts/before_apache_make
3. Rebuild apache afterwards: /scripts/easyapache
Now, after all that, I can create a symlink to root?! Please advise me.
Last edited by NewLegend; 08-09-2013 at 06:59 PM. Reason: add more info

Posted by RobM, 08-09-2013, 07:03 PM
The only way to make sure there are no back doors is a full OS reinstall and restore from backups. Remember, it just takes one line of code they installed and they are back in again.

Posted by NewLegend, 08-09-2013, 07:13 PM
My problems relate to installing rack911.

Posted by Kingfish85, 08-09-2013, 07:23 PM
Have you contacted them?

Posted by net, 08-09-2013, 07:26 PM
Your best bet is to reload the OS then install grsecurity.

Posted by NewLegend, 08-09-2013, 07:33 PM
This is another problem: I cannot find a good explanation and steps to install grsecurity.

Posted by Patrick, 08-09-2013, 07:38 PM
http://docs.cpanel.net/twiki/bin/vie...e/SymlinkPatch
Another option would be to install CloudLinux. Also, are you saying your server has been rooted, or that someone was able to symlink to the root / directory?

Posted by Steven, 08-09-2013, 07:48 PM
I think your title for this thread is inaccurate for what this thread is about. I respectfully ask you to contact the moderators to have it modified. With that said, if you are expecting to not be able to create a symlink, then you are mistaken about the patches offered by us and others. You will always be able to create a symlink. Following the symlink is what these patches are supposed to take care of. Besides, since the original introduction of that patch, new and better options have come out (Bluehost patch, CloudLinux, BetterLinux, tpe-kmod modifications, grsecurity, mod_ruid2). One thing to keep in mind: once you are compromised by a symlink hack, you have huge problems. Someone will have all the passwords to your MySQL databases and there are no patches that will help with that. Any exploit in any site will allow them to gain access and use those logins again, even if you are patched.
Last edited by Steven; 08-09-2013 at 07:54 PM.

Posted by NewLegend, 08-09-2013, 09:41 PM
Ohh Steven, I think you are the person who worked on Rack911. First, apologies for the unintentional mistake in the title. Actually, my server has good OS-level permissions: the malicious user can create a symbolic link to /home/*, but he doesn't have access to write or even read in these folders. On the other side, he will be able to read folders like /etc and take a look at all the configuration files, without write access. There is a document on the cPanel website about protection against symbolic links, and in this document all the recommendations are filesystem-level solutions (mod_ruid) that are not supported on CentOS version 5. The other options are kernel- or apache-level patch solutions, so I tried to install Rack911, but I think I did not understand Rack911 well. So are my steps below to install Rack911 correct?
1. wget layer1.rack911.com/before_apache_make -O /scripts/before_apache_make
2. chmod 700 /scripts/before_apache_make
3. Rebuild apache afterwards: /scripts/easyapache
I really want a solution to this issue, whether using patches or at the kernel level.
cPanel document: http://docs.cpanel.net/twiki/bin/vie...e/SymlinkPatch
Thanks.
Last edited by NewLegend; 08-09-2013 at 09:51 PM.

Posted by Steven, 08-09-2013, 09:43 PM
If you don't want them to read those folders at all, your only option is CloudLinux CageFS. That is the only option available for cPanel servers that will do this. Symlinks are not required to read /etc; you can access things like /etc/passwd directly. http://docs.cloudlinux.com/cagefs.html

Posted by NewLegend, 08-09-2013, 10:33 PM
Thanks for your update. Are you telling me that (Rack911, the Bluehost patch, grsecurity or mod_ruid2) allow a malicious user to read files like configuration files? You told me earlier that the patches/grsecurity/mod_ruid2 take care of things after the symbolic link is created. OK, but what is the point of these patches and other solutions if the malicious user is able to see files like /etc/passwd or the apache config files?
Last edited by NewLegend; 08-09-2013 at 10:37 PM.

Posted by Steven, 08-09-2013, 10:39 PM
Look, those files have readable permissions for everyone to read them. There are no patches that can be applied to the server and magically work the way you want, except for CageFS. The symlink patches are intended to block people from reading other people's files inside their account by making it so that if the symlink points to a file they don't own, they can't read it. The ONLY thing they do is deal with symlinks. They do nothing for world-readable permissions, which is the problem you are talking about now. In order to avoid that you have to jail a user, and that's where CloudLinux CageFS comes in. Or you can try to use cPanel's experimental jailshell + mod_ruid2. Other than that there are no options; and no, BetterLinux, even though it has protections, will not stop what you want.

Posted by NewLegend, 08-09-2013, 11:13 PM
I really appreciate this information. In my case the patches will not be useful, since the malicious user cannot read /home/* after a symbolic link is created to /home/otheruser. And about readable files like /etc/passwd or the apache config, I have two options:
1. CloudLinux: price.
2. cPanel's experimental jailshell + mod_ruid2: not supported on CentOS 5.
But what about grsecurity?
Last edited by NewLegend; 08-09-2013 at 11:22 PM.

Posted by Steven, 08-10-2013, 12:17 AM
You are very confused here about what these things do. Yes, you cannot read /home/* with a symlink, but you CAN READ /home/user/public_html/wp-config.php WITH a symlink. The reason it works is that apache runs as user nobody and public_html is owned by group nobody, so apache can access the files. Because of this, .txt files will be accessible, because they are served by apache directly. This is the reason the patches were created: to prevent that from happening. Without the patches you are vulnerable (even if you think you are not, you are). The attacker will do ln -s /home/user/public_html/wp-config.php wp-config.txt and then go to http://www.domain.com/wp-config.txt, and the contents are readable. mod_ruid2, grsecurity, the apache patches, CloudLinux, BetterLinux and 1H will all block that problem with symlinks. Now, CageFS is really the only solution you have to stop people from seeing other users in files like /etc/passwd. It has to be jailed; there are no free solutions that will work in your case. Simple as that. If you want full protection, then you have to pay.
Last edited by Steven; 08-10-2013 at 12:21 AM.

Posted by NewLegend, 08-10-2013, 12:52 PM
I did two symbolic link tests on my server:
1. To /etc/passwd: the symbolic link works fine and I can read the /etc/passwd file.
2. To /home/otheruser/public_html/test.txt: not working, and I got this error ==> Permission denied

    /home/targetuser# ll
    drwx--x--x. 10 targetuser targetuser 4096 Aug  9 17:58 ./
    drwx--x--x. 20 root       root       4096 Aug  9 21:29 ../
    lrwxrwxrwx.  1 targetuser targetuser   33 Aug  9 17:58 access-logs -> /usr/local/apache/domlogs/targetuser/
    -rw-r--r--.  1 targetuser targetuser   18 Jul 18 14:19 .bash_logout
    -rw-r--r--.  1 targetuser targetuser  176 Jul 18 14:19 .bash_profile
    -rw-r--r--.  1 targetuser targetuser  124 Jul 18 14:19 .bashrc
    -rw-------.  1 targetuser targetuser    0 Aug  9 17:53 .contactemail
    drwx------.  5 targetuser targetuser 4096 Aug  9 18:12 .cpanel/
    drwxr-x---.  2 targetuser mail       4096 Aug  9 17:53 etc/
    drwxr-x---.  2 targetuser targetuser 4096 Aug  9 17:53 .htpasswds/
    -rw-------.  1 targetuser targetuser   13 Aug  9 17:54 .lastlogin
    drwxr-x---.  8 targetuser targetuser 4096 Aug  9 17:53 mail/
    drwxr-x---.  3 targetuser targetuser 4096 Aug  9 17:53 public_ftp/
    drwxr-x---.  4 targetuser targetuser 4096 Aug 10 17:08 public_html/
    drwxr-xr-x.  7 targetuser targetuser 4096 Aug  9 18:12 tmp/
    drwx------.  2 targetuser targetuser 4096 Aug  9 17:55 .trash/
    lrwxrwxrwx.  1 targetuser targetuser   11 Aug  9 17:53 www -> public_html/

Posted by Steven, 08-10-2013, 12:57 PM
    drwxr-x---.  4 targetuser targetuser 4096 Aug 10 17:08 public_html/

You have to be running mod_ruid2 for this to work. This will not work with apache in its default form, since apache by default runs as user nobody; with those permissions it can't read your files. The group has to be 'nobody'. mod_ruid2 makes each user have their own httpd processes running under their username. In the default form, without mod_ruid2 or the symlink patches, you can read other users' files. I will repeat again: the only possible way you're going to stop the reading of /etc/passwd with apache is CageFS or jailshell + mod_ruid2. End of story. They both create a 'new' passwd file that only contains the information of the user that is reading it, not other users. Furthermore, let's not forget... pure-ftpd currently has a bug where it will follow symlinks... so in theory you can symlink and read /etc/passwd that way too, and none of the apache patches will help with that, including jailshell... so again, CageFS. There are a lot of ways to circumvent things with symlinks, and sadly there are no simple free patches that are going to help you the way you think there are. Just stop fighting, pay the small fee that CloudLinux charges and get the security you are wanting.
Last edited by Steven; 08-10-2013 at 01:04 PM.
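The two points Steven makes in the posts above (a symlink is only dangerous when it points at a file outside the account that the web server's user or group can read, and public_html is reachable by Apache only through its group) can be checked from an `ls -la` listing like the one NewLegend posted. The script below is an added example, not code from rack911, cPanel or CloudLinux: it parses such a listing for one account home and reports symlinks whose target lies outside that home, entries group-readable by the web server group (assumed here to be `nobody`, as in the thread), and world-readable entries. The listing, account names and paths in it are constructed for the example.

```python
"""Audit an `ls -la` listing of a cPanel-style account home for symlinks that
leave the account and for entries the web server can read via group or world
permissions. Added example; not code from rack911, cPanel or CloudLinux."""
import os.path
import re
from dataclasses import dataclass
from typing import List

# Reason codes attached to findings.
ESCAPING_SYMLINK = "symlink target outside account home"
WEB_GROUP_READABLE = "group-readable by web server group"
WORLD_READABLE = "world-readable"

# Constructed sample listing (not the thread's listing): one account whose
# public_html is group-readable by `nobody`, plus two symlinks that point
# outside the account's own home directory.
SAMPLE_LISTING = """\
drwx--x--x. 10 alice alice  4096 Aug  9 17:58 .
drwx--x--x. 20 root  root   4096 Aug  9 21:29 ..
drwxr-x---.  4 alice nobody 4096 Aug 10 17:08 public_html
drwxr-x---.  8 alice alice  4096 Aug  9 17:53 mail
drwxr-xr-x.  7 alice alice  4096 Aug  9 18:12 tmp
lrwxrwxrwx.  1 alice alice    11 Aug  9 17:53 www -> public_html
lrwxrwxrwx.  1 alice alice    35 Aug  9 17:53 leak.txt -> /home/bob/public_html/wp-config.php
lrwxrwxrwx.  1 alice alice    11 Aug  9 17:53 passwd.txt -> /etc/passwd
"""

# One `ls -l` line: mode, link count, owner, group, size, month, day,
# time-or-year, name. The optional '.' or '+' after the mode is the
# SELinux/ACL marker GNU ls prints (visible in the thread's listing too).
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][-rwxsStT]{9})[.+]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


@dataclass
class Finding:
    name: str
    owner: str
    reason: str
    detail: str


def _inside(path: str, home: str) -> bool:
    """True when the normalized path is the home itself or lies beneath it."""
    home = os.path.normpath(home)
    return path == home or path.startswith(home + "/")


def audit_listing(listing: str, home: str, web_group: str = "nobody") -> List[Finding]:
    """Parse an `ls -la` listing of `home` and return the findings described above."""
    findings: List[Finding] = []
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if not m:  # "total N" line, blank line, or a format we do not parse
            continue
        mode, owner, group, name = m.group("mode", "owner", "group", "name")
        if mode[0] == "l" and " -> " in name:
            name, target = name.split(" -> ", 1)
            # Relative targets resolve against the directory being listed.
            resolved = os.path.normpath(
                target if target.startswith("/") else os.path.join(home, target)
            )
            if not _inside(resolved, home):
                findings.append(Finding(name, owner, ESCAPING_SYMLINK, resolved))
            continue
        if name in (".", ".."):
            continue
        group_read = mode[4] == "r"  # rwx rwx rwx -> index 4 is the group read bit
        other_read = mode[7] == "r"  # index 7 is the world read bit
        if group_read and group == web_group:
            findings.append(Finding(name, owner, WEB_GROUP_READABLE, f"group={group} mode={mode}"))
        if other_read:
            findings.append(Finding(name, owner, WORLD_READABLE, f"mode={mode}"))
    return findings


if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING, "/home/alice"):
        print(f"{f.reason:38} {f.name:12} owner={f.owner} {f.detail}")
```

Run against a real account (`ls -la /home/someuser | python3 audit.py`-style piping is a trivial extension), the escaping-symlink findings are the ones a symlink patch, mod_ruid2 or CageFS would have to stop Apache from following, while the group-readable finding shows which directory the default `nobody` web server can enter at all. The script reads a listing only; it changes nothing on the server.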


