cgi-bin weakness after compromised FTP access

Nerigal (Verified User, joined Jul 6, 2009, 124 messages)
Hi,

I figured that the best way to hack a server is to hack the end user itself...
Some of my customers got their FTP access compromised, and some hacker dude used it to run, in cgi-bin,
some very malicious perl script.
So my question is: how can I set the user.conf option cgi=off for every user,

and prevent users from running perl code from a txt file... or whatever fake extension is used?

Actually the only possibility I figured out is to chmod /usr/bin/perl 700.
Any better suggestion?

Thanks
 
Hello,

You might want to disable the *.pl and *.cgi extensions in ProFTPd. It would not allow anybody to upload perl scripts by FTP.
Those users who want to upload perl scripts could use Directadmin, or upload an archive, which can be extracted in Directadmin.

so my question is: how can I set the user.conf option cgi=off for every user

You can do it in a root shell with sed or perl.

For example:
Code:
cd /usr/local/directadmin/data/users/
perl -pi -e 's/cgi=ON/cgi=OFF/' */user.conf

You might need to rewrite the Apache virtual hosts for the update to take effect:

Code:
echo "action=rewrite&value=httpd" >> /usr/local/directadmin/data/task.queue

actually the only possibility I figured out is to chmod /usr/bin/perl 700
any better suggestion?

Not the best idea, it might break legitimate software. Check step 14 here: http://help.directadmin.com/item.php?id=247
 
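The three steps in the reply above (block *.pl/*.cgi uploads in ProFTPd, flip cgi=ON to cgi=OFF in every user.conf, queue the httpd rewrite) as an added, runnable rehearsal. This is example code written for this page, not code from the thread or from DirectAdmin: it builds a constructed copy of the users tree and task queue under a temp directory, so nothing under /usr/local/directadmin is touched, and the ProFTPd `PathDenyFilter` regex shown in the comment is my suggestion for the "disable *.pl and *.cgi" step, not a directive quoted from the reply.

```shell
#!/bin/sh
# Added example, not code from the thread: rehearses the reply's three steps
# (block .pl/.cgi uploads, flip cgi=ON to cgi=OFF in every user.conf, queue the
# httpd rewrite) against a constructed copy of the DirectAdmin data tree, so it
# can be run and checked before touching /usr/local/directadmin.
set -eu

# Constructed stand-ins for /usr/local/directadmin/data/users and .../task.queue.
DA_USERS="${DA_USERS:-$(mktemp -d)}"
DA_TASK_QUEUE="${DA_TASK_QUEUE:-$DA_USERS/task.queue}"

# ProFTPd equivalent, in proftpd.conf:  PathDenyFilter "\.([Pp][Ll]|[Cc][Gg][Ii])$"
# The character classes cover case variants such as SHELL.PL without relying on
# a case-insensitivity flag.
FTP_DENY_RE='\.([Pp][Ll]|[Cc][Gg][Ii])$'

# ftp_upload_allowed NAME -> 0 if the filter above would let the upload through.
ftp_upload_allowed() {
    if printf '%s\n' "$1" | grep -Eq "$FTP_DENY_RE"; then
        return 1
    fi
    return 0
}

# Sample accounts (constructed here): three with CGI on, one already off.
make_sample_users() {
    for u in alice bob carol; do
        mkdir -p "$DA_USERS/$u"
        printf 'username=%s\ncgi=ON\nphp=ON\n' "$u" > "$DA_USERS/$u/user.conf"
    done
    mkdir -p "$DA_USERS/dave"
    printf 'username=dave\ncgi=OFF\nphp=ON\n' > "$DA_USERS/dave/user.conf"
}

# Same substitution as the reply's perl -pi one-liner, anchored to the whole line
# and written back through the original file so its owner and mode are untouched.
disable_cgi_all() {
    for f in "$DA_USERS"/*/user.conf; do
        sed 's/^cgi=ON$/cgi=OFF/' "$f" > "$f.tmp"
        cat "$f.tmp" > "$f"
        rm -f "$f.tmp"
    done
}

# Number of user.conf files still carrying cgi=ON; 0 means every account is done.
count_cgi_on() {
    grep -l '^cgi=ON$' "$DA_USERS"/*/user.conf 2>/dev/null | wc -l | tr -d ' '
}

# Ask DirectAdmin's task queue to regenerate the Apache virtual hosts (the reply's line).
queue_httpd_rewrite() {
    echo "action=rewrite&value=httpd" >> "$DA_TASK_QUEUE"
}

make_sample_users
echo "before: $(count_cgi_on) account(s) with cgi=ON"
disable_cgi_all
echo "after:  $(count_cgi_on) account(s) with cgi=ON"
queue_httpd_rewrite
echo "queued: $(tail -n 1 "$DA_TASK_QUEUE")"

# The FTP filter stops obvious names but not a perl script uploaded as notes.txt,
# which is why cgi=OFF is the step that actually removes the attack surface.
for n in index.html shell.PL script.cgi notes.txt; do
    if ftp_upload_allowed "$n"; then echo "ftp: $n allowed"; else echo "ftp: $n denied"; fi
done
```

Point `DA_USERS` and `DA_TASK_QUEUE` at the real paths only after the dry run reports 0 accounts with cgi=ON; the write-back through `cat` rather than `mv` is deliberate, since DirectAdmin's user.conf files are not owned by root and a renamed temp file would change their owner.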
Awesome, thanks!

Is it a good idea to add /bin to the list of binaries? chgrp apache /usr/bin/perl /usr/bin/wget /usr/local/bin/wget /usr/local/bin/curl /usr/bin/curl /usr/bin/python

Like /bin/sh and such? If I understand this method, we can add as many binaries as we wish that the common users' group cannot run?
And then of course chmod it 705.
 
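The post above asks how far the "chgrp apache BIN; chmod 705 BIN" recipe can be pushed. The added example below is not code from the thread or from the DirectAdmin guide: it models the Unix permission check the trick relies on, so the effect of 705 (and of the chmod 700 idea from the first post) can be seen on constructed cases without changing any real binary. The account and group names apache, alice and admin are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: models the Unix permission check that
# makes "chgrp apache BIN; chmod 705 BIN" deny the web server while leaving every
# other user able to run BIN. It computes verdicts from mode bits and touches no
# real binary; the account and group names (apache, alice, admin) are illustrative.
set -eu

# digit_has_exec DIGIT -> 0 if one octal permission digit includes the x bit.
digit_has_exec() {
    case $1 in 1|3|5|7) return 0 ;; *) return 1 ;; esac
}

# can_exec MODE OWNER GROUP UID GID [GID...] -> 0 if the caller may execute.
# Mirrors the kernel's order: owner bits if the uid matches, otherwise group bits
# if any of the caller's groups matches, otherwise "other" bits. The first class
# that matches decides, so a member of the file's group never falls through to
# the "other" bits: that is the whole trick behind 705 with group apache.
can_exec() {
    mode=$1 owner=$2 group=$3 uid=$4
    shift 4
    case $mode in ????) mode=${mode#?} ;; esac      # drop a leading setuid/sticky digit
    cls=${mode#??}                                   # default: other
    if [ "$uid" = "$owner" ]; then
        cls=${mode%??}                               # owner
    else
        for gid in "$@"; do
            if [ "$gid" = "$group" ]; then
                rest=${mode#?}; cls=${rest%?}        # group
                break
            fi
        done
    fi
    digit_has_exec "$cls"
}

# verdict MODE OWNER GROUP UID GID... -> prints allow or deny.
verdict() {
    if can_exec "$@"; then echo allow; else echo deny; fi
}

# lockdown BIN: the recipe from the thread applied to a real path. Needs root and
# an apache group, so the demo below never calls it.
lockdown() {
    chgrp apache "$1" && chmod 705 "$1"
}

printf '%-4s %-12s %-8s %-16s %s\n' mode owner:group caller groups verdict
for case_ in "705 root apache root root" \
             "705 root apache apache apache" \
             "705 root apache alice alice users" \
             "705 root apache admin admin apache" \
             "700 root root alice alice"; do
    set -- $case_
    printf '%-4s %-12s %-8s %-16s %s\n' "$1" "$2:$3" "$4" \
        "$(shift 4; echo "$*")" "$(verdict "$@")"
done
```

The table makes two caveats visible that a practitioner should check before extending the list to /bin/sh and friends: the last row is the chmod 700 idea from the first post, which denies every ordinary user (the "breaks legitimate software" objection), and the admin row shows that any account carrying apache as a supplementary group is locked out too. The trick also only reaches processes running with the apache group; if CGI scripts execute as the account user under suexec rather than as apache, they are not affected by it, which is what cgi=OFF is for.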
Here is the PHP hack code found on the compromised user.

Very lucky that all exec functions were disabled already...

Code:
removed...
 
You should not post the hacker's PHP code in public for others to copy and use. Moderator, please remove the PHP code.

This is a script that you can easily find anyway... but I did remove it.

With all this bullsh... I'm kind of in a reminding mood, to make sure about the security setup.
From the shell script, is it possible to display the content of /etc/shadow even if open_basedir is ON, with PHP native functions such as fread?
 


Firstly I could not understand why the forums got blocked by my antivirus.
 
But it would be very great and appreciated if someone, not in my actual panicked state of mind, could analyze this PHP shell script and
update the "basic security" procedure, just to make sure everything is up to date with the actual hack flavor.

I can send it by PM if needed (I will only send it to people I'm used to seeing around in this forum).

Thanks again.
 
zEitEr,
seems like you reached the PM limit lol
Anyway, I cannot PM the code because it is too long, so PM me your email address and I will send you a rar file.

Thanks a lot for your time and help
 