Directadmin security from joomla hackers

Exter

Hello there!

I am not sure if this thread has been posted in the right place but...

The problem is that we have a huge number of customers that have been hacked via Joomla 1.5, Joomla 3.0 and so on. This list can be long...

I have taken a look into this myself but I have not solved the problem ;(

These are the PHP security settings I have today:

disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source

and I have also closed down exec from the temp directory and so on via fstab on our systems. http://help.directadmin.com/item.php?id=247

The biggest problem with this is that they are running a PHP script to bring down other websites around the world (like DDoS) with an amount of 1 Gigabit/s plus.

So I want to know what you guys do to secure your systems so you don't have to suspend all the customers that have been hacked. I know a few web resellers today that have solved this problem but they are not using DirectAdmin at all ;(

So could you please be kind enough to help me out with this situation or give me some ideas; that would be appreciated.

/Best Regards Egner.
 
Hi there ZEitEr!

0. I use PHP5-CGI today with suPHP (standard in DirectAdmin!)
1. This I already told you about: disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source
2. Of course I have a firewall on this server (PF firewall), but I can't see how that will help, unfortunately...
3. Well, can you describe this a little bit more? (How does your fstab setup look?)
4. Well, the problem is that maldet does not work under an OpenVZ cluster :( so that won't help...

What will mod_ruid2 do to protect the server against enemies such as Joomla attackers?
Well, the problem is that they start those scripts from the customers' public_html directory and not from the temp folders on the server.


/Best Regards
 
0. I use PHP5-CGI today with suPHP (standard in DirectAdmin!)

Sure, it can be installed with custombuild. The main idea is that PHP scripts should not run with apache user privileges.

1. This I already told you about: disable_functions = exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source

That might not be enough. Our list is even bigger.

2. Of course I have a firewall on this server (PF firewall), but I can't see how that will help, unfortunately...

You might want to try CSF/LFD. Even raw iptables might help to block outgoing connections for unauthorized users, to prevent spamming using sockets in PHP scripts, etc.

3. Well, can you describe this a little bit more? (How does your fstab setup look?)

That depends on server type and virtualization.

4. Well, the problem is that maldet does not work under an OpenVZ cluster :( so that won't help...

How do you know that?

What will mod_ruid2 do to protect the server against enemies such as Joomla attackers?

The main idea is that PHP scripts should not run with apache user privileges. You either use PHP-CGI or PHP-CLI with mod_ruid2.
For more information read this: http://boomshadow.net/tech/php-handlers/

Well, the problem is that they start those scripts from the customers' public_html directory and not from the temp folders on the server.

That's for sure, but firstly they are uploaded into a temp directory. Of course if you secure /tmp, that won't protect from uploading malware into public_html directories. Still, securing /tmp is a necessary thing.

Though I don't have a guide on how to protect against uploading malware via vulnerabilities in PHP scripts, there are some things that can be applied to minimize the side effects.
 
That might not be enough. Our list is even bigger.

Can you share your disable_functions?
 
We have this:
Code:
disable_functions = dl,exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,popen,show_source

This is the procedure I use to secure /tmp as well as /var/tmp, /home/tmp and /dev/shm:
Secure /dev/shm:
in /etc/fstab change:
none /dev/shm tmpfs defaults,rw 0 0
to
none /dev/shm tmpfs defaults,nosuid,noexec,rw 0 0
then use this command:
mount -o remount /dev/shm

For securing the /tmp directories (on dedicated servers):
dd if=/dev/zero of=/var/tmpMnt bs=1024 count=5000000
/sbin/mke2fs /var/tmpMnt
(this will give a chkdsk notice, just go on)
cd /
cp -a /tmp /tmp_backup
rm -rf /tmp/.??* /tmp/*
mount -o loop,noexec,nosuid,nodev,rw /var/tmpMnt /tmp
chmod 1777 /tmp
cp -a /tmp_backup/.??* /tmp_backup/* /tmp/
rm -rf /tmp_backup
echo "/var/tmpMnt /tmp ext2 loop,noexec,nosuid,nodev,rw 0 0" >> /etc/fstab
cp -a /var/tmp/.??* /var/tmp/* /tmp
rm -rf /var/tmp
ln -s /tmp /var/tmp
cp -a /home/tmp/.??* /home/tmp/* /tmp
rm -rf /home/tmp
ln -s /tmp /home/tmp
Ready.

Now this uses a 5 GB /tmp partition; if you want it smaller, you can adjust it. However, be sure to have it big enough or you will get in trouble with big DA backups bigger than this setup.
Another option is to change the tempdir in directadmin.conf to another one.
Have a good firewall like CSF/LFD, which has more options than apf/bfd.

However, this is not a guarantee that nothing will happen again. Mostly Joomla and similar scripts (WordPress etc.) are hacked because the users use insecure addons or do not update when updates are available.
If you really want to do something about this, teach your users to upgrade as soon as possible when an upgrade is available, especially for addons. And there are even some insecure themes around.

I just forgot to mention that this is on CentOS servers.
You also might have to fix logrotate when securing your temp folder:
nano -w /etc/cron.daily/logrotate

add this line:
export TMPDIR=/var/spool/logrotate/tmp

after that, create this directory:
mkdir -p /var/spool/logrotate/tmp
And you should be fine.
 
What about ModSecurity? All the time and effort to secure the box, but you haven't mentioned ModSecurity.
 
With Custombuild 2.0 you can use clamav to check uploaded files via FTP:

Code:
cd /usr/local/directadmin/custombuild/
./build update
./build set pureftpd_uploadscan yes
./build set clamav yes
./build clamav
./build pureftpd
 