How to disable find /

inferencia

Verified User
Joined
Aug 21, 2005
Messages
677
Location
Spain
Hello guys,

I'm having a rough time with exploits lately, and they're all using the same crap: find / index.* and cp an index.html with their hack slogans and logos, which they lodged somewhere (usually on a vulnerable customer's site).

So I was thinking a good thing to do would be to disable the command find / xxxxxxxx

Any idea how to do this?
 
http://help.directadmin.com/item.php?id=247

See steps 9 and 14. You can also use step 14 with find, if scripts are run by apache.
If not, why not rename find to a name only you know? Or would this give problems with installing something?
Or chmod 700 find, if that wouldn't give any problems.
 
Hi Richard,

Thanks a lot for the help. Yes, we've followed that help item. We do have tmp as a separate partition with noexec and nosuid now.

My admins told me that renaming find could mess up other things that might need it. Setting it to 700 sounds good too, but I'm not that good as an admin (company owner) and not sure what effect that could have.

I have 2 questions:

1- The build secure_php, does that block php from using commands such as find? Where can I get a list of the commands this places in php.ini?

2- If we rename find, will it mess up anything else in DA that needs to use it?

Thanks for the help !!!
 
I don't know all of the options that secure_php does, but you could check or compare the php.ini files.
Most changes you will find in the php.ini at "disable_functions".
Find is not one of them.

But it could indeed be that find is being used by something else, that's why I suggested using trick number 14 and doing a chgrp apache on it with a 705 so apache can't use it anymore. I would rather use a 700 because then only root can use it.
But maybe JLasman or one of the other good guys can give you a more certain answer about changing the find rights.

Renaming could mess things up if DA needs to use it, but I'm not sure. Normally compilation is done as root. But since DA also does other stuff, it could be that it's done via the DA user too.
So I'm curious about the answer to that too, I can't give you more certainty about that myself, sorry.
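An added example, not from this thread or from DirectAdmin's own scripts, that applies the two options discussed above (the "trick 14" chgrp + 705 restriction, and the root-only 700 restriction) to a scratch copy of a binary and reports which class of user can still execute it. It assumes a `stat` that accepts `-c '%a'` (GNU or BusyBox) and that the caller supplies the group name to lock out (apache on the systems discussed here); the scratch file and group used in the usage section are constructed for the demonstration.

```shell
#!/bin/sh
# restrict_binary PATH MODE [GROUP]
#   MODE 705: chgrp the file to GROUP so that members of that group (the web
#             server) get no permission bits at all, while everyone else keeps rx.
#   MODE 700: owner (root, on a real system binary) only.
# Prints the resulting octal mode. Returns 1 on a bad argument or failed chgrp/chmod.
restrict_binary() {
    bin=$1; mode=$2; grp=$3
    if [ "$mode" = 705 ]; then
        [ -n "$grp" ] || { echo "mode 705 needs a group name" >&2; return 1; }
        # Refuse to chgrp to a group that does not exist (getent is assumed to be present).
        if command -v getent >/dev/null 2>&1; then
            getent group "$grp" >/dev/null 2>&1 || { echo "no such group: $grp" >&2; return 1; }
        fi
        chgrp "$grp" "$bin" || return 1
    elif [ "$mode" != 700 ]; then
        echo "unsupported mode: $mode (use 705 or 700)" >&2; return 1
    fi
    chmod "$mode" "$bin" || return 1
    stat -c '%a' "$bin"
}

# who_can_exec PATH: derive from the mode digits which classes keep the execute bit.
# Prints e.g. "owner=yes group=no other=yes".
who_can_exec() {
    mode=$(stat -c '%a' "$1")
    o=$(( mode / 100 )); g=$(( (mode / 10) % 10 )); w=$(( mode % 10 ))
    yn() { [ $(( $1 & 1 )) -eq 1 ] && echo yes || echo no; }
    echo "owner=$(yn "$o") group=$(yn "$g") other=$(yn "$w")"
}

# Usage (constructed scratch copy; on a real box the target would be /usr/bin/find):
#   sh restrict_find.sh 705 apache
if [ $# -gt 0 ]; then
    scratch=$(mktemp -d)
    printf '#!/bin/sh\necho "pretend find"\n' > "$scratch/find"
    echo "mode now: $(restrict_binary "$scratch/find" "$1" "$2")"
    who_can_exec "$scratch/find"
    rm -rf "$scratch"
fi
```

The 705 variant only helps when the web server runs as a non-root user in the chosen group; anything running as root, such as the logrotate and DirectAdmin scripts mentioned later in the thread, is unaffected by either mode.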
 
Don't know.

I can't see DirectAdmin using find at all, or if it does, using it as anything but root (if only to avoid errors when find tries moving through paths for which it has no rights).

But I really don't know with any certainty.

Jeff
 
Hello,

Clients and their scripts, as well as non-root programs, are not likely to need "find", so I would guess that setting it to 700 would be fine.

1) Yes, it would block php functions that allow system commands. To see a list, type:
Code:
grep disable_functions /usr/local/lib/php.ini
grep disable_functions /usr/local/etc/php5/cgi/php.ini
The 2nd path is only if you're using suPhp.

2) The only find calls I could find are in /etc/logrotate.d/directadmin, squirrelmail.sh and fix_da_user.sh, which would be called as root, so 700 is ok.

John
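An added example, not from this thread or from DirectAdmin's secure_php build, that turns the two grep lines above into a check: it reads the `disable_functions` line from a php.ini and reports which of PHP's command-execution functions (the ones that would let a script run `find` or `cp`) are still enabled. The php.ini contents in the usage section are constructed for illustration; on a real server you would point it at the paths John lists, /usr/local/lib/php.ini and, with suPhp, /usr/local/etc/php5/cgi/php.ini.

```shell
#!/bin/sh
# PHP functions that hand a command line to a shell or spawn a process.
CMD_FUNCS="exec passthru shell_exec system popen proc_open"

# disabled_functions FILE: print the entries of the last uncommented
# disable_functions line, one per line, with surrounding whitespace removed.
disabled_functions() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" | tail -n 1 \
        | sed 's/^[^=]*=//' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'
}

# missing_cmd_funcs FILE: print, space-separated, the command-execution
# functions that are NOT in disable_functions (empty output means all covered).
missing_cmd_funcs() {
    disabled=$(disabled_functions "$1")
    missing=""
    for f in $CMD_FUNCS; do
        if ! printf '%s\n' "$disabled" | grep -qix "$f"; then
            missing="$missing $f"
        fi
    done
    printf '%s\n' "${missing# }"
}

# make_sample_ini FILE: write a constructed php.ini fragment (not a real DA file)
# in which four of the six functions are disabled.
make_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample php.ini, not a real DirectAdmin configuration
[PHP]
;disable_functions =
disable_functions = exec, system, passthru, shell_exec
safe_mode = Off
EOF
}

# Usage: sh check_disable_functions.sh /usr/local/lib/php.ini [/usr/local/etc/php5/cgi/php.ini]
if [ $# -gt 0 ]; then
    for ini in "$@"; do
        m=$(missing_cmd_funcs "$ini")
        if [ -n "$m" ]; then
            echo "$ini: still enabled: $m"
        else
            echo "$ini: all command-execution functions are disabled"
        fi
    done
fi
```

Note that disabling these functions only affects PHP scripts; it does nothing for an attacker who already has a shell as the web server user, which is where the file-permission approach from the earlier posts comes in.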
 