Prevent 'walking the filesystem' with tools like FilesMan?

iworx

Verified User
Joined
Nov 21, 2006
Messages
97
Location
Belgium
I recently (or maldetect did) found some PHP scripts on one of my servers called FilesMan.
It was injected in a users infected WordPress site.

Since I was a little curious on the hows/whats of this type of tools - I copied it into a secure domain and started to play with it. The amount of tooling used in these scripts in horrible for any webhoster I think.

None of the 'security measures' (like SuPHP, CSF, LFD) implemented on the server seemed to be able to contain it to the users home directory / prevent it from doing brute force attacks on the FTP daemon, trying passwords on MySQL etc etc.

Is there a way to contain this type of tool - jail it or faster detect it than just using "Maldetect -m users" ?

If you want to test this script on your machine, to see how it behaves, just send me a PM.
 
The problem of course is Linux/Unix security. Much of the file system needs to be world readable on a shared hosting server.

And you can jail a user so no one else can get in, but you can't jail him so he (or a script running as him) can get out.

Various distributions, including Cloud Linux, can jail programs so only certain programs can do different things, but they're very hard to use in a shared hosting environment.

Search these forums for Cloud Linux.

Jeff
 
Most PHP shells becomes less dangerous if you disable some PHP functions.

a good idea is to add dangerous php functions to the disable_functions list

http://help.directadmin.com/item.php?id=247

Then a combination of maldet+mod_security+apache might protect you from uploading PHP shells onto your server.

And yes you've got always a risk to get hacked from inside, your users might run BASH, PERL, PHP scripts and other programs with cron. So you might want to try Kernel Based security measures mentioned by Jeff.
 
Back
Top