Prevent 'walking the filesystem' with tools like FilesMan?

iworx (Verified User, joined Nov 21, 2006, 56 messages)
I (or rather maldetect) recently found some PHP scripts called FilesMan on one of my servers.
It was injected into a user's infected WordPress site.

Since I was a little curious about the hows/whats of this type of tool, I copied it into a secure domain and started to play with it. The amount of tooling used in these scripts is horrible for any web hoster, I think.

None of the 'security measures' (like SuPHP, CSF, LFD) implemented on the server seemed to be able to contain it to the user's home directory / prevent it from doing brute force attacks on the FTP daemon, trying passwords on MySQL, etc.

Is there a way to contain this type of tool - jail it, or detect it faster than just using "Maldetect -m users"?

If you want to test this script on your machine, to see how it behaves, just send me a PM.
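One way to get ahead of a scheduled maldet run is to grep the web roots for the shell's own marker string and the obfuscation and command-execution idioms these shells rely on. The script below is an added example for this thread, not maldet, mod_security or DirectAdmin code; the indicator strings are an assumption drawn from commonly seen webshell source, and the sample tree it builds is constructed for the demonstration, not real malware.

```shell
#!/bin/sh
# Heuristic triage scanner for FilesMan-style PHP shells.
# Added example for this thread; it is not maldet, mod_security or
# DirectAdmin code. The indicator strings are an assumption drawn from
# commonly seen webshell source (the shell's own marker plus the
# obfuscation and command-execution idioms such shells lean on). A hit is
# a lead to inspect by hand, not proof of compromise.

# match_indicators FILE: print each indicator string found in FILE, once.
# -F keeps the strings literal (the parentheses are not regex groups) and
# -o prints only the matched text, so the output names which indicator fired.
match_indicators() {
    grep -F -o \
        -e 'FilesMan' \
        -e 'eval(base64_decode(' \
        -e 'eval(gzinflate(' \
        -e 'eval(gzuncompress(' \
        -e 'eval(str_rot13(' \
        -e 'shell_exec(' \
        -e 'passthru(' \
        -e 'proc_open(' \
        -e 'popen(' \
        -- "$1" 2>/dev/null | sort -u
}

# scan_dir DIR: print "path<TAB>indicator" for every indicator found in any
# PHP-executable file under DIR. Symlinks are not followed, so a planted
# link cannot drag the scan outside the tree being checked.
scan_dir() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) -print |
    while IFS= read -r f; do
        match_indicators "$f" | while IFS= read -r ind; do
            printf '%s\t%s\n' "$f" "$ind"
        done
    done
}

# count_hits DIR: number of (file, indicator) pairs; 0 means nothing flagged.
count_hits() {
    scan_dir "$1" | wc -l | tr -d ' '
}

# suspicious_files DIR: unique flagged paths, suitable for a quarantine step.
suspicious_files() {
    scan_dir "$1" | cut -f1 | sort -u
}

# make_sample DIR: constructed sample tree (not real malware) to exercise the
# scanner: one clean file, two carrying indicators, one non-PHP decoy.
make_sample() {
    mkdir -p "$1/wp-content/uploads" "$1/wp-includes"
    printf '<?php echo "hello"; ?>\n' > "$1/index.php"
    printf '<?php /* FilesMan */ eval(gzinflate(base64_decode("..."))); ?>\n' \
        > "$1/wp-content/uploads/cache.php"
    printf '<?php $o = shell_exec($_GET["c"]); echo $o; ?>\n' \
        > "$1/wp-includes/class-wp-x.php"
    printf 'FilesMan mentioned in a text file is ignored\n' > "$1/readme.txt"
}

# Usage: sh scan.sh /home/user/domains/example.com/public_html
if [ -n "$1" ]; then
    scan_dir "$1"
fi
```

Run it from cron against each user's public_html; adding `-mtime -1` to the find keeps a daily run cheap by looking only at files changed since the last pass. Expect some false positives from legitimate plugins that call shell_exec or popen, which is why the output names the indicator rather than just the file.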

nobaloney (NoBaloney Internet Svcs - In Memoriam †, joined Jun 16, 2003, 26,119 messages, California)
The problem of course is Linux/Unix security. Much of the file system needs to be world readable on a shared hosting server.

And you can jail a user so no one else can get in, but you can't jail him so he (or a script running as him) can get out.

Various distributions, including Cloud Linux, can jail programs so only certain programs can do different things, but they're very hard to use in a shared hosting environment.

Search these forums for Cloud Linux.

Jeff

zEitEr (Super Moderator, joined Apr 11, 2005, 14,173 messages, GMT +7.00)
Most PHP shells become less dangerous if you disable some PHP functions.

A good idea is to add dangerous PHP functions to the disable_functions list:
http://help.directadmin.com/item.php?id=247

Then a combination of maldet+mod_security+apache might protect you from uploading PHP shells onto your server.

And yes, you've always got a risk of getting hacked from the inside: your users might run BASH, PERL, PHP scripts and other programs with cron. So you might want to try the kernel-based security measures mentioned by Jeff.
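Since a disable_functions list is only as good as what it actually contains, it is worth checking a php.ini against a baseline of the functions a shell like FilesMan needs to run commands or load code. The script below is an added example for this thread, not DirectAdmin's own tooling; the baseline list is an assumption (a common shared-hosting set), not the exact list from the help page linked above, and the two ini fragments it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Check a php.ini disable_functions directive against a baseline of the
# functions a PHP shell such as FilesMan needs to run commands or load code.
# Added example for this thread, not DirectAdmin's own tooling. The baseline
# is an assumption (a common shared-hosting set), not the exact list from the
# help page linked above; compare the two before rolling it out, and expect
# a few legitimate apps to complain about escapeshellarg/escapeshellcmd.

BASELINE='exec system passthru shell_exec proc_open popen dl escapeshellarg escapeshellcmd show_source symlink'

# disabled_functions INI: print the functions named in the last uncommented
# disable_functions line of INI, one per line, lower-cased and trimmed.
# (php.ini comments start with ';', so commented lines never match the anchor.)
disabled_functions() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' -- "$1" 2>/dev/null |
        tail -n 1 |
        sed -e 's/^[^=]*=//' -e 's/"//g' |
        tr ',' '\n' |
        tr 'A-Z' 'a-z' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -v '^$' || :
}

# missing_functions INI: baseline functions that INI still leaves enabled.
missing_functions() {
    have=$(disabled_functions "$1")
    for fn in $BASELINE; do
        printf '%s\n' "$have" | grep -qx "$fn" || printf '%s\n' "$fn"
    done
}

# check_ini INI: return 0 when nothing from the baseline is enabled,
# otherwise list the gaps and return 1 (usable straight from cron).
check_ini() {
    miss=$(missing_functions "$1")
    [ -z "$miss" ] && return 0
    printf 'still enabled in %s: %s\n' "$1" "$(printf '%s' "$miss" | tr '\n' ' ')"
    return 1
}

# make_samples DIR: constructed php.ini fragments, one weak and one hardened.
make_samples() {
    cat > "$1/weak.ini" <<'EOF'
; typical shipped default: nothing disabled
disable_functions =
EOF
    cat > "$1/hardened.ini" <<'EOF'
; disable_functions = exec
disable_functions = exec, system, passthru, shell_exec, proc_open, popen, dl, escapeshellarg, escapeshellcmd, show_source, symlink
EOF
}

# Usage: sh check_ini.sh /usr/local/lib/php.ini
if [ -n "$1" ]; then
    check_ini "$1"
fi
```

This checks the file, not the value PHP ends up with: if users can bring their own php.ini or .user.ini, the effective list can differ, so also confirm it from a script running as the user with `php -r 'var_dump(ini_get("disable_functions"));'`.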