Saturday, January 10, 2015

Solutions for handling symlink attacks

1) He login to cPanel as a normal user http://ip-address/cpanel then type login and password to Login
2) Then he open File manager (show hidden files "dotfiles") and then creates new .htaccess file with following source:
#.htaccess file source
Options Indexes FollowSymLinks
DirectoryIndex doesnt-metter.htm
AddType txt .php
AddHandler txt .php

#End of .htaccess file
3) Then he creates symbalic link (soft link) with perl scripts or just uses CRON job to create symbalic link of top level directory "/" typing: "ln -s / topdir"
4) After that, he open browser and typing http://server-ip/~his-home-dir/topdi.../wp-config.php and then just looking source of the page, all data present as a TXT(text) data. That's all. User has been hacked.
-------------------------------------------------------------------------------------------------------
Solution:
1) Open you'r php.conf with you'r favorite editor: nano /usr/local/apache/conf/php.conf
2) Commit: #AddType application/x-httpd-php5 .php5 .php4 .php .php3 .php2 .phtml
3) Add these lines:
<FilesMatch "\.ph(p[2-6]?|tml)$"> # this equal to: .php, .php2, .php3, .php4, .php5, .php6 .phtml
SetHandler application/x-httpd-php5
</FilesMatch>

4) Save you'r changes and close php.conf
5) Restart httpd server typing: /etc/init.d/httpd restart
6) Done

No comments:

Post a Comment