I've been seeing a few issues lately on a few of my servers where an account gets hacked via outdated scripts, and the hacker uploads a cPanel / FTP brute-forcing PHP script inside the account.
The PHP file reads /etc/passwd to get the usernames, and then uses a passwd.txt file to try and brute force its way into 127.0.0.1:2082.
I'm trying to think of a way to block this. It doesn't POST anything except "GET /path/phpfile.php", so I can't use mod_security to block this.
I've been thinking of maybe changing permissions on /etc/passwd to 600, however I'm unsure how this will affect my users.
I was also thinking of rate-limiting localhost connections to :2082, however I'm worried about mod_proxy being affected.
Any suggestions?
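One defender-side check that follows from the question is a scan of each account's document root for PHP files carrying the combination of indicators the poster describes (reading /etc/passwd, a passwd.txt wordlist, and a connection to the local cPanel port 2082). This is an added example, not code from the post or from cPanel; the web-root layout, the file extensions, and the sample PHP contents are constructed assumptions, and the two-indicator threshold is a design choice to avoid flagging ordinary scripts that merely call curl.

```python
"""Scan a web root for PHP uploads that match the indicators described in
the post. Added example; paths, extensions and fixture contents are assumed."""
import os
import re
import tempfile

# Indicators drawn from the post's description of the uploaded script:
# it reads /etc/passwd, uses a passwd.txt wordlist and talks to 127.0.0.1:2082.
INDICATORS = {
    "reads_etc_passwd": re.compile(r"/etc/passwd\b"),
    "password_wordlist": re.compile(r"\bpass(?:wd|word)s?\.txt\b", re.IGNORECASE),
    "local_cpanel_port": re.compile(r"(?:127\.0\.0\.1|localhost)\W{0,8}2082\b"),
    "raw_socket_or_curl": re.compile(r"\b(?:fsockopen|curl_init|stream_socket_client)\s*\("),
}

MAX_BYTES = 1024 * 1024  # cap the read so a huge upload cannot stall the scan


def scan_file(path, min_hits=2):
    """Return the indicator names matched in one PHP file, or [] when fewer
    than min_hits match (a single hit such as curl_init is normal in real code)."""
    with open(path, "rb") as fh:
        text = fh.read(MAX_BYTES).decode("utf-8", errors="ignore")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return hits if len(hits) >= min_hits else []


def scan_tree(root, min_hits=2, exts=(".php", ".phtml", ".php5")):
    """Walk a document root and map each suspicious file (relative path)
    to the list of indicators it matched."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                hits = scan_file(path, min_hits)
                if hits:
                    findings[os.path.relpath(path, root)] = hits
    return findings


# Constructed fixture: one file with the post's indicators, one ordinary file.
# These are illustrative stubs, not a working script of either kind.
SUSPECT_PHP = b"""<?php
$users = file('/etc/passwd');          // harvests local usernames
$words = file('passwd.txt');           // wordlist uploaded alongside
$fp = fsockopen('127.0.0.1', 2082);    // local cPanel port
"""
BENIGN_PHP = b"""<?php
$ch = curl_init('https://example.invalid/api');  // one hit alone is not enough
echo 'hello';
"""


def demo():
    """Build the constructed web root in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    os.makedirs(os.path.join(root, "public_html", "wp-content"))
    with open(os.path.join(root, "public_html", "wp-content", "x.php"), "wb") as fh:
        fh.write(SUSPECT_PHP)
    with open(os.path.join(root, "public_html", "index.php"), "wb") as fh:
        fh.write(BENIGN_PHP)
    return scan_tree(root)


if __name__ == "__main__":
    # On a real host you would call scan_tree("/home/<account>/public_html").
    for path, hits in demo().items():
        print(path, hits)
```

Run it from cron against each account's document root and alert on any finding; the threshold keeps a lone `curl_init` from generating noise, while the combination of /etc/passwd, a wordlist and the local port 2082 is rarely legitimate inside a web root.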
Answer
Run some form of auth that doesn't look at /etc/passwd for usernames such as LDAP. Also, I'd suggest activating SELinux so that such hacks break right at step 1 (httpd can't read /etc/passwd with the default rules), but cPanel is hateful of any advanced attempt to lock the system down.