Saturday, 23 November 2013

Find symlinks pointing to the root file system of CentOS and Debian Servers

Most server admins are aware of the latest vulnerability (often found on cPanel servers), which is being used by many attackers to create symlinks pointing to the root (/) file system of the server. If an attacker finds the account password of just one user on the server, they can create (anywhere in the user’s public_html folder) a symlink pointing to /, which, if opened through Apache, allows them to browse the entire directory and file structure of the server from a browser.


To find out whether there are symlinks pointing to / in any of the users’ public_html folders, run the following command as root over SSH and wait patiently for the scan to complete.


root@serv [~]# find /home*/*/public_html -type l -exec ls -l {} \; | grep -- "-> /$"


If you don’t get any results, then relax.

If you get something like: 


lrwxrwxrwx 1 user user 1 date time /home/user/public_html/folder -> /


Then immediately change the password of this user as it appears that somebody has found their password and created the symlink. Also delete the symlink by running (for the above example) the command:


root@servertechs [~]# rm /home/user/public_html/folder


and answer “y” if asked for confirmation to remove the symlink.
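
The scan above, as an added example that is not part of the original post: instead of matching `ls -l` text, it resolves every symlink with `readlink -f`, so it goes beyond the command on the page and also reports links that reach / indirectly, which `grep -- "-> /$"` does not match. The function names and the sample tree (users alice and bob) are constructed for illustration, and `readlink -f` assumes GNU coreutils as found on CentOS and Debian.

```shell
#!/bin/sh
# Added example: report symlinks whose *resolved* target is "/".
# Assumes GNU readlink (-f), as shipped on CentOS and Debian.
# On a server, as root:  find_root_symlinks /home*/*/public_html

find_root_symlinks() {
    # "$@": the public_html directories to scan. find does not follow links here.
    find "$@" -type l -exec sh -c '
        for link do
            # -f follows link chains and normalises "." and ".." components
            target=$(readlink -f -- "$link" 2>/dev/null) || continue
            if [ "$target" = "/" ]; then
                printf "%s -> %s\n" "$link" "$(readlink -- "$link")"
            fi
        done
    ' sh {} + 2>/dev/null
}

# Constructed sample tree (hypothetical users alice and bob) showing what is flagged.
demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/home/alice/public_html" "$base/home/bob/public_html/img"
    ln -s /      "$base/home/alice/public_html/folder"  # the case shown on the page
    ln -s /./    "$base/home/alice/public_html/dot"     # ls shows "-> /./"
    ln -s folder "$base/home/alice/public_html/alias"   # link to a link
    ln -s ../../../../../../../../../../../../../../../.. \
                 "$base/home/bob/public_html/img/up"    # relative climb
    ln -s /tmp   "$base/home/bob/public_html/tmp"       # not the root: ignored
    find_root_symlinks "$base"/home*/*/public_html | sed "s|^$base||" | sort
    rm -rf "$base"   # rm removes the links themselves, it does not follow them
}

demo
```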
