Security Problem

Discussion in 'Installation/Configuration' started by Cracknel, Nov 15, 2008.

  1. Cracknel

    Cracknel New Member

    I have some clients running outdated php scripts. They have many bugs.
    Last week a website got hacked. The attacker uploaded a PHP shell and made a deface.
    I've personally uploaded a php shell and guess what, I can access even the root directory!
    What can I do?
    I've discovered spam sending scripts and bank scam pages on one of my personal websites. God knows what else could be affected.
    Please tell me what's wrong!
    I've installed ISPConfig on a virtual server. I have the same problem!
    Everything went normal with the installation!
     
  2. _X_

    _X_ New Member

    http://docs.ispconfig.org/en-sandbox-dynamic-site/?page=faq

    You cannot blame ISPConfig for that hack because IMHO ISPConfig has nothing to do with that.

    You should back up the ISPConfig base and settings and do a fresh install. It's the safest way.

    Hope this can help:
    http://howtoforge.com/forums/showthread.php?t=28258&highlight=backup+restore

    http://howtoforge.com/forums/showthread.php?t=23448&highlight=backup+restore
     
  3. Cracknel

    Cracknel New Member

    Read again!
    I have already installed a new server that has the same problem!
     
  4. _X_

    _X_ New Member

    Well, that part of your post I didn't understand.

    You installed new ISPConfig on virtual server and uploaded the attacker script and it works? or

    After a clean install and restore of ISPConfig settings script is still there?
     
  5. Cracknel

    Cracknel New Member

    The installation on the virtual server was just to find out if there was a problem with my server or with all ispconfig installations.


    You can test the bug on your own server. Just upload a c99 or r57 php shell script and change the working directory to /.

    you can look in /var/www and from there in all accounts, stealing passwords from configuration files, scripts...
     
  6. _X_

    _X_ New Member

  7. till

    till Super Moderator Staff Member ISPConfig Developer

    And this still has nothing to do with ISPConfig, as _X_ explained above. You are just saying that a hacker script that you uploaded to a PHP webspace is working; ISPConfig is not involved in executing that script at all.

    So, back to your original problem. If you want to prevent that a php script accesses the whole folder, you can do several things:

    1) activate php safemode for the website.
    2) update your php to the latest version.
    3) Deactivate potentially harmful functions in your php.ini like exec, passthru etc.
    4) install security extensions for apache like mod_security
    5) install suhosin for php.
     
  8. Cracknel

    Cracknel New Member

    the problem is that if you host, let's say, 10 websites and one person uploads a bad script you'll get in trouble!

    for example some cms scripts don't run if php is in safemode (joomla is one of them).

    please don't close the thread! I'll be back with information.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Sure, but why do you blame ISPConfig for Joomla being insecure or not supporting safemode?

    Take a look at the points that I posted above to secure your php installation.
     
  10. _X_

    _X_ New Member

    From what I know, Joomla can work and be safe with these settings in Apache Directives (Optional):

    Options FollowSymLinks
    AllowOverride All
    php_admin_flag register_globals Off
    php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open"
    php_admin_flag allow_url_fopen Off
    php_admin_flag magic_quotes_gpc On
    php_admin_value session.save_path "/var/www/web1/phptmp/"
    php_admin_value open_basedir "/var/www/web1/"

    and PHP Safe Mode disabled.

    Correct me if I'm wrong.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess this should work fine. To sum it up, if you want to run a hosting business, you should make yourself familiar with how to secure the different applications on your server :)

    One note. I'm not sure if "AllowOverride All" is really necessary, as this would allow an attacker to remove the security settings that you set in the apache directives field again in a .htaccess file.
     
    Last edited: Nov 15, 2008
  12. _X_

    _X_ New Member

    on my test server it resulted with:

    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    .htaccess: Options not allowed here

    maybe it has to do something with SEF on joomla?
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Take a look in the error log of the website, there should be listed the exact option which caused the error and then it is better to allow overriding for just that option.
     
  14. _X_

    _X_ New Member

    .htaccess: Options not allowed here

    is from error.log in /var/www/web1/log/
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Hmm, ok. Can you please post the content of the .htaccess file.
     
  16. _X_

    _X_ New Member

    here goes htaccess:
    Options +FollowSymLinks
    RewriteEngine On
    RewriteBase /

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$ [NC]
    RewriteRule ^(content/|component/) index.php

    RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR]
    RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$ [NC]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule (.*) index.php

    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]

    i guess problem is in first line?
     
  17. _X_

    _X_ New Member

    :confused: just saw that there are some duplicate lines :rolleyes:
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, the directive "Options +FollowSymLinks" should not be put in an .htaccess file. Either you put it wrapped into a directory directive in the apache directives field or you enable "Options +FollowSymLinks" globally in the apache2.conf file for all sites.
     
  19. _X_

    _X_ New Member

    Just to repeat for anyone interested in setting up ISPConfig for Joomla 1.0.x:

    htaccess - with support for SEFurl plug-ins:
    Code:
    RewriteEngine On
    RewriteBase /
    
    RewriteRule ^(content/|component/) index.php
    
    RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR]
    RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$ [NC]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule (.*) index.php
    
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]
    Apache Directives (Optional): -change webXXX with your configuration
    Code:
    <Directory "/var/www/webXXX/web">
    Options FollowSymLinks
    php_admin_flag register_globals Off
    php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open"
    php_admin_flag allow_url_fopen Off
    php_admin_flag magic_quotes_gpc On
    php_admin_value session.save_path "/var/www/webXXX/phptmp/"
    php_admin_value open_basedir "/var/www/webXXX/"
    </Directory>
    and PHP Safe Mode disabled - Joomla 1.0.x doesn't work with this option enabled.
     
    Last edited: Nov 16, 2008
  20. Cracknel

    Cracknel New Member

    I found a solution:
    in /etc/apache2/apache2.conf

    replace
    Code:
    <Directory /var/www/*/web>
        Options +Includes -Indexes
        AllowOverride None
        AllowOverride Indexes AuthConfig Limit FileInfo
        Order allow,deny
        Allow from all
    
        <Files ~ "^\.ht">
        Deny from all
        </Files>
    </Directory>
    
    With:
    Code:
    <Directory /var/www/*/web>
        Options +Includes -Indexes
        AllowOverride None
        AllowOverride Indexes AuthConfig Limit FileInfo
        Order allow,deny
        Allow from all
        php_admin_value open_basedir /var/www/web
    
        <Files ~ "^\.ht">
        Deny from all
        </Files>
    </Directory>
    
    This should be included in the setup script for ISPConfig.

    [later edit]

    It looks like this option can be bypassed with a simple script.
    I've even restricted some functions in php.ini.
     
    Last edited: Nov 16, 2008
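
An audit of the `<Directory>` blocks discussed in posts 10, 11, 19 and 20, as an added example that is not part of the original thread or of ISPConfig. It assumes the PHP behaviour of the thread's era, where an `open_basedir` value without a trailing slash is matched as a path prefix; the finding codes and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: the wildcard block from post 20, a per-site block in the
# style of post 19 with "AllowOverride All" from post 10, and an unrestricted one.
SAMPLE_CONF = """
<Directory /var/www/*/web>
    AllowOverride None
    AllowOverride Indexes AuthConfig Limit FileInfo
    php_admin_value open_basedir /var/www/web
</Directory>
<Directory "/var/www/web1/web">
    AllowOverride All
    php_admin_value open_basedir "/var/www/web1/"
</Directory>
<Directory "/var/www/web2/web">
    Options FollowSymLinks
</Directory>
"""

BLOCK = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S | re.I)
BASEDIR = re.compile(r'^\s*php_admin_value\s+open_basedir\s+"?([^"\s]+)"?\s*$', re.M | re.I)
OVERRIDE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)

def audit(conf):
    """Map each <Directory> path to a list of finding codes."""
    report = {}
    for path, body in BLOCK.findall(conf):
        findings = []
        basedir = BASEDIR.search(body)
        if basedir is None:
            findings.append("NO_OPEN_BASEDIR")
        else:
            entries = basedir.group(1).split(":")  # ':' separates paths on Unix
            if any(not e.endswith("/") for e in entries):
                # Without the slash the value acts as a prefix (assumption above),
                # so /var/www/web also covers /var/www/web1, /var/www/web2 ...
                findings.append("PREFIX_MATCH")
            if "*" in path:
                # One value applied to every matched site cannot isolate them.
                findings.append("SHARED_BY_ALL_SITES")
        overrides = OVERRIDE.findall(body)
        # The last AllowOverride line in a block is the effective one.
        if overrides and "all" in overrides[-1].lower().split():
            findings.append("ALLOWOVERRIDE_ALL")
        report[path] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit(SAMPLE_CONF).items():
        print(path, "->", ", ".join(findings) or "ok")
```

A block that reports no findings has its own `open_basedir` ending in a slash, as in the per-site directives of post 19.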
