
How to find and prevent symlink attack

Post by a24uall » Wed Apr 24, 2013 12:37 pm

How to find if there is a symlink attack:
ls /var/cpanel/users | grep -v "\`\|\.\|cpanel\|root\|mysql\|nobody" | while read CPUSER; do find /home/$CPUSER -type l -not \( -lname "/home/$CPUSER/*" -o -lname "*rvsitebuilder*" -o -lname "[^/]*" -o -lname "/usr/local/apache/domlogs/*" -o -lname "/usr/local/urchin/*" \) ; done

Symlink attack can be prevented to an extent by editing the below lines in the Apache configuration file. Each server might have a different value depending on how Apache was configured, and you can change that to:

<Directory "/">
# Every keyword carries a sign: Apache 2.4 rejects an Options line that mixes +/- and bare keywords
Options +ExecCGI -FollowSymLinks +Includes +IncludesNOEXEC +Indexes -MultiViews +SymLinksIfOwnerMatch
AllowOverride AuthConfig FileInfo Limit Indexes Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,SymLinksIfOwnerMatch,MultiViews
</Directory>
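Added example, not part of the original post: the one-liner in the post excludes every relative link through -lname "[^/]*", so a link whose target is ../../otheraccount/public_html/config.php is never reported. The function below resolves each link first and reports those whose resolved target lies outside the account's home. The name scan_homes, its output format and the availability of readlink -f are assumptions.

```shell
# scan_homes BASE   (hypothetical helper, added for illustration)
#   BASE holds one home directory per account (/home on the servers
#   the post describes).
#   Prints one line per offending link: account<TAB>link<TAB>target
scan_homes() {
    # Canonicalise BASE so prefix comparison works even if BASE is a link.
    base=$(readlink -f -- "$1") || return 1
    for home in "$base"/*/; do
        home=${home%/}
        # Skip non-directories and homes that are themselves symlinks.
        [ -d "$home" ] && [ ! -L "$home" ] || continue
        # find does not follow links by default, so each link is listed
        # once and the walk never leaves the account's own tree.
        find "$home" -type l -exec sh -c '
            home=$1; shift
            for link in "$@"; do
                # Resolve relative targets and link chains; if the target
                # cannot be resolved, fall back to the raw link text.
                target=$(readlink -f -- "$link" 2>/dev/null) ||
                    target=$(readlink -- "$link")
                case "$target" in
                    "$home"|"$home"/*) ;;   # stays inside the account
                    *) printf "%s\t%s\t%s\n" "${home##*/}" "$link" "$target" ;;
                esac
            done
        ' sh "$home" {} +
    done
}
```

Run it as root with `scan_homes /home`; exclusions such as the domlogs and rvsitebuilder paths from the post can be applied by filtering the third column.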