Hi All,
In the last few weeks, i have experienced some HUGE server hacks being run from compromised websites hosted on our shared hosting webservers.Im a sysadmin at a local web development company in southern africa.
We've been using virtualmin pro for the last 4 years, running on debian web servers...of which we have around 15 high usage webservers at the moment.
The compromises consisted, of server takeover, spamming of addresses using the local smtp server, as well as bruteforcing other webserver using perl scripts.
After doing some major security audits on our servers, i thought i'd post some information that may be of use to other vmin users.
My servers are tightly firewalled, with ports filtered down to individual IP address for services such as ssh and mysql... however, PHP5 based CMS sites such as joomla, mambo etc, are particularly vulnerable to server hacks, because of the availability of 3rd party components and modules that provide doorways for hackers to get into web servers using basic PHP based functions.
Unfortunately, by default Virtualmin and Webmin enable ALL PHP functions on newly installed webservers. And its these very PHP functions that can be a cause of great concern to sysadmins.
A fast way to fix the situation, is to be pro-active and disable dangerous functions on a server wide level. i've put together a list of functions that can be deemed as hazardous below, and i'd recommend that these changes be done on new server installs:
gzinflate, gzdeflate, symlink, apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode
to disable these commands, simply uncomment the following line to the vhosts php.ini file under "disabled functions", then add it as:
disable_functions = "gzinflate, gzdeflate, symlink, apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
then restart apache.
on a new installation of virtualmin, you can add this line to:
/etc/php5/cgi/php.ini
then everytime you create a new vhost on the server, it will add these disabled functions as a default for that particular virtual host when using fcgid or cgi wrapper.
if a website is compromised, and a hacker does try and run any scripts that have functions such as shell_exec (which allows linux shell commands to be executed via PHP), the server will deny that script from running.
i have noticed that these functions disable the functions of legit apps such as phpmailer, which when you think of it, allows php to interface with the sendmail executable directly. it is possible, that a hacker can use these same functions to compromise a web server... so do keep that in mind. In most cases, PHP5 websites/components can be setup to use localhost smtp mail servers instead of phpmailer.
The great thing with virtualmin, is that when using fcgid or cgi wrapper for php execution, is that it allows individual php.ini files for vhosts, so if there is a case where a certain vhost requires a PHP function, that has been disabled, you can just delete the specific function from the list, then reload apache..without worrying about opening up PHP functions for other high risk sites that are residing on the same server.
regards, and all the best.
kt.