cPanel Admin Help: Server Hardening
Exploit Removal Instructions
From LT's Forums
The following is a first step in finding and removing exploits and root kits on a Linux or BSD system.
- EXECUTE THE FOLLOWING COMMANDS TO HELP PREVENT UPLOADS OF EXPLOITS (mode 0750 on the root-owned download tools stops the 'nobody' user and other unprivileged accounts from running them; note that this is only a speed bump, since an attacker who can run perl, php or python can still fetch files with those):
chmod 0750 `which curl` 2>&-; chmod 0750 `which fetch` 2>&-; chmod 0750 `which wget` 2>&-
- EXECUTE THE FOLLOWING COMMANDS TO CHECK FOR POSSIBLE EXISTING EXPLOITS (Bourne-shell syntax; on BSD, where root's login shell is csh, start sh first as shown):
sh
: > exploits.txt
for x in /dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp; do ls -loAFR $x 2>&- | grep -E "^$|^/| apache | nobody | unknown | www | web | htdocs " | grep -E "^$|^/|/$|\*$|\.pl$" | grep -Ev "sess_" | tee -a exploits.txt; done
printf "\n\nPossible Exploit Files and Directories: %s\n" "$(grep -Ev '^$|^/' exploits.txt | wc -l | tr -d ' ')" | tee -a exploits.txt
exit
The listing keeps only entries owned by the web-server users (apache, nobody, www and so on) under the world-writable and spool directories. Lines ending with an asterisk '*' (executable, as marked by ls -F), '.pl' (Perl script) or a slash '/' (directory) are possible exploit files or directories which should be investigated and removed, followed by rebooting the server to kill any running exploit processes. Before rebooting, record the running processes and listening sockets (ps, netstat), since a reboot destroys that evidence. You can refer to the exploits.txt file generated by the above commands for later reference.
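The same sweep written with find(1) instead of grepping ls output, as an added example that is not code from the original page. It is safe for filenames containing spaces, tests owner and permission bits directly, and also lists processes whose executable lives in one of the scanned directories (Linux /proc only) so they can be recorded before the reboot. SUSPECT_USERS and SCAN_DIRS are assumed defaults and can be overridden from the environment; users that do not exist on the host are dropped because GNU find aborts on an unknown -user name.

```shell
#!/bin/sh
# Added example, not from the original page: find-based sweep of the temp
# directories for executable or Perl files owned by the web-server users.
# SUSPECT_USERS and SCAN_DIRS are assumed defaults; override via environment.

SUSPECT_USERS="${SUSPECT_USERS:-nobody apache www unknown}"
SCAN_DIRS="${SCAN_DIRS:-/dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp}"

# find_suspect_files: print regular files in SCAN_DIRS owned by one of
# SUSPECT_USERS that carry any execute bit or end in .pl, skipping PHP
# session files (sess_*). Unknown user names are dropped first.
find_suspect_files() {
    set --
    for u in $SUSPECT_USERS; do
        id -u "$u" >/dev/null 2>&1 || continue
        if [ $# -eq 0 ]; then set -- -user "$u"; else set -- "$@" -o -user "$u"; fi
    done
    [ $# -gt 0 ] || return 0
    for d in $SCAN_DIRS; do
        [ -d "$d" ] || continue
        find "$d" -type f \( "$@" \) \
            \( -perm -u+x -o -perm -g+x -o -perm -o+x -o -name '*.pl' \) \
            ! -name 'sess_*' -print 2>/dev/null
    done
}

# count_suspect_files: number of files find_suspect_files reports.
count_suspect_files() {
    find_suspect_files | wc -l | tr -d ' '
}

# suspect_processes: "PID EXE" for every process whose executable lives in
# one of SCAN_DIRS (readlink still shows the path after the file is deleted).
suspect_processes() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        for d in $SCAN_DIRS; do
            case "$exe" in
                "$d"/*) echo "${p#/proc/} $exe" ;;
            esac
        done
    done
}

# Usage: sh this_script.sh --run   (writes exploits.txt like the original)
if [ "${1:-}" = "--run" ]; then
    find_suspect_files | tee exploits.txt
    printf '\nPossible exploit files: %s\n' "$(count_suspect_files)" | tee -a exploits.txt
    suspect_processes
fi
```

Run it as root with --run to get the same exploits.txt the original one-liner produces; the process list is the part worth saving before the reboot the instructions call for.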
- You should also install and run the program called rkhunter.
Rootkit Hunter (rkhunter) is a scanning tool that checks a system for known rootkits, backdoors and local exploits. It is a useful check but not a guarantee: it only finds what its signatures and heuristics cover.
This tool scans for rootkits, backdoors and local exploits by running tests like:
- MD5/SHA1 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspicious strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
On BSD systems (rehash is a csh/tcsh command, which is root's login shell on FreeBSD):
cd /usr/ports/security/rkhunter; make install clean; rehash; rkhunter -c
(or for help with rkhunter arguments do: rkhunter -h)
On RedHat, Fedora, CentOS systems (the package comes from the EPEL repository on RHEL and CentOS):
yum -y install rkhunter; rkhunter -c
(or for help with rkhunter arguments do: rkhunter -h)
Take rkhunter's file-properties baseline on a system you know to be clean: the hash comparison is only as trustworthy as the baseline, and one taken on an already-compromised server will whitelist the attacker's binaries.
If you cannot do this yourself, have a third-party company do it.
If the server has been compromised and you cannot be confident that it is clean, issue a Reload Request (OS reinstall) for your system rather than trying to clean it in place.
WHM (CPanel) Hardening Guide
You should configure the following in your WHM (CPanel):
Main >
Server Configuration >
Tweak Settings
- Prevent the user 'nobody' from sending out mail to remote addresses. PHP and CGI scripts run as 'nobody' unless you are using phpSuExec and suEXEC respectively, so without them this setting blocks all outbound mail from every site's scripts.
- MAKE SURE YOU ARE RUNNING phpSuExec if you enable this!!!
- Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
Main >
Security >
Fix Insecure Permissions (Scripts)
Main >
Security >
Tweak Security
"Compilers are disabled for unprivileged users"
Main >
Service Configuration >
Enable/Disable SuExec
suexec Status "enabled"
Main >
Account Functions >
Disable or Enable Demo Mode
Select from "Users" the "demo" account and click "Modify" then click "Disable" if it exists
Anti-Spam
See rvskin and the archived text.
External mail
- Edit the DNS zone to change the MX record. An MX target must be a hostname, never an IP address, so if an IP is what the client has, first create an A record for it (e.g. 'exchange') and then put that name in the MX record as a fully qualified name (e.g. exchange.domain.com. - remember the dot at the end, otherwise BIND appends the zone origin). When done, restart BIND.
- Remove the domain from the /etc/localdomains file on the server, so that exim delivers its mail via the MX instead of to local mailboxes.
- Add the domain to /etc/remotedomains, which makes sure that cPanel doesn't add it back to the localdomains file in scripts such as mailperm.
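The external-mail change above as shell functions, added here as an example and not code from the original page or from cPanel. The localdomains and remotedomains paths are parameters (defaulting to the /etc files named above) so the change can be rehearsed on copies first; the DNS records are printed rather than written, because the zone file layout varies, and the MX target is checked to be a hostname with a trailing dot rather than an IP literal. The domain and address in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: move a domain's mail to an
# external MX. Paths default to cPanel's /etc/localdomains and
# /etc/remotedomains but can be overridden for testing.

# is_ipv4 STRING: succeeds if STRING is a dotted-quad IPv4 literal
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# mx_records DOMAIN HOSTLABEL IP
# Prints the A record for HOSTLABEL and an MX record pointing at it.
# The MX target must be a hostname (never an IP) and is written as a
# FQDN with the trailing dot so BIND does not append the origin again.
mx_records() {
    domain=$1 label=$2 ip=$3
    if ! is_ipv4 "$ip"; then
        echo "mx_records: '$ip' is not an IPv4 address" >&2
        return 1
    fi
    if is_ipv4 "$label"; then
        echo "mx_records: MX target must be a hostname, not an IP" >&2
        return 1
    fi
    printf '%s\tIN\tA\t%s\n' "$label" "$ip"
    printf '%s.\tIN\tMX\t10\t%s.%s.\n' "$domain" "$label" "$domain"
}

# set_remote_domain DOMAIN [LOCALDOMAINS] [REMOTEDOMAINS]
# Removes DOMAIN from localdomains and adds it (once) to remotedomains,
# so exim routes the domain via MX and cPanel's scripts (mailperm) do
# not put it back into localdomains. Idempotent.
set_remote_domain() {
    domain=$1
    local_f=${2:-/etc/localdomains}
    remote_f=${3:-/etc/remotedomains}
    [ -f "$local_f" ] || : > "$local_f"
    [ -f "$remote_f" ] || : > "$remote_f"
    tmp=$(mktemp) || return 1
    # grep exits 1 when nothing is left, which is not an error here
    grep -Fvx "$domain" "$local_f" > "$tmp" || [ $? -eq 1 ] || return 1
    cat "$tmp" > "$local_f"      # rewrite in place to keep owner and mode
    rm -f "$tmp"
    grep -Fqx "$domain" "$remote_f" || printf '%s\n' "$domain" >> "$remote_f"
}

# Usage (constructed names): print the records to paste into the zone,
# then flip the domain to remote delivery and restart BIND yourself:
#   mx_records client.example exchange 203.0.113.10
#   set_remote_domain client.example
```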