I've been watching this one for a while and wanted to share about it as I think it's critical to being able to provide secure hosting going forward. At the time of writing, my guesstimate is that around 40% of hosts have been hit widely by this exploit. The really scary thing is the evidence I'm seeing that even very large hosts are being hit by it!
In case you haven't heard of it, here's a quick summary:
- Hacker exploits one account on your server through conventional means - outdated WordPress or other CMS files, or stolen FTP password.
- They then access /etc/passwd and generate a series of symlinks to other accounts of the form fred.txt --> /home/account/public_html/wp-config.php
- They then visit the fred.txt file as a URL, which shows them the wp-config.php file in plaintext, giving them the database username and password for the other account
- If the user has re-used their cPanel password as a database password, they then have access to cPanel
- They repeat this process until they have checked every single account on the server, looking for wp-config.php, configuration.php, etc.
- Hey presto - a single account hack has been escalated to 70% of the sites on your server
Personally I think this is the most dangerous exploit method in the history of shared Apache webhosting since the old suphp/nobody exploit.
Also, the methodology here works via methods other than symlinks, which I prefer not to share as I don't want to give anyone ideas.
In a way, this isn't new, but what's happening now is that the scale of it and the automation attached to it has multiplied.
I've written this up at my blogs, including patches for Apache and some scripts to change modes on your .php files to keep them safe - see this URL: http://whmscripts.net/misc/2013/apac...ssue-fixpatch/
If you're looking for a simpler intro to what this is all about, see this link: http://blog.whitedoggreenfrog.com/20...ting-industry/
The whmscripts link will also take you through to an overly long discussion at cpanel and another patch being developed which eliminates the race condition that can be used to work around the other patch.
Perhaps it's just me, but I've found cPanel's attitude to this issue to be deeply disappointing. Of course, it's not their code, but they distribute an integrated system based on Apache and they're too lazy to apply a fix? When thousands of hosts are getting hacked? I don't get it - they've patched Apache for other things before. Anyway, rant mode off ... sorry
I can't encourage you strongly enough to apply both the patch and the permission workaround. There are many hundreds of thousands of hosts hacked by this worldwide at present; you don't want yourself or your customers to be a victim when 30 minutes' work will save your server!
So, perhaps I'm being sensational? What have others found happening in the wild? Otherwise unexplainable hacks on servers are a good clue!
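As an added example (not the script from the post's blog, nor anything from cPanel), here is a small POSIX shell audit for the pattern described in the list above: it walks a cPanel-style layout of `<home_root>/<account>/public_html`, reports every symlink that resolves outside the owning account's home, and applies the permission tightening the post recommends to wp-config.php and configuration.php. The account names, the temporary demo tree and the `home_root` parameter are constructed for the demonstration; on a real server you would point it at /home.

```shell
#!/bin/sh
# Added example, not the script from the post's blog. Audits a cPanel-style
# layout of <home_root>/<account>/public_html for the pattern described in
# the post: a symlink planted in one account's docroot that resolves into
# another account's home (or anywhere else outside the owner's home, such as
# /etc/passwd).

# Print "<link> -> <resolved target>" for every symlink under an account's
# public_html whose target lies outside that account's own home directory.
find_cross_account_symlinks() {
    home_root="$1"
    for acct_dir in "$home_root"/*/; do
        # Canonicalise the account path so the prefix comparison below is exact.
        acct=$(readlink -f "${acct_dir%/}") || continue
        docroot="$acct/public_html"
        [ -d "$docroot" ] || continue
        find "$docroot" -type l 2>/dev/null | while IFS= read -r link; do
            target=$(readlink -f "$link" 2>/dev/null) || continue
            case "$target" in
                "$acct"/*) ;;                     # stays inside the owner's home: benign
                *) printf '%s -> %s\n' "$link" "$target" ;;
            esac
        done
    done
}

# The permission workaround the post recommends: make CMS config files
# readable only by their owner, so a symlink served from another account
# cannot expose the database credentials inside them.
lock_config_files() {
    find "$1" -path '*/public_html/*' -type f \
        \( -name 'wp-config.php' -o -name 'configuration.php' \) \
        -exec chmod 600 {} + 2>/dev/null
    return 0
}

# Constructed demo tree (a temp dir standing in for /home): "alice" is the
# compromised account and has planted two symlinks; "bob" has a benign one
# that stays within his own home and must not be flagged.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/alice/public_html" "$root/bob/public_html/assets" "$root/bob/public_html/img"
    printf '<?php define("DB_PASSWORD", "demo-secret");\n' > "$root/bob/public_html/wp-config.php"
    chmod 644 "$root/bob/public_html/wp-config.php"
    ln -s "$root/bob/public_html/wp-config.php" "$root/alice/public_html/fred.txt"
    ln -s /etc/passwd "$root/alice/public_html/passwd.txt"
    ln -s "$root/bob/public_html/img" "$root/bob/public_html/assets/images"
    printf '%s\n' "$root"
}

# Stand-alone run: build the demo, audit it, tighten permissions, clean up.
demo=$(make_demo_tree)
find_cross_account_symlinks "$demo"
lock_config_files "$demo"
rm -rf "$demo"
```

Run against the demo tree it prints alice's two cross-account links and nothing for bob's in-home link. The audit is a detection aid for spotting accounts that have already been used this way; it does not replace the Apache patch, since a fresh symlink can be created and served between two audit runs.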