

20 Apr 2012

How Hackers Are Hacking Into Websites On Shared Hosts - Symlink Bypass

You might have noticed a tremendous increase in the number of attacks on WordPress and Joomla blogs and other content management systems. Instead of targeting the CMS itself (WordPress or Joomla), the hackers are targeting any vulnerable website on the same server. Once they gain access to a single vulnerable website on that server, they upload a shell and, with a method called "Symlink Bypass", they extract the configuration files of another website hosted on the same server. Later, using a simple MySQL interface, they connect to that website's database.

What Is Symlink Bypass?

Well, I would not like to go into much detail. For your understanding, all you need to know is that a symlink is a way of referencing other files and folders on Linux, just like a shortcut on Windows. Symlinks are necessary in order to make Linux work faster. Symlink bypassing, however, is a method used to access folders on a server which the user is not permitted to access. For example, the home directory can only be accessed by a root-level user, but with symlink bypass you can touch files inside the home directory.


Step 1 - The hacker searches for a vulnerable website on a server. A hacker can get a list of domains on a web server by doing a reverse IP lookup.

Step 2 - Next the hacker hacks into any vulnerable website on the server and uploads a PHP shell.


Step 3 - The above picture demonstrates two files, one named .htaccess and the second named jaugar.izri, being uploaded to the server. Here is what jaugar.izri looks like when it is made public by setting 0755 permissions.



Step 4 - The hacker connects to the izri script and then gives the following commands
Note: Password is jaguarhackerpro

mkdir 1111
cd 1111
ln -s / root
ls -la /etc/valiases/(site.com)


The first command creates a directory named 1111 (mkdir 1111). The next command navigates into that directory (cd 1111). The third command creates a symlink named root that points at the filesystem root (/). The fourth command reveals the username of the website whose domain you put in place of site.com.


The target website is entered in ls -la /etc/valiases/site.com.


The above screenshot explains the whole story. The hacker then navigates to the "1111" directory, where the configuration file of the target website is now reachable. The hacker downloads the configuration files and uses the information to access the database, where he can make any changes.

Download Link : http://www.4shared.com/rar/f4W3bsam/symlink.html
How To Be Protected?

There is not much you can do on your end, other than renaming your config file and moving it to a safer place. If you are worried about your website's security, feel free to contact me.
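From the hosting side, the technique described in this post leaves a recognisable trace: a symlink inside a web-accessible directory (the "1111" folder with its "root" link) whose target resolves outside the account's own home. The following scanner is an added example, not code from this post or from any hosting panel: it walks a document root without following links and reports every symlink that escapes a given allowed root. The directory layout it checks is constructed in a temporary folder so it runs offline; the paths `home/user/public_html` and the link names are assumptions for the demo only.

```python
"""Audit a directory tree for symlinks that resolve outside an allowed root.

Added example (not the post author's code). On a shared host the pattern
described above depends on a link such as `ln -s / root` sitting inside a
web-accessible directory; this scanner flags exactly that kind of link.
"""
import os
import tempfile


def find_escaping_symlinks(docroot, allowed_root):
    """Return sorted (link_path, resolved_target) pairs for every symlink
    under docroot whose resolved target is not inside allowed_root."""
    allowed = os.path.realpath(allowed_root)
    findings = []
    # followlinks=False: a link to / must not make us walk the whole filesystem.
    # Links to directories still show up in dirnames, links to files in filenames.
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            try:
                inside = os.path.commonpath([allowed, target]) == allowed
            except ValueError:
                # Different drives/roots (Windows): cannot be inside, so report it.
                inside = False
            if not inside:
                findings.append((path, target))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample layout (assumed paths, not real host data):
    home/user/public_html holding one harmless in-account link and one
    link to the filesystem root, mirroring the post's "1111/root" pattern."""
    base = tempfile.mkdtemp(prefix="symlink-audit-")
    home = os.path.join(base, "home", "user")
    docroot = os.path.join(home, "public_html")
    os.makedirs(os.path.join(docroot, "1111"))
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<html></html>\n")
    # Benign: relative link that stays inside the same account.
    os.symlink("../index.html", os.path.join(docroot, "1111", "copy.html"))
    # Escaping: a link named "root" that points at /.
    os.symlink("/", os.path.join(docroot, "1111", "root"))
    return home, docroot


def audit_demo():
    """Run the scanner over the constructed tree; returns paths relative to
    the document root so the result is stable across machines."""
    home, docroot = build_demo_tree()
    return [(os.path.relpath(link, docroot), target)
            for link, target in find_escaping_symlinks(docroot, home)]


if __name__ == "__main__":
    for link, target in audit_demo():
        print(f"ESCAPE {link} -> {target}")
```

Run it against a real account by calling `find_escaping_symlinks("/home/user/public_html", "/home/user")`; the benign relative link is ignored and only links leaving the account are listed. A scan like this complements, rather than replaces, serving the site with Apache's `Options SymLinksIfOwnerMatch`, under which a link created by one account is not followed into files owned by another user.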

About The Author:


Aitezaz Mohsin is a security researcher and currently is studying in Class 12th.

8 comments:

  1. What is reverse IP lookup?

    1. You can do this to find other sites hosted on that server

  2. you're really a excellent webmaster. The site loading velocity is amazing. It kind of feels that you are doing any unique trick. Moreover, The contents are masterpiece. you've performed a magnificent
    process on this subject!
    My page http://vayam.org.in/expression/profile/TangelaGcw

  3. Thank you for the good writeup. It in fact was
    a amusement account it. Look advanced to far added agreeable from you!
    By the way, how can we communicate?
    My webpage ; tattoo removal cream

  4. Great information. Lucky me I recently found your site by accident (stumbleupon).
    I have saved as a favorite for later!
    Feel free to surf my web page how to lose man boobs

  5. When I originally commented I clicked the "Notify me when new comments are added" checkbox and now each time a comment is added I get four e-mails
    with the same comment. Is there any way you can remove me from that service?
    Appreciate it!
    Feel free to surf my blog post ... http://www.eggfly.com/profiles/105846

