On 19 Jun 2014, at 21:52, Matt <matt@xerad.com> wrote:

Lately I've been having some security issues with some software I am using. I believe the software might have some type of exploit that allows files to be uploaded to its root directory. I don't want to say the name of the software at this point until that vendor has fully checked into it, but as a temporary solution I thought it might be possible to restrict the file names of PHP files that are allowed to run under my cPanel account. Is this possible?

You can certainly do this with ModSecurity, but it might be tedious to write the necessary rules for it, especially if you have a complex web application with a bad URL structure/API, which are most of them. In this situation, it might be easier to write a .htaccess file (assuming you are using Apache) which lists the allowed URIs and denies requests for everyone else.

Your web root directory should generally not be writable by the webserver, especially when running PHP that makes it easy to place executable code there. A normal user should own the directory and files, and they should not be writable by others. Maybe you must have some uploads directory that needs to have writability, but then only make that directory writable and protect it so that only safe extensions (image/txt…) are allowed. Again this could be done with ModSecurity rules or perhaps quicker with a .htaccess file.

However, the actual vulnerability lies in the software that put the files there. If it's a web application creating the files, the rogue files will be owned by the web server process owner. Do a find for all files which are owned by that user and maybe you'll find more rogue uploads. (I've seen Windows users getting a botnet infection that immediately attacked all their stored FTP passwords, so don't forget that the files could have gotten there in another way.)

If it's the webserver that created the file, you might be able to find the script by looking at the file creation times of rogue files you discovered. Hopefully, you'll find in the access_logs of your web server the scripts that were requested around those times.

Walter Hop | PGP key: https://lifeforms.nl/pgp
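An example of the allowlist-style .htaccess setup the reply describes, added here for illustration (it is not Walter's or the list's own configuration). It assumes Apache 2.4 `Require` syntax, mod_php, an `AllowOverride` that permits these directives, and hypothetical entry points `index.php` and `api.php` under `/var/www/example`:

```apache
# --- /var/www/example/.htaccess (web root, not writable by the webserver) ---
# Added example; the paths and entry-point names are assumptions.

# 1. Refuse every PHP-like file by default. The trailing (\.|$) also catches
#    double extensions such as shell.php.jpg, and (?i) makes it case-insensitive.
<FilesMatch "(?i)\.(php|phtml|phar|php[0-9])(\.|$)">
    Require all denied
</FilesMatch>

# 2. Re-allow only the application's known entry points. Later <Files>
#    sections are merged after earlier ones, so these grants take precedence.
<Files "index.php">
    Require all granted
</Files>
<Files "api.php">
    Require all granted
</Files>

# --- /var/www/example/uploads/.htaccess (the single writable directory) ---
# Nothing in here may ever execute, whatever it is named.
# php_flag only takes effect with mod_php; with PHP-FPM, restrict the
# handler in the vhost (and security.limit_extensions in the pool) instead.
php_flag engine off
RemoveHandler .php .phtml .phar .php3 .php5 .php7
RemoveType    .php .phtml .phar .php3 .php5 .php7
SetHandler default-handler
Options -ExecCGI -Indexes

# Serve only the extensions uploads are expected to carry; anything else
# that was written to disk is refused rather than delivered or executed.
Require all denied
<FilesMatch "(?i)\.(jpe?g|png|gif|txt|pdf)$">
    Require all granted
</FilesMatch>
```

Check the result with a request for a known entry point (expect 200) and for a `.php` file in `uploads/` (expect 403) before relying on it; an `AllowOverride None` in the vhost silently ignores the whole file.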