From a Site Compromise to Full Root Access – Symlinks to Root – Part I

May 23, 2013, by Daniel Cid

When an attacker manages to compromise a website and gain access to it, they are unlikely to stop there; they will aim to gain full root (admin) access to the entire server. If more websites are hosted on the server being attacked, it is likely they will attempt to compromise every single one of them.

How can an attacker escalate their privileges? How can they go from FTP-only access to getting root on the server? In this series of articles we will show some of the techniques attackers are using to go from confined FTP/web access to full root-level access on a server.

1- Symlinking to / (root)

Most shared hosts only provide restricted FTP access to their clients. Within these restricted FTP accounts an end-user can only see the content of their own websites, or shared space. This segmentation provides an additional level of security because end-users cannot use shell access to poke around the server.

However, there is an old technique that we still see often. The attacker links a subdirectory within the website to the root "/" directory, allowing them to browse the whole server. All it takes is a simple PHP command:

symlink("/", "./symroot");

What you see here is the directory symroot linking to the root "/" directory. Some hosts attempt to thwart this type of activity by tightening their PHP settings and restricting file access to the user's home directory only. This can be bypassed if the hosting provider supports custom cron jobs, custom procmail rules or even cgi-bin scripts (yes, we have seen it all). In some cases, attackers can create a custom php.ini file to override the default, more restrictive rules set by the server provider.

In the end, an attacker will take whatever you give them. On most shared servers (even servers on some of the more popular hosting services), attackers can create a symlink like the one we showed above to escalate access. In other cases it's a bit more work, but still very much possible.

Navigating through the file system

It doesn't matter how the attacker manages to link to the root; once they do, they can navigate the file system using a plain old browser. In most of the attacks we're seeing, attackers also add a .htaccess file that treats all files as plain text. The danger is that all files can then be viewed remotely.

Here is an example from a compromised server where the directory /sym was created and a file named root was added linking to /:

ncftp /www/ > cd sym
OK. Current directory is /www/sym
ncftp /www/sym > ls -la
drwxr-xr-x  2 userX userX 4096 May 19 10:47 .
drwxr-xr-x 36 userX userX 4096 May 19 10:47 ..
-rw-r--r--  1 userX userX  175 May 19 10:47 .htaccess
lrwxrwxrwx  1 userX userX    1 May 19 10:47 root -> /

If you look at the .htaccess file, it has custom rules to treat all .php, .conf, .sql and .log files as plain text, so their content is visible in a regular browser:

Options all
DirectoryIndex Sux.html
AddType text/plain .php
AddType text/plain .conf
AddType text/plain .sql
AddType text/plain .log
AddHandler server-parsed .php
AddHandler txt .html
Require None
Satisfy Any

If you try to visit the /sym/root directory via the browser, this is what you get:

[Screenshot: Symlink to root]

Pretty awesome to see that you get access to all the directories on the server.

The user can even go to /etc/passwd to see the list of users:

[Screenshot: Symlink - password]

That's not even the worst part. They can query configuration files and backup files and use these to try to steal the passwords of other users on the server.

Protecting against Symlink attacks

A quick solution for this specific attack is to prevent Apache from following symlinks (Options -FollowSymLinks). You can also prevent end-users from overriding the default security rules (AllowOverride None). If you really need links, you can use the SymLinksIfOwnerMatch option so that Apache only follows links whose target is owned by the same user as the link itself (which rules out /, owned by root).

This alone doesn't solve the whole problem. The client still has PHP access and can simply call opendir("/") and access all directories. To prevent PHP from accessing any file outside of their directory, set open_basedir so PHP only has access to the client's own directory.

Even then, this still doesn't cover all angles if the client also has SSH access, can create custom cron jobs, or if you allow shell execution inside PHP (system, exec, backticks, etc.).
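A hosting administrator who wants to check existing sites for the two artefacts described above (a symlink escaping the web root and a .htaccess that re-types scripts as plain text) can run an audit like the following. This is an added example, not code from the Sucuri post; it builds its own constructed fixture under mktemp and assumes GNU or BusyBox coreutils (readlink -f).

```shell
#!/bin/sh
# Added example, not from the original post: audit a web root for symlinks
# whose target resolves outside the root and for .htaccess files carrying the
# directives seen in the attacker's file (Options all, AddType text/plain for
# script/config extensions, txt or server-parsed handlers).

# Print "link -> target" for every symlink under $1 that resolves outside $1.
# sym/root -> / is reported; an internal link like sym/ok -> ../blog is not.
find_escaping_symlinks() {
  root=$(cd "$1" && pwd -P) || return 1
  find "$root" -type l | while IFS= read -r link; do
    target=$(readlink -f "$link")
    case "$target" in
      "$root"|"$root"/*) ;;                        # stays inside the web root
      *) printf '%s -> %s\n' "$link" "$target" ;;  # escapes it: flag
    esac
  done
}

# Print every .htaccess under $1 that overrides the server's defaults the way
# the attacker's file does.
find_override_htaccess() {
  find "$1" -name .htaccess -type f | while IFS= read -r f; do
    grep -Eiq '^[[:space:]]*(Options[[:space:]].*(all|FollowSymLinks)|AddType[[:space:]]+text/plain[[:space:]]+\.(php|conf|sql|log)|AddHandler[[:space:]]+(txt|server-parsed))' "$f" \
      && printf '%s\n' "$f"
  done
}

# Constructed fixture (not a real site): a fake web root reproducing the /sym
# directory from the post, plus a benign site for contrast. Prints the root.
make_fixture() {
  base=$(mktemp -d) || return 1
  mkdir -p "$base/www/sym" "$base/www/blog"
  ln -s / "$base/www/sym/root"             # the attacker's link to /
  ln -s ../blog "$base/www/sym/ok"         # harmless internal link
  printf 'Options all\nAddType text/plain .php\nAddHandler txt .html\n' \
    > "$base/www/sym/.htaccess"
  printf 'DirectoryIndex index.php\n' > "$base/www/blog/.htaccess"
  printf '%s\n' "$base/www"
}

# Stand-alone run: build the fixture, audit it, clean up.
www=$(make_fixture)
echo "Symlinks escaping $www:";  find_escaping_symlinks "$www"
echo ".htaccess files overriding server defaults:"; find_override_htaccess "$www"
rm -rf "${www%/www}"
```

Point the two functions at a real document root (e.g. a user's public_html) instead of the fixture to audit a live server; both only read the file system.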

Permissions!

The real solution to this problem is setting very tight permissions on your servers, so that even if a bypass is found, attackers won't be able to query or access any critical directories, files, or user information.

In the conclusion of this series, we will show our recommended permissions and setup to help address these issues.

Categories: Security Education, Website Malware Infections, Website Security. Tags: Hacked Websites, Malware Updates, Server Security, Webserver Infections.

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid


Comments

  1. David Claxton

    May 23, 2013

    This is very informative and answers a lot of questions. I am wondering now how to check to make sure my server does not already have this "backdoor" present, since I have had an issue about once a week with server-wide hacks.

    • Daniel Cid

      May 23, 2013

      If you have SSH access to the server, search for symlinks (find ./public_html -type l).

      thanks,

  2. Friv 10

    May 24, 2013

    Yes, I would like to prevent being hacked. The virus is most

  3. Keith Davis

    May 26, 2013

    I'm thinking that I should send a link to this article to my service provider.
    Appreciate the info Daniel.

  4. Friv 4

    May 27, 2013

    I appreciate your article; it has many things that I need to study. Thank you for sharing.

  5. Y8 Games

    May 29, 2013

    "All files can then be viewed remotely." I have had this trouble with my phone. Sometimes my friends receive a link leading to some harmful websites and they get infected with a virus. Could you ever explain this to me?

  6. prh47

    May 30, 2013

    “In the end, an attacker will take whatever you give them.”

    Give them as little as possible.

  7. Sergio Alfaro

    June 1, 2013

    Thanks for sharing this useful information. I arrived here because I am working with Aspiration Hosting and they sent an e-mail offering your products. Very interesting.

  8. friv 3

    June 4, 2013

    Pretty impressive, would probably also sequel to the reader as we await.

  9. anonymous

    July 19, 2013

    How would the initial command execution (creating the symlink) occur with only FTP access?

    • Inquisitor Ehrenstein

      January 15, 2014

      Viewing a PHP file in the browser will execute it, assuming it has the permissions to be executed.

      An attacker could upload a PHP file containing the command and then navigate to it using the browser.

  10. Ebaka

    July 23, 2013

    The whole post is utter nonsense from start to finish) Greetings from Russian hackers!)

  11. friv 2 friv 3 friv 4

    January 24, 2014

    This is very informative and answers a lot of questions. I am wondering now how to check to make sure my server does not already have this "backdoor" present, since I have had an issue about once a week with server-wide hacks.

  12. frivcu

    April 11, 2015

    This is very informative and answers a lot of questions.

  13. Kato Katarsis

    July 26, 2015

    A really good and very well explained article... not another copy/paste. Is there a Part II?
    Thanks for sharing!

  14. sancoLgates

    November 9, 2015

    I like the way you explain... great post!

  15. Sex Kitten Party

    September 6, 2017

    ooooo cute and smart. Me likey

  16. kriya

    October 9, 2017

    Detailed explanation. Very helpful post. Subscribing with a host providing complete website security would be better for one who is not technically sound.
