Greetings from Nixlinux,
I really need to share this with you guys, as I got scared last week by an issue reported by a close friend. He was working on a shared server and had been studying symlinks, so just for fun he ran a command on the server to list the symlinks on it. The result was suspicious: there were thousands of symlinks under many accounts. It was a cPanel server with about 800 websites running on it.
If you do not have much of an idea about what a symbolic link is, I will try to shed some light on it. Pardon my ignorance, I am also a Linux kid. 🙂
A symbolic link, also known as a soft link, is a special file that refers to another file by name. It does not contain any data itself but points to a real file that holds the data. You can compare it with a shortcut on a Windows or Macintosh machine: when you click on a shortcut, it opens the contents of the real file.
When you delete the target file, the symbolic links to it become unusable; such symlinks are said to be broken.
To create a symbolic link in Unix/Linux, at the prompt, enter:
ln -s source_file myfile
In the above command, replace source_file with the name of the existing file for which you want to create the symbolic link (this can be any existing file or directory across the file systems). Replace myfile with the name of the symbolic link.
How do I delete a symbolic link?
rm {link-name}
This removes only the link itself; the file it points to is left untouched.
Let’s come to the topic. A symlink attack is normally done by creating symlinks to secured or important files of the system.
For example, if the server’s security is weak, or if the web server is allowed to follow symlinks, a user can create a symlink that points to /etc/passwd or /etc/shadow. This lets the attacker steal data and user information from the server, which is very, very dangerous: once the attacker has all the usernames he can brute-force the server, especially if it is a cPanel server.
Checking for symlinks and deleting them one by one is not at all an easy task for admins, but we can set up alerts using a small shell script. Please find it below: the script checks for symlinks and mails you the account names under which symlinks are present.
SHELL SCRIPT TO PREVENT SYMLINK ATTACK:
I named the script “symlnk_police.sh” 😉

#!/bin/bash
# symlnk_police.sh: list every symlink under each account's public_html
# and mail the admin the names of the accounts that have them
find /home/*/public_html/ -type l > /root/symlinks.txt
# the 3rd "/"-separated field of /home/<account>/public_html/... is the account
# name; sort before collapsing so every duplicate is removed, not only adjacent ones
cut -d"/" -f3 /root/symlinks.txt | sort -u > /root/out.txt
# send nothing when no symlinks were found
[ -s /root/out.txt ] || exit 0
{ echo "ATTENTION: symlinks found under these accounts:"; cat /root/out.txt; } |
    mail -s "symlinks found in $(hostname)" user@domain.com
You can modify the script with the line below if you want to delete the symlinks at the time they are found (without -L: with -L, find examines the link’s target, so -type l would then match only broken links):
find /path/to/check -type l -delete
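As an added example (not part of the original post), here is a script that goes one step further than symlnk_police.sh: instead of only listing symlinks, it classifies each one by where it resolves, so that links escaping the owning account’s home (the pattern described above) are separated from links that stay inside it, which are often legitimate and would break a site if deleted. It assumes the /home/<account>/public_html layout the original script uses; HOME_ROOT is an assumed variable so the same code can run against a test tree.

```shell
#!/bin/sh
# Added example (not part of the original post): classify every symlink found
# under public_html by where it resolves. A link whose target lies outside the
# owning account's home (another account's files, /etc/passwd, /etc/shadow) is
# the symlink-attack pattern and is flagged ESCAPE; a link that stays inside the
# account's own home is INTERNAL and deserves a look before anything is deleted.
# Assumes the cPanel layout /home/<account>/public_html from the original
# script; HOME_ROOT is an assumed variable so the code can run on a test tree.

HOME_ROOT="${HOME_ROOT:-/home}"

# classify_link LINK -> prints "VERDICT ACCOUNT LINK -> TARGET"
# VERDICT is ESCAPE, BROKEN (target does not exist) or INTERNAL
classify_link() {
    link=$1
    rel=${link#"$HOME_ROOT"/}      # "/home/alice/public_html/x" -> "alice/public_html/x"
    account=${rel%%/*}             # first component is the account name
    acct_home=$HOME_ROOT/$account
    # readlink -f follows the whole chain of links to the final path
    target=$(readlink -f "$link" 2>/dev/null) || target=""
    if [ -z "$target" ] || [ ! -e "$target" ]; then
        printf 'BROKEN %s %s -> %s\n' "$account" "$link" "$(readlink "$link")"
        return 0
    fi
    case $target in
        "$acct_home"/*) verdict=INTERNAL ;;
        *)              verdict=ESCAPE ;;
    esac
    printf '%s %s %s -> %s\n' "$verdict" "$account" "$link" "$target"
}

# scan_accounts -> one classified line per symlink under any account's public_html
scan_accounts() {
    find "$HOME_ROOT"/*/public_html -type l -print 2>/dev/null |
        while IFS= read -r link; do classify_link "$link"; done
}

# To alert only on the dangerous ones, feed the ESCAPE lines to the mail command
# from the original script:
# scan_accounts | grep '^ESCAPE' | mail -s "symlink escapes on $(hostname)" user@domain.com
```

Run it as root on the real server with HOME_ROOT left at its default of /home; the cron entry from the original script works unchanged for it.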
You can run the script on the server with the help of a cron job; I run it every morning at 8:30 AM. The cron entry for it is shown below.
30 08 * * * sh /root/symlnk_police.sh
That’s all guys, thank you! 🙂
Please post your views in the comment section, I would be happy to check it! 🙂