Linux one-liner to detect Symlink Attack on web server

The symlink attack is an old favourite and still very much prevalent. This attack usually occurs after the attacker has been able to read the contents of the /etc/passwd file and has enumerated the server’s users.

The attacker then runs a script which blindly builds symbolic links (a bit like shortcuts on Windows or Aliases on a Mac) to locations where configuration files for commonly used CMS might be kept in each user’s home directory. For example,

  • WordPress config files are typically found at /home/user/public_html/wp-config.php
  • Joomla config files are typically found at /home/user/public_html/configuration.php
  • Magento config files are typically found at /home/user/public_html/app/etc/local.xml

It’s a numbers game: in most cases the symlinks created will point to nothing at all, but on a server with hundreds of users it is likely that a number of hits will occur. A hit is only useful to the attacker if the permissions on the target file allow the world to read it, i.e. if the right-most number that makes up the chmod permissions is anything more than 1.

Detecting the symlink attack

Many hosts use CageFS or other systems that prevent this kind of attack from occurring. But if you are running a server without such measures, then this one-liner will help you track down any symlinks in your user accounts that link to files belonging to other user accounts.

While this may give the odd false positive, depending on your server’s configuration, if you do have a symlink attack it will almost certainly leave you in no doubt, as such attacks usually produce pages and pages of results. Investigate everything. Enjoy!
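The following script is an added example, not the post’s own one-liner. It walks a directory tree such as /home, examines every symlink, and reports links whose target is owned by a different uid than the link itself (the signature described above), noting whether the target is world-readable; dangling links are listed separately. It assumes Linux with GNU or busybox coreutils (stat -c, readlink).

```shell
#!/bin/sh
# Audit a tree for symlinks that point at files owned by another user.
# Assumes GNU/busybox coreutils: stat -c / stat -L and readlink.

# Print one line per suspicious link:
#   MISMATCH <link> -> <target> (link uid=A target uid=B world-readable=yes|no)
# and one per dangling link:
#   DANGLING <link> -> <target>
# Links whose target has the same owner as the link are not printed.
find_cross_owner_symlinks() {
    root="$1"
    # -type l matches the link itself; find does not follow links by default
    find "$root" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink "$link")
        link_uid=$(stat -c %u "$link")
        # stat -L follows the link; it fails when the target does not exist
        if target_uid=$(stat -L -c %u "$link" 2>/dev/null); then
            if [ "$link_uid" != "$target_uid" ]; then
                # last octal digit of the mode is the 'other' class; 4 and up include read
                mode=$(stat -L -c %a "$link")
                other=${mode#"${mode%?}"}
                if [ "$other" -ge 4 ]; then readable=yes; else readable=no; fi
                printf 'MISMATCH %s -> %s (link uid=%s target uid=%s world-readable=%s)\n' \
                    "$link" "$target" "$link_uid" "$target_uid" "$readable"
            fi
        else
            printf 'DANGLING %s -> %s\n' "$link" "$target"
        fi
    done
}

# Number of cross-owner links under a tree (prints 0 when there are none).
count_cross_owner_symlinks() {
    find_cross_owner_symlinks "$1" | grep -c '^MISMATCH' || true
}

# Usage: sh symlink-audit.sh /home
if [ -n "$1" ]; then
    find_cross_owner_symlinks "$1"
fi
```

Run it as root so every home directory is readable; on a busy shared host expect a few DANGLING lines from stale links, while a burst of MISMATCH lines pointing at other users’ config files is the pattern to investigate.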

Preventing symlink attacks

While the following steps won’t actually prevent an attacker from creating symlinks, they will prevent the attacker from using Apache to access and take advantage of them.

You can configure Apache so that the SymLinksIfOwnerMatch directive is allowed instead of the FollowSymLinks directive in .htaccess files. The two otherwise behave alike, but the former only lets Apache follow a link if the target file has the same owner as the link.

For a cPanel server, go to WHM Main >> Service Configuration >> Apache Configuration >> Global Configuration, where you will find the settings for Directory “/” Options. Tick SymLinksIfOwnerMatch and untick FollowSymLinks.

For other Apache servers, just include this before the virtual hosts in httpd.conf, and don’t forget to restart Apache afterwards.

This might break some scripts, like Joomla, which use the FollowSymLinks directive in their standard .htaccess files. To avoid problems after implementing the above restrictions, you can search for FollowSymLinks and replace it with SymLinksIfOwnerMatch across all of your user accounts with this one-liner:

