Symlink attack in cPanel server

Compromised Symlink Removal

What are symlinks?

In computing, a symbolic link (also symlink or soft link) is a special type of file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution.

What is Symlink Race Condition Vulnerability?

If you enable both of the configuration settings SymLinksIfOwnerMatch and FollowSymLinks, Apache will be vulnerable to a race condition through symlinks. This symlink vulnerability allows a malicious user to serve files from anywhere on the server that is not protected by strict OS-level permissions. A security vulnerability!

We need to enable both settings because certain web applications require them, which subjects our servers to this vulnerability. As such, we have a script that runs every Sunday which outputs a list of symlinks, and we are required to remove any that point to the root (/) directory.

Script to find symlink hack (the second command counts the symlinks per account, i.e. per /home/<user>):
find /home/*/public_html -type l -printf '%p -> %l\n' > /root/symlink.txt
cat /root/symlink.txt | cut -d/ -f1-3 | sort | uniq -c | sort -n

Example:

/home/mvtheark/public_html/media/sym/root -> /

How do I clear it off?

Always be very careful when you are clearing off symlinks! A wrong move may either remove the contents of another account or remove the whole root.

Based on the above example, you would want to run the following commands to remove the symlink properly.

cd /home/mvtheark/public_html/media/sym/
rm -f *          (the quicker method)

or, one file at a time:

rm -f root
rm -f .htaccess
cd ..
rmdir sym/       (the directory sym has to be empty in order to remove it)

Note that when you remove the symlink to root, i.e. rm -f root, there is no -r flag (non-recursive) and no trailing slash after the name.

This is because if you do add either of them, be prepared for the shock of a lifetime, for yourself and for your colleagues, because you will either remove the contents of another account or remove the whole root, depending on where the symlink leads.

Once the above steps have been completed, the symlink removal is considered done. No other actions should be necessary with regard to the removal of symlinks.
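The weekly check and the removal step above, written out as a small POSIX shell audit script. This is an added example and not the script from the original article; it takes the home root as a parameter so it can be tried in a scratch directory, reports every symlink under an account's public_html whose target resolves outside that account's home (such as a link to /), and removes only the link inode itself.

```shell
#!/bin/sh
# Added example, not from the original article: audit the symlinks under each
# account's public_html and report the ones whose target resolves outside that
# account's home (for example a link to /), then remove only the link itself.
# The home root is a parameter so the functions can be exercised in a scratch dir.

# Print "link -> resolved target" for every symlink under $1/*/public_html
# whose target lies outside the owning account's home directory.
find_escaping_symlinks() {
    home_root=$(readlink -f -- "$1") || return 1
    find "$home_root"/*/public_html -type l 2>/dev/null | while IFS= read -r link; do
        # the account name is the first path component below home_root
        acct=${link#"$home_root"/}
        acct=${acct%%/*}
        acct_home=$home_root/$acct
        # canonicalise the target; relative and chained links are followed
        target=$(readlink -f -- "$link") || continue
        case $target in
            "$acct_home" | "$acct_home"/*) ;;            # stays inside the account
            *) printf '%s -> %s\n' "$link" "$target" ;;  # escapes: report it
        esac
    done
}

# Delete the link inode only. A trailing slash is stripped and -r is never
# used, so the directory the link points at is left untouched.
remove_symlink() {
    link=${1%/}
    [ -L "$link" ] || return 1
    rm -f -- "$link"
}

# When run directly with a home root (e.g. /home), report offending links.
if [ $# -gt 0 ]; then
    find_escaping_symlinks "$1"
fi
```

Review the reported list before deleting anything; remove_symlink refuses to act on anything that is not a symlink, which is the guard the rm -r / trailing-slash warning above is about.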

Go ahead and secure the server. Ensure you have covered the following.

- Install ModSecurity on the server.
- Ensure the current PHP handler is set to suPHP.
- Conduct a scan to find all symlink files in /home and verify them with the command ==> find /home/*/public_html -type l
- Conduct a rootkit scan and check whether any binaries have been modified.
- Check with the client, and if they don't need symlinks server-wide, go ahead and disable symlinks in the Apache config (SymLinksIfOwnerMatch); otherwise disable them in the infected account.
- Check whether any account has shell access enabled; if so, cross-check with the client and disable it.
- Harden PHP with a per-user open_basedir (WHM > PHP open_basedir Tweak).