This article is written for server administrators, website administrators, security enthusiasts and professional information security staff. It analyses the risks of a shared hosting server.
Let's take a look at some reasons why your website is not so secure on a shared hosting server:
1. If any website on the server is compromised, the other websites on it may be attacked next;
2. A malicious user can simply buy a hosting account from the provider and then attack the other websites on the same server from the inside;
3. A hosting account does not have enough privileges to apply security hardening to Apache and MySQL.
In this article we hope to help you understand some of the common ways attackers break into such servers, so that you can maintain your server's security better.
Reverse IP Lookup
This is one of the first things to do in the information gathering phase: looking up the IP address quickly yields the list of other websites on the same server and prepares the ground for the penetration test that follows.
There are several different methods for reverse IP Lookup:
A. Use a free service website
http://www.yougetsignal.com/tools/web-sites-on-web-server/
B. Use dig on Linux
Usage: dig -x <ip address> +short
Example:
nx4dm1n@:~/Pentest/$ dig -x 74.125.236.1 +short
The following short shell script takes the first three octets of a /24 network as its argument and prints the PTR record for every address in that network:
#!/bin/bash
# reverse-resolve every host address in the /24 given as the first argument
NET=$1
for n in $(seq 1 254); do
    ADDR=${NET}.${n}
    echo -e "${ADDR}\t$(dig -x ${ADDR} +short)"
done
chmod +x subnetscan.sh
./subnetscan.sh <first three octets of the network, e.g. 74.125.236>
Note that a PTR lookup only returns the reverse record the hosting provider has published for each address, normally a single host name, so this script finds the neighbouring hosts on the subnet rather than the full list of virtual hosts that share one IP; for that list you still need the lookup services and search engines of methods A and C.
C. Use a search engine to obtain the domain name list.
Find the CMS program running on the server
Many websites are built by customising or extending a CMS, which makes creating a site easy. However, common CMS programs regularly have security vulnerabilities, and when several different CMS programs run on the same server, the server's attack surface grows accordingly.
Looking at the page source, the robots.txt file, and URL patterns such as the registration and login addresses usually reveals which CMS a site is built on. For example:
<meta name="generator" content="WordPress 3.5.1" /> WordPress homepage meta tag
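A small CMS fingerprinter for saved HTML pages, added here as an example and not code from the original article. It uses the two signals the text describes: the <meta name="generator"> tag, and, when that tag has been stripped, the characteristic paths WordPress and Joomla leave in their markup. The sample pages it writes to a temporary directory are constructed for the demo; the path signatures and the output format are my own choices.

```shell
#!/bin/bash
# Added example: fingerprint a CMS from a saved HTML page.
# In practice the pages come from the reverse IP lookup list, e.g.
#   for d in $(cat domains.txt); do curl -sL "http://$d/" -o "$tmp/$d.html"; done

# cms_fingerprint FILE -> "WordPress 3.5.1", "Joomla 1.5",
#                         "<CMS> (generator tag removed)" or "unknown"
cms_fingerprint() {
    local file=$1 gen ver
    # 1. the generator meta tag, whatever the attribute order or letter case
    gen=$(grep -io '<meta[^>]*name="generator"[^>]*>' "$file" | head -n 1 \
          | grep -io 'content="[^"]*"' | cut -d'"' -f2)
    if [ -n "$gen" ]; then
        case "$gen" in
            WordPress*) echo "$gen" ;;                    # tag already reads "WordPress 3.5.1"
            Joomla!*)   ver=${gen#Joomla! }               # "1.5 - Open Source Content Management"
                        echo "Joomla ${ver%% - *}" ;;     # keep only the version
            *)          echo "$gen" ;;                    # any other CMS that announces itself
        esac
        return 0
    fi
    # 2. fallback: path fingerprints survive when the generator tag is removed
    #    (signature list is an assumption for this demo; extend it per CMS)
    if grep -qE '/wp-content/|/wp-includes/' "$file"; then
        echo "WordPress (generator tag removed)"
    elif grep -qE '/media/system/js/|/components/com_' "$file"; then
        echo "Joomla (generator tag removed)"
    else
        echo "unknown"
    fi
}

# ---- demo on constructed pages (left in $tmp for inspection) ----
tmp=$(mktemp -d)
cat > "$tmp/wp.html" <<'EOF'
<html><head><meta name="generator" content="WordPress 3.5.1" />
<link rel="stylesheet" href="/wp-content/themes/twentytwelve/style.css"></head></html>
EOF
cat > "$tmp/joomla.html" <<'EOF'
<html><head><meta name="generator" content="Joomla! 1.5 - Open Source Content Management" /></head></html>
EOF
cat > "$tmp/stripped.html" <<'EOF'
<html><head><script src="/wp-includes/js/jquery/jquery.js"></script></head></html>
EOF
cat > "$tmp/static.html" <<'EOF'
<html><head><title>plain site</title></head></html>
EOF
for f in wp joomla stripped static; do
    printf '%s\t%s\n' "$f.html" "$(cms_fingerprint "$tmp/$f.html")"
done
```

Run against every site returned by the reverse IP lookup, the output is the per-server CMS inventory the text asks for. The Joomla tag that the article shows next is handled by the same generator rule.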
Joomla's homepage carries the equivalent tag:
<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" /> Joomla homepage meta tag
Combined with the reverse IP lookup above, this gives a list of every CMS in use on the server. A simple CMS fingerprinting script can take an IP address, resolve the list of sites hosted on it, and report the CMS each one runs; it recognises more programs as more CMS signatures are added to it.
Intrusion into known CMS programs
Known CMS vulnerabilities and 0days can be found on sebug.net, wooyun.org and exploit-db.com. If WordPress is running on the server, wpscan can be used for the penetration:
1. List all the plug-ins the WordPress installation uses;
2. List the themes it uses;
3. Check whether a theme includes TimThumb;
4. Enumerate all user names.
If the WordPress admin login has no additional authentication in front of it, wpscan can easily brute-force weak passwords. Once logged into the admin panel, a webshell is easy to obtain by uploading and installing a theme: WordPress accepts theme uploads as a zip file, so the attacker drops a one-line or encoded webshell into a theme directory, zips it, and uploads it for installation; the webshell is then reachable at wp-content/themes/<theme name>/xxx.php. PHP webshells usually rely on system(), shell_exec(), exec() and similar functions. If these functions have not been disabled on the server, simple Linux commands can be run through the shell:
uname -a
Linux studio4 2.6.18-274.12.1.el5 #1 SMP Tue Nov 29 13:37:46 EST 2011 x86_64 x86_64 x86_64 GNU/Linux
id
uid=48(apache) gid=48(apache) groups=48(apache)
cat /etc/passwd
/etc/passwd is world-readable by default, so even without root you can read it to learn every user name on the server, along with each account's uid, home directory and login shell.
bruce:x:502:502::/home/bruce:/bin/bash
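The commands above work only because the functions the webshell calls are still enabled. The following is an added example, not code from the original article, that audits a php.ini for exactly those functions: the list of function names is my assumption of what a typical PHP webshell relies on, and the three php.ini fragments are constructed for the demo.

```shell
#!/bin/bash
# Added example: which command-execution functions does a php.ini leave callable?

# functions a PHP webshell typically calls (assumption for this demo)
EXEC_FUNCTIONS="system exec shell_exec passthru popen proc_open"

# disabled_functions PHP_INI -> names from the effective disable_functions line,
# space-separated; the last uncommented setting wins, ';' comments and quotes are stripped
disabled_functions() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" \
        | tail -n 1 | cut -d= -f2- | cut -d';' -f1 | tr -d '[:space:]"' | tr ',' ' '
}

# allowed_exec_functions PHP_INI -> the dangerous functions that are NOT disabled
allowed_exec_functions() {
    local disabled f out=""
    disabled=" $(disabled_functions "$1") "     # pad so " name " matches whole words
    for f in $EXEC_FUNCTIONS; do
        case "$disabled" in
            *" $f "*) ;;                         # disabled, fine
            *)        out="$out $f" ;;           # still callable from a webshell
        esac
    done
    echo "${out# }"
}

# ---- demo on constructed php.ini fragments ----
tmp=$(mktemp -d)
cat > "$tmp/weak.ini" <<'EOF'
; constructed: default-like php.ini, nothing disabled
expose_php = On
disable_functions =
EOF
cat > "$tmp/partial.ini" <<'EOF'
; constructed: half-hearted hardening with an inline comment
disable_functions = "exec, system" ; passthru and friends forgotten
EOF
cat > "$tmp/hardened.ini" <<'EOF'
; constructed: typical shared-hosting hardening
expose_php = Off
disable_functions = system,exec,shell_exec,passthru,popen,proc_open,pcntl_exec
EOF
for f in weak partial hardened; do
    printf '%-13s still callable: %s\n' "$f.ini" "$(allowed_exec_functions "$tmp/$f.ini")"
done
```

On a live server the same value can be read with `php -i | grep disable_functions`. disable_functions is a PHP_INI_SYSTEM setting, so it can only be set in php.ini or the web server configuration, not in .htaccess or with ini_set(); that is precisely why a shared hosting customer cannot apply this hardening for their own site, as point 3 of the introduction notes.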
On a shared hosting server each website belongs to its own system user, and the site's files live in that user's own directory.
/etc/valiases
This directory holds one file per domain hosted on the server (it is where cPanel keeps each domain's mail aliases), and each file is owned by the system account that owns the domain. So if an attacker has found a site named nxadmin.com on the server but does not know which user it belongs to, a long directory listing of that file reveals the owner:
ls -l /etc/valiases/nxadmin.com
-rw-r----- 1 bruce Mar 9 16:14 /etc/valiases/nxadmin.com
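The two steps just described, reading the owner of the /etc/valiases file and then looking that account up in /etc/passwd, chained together as an added example that is not code from the original article. The valiases directory and passwd path are parameters so the demo runs against constructed files; the sample passwd entries are made up, and the alias file's owner is simply whoever runs the script.

```shell
#!/bin/bash
# Added example: domain -> owning account -> home directory on a shared host.

# site_owner DOMAIN [VALIASES_DIR] [PASSWD] -> "user home_dir"; non-zero if no alias file
site_owner() {
    local domain=$1 vdir=${2:-/etc/valiases} passwd=${3:-/etc/passwd} user home
    [ -e "$vdir/$domain" ] || { echo "no alias file for $domain" >&2; return 1; }
    user=$(stat -c %U "$vdir/$domain")          # file owner = account owning the domain (GNU stat)
    home=$(awk -F: -v u="$user" '$1 == u { print $6; exit }' "$passwd")
    echo "$user ${home:-?}"
}

# list_site_accounts PASSWD -> accounts that look like hosting customers:
# a home directory under /home and a real login shell
list_site_accounts() {
    awk -F: '$6 ~ /^\/home\// && $7 !~ /(nologin|false)$/ { print $1, $6 }' "$1"
}

# ---- demo on constructed data (no root needed) ----
tmp=$(mktemp -d)
me=$(id -un)
mkdir "$tmp/valiases"
: > "$tmp/valiases/nxadmin.com"              # owned by the user running this script
cat > "$tmp/passwd" <<EOF
apache:x:48:48:Apache:/var/www:/sbin/nologin
bruce:x:502:502::/home/bruce:/bin/bash
$me:x:$(id -u):$(id -g)::/home/$me:/bin/bash
EOF
echo "nxadmin.com is owned by: $(site_owner nxadmin.com "$tmp/valiases" "$tmp/passwd")"
echo "candidate site accounts:"
list_site_accounts "$tmp/passwd"
```

Against the real /etc, `site_owner nxadmin.com` needs nothing more than read access to /etc/passwd and the ability to stat the alias file, which is what the webshell running as apache already has; the defensive counterpart is to keep /etc/valiases unreadable to other accounts so that the mapping cannot be enumerated.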