LinuxBabu ………..

cPanel

Exim Remote Memory Corruption Vulnerability Notification (CVE-2010-4344)

by on Dec.11, 2010, under cPanel

Summary

A memory corruption vulnerability exists in Exim versions 4.69 and older (CVE-2010-4344). Exim is the mail transfer agent used by cPanel & WHM.

Security Rating

This update has been rated as Important by the cPanel Security team.

Description

A memory corruption vulnerability has been discovered in Exim. This vulnerability may lead to arbitrary code execution with the privileges of the user executing the Exim daemon. cPanel previously released RPMs that mitigated the severity of the vulnerability on December 9, 2010 (CVE-2010-4345). This notification is for the release of new RPMs which remove the remote memory corruption vulnerability in its entirety. The vulnerability relies upon “rejected_header” being enabled (default setting) in the log_selector configuration.

Solution

To resolve and work around the issue on Linux systems, cPanel has issued new Exim RPMs. Server Owners are strongly urged to upgrade to the following Exim RPM versions:

Systems configured to use Maildir: Exim 4.69-26

Systems configured to use mbox (deprecated): Exim 4.63-5

Exim RPMs will be distributed through cPanel’s package management system. All cPanel & WHM servers receiving updates automatically will receive the updated Exim RPM during normal update and maintenance operations (upcp). To begin an Exim update on cPanel systems immediately, run the following command as root:

/scripts/eximup

FreeBSD systems should be running Exim 4.72 by default, which is not affected by this issue.

FAQ

This notification covers CVE-2010-4344.

The notification released earlier on December 10, 2010 with the summary “A privilege escalation vulnerability exists in Exim, the mail transfer agent used by cPanel & WHM.” covers CVE-2010-4345. At the time of the earlier announcement, the CVE had not been assigned.
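
The Description above ties the vulnerability to rejected_header being enabled in log_selector. The following added example (not part of the cPanel notification or its tooling) reports whether that selector is in effect for a given Exim configuration file; the sample files are constructed, and the script only reports exposure, it does not replace the RPM update.

```shell
#!/usr/bin/env bash
# Added example (not cPanel's tooling): report whether Exim's rejected_header
# log selector is in effect for a given configuration file.

rejected_header_state() {
    local conf="$1" value tok state="enabled"   # rejected_header is on by default
    # Join backslash-continued lines, then keep the log_selector assignment.
    value=$(awk '{ if (sub(/\\$/, "")) { buf = buf $0; next } print buf $0; buf = "" }' "$conf" |
            grep -E '^[[:space:]]*log_selector[[:space:]]*=' | tail -n 1)
    value=${value#*=}
    # Selectors apply left to right; +all / -all switch every selector at once.
    for tok in $value; do
        case "$tok" in
            +all|+rejected_header) state="enabled" ;;
            -all|-rejected_header) state="disabled" ;;
        esac
    done
    printf '%s\n' "$state"
}

# Constructed sample configurations (not taken from a real server).
sample_dir=$(mktemp -d)
printf 'primary_hostname = mail.example.test\n' > "$sample_dir/default.conf"
printf 'log_selector = +arguments +subject \\\n    -rejected_header\n' > "$sample_dir/off.conf"
printf 'log_selector = -all +rejected_header\n' > "$sample_dir/on.conf"

for f in default off on; do
    printf '%-8s rejected_header %s\n' "$f" "$(rejected_header_state "$sample_dir/$f.conf")"
done
```

On a real server, pass the path of the Exim configuration file in use instead of the sample files.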


CPU/MySQL Usage is blank in WHM

by on Nov.04, 2010, under cPanel

“CPU/Memory/MySQL Usage” page blank

This is a common error across all cPanel releases. The most likely cause of this issue is related to the utility that actually generates the statistics. When cPanel is installed, several entries are added into crontab for the root user. The following is a list of the default crontab entries from a freshly installed cPanel server:

root@testbox [/etc/cron.hourly]# crontab -l | grep dcpumon

*/5 * * * * /usr/local/cpanel/bin/dcpumon >/dev/null 2>&1

root@testbox [/etc/cron.hourly]#

The dcpumon is the daemon that actually compiles the logs for the Usage page. If your Usage page is blank, it is normally because this utility is not running on the schedule that it is supposed to. The above crontab entry for dcpumon is set to run every five minutes, every hour.

Solution:
The most common resolution for this issue is to restart crond:

root@testbox [~]# /etc/init.d/crond restart
Stopping crond:[OK]
Starting crond:[OK]
root@testbox [~]#

The restart of cron should force all crontab entries to be processed normally again. If you are still not seeing statistics on the Usage page after this, force a cPanel update from the command line with “/scripts/upcp --force”. This should download and install a new copy of the dcpumon binary.


cPanel :: Berkeley DB error: PANIC: fatal region error detected; run recovery

by on May.26, 2010, under cPanel

The Exim log /var/log/exim_mainlog shows a Berkeley DB error:

Berkeley DB error: PANIC: fatal region error detected; run recovery
Berkeley DB error: PANIC: fatal region error detected; run recovery
Berkeley DB error: PANIC: fatal region error detected; run recovery

Exim stores certain databases using BerkeleyDB (e.g. the aliases file). These errors are caused by a corrupted Berkeley DB.

On a cPanel server you can remove or move the DB and restart Exim to fix this:

mv /var/spool/exim/db /var/spool/exim/db.bak

/scripts/restartsrv_exim

Now confirm the errors are gone.

tail -f /var/log/exim_mainlog


Uninstall APF

by on Jan.24, 2010, under Basics, Command Line, cPanel, DirectAdmin

Sometimes we may need to remove APF from the server. Here is a guide which shows how to remove APF completely from the server.

Stop the firewall first:
service apf stop
Disable it at startup (do this while the init script still exists, since chkconfig reads it):
chkconfig apf off
Remove the APF files:
/bin/rm -rfv /etc/apf
Lastly, remove the cron job and the init script for APF:
/bin/rm -fv /etc/cron.daily/fw
/bin/rm -fv /etc/init.d/apf

This should remove APF completely from the server as we removed the APF daemon, cron and files.


cPanel User Shell Access : fork: Resource temporarily unavailable

by on Jul.22, 2009, under cPanel

The cPanel user shell access suddenly gives this error:

root@server [~]# su - user
-bash: fork: Resource temporarily unavailable

The culprit seems to be cPanel and its “Shell Fork Bomb Protection”. Logging into WHM >> Security >> Security Center >> “Shell Fork Bomb Protection” and clicking “Disable Protection” resolves the issue.

Shell Fork bomb Protection will prevent users with terminal access (ssh/telnet) from using up the server’s resources and possibly crashing the server.


cPanel : Horde login error !

by on Jun.22, 2009, under cPanel

Horde login error

The Horde login shows the error below:

Warning: Unknown: write failed: Disk quota exceeded (122) in Unknown on line 0

Warning: Unknown: Failed to write session data (files). Please verify that the current setting of
session.save_path is correct (/var/cpanel/userhomes/cpanelhorde/sessions) in Unknown on line 0

Then try this cPanel script :

/scripts/autorepair phpapps_owner_fix

The above cPanel script will reset all the quotas for the cPanel users.


What is APF (Advanced Policy Firewall)? APF Firewall

by on Mar.06, 2009, under Basics, Command Line, cPanel

APF is a policy-based iptables firewall system designed for ease of use and configuration. It employs a subset of features to satisfy the veteran Linux user and the novice alike. It is packaged in tar.gz and RPM formats, which makes APF ideal for deployment in many Linux server environments. APF is developed and maintained by R-fx Networks: http://www.rfxnetworks.com/apf.php

This guide will show you how to install and configure the APF firewall, one of the better known Linux firewalls available.

Requirements:
- Root SSH access to your server

Let's begin!
Log in to your server through SSH and su to the root user.

1. cd /root/downloads or another temporary folder where you store your files.

2. wget http://www.rfxnetworks.com/downloads/apf-current.tar.gz

3. tar -xvzf apf-current.tar.gz

4. cd  apf-9.6-5/ or whatever the latest version is.

5. Run the install file: ./install.sh
You will receive a message saying it has been installed

Installing APF 9.6-5: Completed.
Installation Details:
Install path:         /etc/apf/
Config path:          /etc/apf/conf.apf
Executable path:      /usr/local/sbin/apf
Other Details
Listening TCP ports: 53,2086,2087,3306
Listening UDP ports: 53,39437

Note: These ports are not auto-configured; they are simply presented for information purposes. You must manually configure all port options.

6. Let's configure the firewall: nano -w /etc/apf/conf.apf
We will go over the general configuration to get your firewall running. This isn’t a complete detailed guide of every feature the firewall has. Look through the README and the configuration for an explanation of each feature.

We like to use DShield.org’s “block” list of top networks that have exhibited suspicious activity.
FIND: USE_DS="0"
CHANGE TO: USE_DS="1"

7. Configuring Firewall Ports:

Cpanel Servers
We like to use the following on our Cpanel Servers

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports -3000_3500 = passive port range for Pure FTPD
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,2086,2087,2095,2096,3000_3500"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43,2089"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

Ensim Servers
We have found the following can be used on Ensim Servers – although we have not tried these ourselves as I don’t run Ensim boxes.

Common ingress (inbound) ports
# Common ingress (inbound) TCP ports
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,19638"
#
# Common ingress (inbound) UDP ports
IG_UDP_CPORTS="53"

Common egress (outbound) ports
# Egress filtering [0 = Disabled / 1 = Enabled]
EGF="1"

# Common egress (outbound) TCP ports
EG_TCP_CPORTS="21,25,80,443,43"
#
# Common egress (outbound) UDP ports
EG_UDP_CPORTS="20,21,53"

Save the changes: Ctrl+X then Y

8. Starting the firewall
/usr/local/sbin/apf -s

Other commands:
usage ./apf [OPTION]
-s|--start ......................... load firewall policies
-r|--restart ....................... flush & load firewall
-f|--flush|--stop .................. flush firewall
-l|--list .......................... list chain rules
-st|--status ....................... firewall status
-a HOST CMT|--allow HOST COMMENT ... add host (IP/FQDN) to allow_hosts.rules and
immediately load new rule into firewall
-d HOST CMT|--deny HOST COMMENT .... add host (IP/FQDN) to deny_hosts.rules and
immediately load new rule into firewall

9. After everything is working, change the DEVM option
This stops the firewall from automatically clearing itself every 5 minutes from cron.
We recommend changing this back to "0" after you’ve had a chance to ensure everything is working well and tested the server out.

nano -w /etc/apf/conf.apf

FIND: DEVM="1"
CHANGE TO: DEVM="0"

10. Checking the APF Log

The log shows any changes to allow and deny hosts, among other things.
tail -f /var/log/apf_log
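
To check the settings from steps 6, 7 and 9 in one pass, here is an added example (not part of APF and not from the original guide) that audits a conf.apf without sourcing it. The helper names apf_get, bad_ports and audit_apf_conf are hypothetical, and the sample file is constructed with two deliberate port typos.

```shell
#!/usr/bin/env bash
# Added example (not part of APF): audit a conf.apf for the settings this guide changes.

apf_get() {   # last double-quoted value assigned to KEY ($1) in FILE ($2); never sources the file
    sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

bad_ports() { # print list entries that are not PORT or LOW_HIGH within 1-65535
    local entry lo hi
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        printf '%s\n' "$entry" | grep -Eq '^[0-9]{1,5}(_[0-9]{1,5})?$' || { echo "$entry"; continue; }
        lo=${entry%%_*}; hi=${entry##*_}
        if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then echo "$entry"; fi
    done
}

audit_apf_conf() {   # one line per finding; prints nothing for a clean file
    local conf="$1" key bad
    [ "$(apf_get DEVM "$conf")" = "0" ] ||
        echo "DEVM is not 0: cron still flushes the firewall every 5 minutes"
    [ "$(apf_get EGF "$conf")" = "1" ] || echo "EGF is not 1: egress filtering is disabled"
    [ "$(apf_get USE_DS "$conf")" = "1" ] || echo "USE_DS is not 1: DShield block list is not used"
    for key in IG_TCP_CPORTS IG_UDP_CPORTS EG_TCP_CPORTS EG_UDP_CPORTS; do
        bad=$(bad_ports "$(apf_get "$key" "$conf")" | tr '\n' ' ')
        [ -z "$bad" ] || echo "$key has invalid entries: $bad"
    done
    return 0
}

# Constructed sample file (values modelled on this guide, with two deliberate typos).
sample=$(mktemp)
cat > "$sample" <<'EOF'
DEVM="1"
USE_DS="0"
EGF="1"
IG_TCP_CPORTS="21,22,25,53,80,110,143,443,2082,2083,3500_3000"
IG_UDP_CPORTS="53"
EG_TCP_CPORTS="21,25,80,443,43,208900"
EG_UDP_CPORTS="20,21,53"
EOF
audit_apf_conf "$sample"
```

Run audit_apf_conf against /etc/apf/conf.apf after editing it; no output means none of the checks fired.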



cPanel/WHM cannot be accessed using IP/whm and IP/cpanel

by on Feb.21, 2009, under cPanel

This issue is caused by lines missing from httpd.conf.

Fix
====

1) Open the Apache configuration file (httpd.conf) in your favorite editor.

2) Add the following lines to httpd.conf.

===================================================================

ErrorDocument 400 /400.shtml
ErrorDocument 401 /401.shtml
ErrorDocument 403 /403.shtml
ErrorDocument 404 /404.shtml
ErrorDocument 500 /500.shtml
ScriptAlias /cgi-sys/ /usr/local/cpanel/cgi-sys/
Alias /sys_cpanel/ /usr/local/cpanel/sys_cpanel/
Alias /java-sys/ /usr/local/cpanel/java-sys/
Alias /img-sys/ /usr/local/cpanel/img-sys/
Alias /akopia/ /usr/local/cpanel/3rdparty/interchange/share/akopia/

Alias /neo-images/ /usr/local/cpanel/base/neomail/neo-images/
ScriptAliasMatch ^/cpanel/(.*) /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAlias /cpanel /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAlias /whm /usr/local/cpanel/cgi-sys/whmredirect.cgi
ScriptAlias /securewhm /usr/local/cpanel/cgi-sys/swhmredirect.cgi
ScriptAlias /webmail /usr/local/cpanel/cgi-sys/wredirect.cgi
ScriptAliasMatch ^/webmail/(.*) /usr/local/cpanel/cgi-sys/wredirect.cgi
ScriptAliasMatch ^/kpanel/(.*) /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAlias /controlpanel /usr/local/cpanel/cgi-sys/redirect.cgi
ScriptAlias /securecontrolpanel /usr/local/cpanel/cgi-sys/sredirect.cgi
Alias /mailman/archives/ /usr/local/cpanel/3rdparty/mailman/archives/public/
ScriptAlias /mailman/ /usr/local/cpanel/3rdparty/mailman/cgi-bin/
Alias /pipermail/ /usr/local/cpanel/3rdparty/mailman/archives/public/
Alias /interchange/ /usr/local/cpanel/3rdparty/interchange/share/interchange/
Alias /interchange-5/ /usr/local/cpanel/3rdparty/interchange/share/interchange-5/

===================================================================

3) Now restart the httpd service in the server.

cPanel email inconsistent quota !

by on Jan.01, 2009, under cPanel

If a cPanel email user quota does not match what is being reported by the system or a mail client run the following to determine how much space has been used for real:

du -hs /home/username/mail/userdomain.com/user/

then compare it with what cPanel reports for the disk usage, if they are different delete:

/home/username/mail/domain.com/user/maildirsize

finally re-login to cPanel and it should be resolved.


PhpMyAdmin :: SQLite failed to open/create session database

by on Sep.18, 2008, under cPanel

This is usually a bug in the PhpMyAdmin configuration. If you receive the following error when accessing PhpMyAdmin from either WHM or cPanel, follow the steps given below to fix it:

Warning: session_write_close() [function.session-write-close]: open(/var/cpanel/userhomes/cpanelphpmyadmin/sessions/sess_uPSQAGVEZx2uuePd7SpsgTHJ6X7, O_RDWR) failed: No such file or directory (2) in /usr/local/cpanel/base/3rdparty/phpMyAdmin/navigation.php on line 85

Manually edit the /usr/local/cpanel/3rdparty/etc/phpmyadmin/php.ini file as follows:

1) Log in to the shell of the server using the root login details and open the file “/usr/local/cpanel/3rdparty/etc/phpmyadmin/php.ini” using vi or any other editor.

2) Search for the [Session] section and, underneath it, change the following:

Replace:
——————————-
session.save_handler = sqlite
session.save_path = /var/cpanel/userhomes/cpanelphpmyadmin/sessions/phpsess.sdb
——————————-
To:
——————————-
session.save_handler = files
session.save_path = /tmp
——————————-

By default, PhpMyAdmin uses sqlite as the session save handler. It needs to be changed to files, and the location where the session files are stored needs to be changed to /tmp, which is the standard/default place to store temporary files.