Jun 30

Disabling Compilers

When the compilers are disabled, an attacker is not able to compile and build an exploit on the system. This step removes the ability to compile files on the system. Most of the hacking guides found on the net suggest compiling the exploit on the target system, and a pre-compiled binary is seldom distributed. So whether they get in via shell access, a daemon exploit, or CGI/PHP abuse, they will try to get hold of your compiler and compile the exploit. Normally your users do not need access to the compiler, so it is safe to restrict or disable compilers.

Red Hat & Fedora

For installations via rpm, and for up2date to work, you do not need the compilers to be available.

To disable compilers for users, log in to the system as root and run the following commands:

Code:

cd /usr/bin/
chmod 000 perlcc byacc yacc bcc kgcc cc gcc i386*cc
chmod 000 *c++ *g++
chmod 000 /usr/lib/bcc /usr/lib/bcc/bcc-cc1

If it exists, also run:

Code:

chmod 000 /usr/i386-glibc21-linux/lib/gcc-lib/i386-redhat-linux/2.96/cc1

That will disable compiler access for all users.

Before upgrading Apache or PHP, or if you need to install a programme, run the following commands to enable compiler access for the root user.

Code:

chmod 700 /usr/bin/cc
chmod 700 /usr/bin/gcc

On cPanel systems, you need access to the compiler when upgrading Apache or installing vps/jsp, Apache etc.

After upgrading Apache via /scripts/easyapache, disable the compiler again.

Code:

chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc

Whether to chmod the compilers to 700 or 000 is a matter of preference for each admin. It is your system, your decision. The recommendation, however, is chmod 000.

——————————————————————————–

Debian & FreeBSD

Code:

chmod 000 /usr/bin/cc
chmod 000 /usr/bin/gcc
chmod 000 /usr/bin/c++

Whether to chmod the compilers to 700 or 000 is a matter of preference for each admin. It is your system, your decision. The recommendation, however, is chmod 000.
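To check that the permissions above actually took effect, and that nothing was left at 700 after an upgrade, the following shell function reports the state of each compiler binary. It is an added example, not part of the original post; the function name `audit_compilers` and the state labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): report the permission state
# of the compiler binaries that the article's chmod commands target.

# audit_compilers [DIR]  prints "STATE PERMS PATH" for each compiler found.
#   DISABLED = mode 000, as the article recommends
#   OWNER    = only the owner has access (e.g. left at 700 after an upgrade)
#   OPEN     = group or other still has some access
# Returns 1 if any compiler is OPEN, otherwise 0.
audit_compilers() {
    dir=${1:-/usr/bin}
    rc=0
    # Same names and globs as the article; unmatched globs are skipped below.
    for path in "$dir"/perlcc "$dir"/byacc "$dir"/yacc "$dir"/bcc \
                "$dir"/kgcc "$dir"/cc "$dir"/gcc "$dir"/i386*cc \
                "$dir"/*c++ "$dir"/*g++; do
        [ -f "$path" ] || continue
        # -L follows symlinks, because chmod changes the link target as well.
        perms=$(ls -ldL "$path" | cut -c2-10)
        case $perms in
            ---------) state=DISABLED ;;
            ???------) state=OWNER ;;
            *)         state=OPEN; rc=1 ;;
        esac
        printf '%s %s %s\n' "$state" "$perms" "$path"
    done
    return $rc
}
```

Source the file and run `audit_compilers /usr/bin` as root; a non-zero return status means at least one compiler is still accessible to group or other.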
