Make it harder for attacker to hide phishing sites in the well-known directory.


Active Member

Reaction score: 56
Messages: 207

Our good friend "admin" posted this rather important article about Phishing sites taking advantage of the /.well-known/ directory that is used by the ACME protocols. While the article does suggest a change to the nature of the /.well-known/ directory, it doesn't talk about fixing the root cause of this issue.

These phishing sites are set-up, generally, by outsiders that have found a way to gain write access to the system and using that ability to drop their phishing site code.

This is often very easy to do because many web sites are set-up such that the content directories are writable by the web server user. Thus any weakness that allows a remote-write to happen give the hacker easy access to write to the content directories.

Likewise, many of us who make use of the ACME protocol don't want to run those scripts as 'root' and instead make the logical choice of going with our web server user account. Although simple, this is not a very secure option.

Many of the simplest of remote content dumping attacks can be avoided by preventing the system account(s) that serve the pages from having write access to the content directories. It is a bit more work to set-up but a lot more secure.

The 'apache' or 'webserver' account can be used to run the web server but should have read-only access to the document root and all sub-directories. It may be provided write access to a small subset of directories outside the document root for storing cookie files and other activities.

If server side scripts (php, perl, phyton, etc.) are used, run them under fast-cgi and use the fast-cgi feature of giving them their own system account. This account should not be able to write to directories in the document root either. If they have to write to the file system, write your code so that they store their data outside the document root.

The acme script can, and should, be treated the same way. It should have it's own user. That user has write access to a directory outside the document root. Aliases in the web server can be used for the specific files/directories needed by the acme protocol script. One could even consider putting a wrapper around the acme script (run by root) that change permissions restrict write access by the acme system account to only those times when it is running. We have the ability to run scripts as root that spawn scripts as other system accounts. We should use these tools.

The above won't stop your web server from being hacked and used as a phishing server. But it will make it more difficult for the attacker. Combining techniques such as above with good monitoring tools and alerting when suspicious activity occurs on your server can give you enough time to respond and block the attack before damage is done.

What are your thoughts?


Son of Beastie

Reaction score: 1,669
Messages: 3,509

My thoughts? I see your .well-known directory and raise you with a /tmp and/or /var/tmp directory which isn't only writable for the world, but more than often also allows files to be executed.

Another way to prevent this, as far as I can tell, would be to set up specific webserver permissions using .htpasswd which isn't writable by the webserver account. If that blocks the public usage of .well-known then you might still be confronted with unwanted garbage in there, but at least it won't find its way into the world (or actually the other way around I suppose).

(edit): I realize that this has the potential to mess up a few things for 3rd parties, but one has to wage how important that is.