-
04-02-2003, 07:52 PM #1 - WHT Addict (Join Date: Jul 2002, Posts: 117)
Hackers using myshell.php and others to gain access... Need help
OK, here is my dilemma.
I do have some resellers, and some of their clients are using scripts like cgishell
or
"MyShell 1.1.0 build 20010923",
something like these.
Can someone please tell me the Linux command to go through all the .php files in all home dirs and check for a string?
Like, as an example, there is a file called user.php (which is in reality a shell script like MyShell) and they are using it to gain shell access to the system (PHP safe mode ain't helping here). Somehow they get shadow or install something as the nobody user, gain root access, voila.......
So there is a file in /home/user10/public_html/user.php.
However, I do have some strings which are most likely the same, like:
$shellUser
$dirLimit = "";
$autoErrorTrap = 1;
$voidCommands = array("top","xterm","su","vi","pico","netscape");
$TexEd = "pico";
$editWrap ="wrap='OFF'";
or
Header('WWW-Authenticate: Basic realm="MyShell"');
This is part of a script.......
So I can trace those,
just like it detects spam stuff and cPanel sends you an email.
Is there a way or a command which will tell me, or I can run a cron every now and then and see who is using shell scripts, etc.?
Can someone please write me a command like that, or any way to add it into cPanel so cPanel can track it also?
Thanks
-
04-02-2003, 10:44 PM #2 - WHT Addict (Join Date: Nov 2002, Posts: 151)
Re: Hackers using myshell.php and others to gain access... Need help
Originally posted by quicksols
Can please some one tell me the linux command to go through all the .php files in all homedirs and check for a string?
man grep
-
04-03-2003, 12:11 AM #3 - Aspiring Evangelist (Join Date: Jun 2002, Location: TO, Ontario, Canada, Posts: 372)
Find the user account where the files are stored and suspend it.
Then check the logs and see where the file came from. It could be another script exploit they used from a user account, or an actual user that is using the script.
-
04-03-2003, 01:55 AM #4 - Web Hosting Master (Join Date: Feb 2002, Posts: 3,729)
I think he's asking how to log on as root, go through every file in the system checking if it has traces of the script's strings, and if it does, probably chmod the file to 700 and write the filename to a file for review.
• Have • you • Floble'd • today? •
-
04-03-2003, 02:51 AM #5 - Junior Guru (Join Date: Jan 2002, Posts: 214)
Scripts like these shouldn't be a problem. open_basedir limits them to their own home directory, right?
Web-cp: an open source control panel: http://www.web-cp.net
-
04-03-2003, 04:05 AM #6 - learning is in the doing (Join Date: Sep 2000, Location: Alberta, Canada, Posts: 3,146)
You can do the following and search for one word at a time. This is because each search could take 10-15 minutes and is definitely going to increase your server load, but not to an unacceptable level if you do one word search at a time.
Log in as 'root'.
cd /    << this will check the whole server
find -type f -name '*.*' \
-exec grep -s autoErrorTrap {} \; -print
Search word examples would be:
shellUser
dirLimit
autoErrorTrap
voidCommands
TexEd
editWrap
WWW-Authenticate
If any files are found containing the search word (autoErrorTrap in the above example), then the matching file text will be shown and the file path directly underneath it. To save time, as lots and lots of text/files may be found with that search word, you should do this:
find . -type f -name '*.*' \
-exec grep -s autoErrorTrap {} \; -print > search_autoErrorTrap.txt
Continuing with the above example, all results are put into a file called "search_autoErrorTrap.txt", which the above command also creates. By using the same search word for each file name, it will help you know which word you were searching for.
Be patient while this is going on and just wait till the command line shows again. You can then view the file online or download it.
• PotentProducts.com - for all your Hosting needs
• Helping people Host, Create and Maintain their Web Site
• ServerAdmin Services also available
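The find/grep procedure above runs one search word at a time and prints matching text with the path underneath it. As an added example (not from the thread or from any of the posters), here is a POSIX sh script that does the same job in a single pass over a tree of home directories: it checks every .php file against all of the indicator strings quoted in post #1 and prints one line per flagged file, together with which indicators hit. The indicator list, the function names and the directory layout used in the usage note are assumptions for the example; the matching is done with grep -F (fixed strings), which is what you want for needles like $shellUser that a bare grep would treat as a regular expression.

```shell
#!/bin/sh
# Added example, not from the thread: scan a tree of home directories for
# the MyShell indicator strings quoted in post #1 and list each matching
# file once, with the indicators it contains. POSIX sh + find + grep only.

# Indicator strings taken from post #1, one per line. They are matched as
# fixed strings (grep -F), so "$" and "(" are literal; with a bare grep
# "$shellUser" is a regex whose "$" anchor would never match the text.
INDICATORS='$shellUser
$dirLimit
$autoErrorTrap
$voidCommands
$TexEd
$editWrap
WWW-Authenticate: Basic realm="MyShell"'

# scan_shell_scripts DIR [NAME_PATTERN]
# Walks DIR (default pattern: *.php) and prints one line per file that
# contains at least one indicator:  path<TAB>indicator1,indicator2,...
# Files with no hit produce no output, so the report stays short.
scan_shell_scripts() {
    dir=$1
    pattern="${2:-*.php}"
    find "$dir" -type f -name "$pattern" -print | while IFS= read -r path; do
        hits=
        while IFS= read -r needle; do
            [ -n "$needle" ] || continue
            # -q: only the exit status matters; -F: literal match;
            # --: an indicator starting with "-" is not taken as an option
            if grep -qF -- "$needle" "$path" 2>/dev/null; then
                hits="${hits:+$hits,}$needle"
            fi
        done <<EOF
$INDICATORS
EOF
        if [ -n "$hits" ]; then
            printf '%s\t%s\n' "$path" "$hits"
        fi
    done
}

# count_flagged DIR [NAME_PATTERN]: number of flagged files, handy as the
# one-line summary a cron job mails out.
count_flagged() {
    scan_shell_scripts "$1" "${2:-*.php}" | wc -l | tr -d ' '
}
```

Run it as root, for example from cron as `scan_shell_scripts /home > /root/shell-scan-$(date +%Y%m%d).txt`, and diff each report against the previous one so only newly flagged files need a look. Because it matches on file content, a renamed copy such as the user.php from post #1 is still found; on the other hand anyone can rename the variables, so string matching like this is a cheap detection aid, not proof that a host is clean.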
-
04-03-2003, 04:20 AM #7 - WHT Addict (Join Date: Jul 2002, Posts: 117)
Thanks all for your help. Yes, mainly I am looking to check it server-wide. I do know those are .php files; mainly I am looking to search /home.
By the way, any idea where I can add those strings in cPanel? Just like it filters all email/CGI, it can check this too.
-
04-03-2003, 04:27 AM #8 - learning is in the doing (Join Date: Sep 2000, Location: Alberta, Canada, Posts: 3,146)
This is not a control panel function, as there are still lots of things one has to do manually when one is a server admin.
-
04-03-2003, 10:02 AM #9 - Aspiring Evangelist (Join Date: Jun 2002, Location: TO, Ontario, Canada, Posts: 372)
I think open_basedir would solve the problem -
http://www.zend.com/manual/features....i.open-basedir
More security information.
http://www.zend.com/manual/features.safe-mode.php
-
04-03-2003, 02:48 PM #10 - WHT Addict (Join Date: Jul 2002, Posts: 117)
open_basedir switch: can I implement it globally?
If yes, how? I am sorry, I am not a programmer and I am bugging you guys a lot.
I did get this string also:
find /home/*/public_html -name '*.php' -print0 | xargs -0 grep -i -l 'string to find'
-
04-03-2003, 03:34 PM #11 - Retired Moderator (Join Date: Jan 2003, Posts: 9,049)
Open your php.ini.
It's usually found in /usr/local/lib/.
The default, I believe, doesn't have the function at all. So just add
open_basedir = /home
(An example, or wherever your users' partition is.)
And all should be fine.
••• Like us on Facebook to qualify for discounts! •••
••• http://www.sprintserve.net •••
••• Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting | •••
••• Services: | Managed Multiple Cores 64bit Servers | Server Management | •••
-
04-03-2003, 09:20 PM #12 - Web Hosting Guru (Join Date: Jan 2002, Posts: 261)
Originally posted by sprintserve
Open your php.ini
It's usually found in /usr/local/lib/
Default I believe doesn't have the function at all. So just add
open_basedir = /home
(An example, or whereever your users partition is)
And all should be fine
--- > Nevermind. I RTFM and figured it out for myself.
Last edited by cp1967; 04-03-2003 at 09:56 PM.
-
04-04-2003, 08:28 AM #13 - Web Hosting Master (Join Date: Apr 2002, Posts: 565)
open_basedir only works with PHP, so hackers can still use CGIShell (written in Perl) to hack your server.
AceWebHosting.Com
Cheap Web Hosting - Multiple Domain Hosting - Reseller Hosting - Virtual Private Server
-
04-04-2003, 08:31 AM #14 - Retired Moderator (Join Date: Jan 2003, Posts: 9,049)
That is correct. Take some basic precautions and CGI-shell should not be able to do much.
-
04-04-2003, 09:30 AM #15 - Web Hosting Master (Join Date: Feb 2003, Posts: 560)
Does open_basedir affect the /tmp directory?
Off Topic Web Forum - A forum for talking about anything!!
N.Z. Webmaster Community - Are you from New Zealand? Well signup to our forum!!!!
-
04-04-2003, 09:32 AM #16 - Retired Moderator (Join Date: Jan 2003, Posts: 9,049)
Yes, it will if you don't tweak it, as /home is outside of /tmp. It is the same with safe mode.
-
04-04-2003, 09:43 AM #17 - Web Hosting Master (Join Date: Feb 2003, Posts: 560)
So it's a good idea to have:
open_basedir = /home:/tmp
on a Linux-based system.
-
04-04-2003, 09:46 AM #18 - Web Hosting Master (Join Date: Feb 2003, Posts: 560)
Also, can this command be added to the virtualhost in httpd.conf? That would be ideal!
-
04-04-2003, 09:47 AM #19 - Retired Moderator (Join Date: Jan 2003, Posts: 9,049)
Or: you can simply set up PHP to use another tmp directory, for example /home/tmp.
-
04-04-2003, 10:38 AM #20 - Junior Guru (Join Date: Jan 2002, Posts: 214)
Originally posted by PhilG
Also, can this command be added to the virtualhost in httpd.conf? That would be ideal!
-
04-04-2003, 10:53 AM #21 - Web Hosting Master (Join Date: Apr 2002, Posts: 565)
Originally posted by PhilG
Also, can this command be added to the virtualhost in httpd.conf? That would be ideal!
php_admin_value safe_mode 0
php_admin_value open_basedir "/home/user/:/tmp/"
to each virtual host configuration in httpd.conf.
-
04-04-2003, 10:57 AM #22 - Retired Moderator (Join Date: Jan 2003, Posts: 9,049)
If you are going to restrict all users, then it makes sense to make it global and use only the httpd.conf for exclusions... That is how I would set it up.
-
04-04-2003, 03:32 PM #23 - WHT Addict (Join Date: Jul 2002, Posts: 117)
OK, let me ask you this....
#1 How do I set it globally?
#2 If we set open_basedir globally and restrict them to /home or /tmp, will it secure the server from PHP shell scripts???
-
04-04-2003, 05:11 PM #24 - Retired Moderator (Join Date: Jan 2003, Posts: 9,049)
This is only a partial solution. Real server security goes far beyond this. But PHP did make it easy. Restricting them to /home will, though, prevent their ability to read or access files that are not in /home, i.e. all your system files. Therefore they would not be able to compromise anything.
To set it globally, you amend it in php.ini.
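The layout the last few replies converge on is a global open_basedir in php.ini (post #24) with php_admin_value lines in httpd.conf as the per-vhost exceptions (posts #21 and #22). On a box with hundreds of virtual hosts it is easy to lose track of which value actually applies to whom, so here is an added audit script, not from the thread or from any poster, that reports the effective open_basedir for a given ServerName: the vhost override if there is one, otherwise the php.ini value, otherwise "(unrestricted)". The sample php.ini and httpd.conf it writes are constructed for the example, with placeholder hostnames and paths; the function names are also assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: report the open_basedir that PHP will
# actually apply to a given VirtualHost, following the layout the replies
# above settle on: a global value in php.ini, with php_admin_value lines in
# httpd.conf as the exceptions. Needs only POSIX sh and awk.

# global_open_basedir PHP_INI
# Prints the active open_basedir from php.ini. Lines commented out with ";"
# are ignored, which is why a stock php.ini yields nothing at all.
global_open_basedir() {
    awk -F= '/^[ \t]*open_basedir[ \t]*=/ {
        v = $2
        gsub(/^[ \t]+|[ \t]+$/, "", v)
        gsub(/"/, "", v)
        print v
        exit
    }' "$1"
}

# vhost_open_basedir HTTPD_CONF SERVERNAME
# Prints the php_admin_value open_basedir set inside the <VirtualHost>
# block whose ServerName matches, or nothing if that vhost has no override.
vhost_open_basedir() {
    awk -v want="$2" '
        /^[ \t]*<VirtualHost/ { inblock = 1; sn = ""; ob = ""; next }
        /^[ \t]*<\/VirtualHost>/ {
            if (inblock && sn == want) { print ob; exit }
            inblock = 0; next
        }
        inblock && /^[ \t]*ServerName[ \t]/ { sn = $2 }
        inblock && /^[ \t]*php_admin_value[ \t]+open_basedir[ \t]/ {
            v = $3; gsub(/"/, "", v); ob = v
        }
    ' "$1"
}

# effective_open_basedir PHP_INI HTTPD_CONF SERVERNAME
# The per-vhost override wins; otherwise the php.ini value; if neither is
# set, PHP scripts for that vhost may open any file the web server user can read.
effective_open_basedir() {
    v=$(vhost_open_basedir "$2" "$3")
    [ -n "$v" ] || v=$(global_open_basedir "$1")
    [ -n "$v" ] || v="(unrestricted)"
    printf '%s\n' "$v"
}

# write_sample_configs DIR
# Writes constructed sample files (placeholder hostnames and paths, not a
# real server's configuration) so the functions above can be tried offline.
write_sample_configs() {
    cat > "$1/php.ini" <<'EOF'
; constructed sample php.ini
safe_mode = Off
open_basedir = /home:/tmp
EOF
    cat > "$1/httpd.conf" <<'EOF'
# constructed sample httpd.conf
<VirtualHost 192.0.2.10:80>
    ServerName user10.example.net
    DocumentRoot /home/user10/public_html
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName user11.example.net
    DocumentRoot /home/user11/public_html
    php_admin_value open_basedir "/home/user11/:/tmp/"
</VirtualHost>
EOF
}

# Demo: show the effective value for each sample vhost, then clean up.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for host in user10.example.net user11.example.net; do
    printf '%-20s open_basedir = %s\n' "$host" \
        "$(effective_open_basedir "$demo_dir/php.ini" "$demo_dir/httpd.conf" "$host")"
done
rm -rf "$demo_dir"
```

Point it at the real php.ini and httpd.conf to see what each customer gets. Two things worth keeping in mind when reading the output: with the global value /home:/tmp, one customer's PHP can still read every other customer's files under /home, which is why the per-vhost form in post #21 (/home/user/:/tmp/) is the tighter setting; and open_basedir only governs PHP's own file functions, so it does nothing for Perl/CGI (post #13) or for programs a script launches, which is why the file-system scan earlier in the thread is still needed alongside it.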
-
04-04-2003, 05:16 PM #25 - WHT Addict (Join Date: Jul 2002, Posts: 117)
Sorry to be too dumb,
but can you tell me again what exactly I should change in php.ini,
and what about /tmp then?