Hackers using myshell.php and others to gain access... Need help
OK, here is my dilemma.
I do have some resellers, and some of their clients are using scripts like cgishell,
"MyShell 1.1.0 build 20010923",
something like these.
Can someone please tell me the Linux command to go through all the .php files in all home dirs and check for a string?
As an example, there is a file called user.php (which is in reality a shell script like MyShell) and they are using it to gain shell access to the system (PHP safe mode isn't helping here). Somehow they get the shadow file or install something as the nobody user and gain root access, voilà...
So there is a file at /home/user10/public_html/user.php.
However, I do have some strings which are most likely the same, like
Header('WWW-Authenticate: Basic realm="MyShell"');
This is part of the script...
so I can trace those,
just like cPanel detects spam stuff and sends you an email.
Is there a way or a command which will tell me, or which I can run in a cron every now and then, to see who is using shell scripts, etc.?
Can someone please write me a command like that, or tell me any way to add it into cPanel so cPanel can track it also?
Find the user account where the files are stored and suspend it.
Then check logs and see where the file came from - could be another script exploit they used from a user account or an actual user that is using the script.
I think he's asking how to log on as root, go through every file in the system checking whether it has traces of the script's strings, and if it does, probably chmod the file to 700 and write the filename to a file for review.
You can do the following and search for one word at a time. This is because each search could take 10-15 minutes and will definitely increase your server load, but not to an unacceptable level if you search one word at a time.
If any files are found with the search word (shown in bold in the above example), the file text will be shown with the file path directly underneath it. To save time, as lots and lots of text/files may be found with that search word, you should do this:
Continuing with the above example, all results are put into a file called "search_autoErrorTrap.txt", which the above command also creates. By using the same "searchword" in each file name, you will know which word you were searching for.
Be patient while this is going on and just wait until the command line shows again. You can then view the file online or download it.
• PotentProducts.com - for all your Hosting needs
• Helping people Host, Create and Maintain their Web Site
• ServerAdmin Services also available
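One way to turn the search described above into a cron job, as an added example that is not code from any poster in this thread: a POSIX sh script that greps every *.php file inside a public_html tree for a list of fixed signature strings and writes account name plus path to a report. The scan root (/home), the report path and every signature other than the MyShell realm header quoted in the first post are assumptions to adjust for your server.

```shell
#!/bin/sh
# Added example (not from the thread): cron-friendly scan for PHP web shells
# under each hosting account's public_html. Fixed strings from a pattern file
# are grepped out of every *.php file and the hits written to a report.
# Assumed: accounts live under /home, report goes to /root, signature list is
# illustrative and meant to be extended locally.

# Write the grep -F pattern file, one signature per line. The realm header is
# the string quoted in the original post; the other two are the script names
# mentioned there, added here as plain-text markers (assumption).
write_signatures() {
    out="$1"
    cat > "$out" <<'EOF'
WWW-Authenticate: Basic realm="MyShell"
MyShell
cgishell
EOF
}

# scan_php_shells ROOT PATTERNFILE
# Prints each *.php file below ROOT that sits inside a public_html tree and
# contains at least one signature, one path per line, sorted. -F makes the
# quotes, dots and spaces in the signatures literal; -l stops at the first
# match per file so the whole file is not read once a shell is identified.
scan_php_shells() {
    root="$1"
    patfile="$2"
    find "$root" -path '*/public_html/*' -type f -name '*.php' \
        -exec grep -lF -f "$patfile" {} + 2>/dev/null | sort
}

# account_of ROOT PATH -> the account that owns the hit, i.e. the path
# component directly under ROOT (/home/user10/public_html/user.php -> user10),
# which is what you need in order to suspend the right account.
account_of() {
    root="$1"
    path="$2"
    rel="${path#"$root"/}"
    printf '%s\n' "${rel%%/*}"
}

# write_report ROOT PATTERNFILE REPORT
# Writes "account<TAB>path" lines to REPORT (truncating any previous run) and
# prints the number of hits, so a cron wrapper can decide whether to mail it.
write_report() {
    root="$1"
    patfile="$2"
    report="$3"
    : > "$report"
    scan_php_shells "$root" "$patfile" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(account_of "$root" "$f")" "$f"
    done >> "$report"
    wc -l < "$report" | tr -d ' '
}

# Run as root from cron, for example:
#   0 */6 * * * /root/shell_scan.sh --run
# then review the report and suspend the accounts listed in its first column.
if [ "${1:-}" = "--run" ]; then
    sigs="${TMPDIR:-/tmp}/shell_sigs.$$"
    report="${REPORT:-/root/shell_scan.txt}"
    write_signatures "$sigs"
    hits=$(write_report "${SCAN_ROOT:-/home}" "$sigs" "$report")
    rm -f "$sigs"
    echo "$hits suspicious PHP file(s) written to $report"
fi
```

Because the signatures are plain strings, anyone who edits the shell can dodge the scan; treat a hit as proof of compromise and a clean run as nothing more than the absence of known shells.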
This is only a partial solution. Real server security goes far beyond this. But PHP did make it easy. Restricting them to /home will prevent their ability to read or access files that are not in /home, i.e. all your system files. Therefore they would not be able to compromise anything.