Hackers using myshell.php and other to gain access.. Need help

Reply Post New Thread In Hosting Security and Technology Subscription
 
Send news tip View All Posts Thread Tools Search this Thread Display Modes
  #1  
Old 04-02-2003, 07:52 PM
quicksols quicksols is offline
WHT Addict
 
Join Date: Jul 2002
Posts: 117

Hackers using myshell.php and other to gain access.. Need help


OK, here is my dilemma.
I do have some resellers, and some of their clients are using scripts like cgishell
or
MyShell 1.1.0 build 20010923"
something like these.

Can someone please tell me the Linux command to go through all the .php files in all home dirs and check for a string?

Like, as an example, there is a file called user.php (which is in reality a shell script like myshell) and they are using it to gain shell access to the system (PHP safe mode ain't helping here). Somehow they get shadow or install something as the nobody user, gain root access, voilà.......

So there is a file in /home/user10/public_html/user.php

However, I do have some strings which are more likely the same, like

$shellUser
$dirLimit = "";
$autoErrorTrap = 1;
$voidCommands = array("top","xterm","su","vi","pico","netscape");
$TexEd = "pico";
$editWrap ="wrap='OFF'";

or
Header('WWW-Authenticate: Basic realm="MyShell"');

This is part of a script.......
So I can trace those.
Just like it detects spam stuff and cPanel sends you an email,
is there a way or a command which will tell me, or I can run a cron every now and then and see who is using shell scripts etc. etc.?
Can someone please write me a command like that? Or any way how to add it into cPanel so cPanel can track it also.

Thanks



  #2  
Old 04-02-2003, 10:44 PM
heyzuess heyzuess is offline
WHT Addict
 
Join Date: Nov 2002
Posts: 151
Re: Hackers using myshell.php and other to gain access.. Need help

Quote:
Originally posted by quicksols
Can someone please tell me the Linux command to go through all the .php files in all home dirs and check for a string?
ah, something like grep?

man grep

  #3  
Old 04-03-2003, 12:11 AM
TowerHost TowerHost is offline
Aspiring Evangelist
 
Join Date: Jun 2002
Location: TO, Ontario, Canada
Posts: 372
Find the user account where the files are stored and suspend it.
Then check logs and see where the file came from - could be another script exploit they used from a user account or an actual user that is using the script.

  #4  
Old 04-03-2003, 01:55 AM
Knogle Knogle is offline
Web Hosting Master
 
Join Date: Feb 2002
Posts: 3,727
I think he's asking how to log on as root, go through every file in the system checking if it has traces of the script's strings, and if it does, probably chmod the file to 700 and write the filename onto a file for review.

__________________
Have you Floble'd today?

  #5  
Old 04-03-2003, 02:51 AM
Gyrbo Gyrbo is offline
Junior Guru
 
Join Date: Jan 2002
Posts: 214
Scripts like these shouldn't be a problem. open_basedir limits them to their own home directory right?

__________________
Web-cp: an open source control panel: http://www.web-cp.net

  #6  
Old 04-03-2003, 04:05 AM
Website Rob Website Rob is offline
learning is in the doing
 
Join Date: Sep 2000
Location: Alberta, Canada
Posts: 3,109
You can do the following and search for one word at a time. This is due to the fact that it could take 10 - 15 minutes for each search and is definitely going to increase your Server load, but not to an unacceptable level if you do one-word searches one at a time.

log in as 'root'

cd / << this will check the whole Server

find -type f -name '*.*' \
-exec grep -s autoErrorTrap {} \; -print

Search word examples would be:

shellUser
dirLimit
autoErrorTrap
voidCommands
TexEd
editWrap
WWW-Authenticate

If any files are found with the search word, shown in bold in the above example, then the file text will be shown and the file path directly underneath it. To save time, as lots & lots of text/files may be found with that search word, you should do this:

find . -type f -name '*.*' \
-exec grep -s autoErrorTrap {} \; -print > search_autoErrorTrap.txt

Continuing with the above example, all results are put into a file called "search_autoErrorTrap.txt" which the above command also creates. By using the same "searchword" for each file name, it will help to know which word you were searching for.

Be patient while this is going on and just wait till the command line shows again. You can then view the file online or download it.

__________________
PotentProducts.com - for all your Hosting needs
Helping people Host, Create and Maintain their Web Site
ServerAdmin Services also available

  #7  
Old 04-03-2003, 04:20 AM
quicksols quicksols is offline
WHT Addict
 
Join Date: Jul 2002
Posts: 117
Thanks all for your help. Yes, mainly I'm looking to check it server-wide. I do know those are .php files; I'm mainly looking to search /home.

By the way, any idea where I can add those strings in cPanel... Just like it filters all email/CGI, check it can check this too.

  #8  
Old 04-03-2003, 04:27 AM
Website Rob Website Rob is offline
learning is in the doing
 
Join Date: Sep 2000
Location: Alberta, Canada
Posts: 3,109
This is not a Control Panel function, as there are still lots of things one has to do manually when one is a Server Admin.


  #9  
Old 04-03-2003, 10:02 AM
TowerHost TowerHost is offline
Aspiring Evangelist
 
Join Date: Jun 2002
Location: TO, Ontario, Canada
Posts: 372
I think open_basedir would solve the problem -

http://www.zend.com/manual/features....i.open-basedir

More security information.

http://www.zend.com/manual/features.safe-mode.php

  #10  
Old 04-03-2003, 02:48 PM
quicksols quicksols is offline
WHT Addict
 
Join Date: Jul 2002
Posts: 117
The open_basedir switch, can I implement it globally?
If yes, how? I'm sorry, I'm not a programmer and I'm bugging you guys a lot.
I did get this string also:

find /home/*/public_html -name '*.php' -print | xargs grep -i -l 'string to find'
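As an added example (not code from the thread), the script below turns Website Rob's one-word-at-a-time find/grep search (post #6) and the xargs one-liner above into a single pass that checks all the MyShell strings quoted in the first post at once, and wraps it for cron. The report directory, the script name and the sample tree are assumptions; the sample files are constructed so the scanner can be tried offline.

```shell
#!/bin/sh
# Signature strings quoted in the thread: MyShell 1.1.0 variable names and its
# HTTP auth realm. Any one of them in a .php file is a strong hint that the
# file is a web shell rather than ordinary site code.
SHELL_SIGNATURES='\$shellUser|\$dirLimit|\$autoErrorTrap|\$voidCommands|\$TexEd|\$editWrap|WWW-Authenticate: Basic realm="MyShell"'

# scan_webshells ROOT: print the path of every .php file under ROOT containing
# at least one signature, one per line. One grep pass checks all signatures,
# so the tree is walked once instead of once per search word.
scan_webshells() {
    find "$1" -type f -name '*.php' -print0 \
        | xargs -0 grep -l -E -e "$SHELL_SIGNATURES" -- 2>/dev/null \
        || true   # grep exits 1 when nothing matches; not an error here
}

# report_webshells ROOT OUTDIR: cron-friendly wrapper that keeps a dated
# report file and also prints findings so cron mails them to root.
report_webshells() {
    out="$2/webshell-scan-$(date +%Y%m%d).txt"
    scan_webshells "$1" | tee "$out"
}

# make_sample_tree DIR: constructed fixture (not a real customer tree) so the
# scanner can be exercised offline.
make_sample_tree() {
    mkdir -p "$1/user10/public_html" "$1/user11/public_html"
    # Constructed shell-like file using two of the MyShell strings.
    cat > "$1/user10/public_html/user.php" <<'EOF'
<?php
$autoErrorTrap = 1;
Header('WWW-Authenticate: Basic realm="MyShell"');
EOF
    # Constructed benign file: ordinary site code, no signatures.
    cat > "$1/user11/public_html/index.php" <<'EOF'
<?php
echo "Welcome to my site";
EOF
}

# Demo run: sh webshell-scan.sh --demo   (real use: scan_webshells /home)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    scan_webshells "$tmp"
    rm -rf "$tmp"
fi
```

A cron entry such as `0 3 * * * sh /root/webshell-scan.sh` with `report_webshells /home /root/reports` at the bottom of the script gives the periodic check asked for in the first post.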

  #11  
Old 04-03-2003, 03:34 PM
sprintserve sprintserve is offline
Retired Moderator
 
Join Date: Jan 2003
Posts: 9,004
Open your php.ini
It's usually found in /usr/local/lib/

Default I believe doesn't have the function at all. So just add

open_basedir = /home

(An example, or wherever your users' partition is)

And all should be fine

__________________
Like us on Facebook to qualify for discounts!
http://www.sprintserve.net
Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
Services: | Managed Multiple Cores 64bit Servers | Server Management |

  #12  
Old 04-03-2003, 09:20 PM
cp1967 cp1967 is offline
Web Hosting Guru
 
Join Date: Jan 2002
Posts: 261
Quote:
Originally posted by sprintserve
Open your php.ini
It's usually found in /usr/local/lib/

Default I believe doesn't have the function at all. So just add

open_basedir = /home

(An example, or wherever your users' partition is)

And all should be fine
What exactly will including "open_basedir = /home" do for php security?

--- > Never mind. I RTFM and figured it out for myself


Last edited by cp1967; 04-03-2003 at 09:56 PM.
  #13  
Old 04-04-2003, 08:28 AM
LinuXpert LinuXpert is offline
Web Hosting Master
 
Join Date: Apr 2002
Posts: 565
Open_basedir only works with PHP so hackers can still use CGIShell (written in Perl) to hack your server.

__________________
AceWebHosting.Com
Cheap Web Hosting - Multiple Domain Hosting - Reseller Hosting - Virtual Private Server


  #14  
Old 04-04-2003, 08:31 AM
sprintserve sprintserve is offline
Retired Moderator
 
Join Date: Jan 2003
Posts: 9,004
That is correct. Take some basic precautions and CGI-shell should not be able to do much.


  #15  
Old 04-04-2003, 09:30 AM
PhilG PhilG is offline
Web Hosting Evangelist
 
Join Date: Feb 2003
Posts: 543
Does open_basedir affect the /tmp directory?

__________________
Off Topic Web Forum - A forum for talking about anything!!
N.Z. Webmaster Community - Are you from New Zealand? Well signup to our forum!!!!
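As an added example, not from the thread, here is a php.ini fragment that puts sprintserve's global setting (post #11) next to the default and addresses the /tmp question just above. The php.ini location is the one given in the thread; the vhost directive at the end assumes Apache with mod_php.

```ini
; php.ini (the thread puts it under /usr/local/lib/)

; Default: no restriction at all. A PHP shell running as "nobody" can read
; any world-readable file on the box, including other customers' files.
;open_basedir =

; Global setting suggested in post #11. open_basedir is a path-prefix check,
; so every PHP script may still read anything under /home, i.e. user10's
; shell can still read /home/user11/... It also blocks /tmp, so sessions
; stored there fail until /tmp is added (the question in post #15).
;open_basedir = /home

; Global baseline: paths are ":"-separated on Unix; the trailing slash makes
; "/home/" match only that tree and not, say, /homebackup.
open_basedir = /home/:/tmp/
session.save_path = /tmp

; Per-account tightening belongs in each Apache vhost (mod_php), for example:
;   php_admin_value open_basedir "/home/user10/:/tmp/"
; As LinuXpert notes above, none of this affects Perl/CGI scripts.
```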
