Results 1 to 39 of 39
  1. #1

    Question Hackers using myshell.php and other to gain access.. Need help

    OK here is my delimma
    i do ve some resellers and some of there clients are using scripts like cgishell
    or
    MyShell 1.1.0 build 20010923"
    somethign like these.

    Can please some one tell me the linux command to go through all the .php files in all homedirs and check for a string?

    like as an example there is a file called user.php (which is in reality a shell script like myshell) and they r using it to gain shell access to the system ( php safe mode aint helping here) some how they get shadow or install something as nobody user gain root access wolaaaa.......

    SO there is a file in /home/user10/public_html/user.php

    however i do have some strings which are more likely same. like

    $shellUser
    $dirLimit = "";
    $autoErrorTrap = 1;
    $voidCommands = array("top","xterm","su","vi","pico","netscape");
    $TexEd = "pico";
    $editWrap ="wrap='OFF'";

    or
    Header('WWW-Authenticate: Basic realm="MyShell"');

    this is part of a script.......
    so i can trace those
    just like it detect spam stuff and cpanel send u email
    Is there a way or a command which will tell me or i can run a cron every now and then and see whois suing shell scripts etc etc
    Can some one please write me a command like that. or any way how to add it into cpanel so cpanel can track it also

    Thanks

  2. #2

    Re: Hackers using myshell.php and other to gain access.. Need help

    Originally posted by quicksols
    Can please some one tell me the linux command to go through all the .php files in all homedirs and check for a string?
    ah, something like grep?

    man grep

  3. #3
    Join Date
    Jun 2002
    Location
    TO, Ontario, Canada
    Posts
    372
    Find the user account where the files are stored and suspend it.
    Then check logs and see where the file came from - could be another script exploit they used from a user account or an actual user that is using the script.

  4. #4
    Join Date
    Feb 2002
    Posts
    3,727
    I think he's asking how to logon as root, go through every file in the system checking if it has traces of the script's strings, and if it does, probably chmod the file to 700 and write the filename onto a file for review.
    Have you Floble'd today?

  5. #5
    Scripts like these shouldn't be a problem. open_basedir limits them to their own home directory right?
    Web-cp: an open source control panel: http://www.web-cp.net

  6. #6
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,109
    You can do the following and search for one word at a time. This is due to the fact that it could take 10 - 15 minutes for each search and is definitely going to increase your Server load, but not to an un-acceptable level if you do one word search at a time.

    log in as 'root'

    cd / << this will check the whole Server

    find -type f -name '*.*' \
    -exec grep -s autoErrorTrap {} \; -print

    Search word examples would be:

    shellUser
    dirLimit
    autoErrorTrap
    voidCommands
    TexEd
    editWrap
    WWW-Authenticate

    If any files are found with the search word, shown in bold in the above example, then the file text will be shown and the file path directly underneath it. To save time, as lots & lots of text/files maybe found with that search word, you should do this:

    find . -type f -name '*.*' \
    -exec grep -s autoErrorTrap {} \; -print > search_autoErrorTrap.txt

    Continuing with the above example, all results are put into a file called "search_autoErrorTrap.txt" which the above command also creates. By using the same "searchword" for each file name, it will help to know which word you were searching for.

    Be paitent while this is going on and just wait till the command line shows again. You can then view the file online or download it.
    PotentProducts.com - for all your Hosting needs
    Helping people Host, Create and Maintain their Web Site
    ServerAdmin Services also available

  7. #7
    Thanks all for your help. Yes mainly i m looking to check it server wide. I do know those are .php files mainly looking to search for /home

    By the way any idea where can i add those strings in CPANEL ... Just like it filter all EMAIL cgi check it can check this tooo

  8. #8
    Join Date
    Sep 2000
    Location
    Alberta, Canada
    Posts
    3,109
    This is not a Control Panel function as there as still lots of things one has to do manually, when one is a Server Admin.
    PotentProducts.com - for all your Hosting needs
    Helping people Host, Create and Maintain their Web Site
    ServerAdmin Services also available

  9. #9
    Join Date
    Jun 2002
    Location
    TO, Ontario, Canada
    Posts
    372
    I thik open_basedir would solve the problem -

    http://www.zend.com/manual/features....i.open-basedir

    More security information.

    http://www.zend.com/manual/features.safe-mode.php

  10. #10
    openbase dir switch can i implement it globally?
    If yes how i m sorry i m not a programmer and bugging u guys a lot
    I did got this string also

    find /home/*/public_html -name '*.php' -print | xargs grep -i -l 'dtinrg to find'

  11. #11
    Open your php.ini
    It's usually found in /usr/local/lib/

    Default I believe doesn't have the function at all. So just add

    open_basedir = /home

    (An example, or whereever your users partition is)

    And all should be fine
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  12. #12
    Originally posted by sprintserve
    Open your php.ini
    It's usually found in /usr/local/lib/

    Default I believe doesn't have the function at all. So just add

    open_basedir = /home

    (An example, or whereever your users partition is)

    And all should be fine
    What exactly will including "open_basedir = /home" do for php security?

    --- > Nevermind. I RTFM and figured it out for myself
    Last edited by cp1967; 04-03-2003 at 09:56 PM.

  13. #13
    Open_basedir only works with PHP so hackers can still use CGIShell (written in Perl) to hack your server.
    AceWebHosting.Com
    Cheap Web Hosting - Multiple Domain Hosting - Reseller Hosting - Virtual Private Server

  14. #14
    That is correct. Take some basic precautions and CGI-shell should not be able to do much.
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  15. #15
    Join Date
    Feb 2003
    Posts
    543
    does open_basedir affect the /tmp directory.
    Off Topic Web Forum - A forum for talking about anything!!
    N.Z. Webmaster Community - Are you from New Zealand? Well signup to our forum!!!!

  16. #16
    Yes it will if you don't tweak it, as /home is outside of /tmp. It is the same with safe mode.
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  17. #17
    Join Date
    Feb 2003
    Posts
    543
    so its a good idea to have:

    open_basedir = /home:/tmp

    on a linux based system..
    Off Topic Web Forum - A forum for talking about anything!!
    N.Z. Webmaster Community - Are you from New Zealand? Well signup to our forum!!!!

  18. #18
    Join Date
    Feb 2003
    Posts
    543
    also can this command be added to the virtualhost in http.conf? That would be ideal!
    Off Topic Web Forum - A forum for talking about anything!!
    N.Z. Webmaster Community - Are you from New Zealand? Well signup to our forum!!!!

  19. #19
    Or: You can simply setup PHP to use another tmp directory. For example /home/tmp
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  20. #20
    Originally posted by PhilG
    also can this command be added to the virtualhost in http.conf? That would be ideal!
    Yes, this is possible. I believe it is php_admin_value open_basedir /home/domain1:/tmp
    Web-cp: an open source control panel: http://www.web-cp.net

  21. #21
    Originally posted by PhilG
    also can this command be added to the virtualhost in http.conf? That would be ideal!
    Yes and you should do that, it's more secure if you restrict each user to their home dir, on cpanel server you can add

    php_admin_value safe_mode 0
    php_admin_value open_basedir "/home/user/:/tmp/"

    to each virtual host configuration in httpd.conf.
    AceWebHosting.Com
    Cheap Web Hosting - Multiple Domain Hosting - Reseller Hosting - Virtual Private Server

  22. #22
    If you are going to restrict all users then it make sense to make it global and using only the httpd.conf as exclusions... That will be how I would set it up.
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  23. #23
    OK lemme ask you this....
    #1 How to set it Globally
    #2 If we set open_base globally and restrict them to /home or /tmp will it secure the server from phpshell scripts???

  24. #24
    This is only a partial solution. Real server security goes far beyond this. But php did make it easy. Restricting them to /home will prevent though their ability to read or access files that's not in /home i.e all your system files. Therefore they would not be able to compromise anything.

    To set it global you amend it in php.ini.
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  25. #25
    Sorry to be too dumb
    but can u tell me again what excatly i should change in php.ini
    and what about /tmp then

  26. #26
    Please reread the whole thread
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  27. #27
    Originally posted by quicksols

    #2 If we set open_base globally and restrict them to /home or /tmp will it secure the server from phpshell scripts???
    Nope, hackers can still open your customers' files, if they run a PHPShell script on user1 they can still open user2's files for example: /home/user2/www/forums/config.php and they will know user2's MySQL password, etc. As I said before you should restrict users to their home directory (and /tmp) then phpshell scripts can do nothing with your server.
    AceWebHosting.Com
    Cheap Web Hosting - Multiple Domain Hosting - Reseller Hosting - Virtual Private Server

  28. #28
    Join Date
    Nov 2002
    Location
    Toronto, ON
    Posts
    441
    Originally posted by NetworksData
    Nope, hackers can still open your customers' files, if they run a PHPShell script on user1 they can still open user2's files for example: /home/user2/www/forums/config.php and they will know user2's MySQL password, etc. As I said before you should restrict users to their home directory (and /tmp) then phpshell scripts can do nothing with your server.
    Yes but that does not cover all your bases, proper permissions should be set for home and the users in it not to allow others to view.
    http://www.spingen.com :: Internet Solutions
    Multiple Domain Hosting Packages
    msn: [email protected]

  29. #29
    Originally posted by NetworksData
    Nope, hackers can still open your customers' files, if they run a PHPShell script on user1 they can still open user2's files for example: /home/user2/www/forums/config.php and they will know user2's MySQL password, etc. As I said before you should restrict users to their home directory (and /tmp) then phpshell scripts can do nothing with your server.
    Not if you set the permissions properly.
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  30. #30
    I had something similiar, finds out that it was a trojan horse.

    Try "locate ..." if return any results, you might be infected.

  31. #31
    Originally posted by sprintserve
    Not if you set the permissions properly.
    Yes, that's right. Just remember that phpshell will run as web server's uid so anything the webserver's uid can read then phpshell can read
    AceWebHosting.Com
    Cheap Web Hosting - Multiple Domain Hosting - Reseller Hosting - Virtual Private Server

  32. #32
    There is only one way to really secure PHP and that is running it as CGI with a wrapper like suExec or CGIWrap.
    Web-cp: an open source control panel: http://www.web-cp.net

  33. #33
    Join Date
    Nov 2000
    Location
    Austin, TX
    Posts
    415
    Originally posted by sprintserve
    Not if you set the permissions properly.
    You're only partially right. A phpshell type of script would run as user nobody, allowing it to read every file that is readable by the web server, which is just about every file in a web hosting environment. The optimal way of doing this is to add the open_basedir to every virtual host, restricting it to the user's folder and tmp...or even better, set the tmp dir variable to a folder within the user's tree.
    Justin Bachus
    BlastHosting, LLC - Professional web hosting at a low price with
    PHP, MySQL, FreeBSD, and more!
    http://www.blasthosting.com

  34. #34
    Join Date
    Sep 2002
    Location
    Washington DC
    Posts
    2,514
    also there is phpsuexec, which runs php under the users own UID. CPanel offers this feature now.

  35. #35
    Join Date
    Nov 2000
    Location
    Austin, TX
    Posts
    415
    Originally posted by alapo
    also there is phpsuexec, which runs php under the users own UID. CPanel offers this feature now.
    That requires php to be run as a cgi module which considerably slows it down.
    Justin Bachus
    BlastHosting, LLC - Professional web hosting at a low price with
    PHP, MySQL, FreeBSD, and more!
    http://www.blasthosting.com

  36. #36
    Originally posted by jw
    That requires php to be run as a cgi module which considerably slows it down.
    That's the price you have to pay for security.
    Web-cp: an open source control panel: http://www.web-cp.net

  37. #37
    Join Date
    Jun 2002
    Posts
    80
    Originally posted by NetworksData
    Yes and you should do that, it's more secure if you restrict each user to their home dir, on cpanel server you can add

    php_admin_value safe_mode 0
    php_admin_value open_basedir "/home/user/:/tmp/"

    to each virtual host configuration in httpd.conf.
    Is there a setting in cpanel or whm? or you have to do it manually by modifying the httpd.conf file?

    Thanks.

  38. #38
    you have to manually edit httpd.conf
    Like us on Facebook to qualify for discounts!
    http://www.sprintserve.net
    Offering: | Internap FCP Bandwidth! | Rebootless Kernel Updates! | Magento Optimized Hosting | Wordpress Hosting |
    Services: | Managed Multiple Cores 64bit Servers | Server Management |

  39. #39
    Join Date
    Jun 2002
    Posts
    80
    Can you do something like

    <Directory "/home/*/">
    php_admin_value safe_mode 0
    php_admin_value open_basedir "/home/user/:/tmp/"
    </Directory>

    Will it work?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •