  #1 (Joined Jul 2013, 63 posts)

    How to stop uploading malicious script

    Hi,

    I guess this is the perfect section to raise this thread in; alright, here's what I am looking for expert suggestions on:

    We have "Shared Hosting Nodes" which usually have some good customers, some abusers, and some hackers or booter-hosting users (unknowingly). So my question is: how do I stop these "hackers" from uploading shells or any malicious scripts onto our space? Usually a shell doesn't work, as the servers are properly protected, but it gives me nightmares when I just dream about what happens if it gets hacked :| as hackers are unstoppable.

    Is there anything we can use to stop these scripts or shells before they are uploaded to the server? Also, something that is not too resource-unfriendly, or else the server will load up: people upload lots of files daily, every minute, which can increase server load if it keeps scanning everything.

    We have also set up a weekly cron for ClamAV, but that doesn't help, as in a week we get almost 50 new shared hosting customers :|

  #2 (Joined Apr 2003, Atlanta, Jawja, 3,066 posts)
    First rule of thumb: EDUCATE YOUR CUSTOMERS. Stress the importance of them keeping all third party scripts up to date. Encourage them to join notification mailing lists for the various scripts they run so when an identified security hole is released, they can patch accordingly.

    Second rule of thumb: BE ACCESSIBLE TO YOUR CUSTOMERS. The more methods they have of interacting with you (email, tickets, forums, social media, etc), the more likely they're going to be to let you know when they see something suspicious.

    Third rule of thumb: COMMUNICATE WITH YOUR CUSTOMERS. The more you can foster a happy neighborhood/community type feel, the better chances you have of your customers working with not only you, but each other, to help look out for each other.

    Fourth rule of thumb: BE HONEST WITH YOUR CUSTOMERS. This one gets most hosting providers in trouble if they're not honest or up front with customers. Your customers may not all want to know the nitty gritty details, but if you don't shy away from the tough questions and are honest with them, this will go a long way for strengthening your provider <-> client relationships.

    ClamAV is an anti-virus for email, not for detecting potential exploits. You'll want to install RKHunter and probably a few other scripts to monitor for suspicious activity (such as ports being opened or unusual traffic patterns coming into or going out of your box). I would suggest you contact a server management company, explain your concerns, and see what they would recommend. Most people do tend to offer SOME free advice/recommendations.

    Good luck!
    Douglas Hazard - Certifiable Sports Junkie and Sports Community Enthusiast

    Host of Two Cents Radio - Follow @TwoCentsRadio on Twitter (@BearlyDoug on Twitter)

  #3 (Joined Apr 2013, Data center, 539 posts)
    How to stop them? Shut down your server.

    There can always be vulnerabilities, and therefore don't assume you can do X, Y and Z to make it completely secure.

    You just have to keep a lookout on things and maybe toughen your server settings.

  #4 (Joined Sep 2010, /usr/bin/fail, 858 posts)
    You might look at MalDet and set it running in realtime mode. Then it will scan files as they are uploaded.

    http://www.rfxn.com/projects/linux-malware-detect/

    It's not going to stop everything but it will help.
    Last edited by FLDataTeK; 09-24-2013 at 01:09 PM. Reason: added link

  #5 (Joined May 2013, 293 posts)
    Quote Originally Posted by CN-Jeremy:
    You might look at MalDet and set it running in realtime mode. Then it will scan files as they are uploaded.

    http://www.rfxn.com/projects/linux-malware-detect/

    It's not going to stop everything but it will help.
    How to set it running in realtime mode?
    Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.
    Saint Michael the Archangel, defend us in battle; be our protection against the wickedness and snares of the devil. May God rebuke him, we humbly pray; and do thou, O Prince of the heavenly host, by the power of God, cast into hell Satan and all the evil spirits who prowl about the world seeking the ruin of souls. Amen.

  #6 (Joined Sep 2010, /usr/bin/fail, 858 posts)
    It's in chapter 11 of the readme.

    .: 11 [ INOTIFY MONITORING ]

    The inotify monitoring feature is designed to monitor users in real-time for file creation/modify/move operations. This option requires a kernel that supports inotify_watch (CONFIG_INOTIFY) which is found in kernels 2.6.13+ and CentOS/RHEL 5 by default. If you are running CentOS 4 you should consider an inbox upgrade with: http://www.rfxn.com/upgrade-centos-4-8-to-5-3/

    There are three modes that the monitor can be executed with and they relate to what will be monitored, they are USERS|PATHS|FILES.

    e.g: maldet --monitor users
    e.g: maldet --monitor /root/monitor_paths
    e.g: maldet --monitor /home/mike,/home/ashton

    The options break down as follows:
    USERS - The users option will take the homedirs of all system users that are above inotify_minuid and monitor them. If inotify_webdir is set then the users webdir, if it exists, will only be monitored.
    PATHS - A comma spaced list of paths to monitor
    FILE - A line spaced file list of paths to monitor

  #7 (Joined Jul 2013, 63 posts)
    Quote Originally Posted by Douglas:
    First rule of thumb: EDUCATE YOUR CUSTOMERS. Stress the importance of them keeping all third party scripts up to date. Encourage them to join notification mailing lists for the various scripts they run so when an identified security hole is released, they can patch accordingly.

    Second rule of thumb: BE ACCESSIBLE TO YOUR CUSTOMERS. The more methods they have of interacting with you (email, tickets, forums, social media, etc), the more likely they're going to be to let you know when they see something suspicious.

    Third rule of thumb: COMMUNICATE WITH YOUR CUSTOMERS. The more you can foster a happy neighborhood/community type feel, the better chances you have of your customers working with not only you, but each other, to help look out for each other.

    Fourth rule of thumb: BE HONEST WITH YOUR CUSTOMERS. This one gets most hosting providers in trouble if they're not honest or up front with customers. Your customers may not all want to know the nitty gritty details, but if you don't shy away from the tough questions and are honest with them, this will go a long way for strengthening your provider <-> client relationships.

    ClamAV is an anti-virus for email, not for detecting potential exploits. You'll want to install RKHunter and probably a few other scripts to monitor for suspicious activity (such as ports being opened or unusual traffic patterns coming into or going out of your box). I would suggest you contact a server management company, explain your concerns, and see what they would recommend. Most people do tend to offer SOME free advice/recommendations.

    Good luck!
    Good read. Thanks for your points, mate; I have made a note of them.

    Quote Originally Posted by CN-Jeremy:
    You might look at MalDet and set it running in realtime mode. Then it will scan files as they are uploaded.

    http://www.rfxn.com/projects/linux-malware-detect/

    It's not going to stop everything but it will help.
    Thanks, it helps; at least it will help to reduce them instead of stopping them.

  #8 (Joined Jul 2013, 63 posts)
    Just wondering, how is this: http://configserver.com/cp/exploit.html ? Does it work well?

  #9 (Joined Apr 2003, Atlanta, Jawja, 3,066 posts)
    CS puts out a good product. Yes, add that to your arsenal.

  #10 (Joined Jul 2013, 63 posts)
    Quote Originally Posted by Douglas:
    CS puts out a good product. Yes, add that to your arsenal.
    Thanks man, it works very well.

    Mods can close the thread.

  #11 (Joined Apr 2005, 45 posts)

    Maldet will fail in so many cases.

    Reliance on signatures has proven to be a very bad thing. Even AV companies admit it.

    With scripting, e.g. PHP, it is enough to change one symbol in a script and it would be undetectable by Maldet.
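As an added illustration of the point made in post #11 (and of why the real-time scanning suggested in posts #4 and #6 reduces rather than stops uploaded shells), the following Python script is example code written for this page; it is not part of the thread and not maldet's or ClamAV's implementation. The web shell samples are constructed (a minimal eval/base64_decode shell and a few one-token mutations of it), and the four detectors are toy versions of hash, normalized-hash, literal-string and sink/source-heuristic matching; the sink and source lists are an assumption chosen for the demo, not any scanner's real signature set.

```python
"""Why byte-exact signatures miss trivially mutated PHP web shells.

Added example: constructed samples, toy detectors. Not maldet's code.
"""
import hashlib
import re

# Constructed samples (assumption: a minimal eval/base64 web shell and variants).
ORIGINAL = b"<?php eval(base64_decode($_POST['c'])); ?>"
MUTATED_WHITESPACE = b"<?php eval( base64_decode( $_POST['c'] ) ); ?>"
MUTATED_COMMENT = b"<?php eval(/*x*/base64_decode($_POST['c'])); ?>"
MUTATED_SPLIT = b"<?php $f='base64'.'_decode'; eval($f($_POST['c'])); ?>"
EVASIVE = b"<?php $s='_P'.'OST'; eval(${$s}['c']); ?>"
BENIGN = b"<?php echo base64_encode('hello'); ?>"

SAMPLES = {
    "original": ORIGINAL,
    "whitespace": MUTATED_WHITESPACE,
    "comment": MUTATED_COMMENT,
    "split_string": MUTATED_SPLIT,
    "evasive": EVASIVE,
    "benign": BENIGN,
}

_COMMENT_RE = re.compile(rb"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def normalize(blob):
    """Crude PHP normalizer: strip comments and whitespace, join 'a'.'b'
    string literals, lowercase. Simplification: it would also eat the tail
    of a URL such as http://... that appears inside a string literal."""
    blob = _COMMENT_RE.sub(b"", blob)
    blob = re.sub(rb"\s+", b"", blob)
    blob = re.sub(rb"'\.'", b"", blob)
    return blob.lower()


# Detector 1: SHA-256 of the one known sample (byte-exact).
HASH_SIGS = {hashlib.sha256(ORIGINAL).hexdigest()}
# Detector 2: SHA-256 of the normalized sample (survives whitespace/comments).
NORM_HASH_SIGS = {hashlib.sha256(normalize(ORIGINAL)).hexdigest()}
# Detector 3: literal substring signature.
STRING_SIGS = (b"eval(base64_decode(",)
# Detector 4: heuristic, an execution sink plus request-controlled input.
# Assumed lists for the demo, not a scanner's real ruleset.
SINKS = (b"eval(", b"assert(", b"system(", b"passthru(", b"shell_exec(",
         b"popen(", b"proc_open(", b"create_function(")
SOURCES = (b"$_post", b"$_get", b"$_request", b"$_cookie", b"php://input")


def hash_match(blob):
    return hashlib.sha256(blob).hexdigest() in HASH_SIGS


def norm_hash_match(blob):
    return hashlib.sha256(normalize(blob)).hexdigest() in NORM_HASH_SIGS


def string_match(blob):
    return any(sig in blob for sig in STRING_SIGS)


def heuristic_match(blob):
    n = normalize(blob)
    return any(s in n for s in SINKS) and any(s in n for s in SOURCES)


DETECTORS = {
    "hash": hash_match,
    "normalized_hash": norm_hash_match,
    "string": string_match,
    "heuristic": heuristic_match,
}


def scan(blob):
    """Run every detector over one file body; returns {detector: hit?}."""
    return {name: fn(blob) for name, fn in DETECTORS.items()}


def scan_all():
    """Scan every constructed sample; returns {label: {detector: hit?}}."""
    return {label: scan(blob) for label, blob in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in scan_all().items():
        flags = ", ".join(f"{k}={'HIT' if v else 'miss'}" for k, v in result.items())
        print(f"{label:12s} {flags}")
```

Run it and the table shows the escalation: the byte-exact hash only catches the original, adding a space or a comment defeats both the hash and the literal string, the normalized hash survives those two but not a renamed call built from concatenated strings, and the sink/source heuristic catches all four shell variants while still ignoring the benign file; it is, in turn, defeated by the last sample, which builds the superglobal name at runtime. That is the practical reading of post #11: each layer of normalization buys robustness against one class of edit, none of them makes a signature scanner a boundary, so real-time scanning belongs beside per-account isolation and patched customer scripts rather than in place of them.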
