In one of our servers I found a file in one of the clients' directories called phpshell! I got a notification when the user was trying to run it. I contacted the user and he denies it was him! Now I want to know if there is any possible way of putting this file there without having FTP! Does anyone know what it is?
It can be uploaded via any PHP script, or CGI script, or something insecure that runs SSI commands, FTP, shell, FrontPage (if you offer it), a control panel interface or file manager, etc. Also, that one script might be it. Someone also might have guessed their password. It's hard to say without checking the logs. Check the FTP logs to see if it was uploaded, their command history file if they have shell, control panel access logs, and web access logs, and look for any indications there. Someone uploaded it somehow. Check the time stamp to see (if it's at all true) how long ago it was modified, unless you've removed it or modified it since.
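As an added example that is not part of the thread, this script does the timestamp and web-access-log check the reply suggests: it lists PHP files under a client web root modified in the last N days and pulls the combined-format access-log lines that requested each one, so the drop can be dated and tied to a requesting IP. The web root, file names, and log lines are constructed fixtures; `-mtime` and combined-log field positions are standard `find` and Apache/Nginx conventions.

```shell
#!/bin/sh
# Added example, not from the thread: tie a recently modified PHP file under a
# client web root back to the access-log requests that hit it, so an upload can
# be dated and matched to the requesting IP. All paths and log lines below are
# constructed sample data.
set -eu

# List PHP files modified within the last $2 days under web root $1.
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime "-$2"
}

# Print every access-log ($2) line whose request path (query string stripped)
# equals URL path $1. In combined log format the path is awk field 7.
requests_for_path() {
    awk -v p="$1" '{ split($7, u, "?"); if (u[1] == p) print }' "$2"
}

# Client IP of the earliest logged request to URL path $1 in log $2.
first_hit_ip() {
    requests_for_path "$1" "$2" | awk 'NR == 1 { print $1 }'
}

# Walk the recent files and show the log hits for each, turning the web-root
# prefix back into the URL path the server would have logged.
triage() {   # $1 = web root, $2 = access log, $3 = days
    recent_php_files "$1" "$3" | while IFS= read -r f; do
        rel="/${f#"$1"/}"
        printf '== %s (first hit from %s)\n' "$f" "$(first_hit_ip "$rel" "$2")"
        requests_for_path "$rel" "$2"
    done
}

# Constructed fixture: a 30-day-old legitimate script and a freshly dropped file.
WORK=$(mktemp -d); WEBROOT="$WORK/public_html"; ACCESS_LOG="$WORK/access_log"
mkdir -p "$WEBROOT/images"
printf '<?php /* legitimate site code (placeholder) */ ?>\n' > "$WEBROOT/index.php"
printf '<?php /* constructed stand-in for the dropped file */ ?>\n' > "$WEBROOT/images/phpshell.php"
touch -d '30 days ago' "$WEBROOT/index.php" 2>/dev/null || touch -t 202301010000 "$WEBROOT/index.php"
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.7 - - [10/Mar/2024:02:13:50 +0000] "POST /uploader.php HTTP/1.1" 200 88
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "GET /images/phpshell.php?x=1 HTTP/1.1" 200 512
198.51.100.4 - - [10/Mar/2024:08:00:01 +0000] "GET /index.php HTTP/1.1" 200 1024
EOF

triage "$WEBROOT" "$ACCESS_LOG" 7
```

On a real server, point `triage` at the client's document root and the virtual host's access log; the request that immediately precedes the first hit on the dropped file (here a POST to an upload script from the same IP) is usually the upload path to look at.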
Thank you so much for comments.
I am using a program to stop hackers of this nature; the program has removed two files about this incident. One is the phpshell.php from the client directory, the other is a .pl file which I have the source of. Is it safe if I post the source here?
While a program or some type of scanning tool might help locate scripts that have a specific file name or string, you're going to have to manually check for any it didn't detect, since it's not possible for it to find all the scripts. You should consider taking some measures to prevent this from being repeated or from causing a problem on your server if someone (say a client, even) tried to run it. I don't see why it would be a problem attaching the script to the thread/post, but I don't see the point.
Seems like I am the activist for Chkrootkit and Root Kit Hunter lately... lol
Anyway go and download those two scripts and install them on your server. Set up a cron to run them each night and to email you the findings. This will help you to determine if your box has been rooted or not.
Google "Chkrootkit" and "Root Kit Hunter" for the web site addresses of the scripts.
Hopefully the scripts find nothing!
While I'm a firm believer in using both chkrootkit and root kit hunter, they detect ROOT KITS.
They do not detect some of the other types of hacks; and this can lead to a false sense of security.
Security needs to be done in practical, manageable layers which are checked throughout the day.
Some of those layers should include securing /tmp, /var/tmp, /dev/shm (if Linux-based), setting root-only access to compilers and fetch-like utilities, and using mod_security with a good rule set that works with your customer and user base.
I recommend setting policies for the passwords, so they will be rejected if they try and set them to a weak password. Of course, if you have a control panel interface that doesn't allow you to do this, it's probably not much of an option unless you consider creating your own addon/module with its API, if it has one, and replace the password change feature with your own.
I wouldn't imagine the "hole" in this case was very relevant, as it was likely a script that allowed someone access or a weak password. Perhaps I'm wrong about it, but I'd bet money it was a common cause that's not specific, like a vulnerable script.