  1. #1

    How to find malicious shell scripts on a server

    Hi,
    Does anyone know if there is any tool for finding malicious shell scripts on a Linux server?

    It is unfortunate, but some hosted clients have insecure scripts installed that allow uploading of files by malicious hackers. In particular, some PHP scripts give them shell access.

    Not really the clients' fault, but exploits found in popular CMS applications do happen frequently.

    Is there anything I can run on a regular basis to find these, bearing in mind they don't all have the same filename, so I need to identify them some other way?

    Failing that, is there a way to stop any PHP script from having shell access in the first place?

    I am sure there are many here who would like to know how to do this.

    Many thanks,

    - Vince

  2. #2
    In your php.ini: disable_functions = shell_exec

    Restart apache after making the change.

  3. #3
    Hire a server management company or do a lot of research into how to properly secure php, mysql, and apache (plus other server hardening steps).

  4. #4
    Quote Originally Posted by thetimehascome
    In your php.ini: disable_functions = shell_exec

    Restart apache after making the change.
    Hello,

    I have tried this but the file is still allowed to be executed. The file that I am recently experiencing this with is phpremoteview. I have the server configured so that they can't get past the directory that it is loaded in, but it still makes a headache.

    Any other ideas? I have been researching this for some time and can't get it licked. Every time I think I do, I go about 3-5 months and it surfaces again.

    Thanks for any and all advice here.

    Jonathan

  5. #5
    shell_exec won't stop much, since they use most of the important PHP functions in their scripts these days, so they're hard to stop. You can set up a good mod_security ruleset which can stop most malicious PHP-based scripts.

  6. #6
    disable_functions = system,exec,passthru,popen,escapeshellcmd,shell_exec
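
    An added example, not from any poster in this thread: a fuller disable_functions line than the two posted above, as a starting point a practitioner might use. Whether each entry is safe to disable depends on what your clients' software calls. escapeshellcmd from the list above only escapes a string and runs nothing, so it is left out here. Two things worth checking before concluding the setting "doesn't work": Apache's PHP reads its own php.ini (the path is shown by phpinfo() served through Apache, and it can differ from what the php command-line binary reads), and the backtick operator is only disabled once shell_exec is in the list.

```ini
; php.ini: the copy that Apache's PHP actually loads (confirm the path with phpinfo()).
; Added example for this thread, not any poster's configuration.
; Functions that spawn processes or load code into the interpreter:
disable_functions = system,exec,passthru,shell_exec,popen,proc_open,pcntl_exec,dl
; Restart Apache afterwards and confirm the effective value in the
; "disable_functions" row of phpinfo(), served through Apache, not via php -i.
```

    A disabled function shows up as undefined to the script (function_exists() returns false for it), so a shell that relies on system() simply fails; one that relies on something you left enabled does not.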

  7. #7
    You've gotten advice about stopping the hacker before they get in, which is the best option. But since you also asked about finding hacked files, I'd suggest an intrusion detection system. That is if you can install software on the server you're using.

    Things like samhain and tripwire are very effective at catching any changes in the files you specify, or in detecting additions to directories you want monitored, but you'll need root access to install something like that. Also I'm not sure how tightly these programs bind to system calls and kernel structures (I know samhain can be compiled to monitor the kernel), so you might have difficulties or limited functionality if you're running a VPS.

    There's also chkrootkit, which you might try. It doesn't run continuously like samhain or tripwire, but it should work in a VPS.

    Finally, if you want to hunt for things manually, and you're on a *NIX system, you could use 'find'. It has options to look for files that have been created or modified after a certain time, or are owned by a particular user. You'd probably get a lot of info you'd have to weed through to find the files you were interested in, but it would work even if you don't have root access. And you don't have to install any software yourself.
    Andrew
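
    Here is the manual hunt from the post above carried a step further, as an added example that is not any poster's script: instead of looking only at mtime or owner, it combines a recency filter with a content match, because the thread's problem is that the shells do not share filenames. The signature patterns and the sample web root are constructed for the demo; treat the patterns as a starting set and extend them from what actually turns up on your hosts.

```sh
#!/bin/sh
# Added example for this thread (not any poster's script). Hunts for PHP web
# shells by what they contain and when they changed, not by filename.
# Signatures are a constructed starting set; extend them from what you find.

# Write the signature file (one extended regex per line) and print its path.
# Each line is something rare in legitimate CMS code but common in dropped shells:
#   1. eval() fed by a decoder (base64_decode/gzinflate/gzuncompress/str_rot13)
#   2. a command-execution function fed straight from request input
#   3. preg_replace() with the /e modifier, which evaluates the replacement (PHP < 7)
write_signatures() {
    sigs=$(mktemp)
    cat > "$sigs" <<'EOF'
eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)
(system|exec|passthru|shell_exec|popen|proc_open)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)
preg_replace[[:space:]]*\(.*/[a-z]*e[a-z]*['"][[:space:]]*,
EOF
    echo "$sigs"
}

# scan_webshells DIR [DAYS]: list PHP-ish files under DIR modified in the last
# DAYS days (default 30) that match any signature. Prints one path per line.
scan_webshells() {
    dir=$1
    days=${2:-30}
    sigs=$(write_signatures)
    find "$dir" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' -o -name '*.inc' \) \
        -mtime "-$days" \
        -exec grep -l -E -f "$sigs" {} + 2>/dev/null || true
    rm -f "$sigs"
}

# make_sample_webroot: constructed demo tree with one clean file and three
# shell-like files, so the scan can run offline. Prints the root directory.
make_sample_webroot() {
    root=$(mktemp -d)
    mkdir -p "$root/blog/wp-content/uploads"
    # benign
    printf '<?php\necho "hello";\n' > "$root/blog/index.php"
    # obfuscated eval fed from POST, dropped into the uploads directory
    printf '<?php\neval(base64_decode($_POST["c"]));\n' > "$root/blog/wp-content/uploads/img.php"
    # command execution straight from the query string, hidden in a dot-file
    printf '<?php\nsystem($_GET["cmd"]);\n' > "$root/blog/.cache.php"
    # preg_replace /e modifier: the replacement string is evaluated as PHP
    printf '<?php\npreg_replace("/.*/e", $_REQUEST["x"], "");\n' > "$root/blog/footer.inc"
    echo "$root"
}

# On a real box: scan_webshells /home 7 | xargs ls -l
# Demo run on the constructed tree:
root=$(make_sample_webroot)
scan_webshells "$root"
rm -rf "$root"
```

    The scan lists only files, so pipe the result through `xargs ls -l` to see owner and mtime; a PHP file owned by the web server user (nobody/apache) inside an uploads directory is usually the dropper's work, since a client editing through FTP leaves files owned by the account. Expect some false positives from plugins that legitimately use base64_decode, and expect misses against shells that build their function names from strings, which is why the other replies push prevention (mod_security, disabled functions) alongside detection.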

  8. #8
    Some of these sound like important system needs; I guess I will research them all.

    I have full root access and can add anything that is needed. I have rkhunter; is that different from chkrootkit?

    So far you all seem to be a great help. I am not sure why I have not been here more.

  9. #9
    Weird - my more recent reply seems to have been deleted. Where did it go?

  10. #10
    Here are some more ideas:
    • if you don't give your clients SSH access, restrict access to wget, curl, locate and similar utilities if they are installed on your server.
    • make sure you mount the world-writable tmp partition with noexec.
    • if possible, consider using PHP compiled as a CGI rather than as an Apache module.

    Just my 2 cents...
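
    The noexec tmp mount from the list above, written out as an added example (not the poster's own configuration). The size is an assumption; pick one for your box.

```fstab
# /etc/fstab: a tmpfs /tmp that cannot hold executables, setuid binaries or device nodes
tmpfs   /tmp   tmpfs   defaults,noexec,nosuid,nodev,size=512m   0 0
```

    To apply it without a reboot on an existing /tmp partition, `mount -o remount,noexec,nosuid,nodev /tmp`. Two caveats: noexec only refuses to run `/tmp/x` directly, so `perl /tmp/x.pl` or `sh /tmp/x.sh` still work and the mount option is a speed bump, not a wall; and /var/tmp and /dev/shm are also world-writable, so give them the same treatment. Some installers and package builds compile in /tmp and will fail under noexec; point them at another directory via TMPDIR.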

  11. #11
    You may want to look into hiring a professional such as: http://www.configserver.com/cp/cpanel.html or similar. This is money well spent IMHO especially if you start learning how each of these tools can help you well into the future.

    Good luck!

  12. #12
    Disallowing the use of certain PHP functions prevents some 'exploits'; however, it also limits the functionality of a lot of other software. Enabling safe_mode also isn't a real option, since this limits too much functionality.

    A great way to limit exploits is by installing mod_security, which catches a lot of attempted attacks. Also make sure your magic_quotes settings are correct, and pipe all outgoing mail to a logfile before sending it out, allowing you to trace which script sends which emails.

    Tracking defacements is harder; we cross-reference the modification date with dates and times in the Apache forensic logs. This usually gives us the information we need as well.

    Disallow shell access in general, regularly check for rootkits and keep an eye on running processes. Preventing execution rights in /tmp directories also prevents a lot.
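
    The cross-referencing step from the post above, as an added example that is not the poster's own tooling: take a file the scan or a defacement turned up, find the first request for its URL in the Apache access log, pull everything that client did (the upload that dropped it usually sits a few seconds earlier), and list the requests in the minutes around the file's mtime. The log entries are constructed Combined Log Format lines using documentation IP ranges.

```sh
#!/bin/sh
# Added example for this thread (not any poster's script). Ties a dropped or
# defaced file back to the Apache access log by URL, client and time window.

# Constructed sample log for the demo; prints the temp file path.
write_sample_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
203.0.113.7 - - [09/Jan/2007:14:21:03 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Jan/2007:14:22:41 +0000] "POST /blog/wp-content/plugins/up/upload.php HTTP/1.1" 200 212 "-" "libwww-perl/5.805"
198.51.100.9 - - [09/Jan/2007:14:22:45 +0000] "GET /blog/wp-content/uploads/img.php?cmd=id HTTP/1.1" 200 88 "-" "libwww-perl/5.805"
203.0.113.7 - - [09/Jan/2007:14:30:10 +0000] "GET /blog/about HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Jan/2007:16:02:19 +0000] "POST /blog/wp-content/uploads/img.php HTTP/1.1" 200 91 "-" "libwww-perl/5.805"
EOF
    echo "$log"
}

# first_hit LOG URLPATH: the first request whose path starts with URLPATH.
# Field 7 of the combined format is the request path, query string included.
first_hit() {
    awk -v p="$2" 'index($7, p) == 1 { print; exit }' "$1"
}

# requests_by_ip LOG IP: everything that client did, in log order.
requests_by_ip() {
    awk -v ip="$2" '$1 == ip' "$1"
}

# requests_in_window LOG PREFIX: entries whose timestamp starts with PREFIX,
# e.g. '09/Jan/2007:14:2' for 14:20 to 14:29. Take PREFIX from the file's mtime
# (GNU: stat -c %y FILE; BSD: stat -f %Sm FILE). The log records the request
# start time in the server's local zone, so compare in that zone.
requests_in_window() {
    awk -v p="[$2" 'index($4, p) == 1' "$1"
}

# investigate LOG URLPATH: the whole chain for one suspicious file.
investigate() {
    hit=$(first_hit "$1" "$2")
    [ -n "$hit" ] || { echo "no requests for $2"; return 1; }
    ip=$(echo "$hit" | awk '{ print $1 }')
    echo "first hit: $hit"
    echo "all requests from $ip:"
    requests_by_ip "$1" "$ip"
}

# Demo run on the constructed log.
log=$(write_sample_log)
investigate "$log" /blog/wp-content/uploads/img.php
echo "requests between 14:20 and 14:29:"
requests_in_window "$log" '09/Jan/2007:14:2'
rm -f "$log"
```

    In the sample the first hit on img.php comes four seconds after a POST from the same client to a plugin's upload.php, which is the hole to close; the later POST to img.php itself is the shell being used. On a real server run this against the rotated logs as well, since the drop often predates the day you notice it, and a file whose mtime has no nearby log entry at all was probably written through something other than the web server (FTP, a cron job, another compromised account).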

  13. #13
    Adjust fstab, providing your kernel has ACL support: add acl and mount -o remount the partition, or alternatively just do

    mount -o remount,acl /

    (Note you may have to do all partitions if you have them separated), then just use POSIX ACLs on certain parts, e.g.,

    setfacl -m u:nobody:--- `which uname`
    setfacl -m u:nobody:--- `which uptime`
    setfacl -m u:nobody:--- `which find`
    setfacl -m u:nobody:--- `which id`
    setfacl -m u:nobody:--- `whereis ls |awk '{print $2}'`
    setfacl -m u:nobody:--- `which dir`
    setfacl -m u:nobody:--- `which echo`
    setfacl -m u:nobody:--- `which wget`
    setfacl -m u:nobody:--- `which ps`
    setfacl -m u:nobody:--- `which cat`

    Remember there's only so much you can do, because if you disable the actual binaries such as perl and run cPanel you will run into problems with the cPanel redirects (however, if you change it to a separate perl binary and chattr it you can get around that).

    The above assumes you are not running suexec. Further to that, it's easy enough to get around the majority of it with echo * since those functions are built into the shell.

    -Scott

  14. #14
    Just want to point out that many scripts are using a lot more than wget:

    wget, lynx, GET, etc.

  15. #15
    setfacl -m u:nobody:--- `which uptime`

    What's the harm in users seeing your uptime?

  16. #16
    Quote Originally Posted by scribby
    setfacl -m u:nobody:--- `which uptime`

    Whats the harm in users seeing your uptime?
    They were just things I was typing as I made them up; there's no point even using most of the ones I listed, as they were only examples. There are lots of others that need done also if that is the method to be used. It's not foolproof, but it's better than nothing.

    Anyway, like I said, there's no point cutting and pasting an example I made.

    -Scott
