Finding web shells on compromised linux servers

-
Finding web backdoor shells

(1)

grep -RPn
"(system|phpinfo|pcntl_exec|python_eval|base64_decode|gzip|mkdir|fopen|fclose|read
file|passthru)"

(2)

Install GIT and download git clone ssh://git@github.com:Neohapsis/NeoPI.git
(see the documentation)

(3)

grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /var/www/
(4)
grep -RPnDskip "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" public_html/
Other Useful Links

Comments

Post a Comment

Popular posts from this blog

Redirect apache request to another domain

-
if you have example portal.tenerife.com portal.mazaredo.com portal.antolines.com and you want to redirect it to www.mazaredo.com in httpd.conf put this line RewriteEngine on RewriteCond %{HTTP_HOST} !^portal\.!^\.com$ [NC] RewriteRule ^(.*)$ http://www.mazaredo.com/$1 [R=301,L] As you can see the the url has 3 parts    portal, domain, com  !^portal\.!^\.com$ first part is !^portal\     you can also remove portal so any .com request going to your site will be redirected. second part is !^\ where it is like * anything. last part is .com$
Read more

Black screen after logging in on Windows 2012 R2 using domain credentials on remote desktop connection

-
https://support.microsoft.com/en-us/kb/970879 Blank Desktop on Windows Vista or Windows Server 2008  Email  Print Source:  Microsoft Support RAPID PUBLISHING RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION. Symptom After logging on to a Windows Vista or Windows Server 2008 computer, you are presented with a blank screen with no Start Menu, shortcuts, or icons. If you reboot and use F8 to boot to Safe Mode with Networking, you will see your normal desktop.  You may see the following events in the Application log:  Log Name: Application  Source: Microsoft-Windows-Winlogon  Event ID: 4006  Level: Warning  User: N/A  Computer: M1.Contoso.com  Description:  The Windows logon process has failed to spawn a user applicati...
Read more

Can't use proxy because no authentication schemes are fully configured.

-
So you are having problems on webmin + squid authentication ? My current setup is below. I was eating my finger nails asking why before it was working and now it doesnt. System hostname localhost.localdomain (127.0.0.1) Operating system CentOS Linux 6.3 Webmin version 1.620 Virtualmin version 3.98.gpl GPL Earn  money  register free! [root@122 ~]# service squid start Starting squid:                                            [FAILED] 2013/02/23 00:17:00| Processing Configuration File: /etc/squid/squid.conf (depth 0) 2013/02/23 00:17:00| ERROR: '0.0.0.0/0.0.0.0' needs to be replaced by the term 'all'. 2013/02/23 00:17:00| SECURITY NOTICE: Overriding config setting. Using 'all' instead. 2013/02/23 00:17:00| WARNING: (B) '::/0' is a subnetwork ...
Read more