Finding web shells on compromised linux servers

-
Finding web backdoor shells

(1)

grep -RPn
"(system|phpinfo|pcntl_exec|python_eval|base64_decode|gzip|mkdir|fopen|fclose|read
file|passthru)"

(2)

Install GIT and download git clone ssh://git@github.com:Neohapsis/NeoPI.git
(see the documentation)

(3)

grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /var/www/
(4)
grep -RPnDskip "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" public_html/
Other Useful Links

Comments

Post a Comment

Popular posts from this blog

Redirect apache request to another domain

-
if you have example portal.tenerife.com portal.mazaredo.com portal.antolines.com and you want to redirect it to www.mazaredo.com in httpd.conf put this line RewriteEngine on RewriteCond %{HTTP_HOST} !^portal\.!^\.com$ [NC] RewriteRule ^(.*)$ http://www.mazaredo.com/$1 [R=301,L] As you can see the the url has 3 parts    portal, domain, com  !^portal\.!^\.com$ first part is !^portal\     you can also remove portal so any .com request going to your site will be redirected. second part is !^\ where it is like * anything. last part is .com$
Read more

Can't use proxy because no authentication schemes are fully configured.

-
So you are having problems on webmin + squid authentication ? My current setup is below. I was eating my finger nails asking why before it was working and now it doesnt. System hostname localhost.localdomain (127.0.0.1) Operating system CentOS Linux 6.3 Webmin version 1.620 Virtualmin version 3.98.gpl GPL Earn  money  register free! [root@122 ~]# service squid start Starting squid:                                            [FAILED] 2013/02/23 00:17:00| Processing Configuration File: /etc/squid/squid.conf (depth 0) 2013/02/23 00:17:00| ERROR: '0.0.0.0/0.0.0.0' needs to be replaced by the term 'all'. 2013/02/23 00:17:00| SECURITY NOTICE: Overriding config setting. Using 'all' instead. 2013/02/23 00:17:00| WARNING: (B) '::/0' is a subnetwork ...
Read more

Close all open only ssh port

-
# Generated by iptables-save v1.4.12 on Wed Dec  7 20:10:49 2011 *filter :INPUT DROP [45:2307] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [1571:4260654] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m tcp -s 1xx.xx.xx.xx --dport 22 -j ACCEPT COMMIT # Completed on Wed Dec  7 20:10:49 2011
Read more