Hey, I've decided to write this simple guide for all of those who run a web server and don't want to get rm -rf /'ed by somebody with access to a PHP shell on their server.
Method 1:
The first way is by using a *nix command. This command will only work if you're on a *nix system. If you're on Windows, remove it and install *nix.
The command you want to execute is:
find /var/www -name "*".php -type f -print0 | xargs -0 grep r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq
This will search /var/www for any .php file containing the string r57. The matches are then passed through sort with the -u flag, which does a unique sort, and through cut, which keeps only the file path and drops the matching line of code. If you want to search for a shell disguised as another file type, such as a .gif, use:
find /var/www -name "*".gif -type f -print0 | xargs -0 grep r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq
You can also take out the
awk '{print "rm -rf " $2}'
stage if you only want the list of paths. With it left in, the output has "rm -rf" in front of each file, which lets you redirect the output into a file and run it to remove the files.
If you want to search for c99 you may have to change it, but in my experience this command works fine for finding all shells on a system. But you may want to search for other popular things within a shell. Here is a list of some popular things I've seen:
shell
0wned
owned
hacker
h4cker
was here
modded
Command execute
Safe-Mode Bypass
Safe-Mode:
Kernel:
Here is the example output from my local Apache server, which has a whole folder of PHP shells:
chronic@vandal:~$ find /var/www -name "*".php -type f -print0 | xargs -0 grep r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq
rm -rf /var/www/temp/c99.php
rm -rf /var/www/temp/GNYshell.php
rm -rf /var/www/temp/php_listers/c99u.php
rm -rf /var/www/temp/php_listers/safe0ver.php
rm -rf /var/www/temp/php_listers/sniper.php
rm -rf /var/www/temp/r57.php
rm -rf /var/www/temp/c99.php
Easy. Found all but 3 PHP shells located in /var/www.
Then you may proceed to remove the shells.
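The same indicator search, as an added example that is not from the original post: it walks the web root and checks every regular file regardless of extension (so a shell renamed to .gif is caught too), and instead of emitting rm -rf lines it writes mv commands into a quarantine directory, because words like "shell" or "Kernel:" also appear in legitimate files. The web root and quarantine path are constructed sample values.

```python
import os
import shlex
import tempfile

# Strings the post lists as common in PHP shells, plus the r57/c99 names.
# Matched case-insensitively; the bare words ("shell", "owned") are noisy,
# so every hit is meant to be reviewed, not deleted blindly.
INDICATORS = ["r57", "c99", "shell", "0wned", "owned", "hacker", "h4cker",
              "was here", "modded", "Command execute", "Safe-Mode Bypass",
              "Safe-Mode:", "Kernel:"]

def scan_webroot(root, indicators=INDICATORS, max_bytes=4 * 1024 * 1024):
    """Return {path: [matched indicators]} for every regular file under root,
    whatever its extension. Symlinks and very large files are skipped."""
    hits = {}
    wanted = [s.lower().encode() for s in indicators]
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.getsize(path) > max_bytes:
                continue
            with open(path, "rb") as fh:
                data = fh.read().lower()
            found = [indicators[i] for i, s in enumerate(wanted) if s in data]
            if found:
                hits[path] = found
    return hits

def quarantine_script(hits, quarantine_dir):
    """Emit shell lines that move suspects aside rather than rm -rf them, so a
    false positive is recoverable. Paths are quoted for safe copy-and-paste."""
    lines = [f"mkdir -p {shlex.quote(quarantine_dir)}"]
    for path in sorted(hits):
        reason = ", ".join(hits[path])
        lines.append(f"mv -- {shlex.quote(path)} {shlex.quote(quarantine_dir)}/  # {reason}")
    return lines

def make_demo_tree():
    """Constructed sample web root: one clean page and one marker file
    disguised as images/logo.gif (markers only, no executable code)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "images", "logo.gif"), "w") as fh:
        fh.write("GIF89a<?php /* Safe-Mode Bypass  Kernel: */ ?>\n")
    return root

if __name__ == "__main__":
    print("\n".join(quarantine_script(scan_webroot(make_demo_tree()), "/var/quarantine")))
```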
Method 2:
The second way is by looking through the log files. Log files are usually located in
/var/log
The Apache log should be in /var/log/apache2/ with the name access.log
If you look at the log you can get a detailed report of what is going on. Take this log for example from my system:
::1 - - [06/Feb/2011:16:34:39 -0500] "GET /GNYshell.php?file=%2Fetc%2Fpasswd HTTP/1.1" 200 6147 "http://localhost/GNYshell.php?act=cmd" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13"
The first ::1 is my IP (the local IP in this case). Then come the date and the method used, in this case GET. Then we see the most vital piece of info, the page being accessed. Note the
?file=%2Fetc%2Fpasswd
This should be a red flag that this file is a shell, even though it may not be named GNYshell on your server; it may be named something non-suspicious such as post.php. Then we have some other info, such as the referrer, in this case http://localhost/GNYshell.php?act=cmd
From this you know who was accessing the shell, where the shell is, etc.
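The log check above, automated as an added example (not code from the original post): it parses Apache combined-format lines, percent-decodes the request and referrer so that %2Fetc%2Fpasswd is seen as /etc/passwd, and reports the client and script path for each line that carries a file-read, traversal or act=cmd indicator. The first sample line is constructed; the second is the one quoted in the post.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" format: client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators taken from the post: the /etc/passwd read, path traversal, and the
# shell's act=cmd command panel showing up in the referrer.
SUSPICIOUS = [
    ("reads /etc/passwd", re.compile(r"/etc/passwd", re.I)),
    ("directory traversal", re.compile(r"\.\./")),
    ("command panel", re.compile(r"(^|[?&])act=cmd(&|$)", re.I)),
]

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_entry(entry):
    """List the reasons a parsed entry looks like web-shell traffic (empty if clean)."""
    reasons = []
    # Decode percent-escapes first; check the referrer too, since it often
    # carries the shell's own URL even when the request itself looks bland.
    for field in ("target", "referer"):
        decoded = unquote(entry[field])
        for label, rx in SUSPICIOUS:
            if rx.search(decoded):
                reasons.append(f"{field}: {label}")
    return reasons

def scan_log(lines):
    """Return (client, script path, reasons) for every flagged line."""
    hits = []
    for line in lines:
        entry = parse_line(line.strip())
        if entry is None:
            continue
        reasons = flag_entry(entry)
        if reasons:
            hits.append((entry["client"], urlsplit(entry["target"]).path, reasons))
    return hits

SAMPLE_LINES = [
    '192.0.2.10 - - [06/Feb/2011:16:30:01 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '::1 - - [06/Feb/2011:16:34:39 -0500] "GET /GNYshell.php?file=%2Fetc%2Fpasswd HTTP/1.1" 200 6147 '
    '"http://localhost/GNYshell.php?act=cmd" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) '
    'Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13"',
]

if __name__ == "__main__":
    for client, path, reasons in scan_log(SAMPLE_LINES):
        print(client, path, "; ".join(reasons))
```

Point the script at a real access.log with `scan_log(open("/var/log/apache2/access.log"))`; it reads one line at a time and skips lines in other formats.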
Hope this was useful to you and you can use it to help secure your server.
Zeus tech
Monday, 25 July 2011
Monday, 4 July 2011
World's first 111 Giga Pixel Picture
The picture was made with a Canon 5D Mark II and a 400mm lens. It consists of 1.665 full-format pictures of 21.4 megapixels each, which were recorded by a photo robot in 172 minutes. Converting the 102 GB of raw data on a computer with 48 GB of main memory and 16 processors took 94 hours. The picture is the largest in the world.
Zoom in to see any particular building/object.
Sevilla111.com
JavaScript is a very cool language that helps make sites even more dynamic...
I want to show you some simple and cool JavaScript tricks.
For each one, copy and paste the code into your browser's URL bar.
1st: This hack will ONLY affect your computer, but it's still very cool...
Copy this in your browser:
javascript: document.body.contentEditable = 'true'; document.designMode = 'on'; void 0
2nd: This hack will make the image on this page DANCE:
javascript:R=0; x1=.1; y1=.05; x2=.25; y2=.24; x3=1.6; y3=.24; x4=300; y4=200; x5=300; y5=200; DI=document.images; DIL=DI.length; function A(){for(i=0; i-DIL; i++){DIS=DI[ i ].style; DIS.position='absolute'; DIS.left=(Math.sin(R*x1+i*x2+x3)*x4+x5)+"px"; DIS.top=(Math.cos(R*y1+i*y2+y3)*y4+y5)+"px"}R++}setInterval('A()',5); void(0);
lock your computer in 2 seconds
Very useful when you have to leave your system on for some time and you have to go somewhere else...
Right click on an empty area of the desktop and choose 'New' then 'Shortcut.' The Create Shortcut wizard will open. In the
first text box, type '%windir%\System32\rundll32.exe user32.dll,LockWorkStation' and then give your shortcut an
appropriate name on the next page, and hit 'Finish.'
You will notice that the shortcut you created has a blank icon. To select a more appropriate one, right click on the
shortcut and hit 'Properties.' In the 'Shortcut' tab, click the 'Change Icon' button.
Otherwise, you can simply press "Windows key + L" to lock your computer.
Protect yourself against Google robots tracing you
Guys, with this search engine you can protect your searches against Google robots that can trace your history and store it for 26 years. Yes, you heard right. So you can use the link below for your mysterious activities :LOL: Try it now... enjoy
https://ssl.scroogle.org/
Security Vendor Removal Tools
Stinger & AVERT Tools
http://vil.nai.com/vil/averttools.asp
Pqremove Panda Quick Remover
http://www.pandasoftware.com/download/utilities/
Avast Cleaner Tools
http://download.cnet.com/Avast-Virus-Cle...?tag=mncol
AVG New Remover Tool
I-Worm/Bagle, I-Worm/Bugbear, I-Worm/Netsky, I-Worm/Sasser, PSW.Bispy, I-Worm/Zafi.A,B
http://www.grisoft.com/us/us_index.php
AVG Specialized Virus Removal Utilities
http://www.grisoft.com/us/us_ts_removers.php
Bitdefender Removal Tools
http://www.bitdefender.com/html/free_tools.php
Kaspersky Virus Removal Tools
http://www.kaspersky.com/removaltools.html
Symantec Removal Tools
http://www.sarc.com/avcenter/tools.list.html
http://www.symantec.com/business/securit...ltools.jsp
F-Secure Removal Tools
http://www.f-secure.com/en_EMEA/security...val-tools/
Panda Removal Tools
http://www.pandasecurity.com/homeusers/d...utilities/
Sophos Removal Tools
http://www.sophos.com/support/disinfection/
eTrust Antivirus Tools & Utilities
http://www.ca.com/us/securityadvisor/new...?cid=40387
Avira Removal Tool
http://majorgeeks.com/AVIRA_Removal_Tool...d4771.html
Misc.
Sophos Conflicker Removal Tool
http://www.sophos.com/products/free-tool...-tool.html
VundoFix
http://vundofix.atribune.org/
AIMfix
http://www.jayloden.com/aimfix.htm
ViewPoint Killer
http://www.spywareinfoforum.com/index.ph...ointKiller
MSBlast Remover
http://majorgeeks.com/MSBlast_Remover_d3970.html