How to detect shell scripts !
Posted by ballighohosting, 10-22-2013, 08:52 PM |
Hi,
Is there a way to detect and delete shell scripts on a Linux server? I've been suffering from people uploading stupid shell scripts and trying to screw up the server!
|
Posted by HostMantis, 10-22-2013, 09:15 PM |
May want to consider CXS:
http://configserver.com/cp/cxs.html
|
Posted by ballighohosting, 10-22-2013, 10:40 PM |
Is there a free alternative? I have many servers and can't afford to pay $50 a server.
|
Posted by HostMantis, 10-22-2013, 11:12 PM |
The more licenses you buy, the higher the discount:
License Pricing:
1 license: $50.00 (Ex VAT)
2-4 licenses: $47.50 each (Ex VAT)
5-9 licenses: $45.00 each (Ex VAT)
10-19 licenses: $40.00 each (Ex VAT)
20-49 licenses: $35.00 each (Ex VAT)
50 or more licenses: $30.00 each (Ex VAT)
|
Posted by UnfinishedSentenc, 10-22-2013, 11:22 PM |
Don't need to pay anything.
If you know what you are scanning for, such as the most common (c99 or r57), use this.
http://www.xxxx***********/2010/06/1...and-txt-files/
There is a free scanner that looks for many more things. It can take a while if you have a lot of files on your servers.
http://www.rfxn.com/projects/linux-malware-detect/
Last edited by Postbox; 05-06-2014 at 05:40 PM.
|
Posted by Kailash12, 10-23-2013, 01:12 AM |
Maldet should detect PHP shells and many other suspicious scripts. Also, you can install ClamAV. ClamAV + Maldet should be enough to find PHP shells and other suspicious files.
|
Posted by ballighohosting, 10-23-2013, 01:13 AM |
Thanks guys, I'll try those.
|
Posted by ballighohosting, 10-24-2013, 08:08 AM |
Maldet didn't find anything, while I manually detected over 30 shell scripts!
|
Posted by Kailash12, 10-24-2013, 08:45 AM |
That's really strange. I never faced such an issue.
|
Posted by ballighohosting, 10-24-2013, 08:47 AM |
OH MY GOD!!! NOBODY USES THIS STUPID DAMN SCRIPT!!! It killed all my sites! What it does is look for the word 'r57' inside the PHP files and delete them without prior warning! It deleted many PHP files on my server because they have 'r57' inside their text!
THIS SUCKS!!!
Last edited by Postbox; 05-06-2014 at 05:40 PM.
|
Posted by huck, 10-24-2013, 09:08 AM |
ClamAV can detect a limited number of PHP hide and PHP backdoors. While certainly not exhaustive it is free, easy to use and relatively fast.
We often run it as part of any security investigation. In about 25-30% of the cases, it clues us in on the scripts causing the issues. From there, we can dig further into the problem.
The challenge with most scanners is that they are signature based and most shell scripts are highly permutable. As a result, a simple change in a script can avoid detection.
For spam cases, newer versions of PHP have mail.add_x_header and mail.log. These can be very useful in tracking spam.
|
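To show the difference between matching a bare keyword (what the deleting script described above did) and a scanner that weighs several constructs and only reports, here is an added Python example; it is not from the thread or from any tool named in it. The patterns, weights, threshold and the two sample files are assumptions constructed for the demo, and it never modifies anything on disk.

```python
import os
import re
import tempfile

# Weighted patterns (assumed for this demo). Constructs that application code rarely
# uses score high; a lone name such as "r57" scores 1 and never reaches THRESHOLD alone.
SIGNATURES = [
    (r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", 5, "eval() of a decoded payload"),
    (r"\b(shell_exec|passthru|proc_open|popen)\s*\(", 3, "command execution function"),
    (r"\b(system|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", 5, "command execution on request input"),
    (r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", 4, "preg_replace() with /e modifier"),
    (r"\b(c99|r57)(shell)?\b", 1, "known web shell family name"),
]
THRESHOLD = 5  # report a file when the summed weights reach this value

def score_php_source(src):
    """Return (score, [reasons]) for one PHP source text; pure function, no I/O."""
    score, reasons = 0, []
    for pattern, weight, why in SIGNATURES:
        if re.search(pattern, src, re.IGNORECASE):
            score += weight
            reasons.append(why)
    return score, reasons

def scan_tree(root):
    """Walk root; return (path, score, reasons) for PHP files at/over THRESHOLD. Read-only."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    score, reasons = score_php_source(fh.read())
            except OSError:  # unreadable file: skip, a human can look at it later
                continue
            if score >= THRESHOLD:
                findings.append((path, score, reasons))
    return findings

# Constructed samples (not real malware): a benign file that merely mentions "r57"
# in a comment, and a file using the eval()-of-decoded-blob construct.
BENIGN = "<?php\n// migrated from the old r57 ticketing module\necho 'hello';\n"
SUSPICIOUS = "<?php\n$blob = '...';\neval(gzinflate(base64_decode($blob)));\n"

def demo():
    """Write both samples to a temp dir, scan it, and return the flagged basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in (("legacy_notes.php", BENIGN), ("dropped_sample.php", SUSPICIOUS)):
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return sorted(os.path.basename(p) for p, _, _ in scan_tree(tmp))
```

Run `scan_tree("/path/to/docroot")` and review the list by hand; the benign sample scores 1 and is not reported, the suspicious one scores 5 and is.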
Posted by karem, 10-24-2013, 10:29 AM |
http://configserver.com/cp/cxs.html
|
Posted by Mostly1, 10-24-2013, 01:00 PM |
If you do a Google search for "findbot.pl" you will find a script written by CBL to locate specific parameters and print the file paths to the screen. This output can also be piped to a file for further review.
The link is below: (sorry about the format)
cbl dot abuseat dot org/findbot.pl
|
Posted by UnfinishedSentenc, 10-24-2013, 01:56 PM |
OMG the ALLCAPS must mean you know what you are talking about.
The script does not do that if you take the time to go through and look at it and read the detailed explanations. You can remove the rm -Rf part to avoid any possibility of selecting that after it runs if you want. You shouldn't just run it on a production server anyways without testing it first.
Last edited by UnfinishedSentenc; 10-24-2013 at 02:00 PM.
|
Posted by ballighohosting, 10-24-2013, 03:57 PM |
Yeah, stupid of me :(
That's why I warned the members here not to fall for this mistake.
Thank God for backup.
|