

Tight mod-sec, still got shell ...




Posted by xeonfan, 07-23-2010, 07:35 PM
Got a CSF warning and it was scary. Suspended the account, scanned it and it's full of trojans and phpshells. Seems a weak password, but I still want to double check what caused it. Can someone shed some light on what made them run this 1st command when shell and many PHP functions are already disabled in php.ini? Looks like it's trying to fetch the kernel version, but how did it run? Server uses gotroot mod-sec rules, suphp, apache2.2, csf, PHP tightened.

Posted by madaboutlinux, 07-24-2010, 01:09 AM
The uname and lynx commands have 755 permissions, so any normal user can execute them, and mod_sec, suphp, csf and PHP security won't be able to deny users from executing those commands. The better way is to change the permissions of such commands to 750 if you don't want to allow users to execute these commands. See this (the test.sh contains the command in your CSF output): Regarding any other phpshell, they can be uploaded, but you need to check if they succeeded in executing them. Have your hosting company OR a server management company look into it for you.

Posted by JohnCS, 07-24-2010, 06:25 AM
Run the below command as root to prevent common shell attacks.

Posted by Maxnet, 07-24-2010, 04:12 PM
What functions did you disable exactly? And are you sure the shell command was executed through PHP? Try matching the exact time of the CSF warning with your HTTP access logs.

Posted by xeonfan, 07-24-2010, 05:31 PM
madaboutlinux and linux2k, thanks for sharing the commands. Can you also clarify what difference 700 and 750 would make, as one of you suggested chmod 700 and the other 750? Maxnet, yes, there's no one with shell access on that server. disable_functions included. Correct me if I need more disabled functions.

Posted by Maxnet, 07-24-2010, 06:18 PM
Disable list looks fine. Also checked that php.ini was actually being loaded? ( phpinfo() ) But do not automatically assume that because you do not give users shell access, the script is being executed through PHP. You wouldn't be the first person to spend a lot of time locking down PHP but, for example, forget to disable the crontab option some hosting control panels offer. Would still check the access logs. Concerning the commands executed: your unwelcome visitor probably started this reverse shell perl script: www.webhostingtalk.com/showthread.php?t=727857 Last edited by Maxnet; 07-24-2010 at 06:32 PM.

Posted by xeonfan, 07-24-2010, 07:16 PM
maxnet, you are right. As I was running suphp/suexec, I found the abused account and prevented further damage, from what it looks like till now. CSF already caught the file and removed it from tmp. That was exactly it; I did check the tmp and there's no more sign of this. Server doesn't show any sign of earlier connection attempts. I did check the logs but wasn't able to dig out info for the abusive files. Can you help with what exactly I should be looking for in the access logs?

Posted by Maxnet, 07-24-2010, 07:37 PM
Look at the date and exact time the CSF warning was sent. I do not know when that was, as you only show a snippet of the warning. But suppose it was on Saturday July 24th at 01:23:45. Then go find the Apache access log of that day. Usually it is located in /var/log/apache2, but your hosting control panel might store those in a different location, or split the file by domain. Open it in your favorite text editor and look at what website page was accessed before 01:23:45. With a bit of luck you then know if it was a PHP script, and which page had the vulnerability.

Posted by Maxnet, 07-24-2010, 08:10 PM
The warning shows the perl script had already been running for 118 seconds. So subtract 118 seconds from the time the warning was sent, and look for that exact time in the logs.
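Maxnet's procedure above (warning time minus the 118 seconds the process had been running, then the requests logged just before that moment), as an added Python example that is not part of this thread: the access log lines, client IPs and the warning timestamp are constructed for the walkthrough, and it assumes Apache's combined log format and that CSF and Apache log in the same timezone.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample Apache combined-format access log lines (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jul/2010:01:20:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jul/2010:01:21:40 +0000] "POST /gallery/upload.php HTTP/1.1" 200 211 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Jul/2010:01:21:45 +0000] "GET /gallery/images/x.php?c=1 HTTP/1.1" 200 88 "-" "curl/7.19"
203.0.113.7 - - [24/Jul/2010:01:25:10 +0000] "GET /about.html HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
"""

# Assumed CSF values: Maxnet's hypothetical "Saturday July 24th at 01:23:45" as the
# time the warning was sent, and the 118 seconds the process had been running.
WARNING_SENT = datetime(2010, 7, 24, 1, 23, 45, tzinfo=timezone.utc)
RUNNING_SECONDS = 118

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "request": m.group("req"), "status": int(m.group("status"))}

def process_start(warning_sent, running_seconds):
    """When the flagged process started: warning time minus its reported age."""
    return warning_sent - timedelta(seconds=running_seconds)

def requests_before(log_text, start, window_seconds=60):
    """Requests logged in the window leading up to (and including) the start time."""
    earliest = start - timedelta(seconds=window_seconds)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and earliest <= rec["ts"] <= start:
            hits.append(rec)
    return sorted(hits, key=lambda r: r["ts"], reverse=True)  # closest to start first

def suspect_requests(log_text=SAMPLE_LOG, warning_sent=WARNING_SENT,
                     running_seconds=RUNNING_SECONDS, window_seconds=60):
    """Human-readable request lines worth a closer look, closest to the start time first."""
    start = process_start(warning_sent, running_seconds)
    return [f'{r["ts"]:%H:%M:%S} {r["ip"]} {r["request"]}'
            for r in requests_before(log_text, start, window_seconds)]

if __name__ == "__main__":
    for line in suspect_requests():
        print(line)
```

Widen window_seconds if the CSF process age was rounded, and remember that Apache stamps a request with the time it was received, so a slow upload script shows up earlier than the process it spawned.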

Posted by dmmcintyre3, 07-24-2010, 09:42 PM
On some hosts, if I upload a blank file named php.ini to the directory of the script, it disables any of the security done from your main php.ini, like disable_functions.

Posted by JohnCS, 07-26-2010, 03:57 AM
With 700 only root can run such shell commands, and with 750 other users (e.g. cPanel users) may also run such shell commands.


