How to remove or find Shell in server

zong11 Member

Someone has added a shell to my server. That's why he is adding many PHP files to all my sites... Is there any way to find the exact shell file or that shell PHP? Any command or any way to check that shell location?

Comments

  • noaman Member

    Get yourself managed hosting.... A compromised server is tough to clean.

    Thanked by 1 netomx
  • How about checking the /var/log directory.

  • tommy Member

    rm -f

  • rm -rf --no-preserve-root
    Should work better than @tommy 's suggestion
    /S

    Thanked by 1 netomx
  • Useless dicks :) Is it really too hard to be friendly and helpful?

  • DewlanceVPS Member, Patron Provider

    If you are using a cPanel server then install security tools, configure it and scan with anti malware software.



    You can use Anti Maldetect to find this type of script and it will automatically remove viruses, etc. (You need to configure the setting for automatic action.)



    Make sure you are not accessing your website via a normal FTP connection; always use SFTP.

  • FlamesRunner Member
    edited May 2016

    I usually find them by analyzing the contents of any PHP files.

    I've written a small tool:

    #!/bin/bash
    
    # Walk every PHP file under the web roots, one path per iteration.
    # (Quoting "$LIST" in a for loop made the original run once over the whole list;
    # null-delimited find output also survives odd characters in filenames.)
    find /home/*/public_html -name "*.php" -print0 | while IFS= read -r -d '' i; do
    
        # grep -q only reports whether there is a match, so the file need not be cat'ed
        # into a variable; an empty "then" branch is a bash syntax error, so test the
        # positive case directly.
        if grep -q "exec" "$i"; then
            echo "Investigate $i."
        fi
    
    done
    

    No, it isn't the best script in the world, but it's how I investigate to see if I can find any PHP shells on the server.

    Like @DewlanceVPS said, FTP is not a very secure option for file transfer - I can sniff your packets and see your username/password.

    If FTP is absolutely necessary, (assuming you're using Filezilla) append ftpes:// behind your hostname. This will force your FTP session to use TLS encryption.

  • Falzo Member

    you may shorten your script to a single command:

    find /home/*/public_html -name "*.php" -exec grep "exec" {} \; -print

    this will print you the lines and filenames containing your search term "exec" - adjust path and search options to your needs of course....

    Thanked by 1 FlamesRunner
  • @Rockster said:
    Useless dicks :) Is it really too hard to be friendly and helpful?

    Exactly, there is a little bit of 'snobbish' behaviour of late on these pages, it's not a good look :(

    Thanked by 1 jar
  • zong11 Member

    I'm not getting these things... as I'm a newbie. I am using Kloxo; will you tell me which command will give me the shell name so that I can easily remove it via the Kloxo panel?

  • daily Member

    @zong11

    My recommendation would be to start fresh. A really sucky thing about being compromised is that you can never 100% trust that machine ever again until it is completely wiped, especially if you are a "newbie" like you say. Reinstall the machine, load from a backup where you know the machine isn't compromised, and then through deductive reasoning, figure out what happened to get yourself in trouble.

  • @zong11 said:
    I am using kloxo will you tell me which command will give me shell name so that i can easily remove that via kloxopanel

    This is your second thread about which, I am assuming, is the same issue. You really need to switch to a managed or semi-managed provider and learn. There's nothing wrong with not knowing; we all start somewhere. But you're out of your element and a managed provider is there for this type of thing.

    Also, I don't use a panel but I have heard absolutely nothing good about Kloxo and it wouldn't surprise me if that was the point of entry. No panel is going to have a specific feature to remove the specific compromise on your system. Any tools will be generalized.

    At any rate, you probably need to erase and re-install, as others have said.

  • tommy Member

    No he won't :) he'll be asking another question, just wait :)

    Thanked by 1 netomx
  • Hybrid Member

    @TriDoxiuM said:
    rm -rf --no-preserve-root
    Should work better than @tommy 's suggestion
    /S

    Just tested it on 3 VPSes. All clean now!

  • edited May 2016

    Here's another version of the posted script as a one-liner, but with nicely formatted output showing the line number of the found string.

    LIST="$(find /home/*/public_html -name "*.php")"; for i in $LIST; do grep -Hin "exec" "$i"; done

  • raindog308 Administrator, Veteran
    edited May 2016

    globalRegisters said: Here's another version of the posted script as a one-liner, but with nicely formatted output showing the line number of the found string.

    LIST="$(find /home/*/public_html -name "*.php")"; for i in $LIST; do grep -Hin "exec" "$i"; done

    Any code that works is good code, but you don't actually need the var:

    for i in $(find /home/*/public_html -name "*.php") ; do grep -Hin "exec" "$i"; done
    

    or

    find /home/*/public_html -name "*.php" | while IFS= read -r file ; do grep -Hin "exec" "$file" ; done
    

    or just:

    find /home/*/public_html -name "*.php" -exec grep -Hin "exec" {} \;
    

    or simplest of all:

    grep -Rin "exec" /home/*/public_html | grep .php
    

    or there's xargs but I never got around to learning it.

    Note that this won't necessarily catch stuff in addon domains because you can choose the root folder. Personally I never put them under ~/public_html because that's just weird.

  • @raindog308

    Good call on not needing the var.

    The issue with the last one is that it takes longer to process because it is searching every file in the dir.

    Thanked by 1 raindog308
  • netomx Moderator, Veteran

    @apidevlab said:

    @Rockster said:
    Useless dicks :) Is it really too hard to be friendly and helpful?

    Exactly, there is a little bit of 'snobbish' behaviour of late on these pages, it's not a good look :(

    @FlamesRunner said:
    I usually find them by analyzing the contents of any PHP files.

    I've written a small tool:

    > #!/bin/bash
    > 
    > # Walk every PHP file under the web roots, one path per iteration.
    > find /home/*/public_html -name "*.php" -print0 | while IFS= read -r -d '' i; do
    > 
    >     # grep -q only reports whether there is a match.
    >     if grep -q "exec" "$i"; then
    >         echo "Investigate $i."
    >     fi
    > 
    > done
    > 

    No, it isn't the best script in the world, but it's how I investigate to see if I can find any PHP shells on the server.

    Like @DewlanceVPS said, FTP is not a very secure option for file transfer - I can sniff your packets and see your username/password.

    If FTP is absolutely necessary, (assuming you're using Filezilla) append ftpes:// behind your hostname. This will force your FTP session to use TLS encryption.

    @zong11 said:
    I'm not getting these things... as I'm a newbie. I am using Kloxo; will you tell me which command will give me the shell name so that I can easily remove it via the Kloxo panel?

    I hope you're happy, apidevlab

  • raindog308 Administrator, Veteran

    globalRegisters said: The issue with the last one is that it takes longer to process because it is searching every file in the dir.

    Good point! Yeah, I don't think there is a way to say "recursively match all files that end in .php" in just shell expansion.

    Thanked by 1 globalRegisters
  • Falzo Member
    edited May 2016

    @raindog308 said:

    that's what find -name "*.php" is for, isn't it? ;-)
    plain find command invoking grep only on hits should be a lot faster than double grepping everything...

    so go for this:

    find /home/*/public_html -name "*.php" -exec grep -Hin "exec" {} \;

    or maybe even find /home /var /usr /tmp ... to catch more possibilities of infected files.
    probably it is a good idea to narrow down the search term too.

    an alternative might be disallowing exec and other commands within PHP and having a look at the error log to see which files try to use it.

  • Falzo Member

    PS: worth mentioning that by far not every file using exec is malicious...

    1. Install clamav
    2. Install maldet and go scan
    3. Install rootkit hunter and go scan

    even better if you copy your data and reinstall

    Thanked by 1 zafouhar
  • Falzo Member
    edited May 2016

    logaritse said: even better if you copy your data and reinstall

    which won't help a bit, if he does not understand what is wrong and copies the malicious files right away or at least leaves the same entry points open to possible attackers...

    PS: maldet is a good additional option though ;-)

  • fazar Member

    AFAIK, ClamAV has good detection for PHP shells. BTW, some exploiters also use other file extensions instead of .php (e.g. jpg, gif, etc.).
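    Picking up Falzo's point that not every file calling exec is malicious and fazar's that shells hide behind other extensions, the following is an added example, not code posted by anyone in this thread: it selects files by content (a PHP open tag) rather than by name, greps them for a broader set of execution and obfuscation primitives, and prints file:line:function so each hit can be reviewed by hand. The pattern list, the web-root path and the sample tree it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): list execution/obfuscation primitives in
# every PHP file under a web root, whatever the file extension is called.
# Every hit is a lead to review by hand: legitimate admin scripts call exec() too.

# Functions a web shell typically needs; the list is an assumption, extend it.
PATTERN='\b(eval|exec|shell_exec|system|passthru|popen|proc_open|assert|base64_decode|gzinflate|str_rot13)[[:space:]]*\('

# scan_webroot DIR: print FILE:LINE:FUNCTION( for each hit under DIR.
# Files are picked by content (a PHP open tag), not by name, so a shell saved
# as .gif or .jpg is still scanned; -a also searches binary-looking files.
scan_webroot() {
    find "$1" -type f -exec grep -laE '<\?(php|=)' {} + |
    while IFS= read -r f; do          # one path per line (no newlines in names)
        grep -aHnoE "$PATTERN" "$f" || :   # no hit in this file is not an error
    done
}

# build_sample_tree DIR: constructed stand-in for /home/*/public_html.
build_sample_tree() {
    mkdir -p "$1/site1/uploads"
    # Ordinary page: no execution primitives, should produce no hit.
    printf '<?php\necho "hello";\n' > "$1/site1/index.php"
    # Legitimate status script: calls exec(), so it is a hit but not malware.
    printf '<?php\nexec("uptime", $out);\n' > "$1/site1/status.php"
    # Constructed marker for an obfuscated loader hidden behind an image name.
    printf 'GIF89a\n<?php\neval(base64_decode($payload));\n' > "$1/site1/uploads/pic.gif"
}

ROOT="$(mktemp -d)"
build_sample_tree "$ROOT"
scan_webroot "$ROOT"
# Expected hits: status.php:2:exec(  pic.gif:3:eval(  pic.gif:3:base64_decode(
rm -rf "$ROOT"
```

    Point scan_webroot at the real document roots (and, as Falzo suggests, at /tmp or /var as well) and review hits in their context; index.php above shows why a plain "exec" grep over everything is noisy while a tag-based selection still finds code outside *.php.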

  • Jarry Member

    Cleaning compromised server by using the very same compromised server is bull***t. Either reinstall from scratch, or restore from safe and clean backup...
