Comments
Get yourself. Managed. Hosting.... Compromised. Server is tough to clean
How about checking the /var/log directory?
rm -f
rm -rf --no-preserve-root
Should work better than @tommy's suggestion
/S
Useless dicks. Is it really too hard to be friendly and helpful?
If you are using a cPanel server then install security tools, configure it and scan with anti malware software.
You can use Anti Maldetect to find this type of script, and it will automatically remove viruses, etc. (you need to configure the setting for automatic action).
Make sure you are not accessing your website via a normal FTP connection; always use SFTP.
I usually find them by analyzing the contents of any PHP files.
I've written a small tool:
No, it isn't the best script in the world, but it's how I investigate to see if I can find any PHP shells on the server.
Like @DewlanceVPS said, FTP is not a very secure option in file transfer - I can sniff your packets and see your username/password.
If FTP is absolutely necessary, (assuming you're using Filezilla) append ftpes:// behind your hostname. This will force your FTP session to use TLS encryption.
You may shorten your script to a single command:
This will print the lines and filenames containing your search term "exec"; adjust the path and search options to your needs, of course....
Exactly, there is a little bit of 'snobbish' behaviour of late on these pages, it's not a good look
I'm not getting these things... as I'm a newbie. I am using Kloxo; will you tell me which command will give me the shell name so that I can easily remove it via the Kloxo panel?
@zong11
My recommendation would be to start fresh. A really sucky thing about being compromised is that you can never 100% trust that machine ever again until it is completely wiped, especially if you are a "newbie" like you say. Reinstall the machine, load from a backup where you know the machine isn't compromised, and then through deductive reasoning, figure out what happened to get yourself in trouble.
This is your second thread about which, I am assuming, is the same issue. You really need to switch to a managed or semi-managed provider and learn. There's nothing wrong with not knowing; we all start somewhere. But you're out of your element and a managed provider is there for this type of thing.
Also, I don't use a panel but I have heard absolutely nothing good about Kloxo and it wouldn't surprise me if that was the point of entry. No panel is going to have a specific feature to remove the specific compromise on your system. Any tools will be generalized.
At any rate, you probably need to erase and re-install, as others have said.
No he won't, he'll be asking another question, just wait
Just tested it on 3 VPSes. All clean now!
Here's another version of the posted script as a one-liner, but with nicely formatted output showing the line number of the found string.
LIST="$(find /home/*/public_html -name "*.php")"; for i in $LIST; do grep -in "exec" "$i"; done
Any code that works is good code, but you don't actually need the var:
or
or just:
or simplest of all:
or there's xargs but I never got around to learning it.
Note that this won't necessarily catch stuff in addon domains because you can choose the root folder. Personally I never put them under ~/public_html because that's just weird.
@raindog308
Good call on not needing the var.
The issue with the last one is that it takes longer to process because it searches every file in the dir.
I hope you're happy, apidevlab
Good point! Yeah, I don't think there is a way to say "recursively match all files that end in .php" in just shell expansion.
that's what find -name "*.php" is for, isn't it? ;-)
A plain find command invoking grep only on hits should be a lot faster than double-grepping everything...
so go for this:
or maybe even find /home /var /usr /tmp ... to catch more possibilities of infected files.
It is probably a good idea to narrow down the search term, too.
An alternative might be disallowing exec and other commands within PHP and having a look at the error log to see which files try to use it.
PS: worth mentioning that by no means every file using exec is malicious...
It's better if you copy your data and reinstall.
Which won't help a bit if he does not understand what is wrong and copies the malicious files right back, or at least leaves the same entry points open to possible attackers...
PS: maldet is a good additional option though ;-)
AFAIK, ClamAV has good detection for PHP shells. BTW, some exploiters also use other file extensions instead of .php (e.g. jpg, gif, etc.).
Cleaning compromised server by using the very same compromised server is bull***t. Either reinstall from scratch, or restore from safe and clean backup...