  1. #1
    Member
    Join Date
    Nov 2007
    Posts
    16

    Default How do I block scripts like C99 Shell and such?

    How do I block scripts like C99 Shell and such?

  2. #2
    cPanel Product Evangelist Infopro's Avatar
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,894
    cPanel/Enkompass Access Level

    Root Administrator

    Lightbulb

    mod_security should help you there.

  3. #3
    Member
    Join Date
    Jan 2005
    Location
    London, UK
    Posts
    187

    Default

    Quote Originally Posted by Infopro View Post
    mod_security should help you there.
    Hasn't helped me.
    We get shell scripts uploaded into accounts with 777 directory permissions from time-to-time.

    - Vince

  4. #4
    Member
    Join Date
    Mar 2003
    Posts
    83

    Default

    Use clamscan to scan your user accounts

  5. #5
    Member
    Join Date
    Jan 2005
    Location
    London, UK
    Posts
    187

    Default

    Quote Originally Posted by bjdea1 View Post
    Use clamscan to scan your user accounts
    Does that need to be set up as a cron job?
    I have sometimes used ClamAV through cPanel on some accounts, and it does identify shell scripts.

    But I find it uses loads of server resource, therefore would probably not be a good idea to scan all hosted accounts this way?

    Appreciate any help.

    - Vince

  6. #6
    cPanel Product Evangelist Infopro's Avatar
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,894
    cPanel/Enkompass Access Level

    Root Administrator

    Lightbulb

    Quote Originally Posted by mambovince View Post
    Hasn't helped me.
    We get shell scripts uploaded into accounts with 777 directory permissions from time-to-time.

    - Vince
    You really should be moving up to apache2 by now.

  7. #7
    Member
    Join Date
    Feb 2005
    Posts
    312

    Default

    Quote Originally Posted by mambovince View Post
    Does that need to be set up as a cron job?
    I have sometimes used ClamAV through cPanel on some accounts, and it does identify shell scripts.

    But I find it uses loads of server resource, therefore would probably not be a good idea to scan all hosted accounts this way?

    Appreciate any help.

    - Vince
    It's very resource intensive, as are all virus scanners; however, it's probably something you should run on occasion.

    If you've got the time, create a script to run find looking for things updated or created since the last scan and just pipe those to the scanner.

    No sense re-running on everything, although you might want to on occasion in case someone shells in and touches back the dates on something.
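
The approach suggested in the post above, as an added example that is not part of the thread: find lists only files whose mtime or ctime is newer than a stamp file and hands that list to clamscan, so a file whose dates were touched back is still caught by its ctime. The stamp path, the SCAN_ROOT/STAMP/SCANNER variable names and the --run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: incremental ClamAV scan of files changed since the last run.
# SCAN_ROOT, STAMP and SCANNER defaults are assumptions, not cPanel settings.
SCAN_ROOT="${SCAN_ROOT:-/home}"
STAMP="${STAMP:-/var/lib/clamscan-incremental.stamp}"
SCANNER="${SCANNER:-clamscan}"

# Print regular files under $1 whose mtime OR ctime is newer than stamp $2.
# ctime is checked because touch(1) can set mtime back but cannot set ctime,
# so a back-dated upload still shows up. (-cnewer: GNU and BSD find.)
# With no stamp file yet (first run) every file is listed.
changed_files() {
    cf_root=$1; cf_stamp=$2
    if [ -f "$cf_stamp" ]; then
        find "$cf_root" -type f \( -newer "$cf_stamp" -o -cnewer "$cf_stamp" \) -print
    else
        find "$cf_root" -type f -print
    fi
}

# Scan the changed files and advance the stamp only if the scanner finished.
# clamscan exit codes: 0 = clean, 1 = infected file(s) found, 2 = error.
incremental_scan() {
    is_root=$1; is_stamp=$2
    is_list=$(mktemp) || return 2
    is_next=$(mktemp) || return 2   # marks the time just before the walk
    changed_files "$is_root" "$is_stamp" > "$is_list"
    is_status=0
    if [ -s "$is_list" ]; then
        # -i: report infected files only; nothing is deleted or moved.
        "$SCANNER" -i --no-summary --file-list="$is_list" || is_status=$?
    fi
    if [ "$is_status" -le 1 ]; then
        touch -r "$is_next" "$is_stamp"   # completed: next run starts here
    fi
    rm -f "$is_list" "$is_next"
    return "$is_status"
}

# Entry point for cron, e.g.:  script.sh --run >>/var/log/clamscan.log 2>&1
if [ "${1:-}" = "--run" ]; then
    incremental_scan "$SCAN_ROOT" "$STAMP"
fi
```

--file-list reads one path per line, so a filename containing a newline is not scanned correctly by this script; the occasional full scan covers that case.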

  8. #8
    Member
    Join Date
    Mar 2003
    Posts
    83

    Default Response

    You can run clamscan weekly on the entire /home directory safely (without overloading server) if you run it under cPanel's cpuwatch script. Enter this line into crontab.

    30 2 * * 1 /usr/local/cpanel/bin/cpuwatch 2 clamscan -ri /home >/root/clamscan.log 2>&1

    This will run clamscan once a week (Monday) at 2:30am and will pause each time the server load goes over 2 and will then resume again once the load is under 2. If you want it to run faster you could make the "2" a "3" or a "4".

    Note this will only produce a log output file in /root/clamscan.log that lists all infected files it finds. It will not delete or remove infected files. It's NOT recommended to allow clamscan to delete infected files because this could end up deleting files that users need. If a 3rd party (hacker) is responsible for infecting a file and then you just automatically deleted it - that could be a user's entire website you're deleting. Hackers usually target index.php or index.html files so I really wouldn't recommend allowing clamscan to delete infected files. Instead just look through the clamscan.log yourself and manually remove those files you know to be hacker shells etc.

  9. #9
    Member
    Join Date
    Feb 2005
    Posts
    312

    Default

    Quote Originally Posted by bjdea1 View Post
    30 2 * * 1 /usr/local/cpanel/bin/cpuwatch 2 clamscan -ri /home >/root/clamscan.log 2>&1

    Note this will only produce a log output file in /root/clamscan.log that lists all infected files it finds. It will not delete or remove infected files.
    It's probably best to put the log in /var/log/clamscan.log

    and put an entry in /etc/logrotate.d just to make sure the logs get cleaned up when you don't have time to deal with them.

  10. #10
    Member
    Join Date
    Jan 2005
    Location
    London, UK
    Posts
    187

    Default

    I would consider running as a cron once per day, but not ideal.

    Is there no way that system can check for every file uploaded in realtime?
    I realise this could cause a little resource issue, but this would be the only way to stop at source before any damage is done?

    - Vince

  11. #11
    cPanel Product Evangelist Infopro's Avatar
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,894
    cPanel/Enkompass Access Level

    Root Administrator

    Lightbulb

    You might want to check out this thread:
    http://forums.cpanel.net/showthread.php?t=91161

  12. #12
    Member
    Join Date
    Feb 2005
    Posts
    312

    Default

    Quote Originally Posted by mambovince View Post
    I would consider running as a cron once per day, but not ideal.

    Is there no way that system can check for every file uploaded in realtime?
    I realise this could cause a little resource issue, but this would be the only way to stop at source before any damage is done?

    - Vince
    There is... and you can purchase upload guardian as mentioned in the other thread, which seems to do the trick.

    My guess is they're just using inotify and when a file is created, they run it through the scanner.

    Here's inoclam: http://www.inoclam.org/

    My guess is this will do for free what upload guardian will do for a monthly fee.

    Also, unless your server gets a lot of writes/updates, this shouldn't create a huge strain if you attached it to the public_html directories inside users' home directories.

    Running it against the entire home directory may be a problem, only because email files are updated constantly, and while logs are running the user's tmp folder where the stats software stores its info will be updated constantly, but the web roots are mostly static files which are read much more frequently than they're written.

    On the other hand... if there's a cheap product which deals with all the configuration hassles, it might well be worth the money, so investigate your options and let us all know what you find works best for you.

    Keith
