found php shells- how were they uploaded?

Nishant80 (Well-Known Member, joined May 7, 2012; cPanel Access Level: Root Administrator):
During recent security issues that I faced, a few sites were defaced using php shells. While scanning with ClamAV, I found the location.

What I want to know is HOW were they uploaded? And at what time?
 

georgeb (Well-Known Member, joined May 23, 2010, Montreal, QC, Canada; cPanel Access Level: Root Administrator):
> During recent security issues that I faced, a few sites were defaced using php shells. While scanning with ClamAV, I found the location.
>
> What I want to know is HOW were they uploaded? And at what time?
Probably they used an outdated WordPress, Joomla or other CMS and uploaded the files, or maybe your server is already compromised; there are many ways for them to upload malicious scripts. I'd go deeper and check logs to see at what level they succeeded; maybe the whole server is compromised.


Regards
 

quizknows (Well-Known Member, joined Oct 20, 2009; cPanel Access Level: DataCenter Provider):
> During recent security issues that I faced, a few sites were defaced using php shells. While scanning with ClamAV, I found the location.
>
> What I want to know is HOW were they uploaded? And at what time?
Hopefully you didn't move or remove the files yet. It's highly unlikely your whole server is hacked, likely just an outdated CMS that allowed the upload. Assuming you've ruled out the FTP and cPanel access logs (which are rarely used for PHP shell uploads) here's what you should do.

You need to log in to SSH and `stat` the files. Note BOTH the 'change' and 'modify' time of every malicious file you find. Normally the modify time is most relevant, but it can be spoofed. I've never seen the 'change' time spoofed, as the system updates this whenever any attributes (permissions, file name, etc.) are changed. For example, if you extract a zip file, the modify time will show the last time the extracted file was edited before it was zipped; however, the change time will tell you when it was placed on your system.

Often PHP shells are used to upload further shells. Take the oldest modify and change times you get from the malicious files, and go to the domain's access logs. Hopefully you set up raw access log archiving in the affected domains' cPanel accounts; if your log rotation is default in WHM it deletes the domlogs every 24h and you're going to be completely $expletive'd for investigating this. If this is the case I urge you to vote for this feature request: Better Apache Log Rotation | cPanel Feature Requests

Assuming you are one of the lucky few people on cPanel servers with domlogs that get saved, you should find a POST request (sometimes GET) within 1-2 seconds of the modify/change times of your shell(s). This will tell you what PHP page was exploited to upload the bad file(s). If the request is to another malicious file, `stat` that file and repeat the process.
 

Nishant80 (Well-Known Member, joined May 7, 2012; cPanel Access Level: Root Administrator):
> Hopefully you didn't move or remove the files yet. It's highly unlikely your whole server is hacked, likely just an outdated CMS that allowed the upload. Assuming you've ruled out the FTP and cPanel access logs (which are rarely used for PHP shell uploads) here's what you should do.
>
> You need to log in to SSH and `stat` the files. Note BOTH the 'change' and 'modify' time of every malicious file you find. Normally the modify time is most relevant, but it can be spoofed. I've never seen the 'change' time spoofed, as the system updates this whenever any attributes (permissions, file name, etc.) are changed. For example, if you extract a zip file, the modify time will show the last time the extracted file was edited before it was zipped; however, the change time will tell you when it was placed on your system.
>
> Often PHP shells are used to upload further shells. Take the oldest modify and change times you get from the malicious files, and go to the domain's access logs. Hopefully you set up raw access log archiving in the affected domains' cPanel accounts; if your log rotation is default in WHM it deletes the domlogs every 24h and you're going to be completely $expletive'd for investigating this. If this is the case I urge you to vote for this feature request: Better Apache Log Rotation | cPanel Feature Requests
>
> Assuming you are one of the lucky few people on cPanel servers with domlogs that get saved, you should find a POST request (sometimes GET) within 1-2 seconds of the modify/change times of your shell(s). This will tell you what PHP page was exploited to upload the bad file(s). If the request is to another malicious file, `stat` that file and repeat the process.
Voted for the request.
I see maldet already quarantined the file, and I am new to the "stat" command. Here is the output I get for this particular shell:

Access: (0644/-rw-r--r--) Uid: ( 508/mwebdire) Gid: ( 506/mwebdire)
Access: 2013-03-25 02:01:43.000000000 +0100
Modify: 2011-04-16 08:09:07.000000000 +0200
Change: 2013-03-11 09:44:48.000000000 +0100
 

quizknows (Well-Known Member, joined Oct 20, 2009; cPanel Access Level: DataCenter Provider):
You would probably need stat before the quarantine. Had those stats been before quarantine, you would then run:

grep '11/Mar/2013:09:44:4' /home/$username/access-logs/$domain.$tld

If you got results showing an IP making a request to another PHP script at that time, that would tell you what page was used to upload the shell.
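The correlation quizknows describes in this post and the earlier one (`stat` the shell, then look in the domlog for a request within a second or two of its Modify/Change time) written out as a script. This is an added example, not code from the thread or from cPanel: it parses GNU `stat` output (or reads a real file via `os.stat`) and Apache combined-format log lines, then lists the requests that land inside the window. The stat times are the ones Nishant80 posted; the log excerpt, IP addresses and plugin path are constructed.

```python
import os
import re
from datetime import datetime, timezone

# Apache "combined" format, which is what cPanel writes to /home/$user/access-logs/.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# GNU stat prints "Modify: 2011-04-16 08:09:07.000000000 +0200"; the nanoseconds are dropped.
STAT_RE = re.compile(
    r'^(Access|Modify|Change): (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ ([+-]\d{4})$'
)


def parse_log_line(line):
    """One combined-format access-log line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        'ip': m.group('ip'),
        'when': datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
        'method': m.group('method'),
        'path': m.group('path'),
        'status': int(m.group('status')),
    }


def parse_stat_output(text):
    """Pull the Access/Modify/Change timestamps out of pasted `stat` output."""
    times = {}
    for line in text.splitlines():
        m = STAT_RE.match(line.strip())
        if m:
            times[m.group(1)] = datetime.strptime(m.group(2) + ' ' + m.group(3),
                                                  '%Y-%m-%d %H:%M:%S %z')
    return times


def stat_times_for(path):
    """Same anchors for a file still on disk (run this BEFORE anything quarantines it)."""
    st = os.stat(path)
    return {'Modify': datetime.fromtimestamp(st.st_mtime, timezone.utc),
            'Change': datetime.fromtimestamp(st.st_ctime, timezone.utc)}


def correlate(stat_times, log_lines, window_seconds=2):
    """Requests logged within window_seconds of the file's Modify or Change time,
    nearest first. Each hit is (which_time, seconds_apart, request_dict)."""
    anchors = {k: v for k, v in stat_times.items() if k in ('Modify', 'Change')}
    hits = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        for label, anchor in anchors.items():
            apart = abs((rec['when'] - anchor).total_seconds())
            if apart <= window_seconds:
                hits.append((label, int(apart), rec))
    hits.sort(key=lambda h: (h[1], h[2]['when']))
    return hits


# Constructed sample: the stat lines from the thread plus an invented domlog excerpt.
SAMPLE_STAT = """\
Access: (0644/-rw-r--r--) Uid: ( 508/mwebdire) Gid: ( 506/mwebdire)
Access: 2013-03-25 02:01:43.000000000 +0100
Modify: 2011-04-16 08:09:07.000000000 +0200
Change: 2013-03-11 09:44:48.000000000 +0100
"""
SAMPLE_DOMLOG = [
    '198.51.100.20 - - [11/Mar/2013:09:40:12 +0100] "GET /index.php HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Mar/2013:09:44:47 +0100] "POST /wp-content/plugins/oldplugin/upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Mar/2013:09:44:49 +0100] "GET /wp-content/uploads/2013/03/sh.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [11/Mar/2013:10:02:33 +0100] "GET /about/ HTTP/1.1" 200 4310 "-" "Mozilla/5.0"',
]


def demo():
    """Correlate the thread's stat times against the constructed log excerpt."""
    return correlate(parse_stat_output(SAMPLE_STAT), SAMPLE_DOMLOG)


if __name__ == '__main__':
    for label, apart, rec in demo():
        print(f"{label} time {apart}s away: {rec['ip']} {rec['method']} {rec['path']} -> {rec['status']}")
```

On the sample data the 2011 Modify time matches nothing (a preserved or spoofed mtime is useless as an anchor), while the Change time picks out the POST to the plugin upload handler one second before and the first GET of the shell one second after, which is exactly the pair the grep above is meant to surface.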
 

CharlesBoyd (Member, joined May 29, 2012; cPanel Access Level: Root Administrator):
> I've never seen the 'change' time spoofed, as the system updates this whenever any attributes (permissions, file name, etc.) are changed. For example, if you extract a zip file, the modify time will show the last time the extracted file was edited before it was zipped; however, the change time will tell you when it was placed on your system.
Modifying the change time can be easily done... at least once the server has been rooted.

This is a common thing for an attacker to do when they want to cover up their entry point.

touch2.c ≈ Packet Storm
 

quizknows (Well-Known Member, joined Oct 20, 2009; cPanel Access Level: DataCenter Provider):
"at least once the server has been rooted"

Most of the time, investigating webapp compromises, you're not dealing with a rooted server. Spoofed modify times are much more common. Good info though, thanks!