The Community Forums

found php shells- how were they uploaded?

Discussion in 'Security' started by Nishant80, Mar 25, 2013.

  1. Nishant80 (Well-Known Member, joined May 7, 2012; cPanel Access Level: Root Administrator)
    During recent security issues that I faced, a few sites were defaced using php shells. While scanning with ClamAV, I found the location.

    What I want to know is HOW were they uploaded? And at what time?
     
  2. georgeb (Well-Known Member, joined May 23, 2010, Montreal, QC, Canada; cPanel Access Level: Root Administrator)
    Probably they used an outdated WordPress, Joomla or other CMS and uploaded the files, or maybe your server is already compromised; there are many ways for them to upload malicious scripts. I'll go deeper and check logs to see at what level they succeeded; maybe the whole server is compromised.


    Regards
     
  3. quizknows (Well-Known Member, joined Oct 20, 2009; cPanel Access Level: DataCenter Provider)
    Hopefully you didn't move or remove the files yet. It's highly unlikely your whole server is hacked, likely just an outdated CMS that allowed the upload. Assuming you've ruled out the FTP and cPanel access logs (which are rarely used for PHP shell uploads) here's what you should do.

    You need to log in to SSH and `stat` the files. Note BOTH the 'change' and 'modify' time of every malicious file you find. Normally the modify time is most relevant, but it can be spoofed. I've never seen the 'change' time spoofed, as the system updates this whenever any attributes (permissions, file name, etc.) are changed. I.e., if you extract a zip file, the modify time will show the last time the extracted file was edited before it was zipped; however, the change time will tell you when it was placed on your system.

    Often PHP shells are used to upload further shells. Take the oldest modify and change times you get from the malicious files, and go to the domain's access logs. Hopefully you set up raw access log archiving in the affected domains' cPanel accounts; if your log rotation is default in WHM it deletes the domlogs every 24h and you're going to be completely $expletive'd for investigating this. If this is the case I urge you to vote for this feature request: Better Apache Log Rotation | cPanel Feature Requests

    Assuming you are one of the lucky few people on cPanel servers with domlogs that get saved, you should find a POST request (sometimes GET) within 1-2 seconds of the modify/change times of your shell(s). This will tell you what PHP page was exploited to upload the bad file(s). If the request is to another malicious file, `stat` that file and repeat the process.
     
  4. Nishant80 (Well-Known Member, joined May 7, 2012; cPanel Access Level: Root Administrator)
    Voted for the request.
    I see maldet already quarantined the file and I am new to the "stat" command. Here is the output I get for this particular shell:

    Access: (0644/-rw-r--r--) Uid: ( 508/mwebdire) Gid: ( 506/mwebdire)
    Access: 2013-03-25 02:01:43.000000000 +0100
    Modify: 2011-04-16 08:09:07.000000000 +0200
    Change: 2013-03-11 09:44:48.000000000 +0100
     
  5. quizknows (Well-Known Member, joined Oct 20, 2009; cPanel Access Level: DataCenter Provider)
    You would probably need a stat from before the quarantine. Had those stats been from before quarantine, you would then run:

    grep '11/Mar/2013:09:44:4' /home/$username/access-logs/$domain.$tld

    If you got results showing an IP making a request to another PHP script at that time, that would tell you what page was used to upload the shell.
     
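The stat-then-grep correlation that quizknows describes in the two posts above, written out as an added example; this is not code from the thread or from cPanel. The `stat` output is copied in the shape posted above, and the access-log lines, IP addresses and paths are constructed for the demonstration and do not come from any real server. It parses both the modify and change times, lines them up against combined-format log entries using timezone-aware timestamps, and reports every request within a configurable window (default 2 seconds). Unlike a grep for a truncated timestamp such as `09:44:4`, the window does not miss a request that falls on the other side of a tens-of-seconds boundary (here, `09:44:50`).

```python
"""Correlate the stat() times of a recovered PHP shell with the domain's Apache
access log. Added example, not code from the thread. All sample data below is
constructed; IPs, paths and file names are hypothetical."""
import re
from datetime import datetime, timedelta

# Constructed stat output in the shape shown in the thread (only Modify/Change are used).
# The 2011 mtime is the kind of value that is preserved from an archive or spoofed;
# the 2013 ctime is when the file actually landed on disk.
STAT_OUTPUT = """\
Access: (0644/-rw-r--r--)  Uid: (  508/ mwebdire)   Gid: (  506/ mwebdire)
Access: 2013-03-25 02:01:43.000000000 +0100
Modify: 2011-04-16 08:09:07.000000000 +0200
Change: 2013-03-11 09:44:48.000000000 +0100
"""

# Constructed combined-log lines: the upload POST lands one second before the
# ctime and the first request for the new shell two seconds after it.
ACCESS_LOG = """\
203.0.113.7 - - [11/Mar/2013:09:44:31 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2013:09:44:47 +0100] "POST /uploads/upload.php HTTP/1.1" 200 212 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Mar/2013:09:44:50 +0100] "GET /images/stories/shell.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Mar/2013:09:52:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
"""

STAT_RE = re.compile(
    r"^(Modify|Change): (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ ([+-]\d{4})$", re.M
)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_stat_times(stat_text):
    """Return {'Modify': datetime, 'Change': datetime} from `stat` output.
    The nanosecond part is dropped because strptime's %f only takes microseconds."""
    return {
        name: datetime.strptime(f"{ts} {tz}", "%Y-%m-%d %H:%M:%S %z")
        for name, ts, tz in STAT_RE.findall(stat_text)
    }


def parse_log(log_text):
    """Yield (timestamp, ip, method, path, status) for each combined-format line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip it
        ip, when, method, path, status = m.groups()
        yield datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z"), ip, method, path, int(status)


def requests_near(stat_text, log_text, window_seconds=2):
    """Return requests within +/- window_seconds of the file's mtime or ctime.

    Timezone-aware comparison keeps a +0100 stat lined up with a log written in
    another zone, and the window covers the second boundary that a grep for a
    truncated timestamp like '09:44:4' would miss."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for which, anchor in parse_stat_times(stat_text).items():
        for when, ip, method, path, status in parse_log(log_text):
            offset = when - anchor
            if -window <= offset <= window:
                hits.append({
                    "anchor": which,
                    "offset_seconds": int(offset.total_seconds()),
                    "ip": ip,
                    "method": method,
                    "path": path,
                    "status": status,
                })
    hits.sort(key=lambda h: (h["anchor"], h["offset_seconds"]))
    return hits


def likely_upload_requests(hits):
    """The request that wrote the shell is normally a POST at or just before ctime."""
    return [h for h in hits if h["method"] == "POST" and h["offset_seconds"] <= 0]


if __name__ == "__main__":
    for h in requests_near(STAT_OUTPUT, ACCESS_LOG):
        print(f'{h["anchor"]} {h["offset_seconds"]:+d}s {h["ip"]} '
              f'{h["method"]} {h["path"]} {h["status"]}')
```

On a live server the two inputs would be `stat /path/to/shell.php` and the domain's raw log under `/home/$username/access-logs/`, as in the post above; the log must still exist for this to work, which is why the retained-domlogs caveat matters. The POST reported at `-1s` is the candidate entry point; if its target is itself a suspicious script, `stat` that file and run the same correlation again, exactly the chain-following step the post describes.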
  6. CharlesBoyd (Member, joined May 29, 2012; cPanel Access Level: Root Administrator)
    Modifying the change time can be easily done... at least once the server has been rooted.

    This is a common thing for an attacker to do when they want to cover up their entry point.

    touch2.c | Packet Storm
     
  7. quizknows (Well-Known Member, joined Oct 20, 2009; cPanel Access Level: DataCenter Provider)
    "at least once the server has been rooted"

    Most of the time, investigating webapp compromises, you're not dealing with a rooted server. Spoofed modify times are much more common. Good info though, thanks!
     