Hacker Keyword Search

Discussion in 'General Discussion' started by bmcpanel, Mar 31, 2007.

  1. bmcpanel

    bmcpanel Well-Known Member

    Joined:
    Jun 1, 2002
    Messages:
    546
    Likes Received:
    0
    Trophy Points:
    16
    I am writing a bash script that uses egrep to search through server files with the .pl, .cgi and .php extensions. The script hunts for certain keywords that a hacker may use. So far, I have the script searching for the following keywords:

    c99shell
    r57shell
    webshell

    What I want to know is, what other keywords do you think I should use in the script? Keep in mind that the purpose of the script is to search for exploited files being used by hackers.

    Please share your ideas for keyword(s) which might benefit the search.

    Thanks
     
  2. kevinm

    kevinm Member

    Joined:
    Feb 22, 2006
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    To save load on your disk subsystem each time you run the trawler, you could write an Apache filter to do this on the request side, so the files can't be called (mod_perl could be your friend here!).
     
  3. bmcpanel

    bmcpanel Well-Known Member

    Thanks, I will look into it.
     
  4. bmcpanel

    bmcpanel Well-Known Member

    Anyone want to share your idea for keywords to help find hacker files on a server? (The keyword would be contained within the content of the file itself).
     
  5. rejected

    rejected Well-Known Member

    Joined:
    Sep 19, 2006
    Messages:
    48
    Likes Received:
    0
    Trophy Points:
    0
    exec(), system(), passthru(), /etc/passwd. That's all I can think of at the moment.
     
  6. bmcpanel

    bmcpanel Well-Known Member

    Thanks.... good suggestions.
     
  7. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Malicious list of stuff I often see in files used for attacks. That should help you get started.

    cmd.txt
    c99
    void.ru
    kernel.c
    phpshell
    bash_history
    p0t_shellbot.pl
    dm.cgi
    *.gif.php
    Mysql.pm
    mysqlwrap
    shell.c
    0wn3d
    6667
    irc_socket
    getnick
    Defacing Tool
    vnS3cuRity
    r3v3ng4ns
    rm -f
    rm -rf
    BaCkd00r
    setsid
    0ldW0lf
     
  8. bmcpanel

    bmcpanel Well-Known Member

    Good Stuff. Thanks.
     
  9. ramprage

    ramprage Well-Known Member

    My pleasure. Let me know how the script turns out.
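
An added example, not code from any post in this thread: one way to structure the keyword sweep discussed above so that rare web-shell names are reported separately from common function calls that need manual review. The function names, the HIGH/REVIEW/NAME labels, `shell_exec`, and the `.jpg.php`/`.png.php` patterns are assumptions added here; the other keywords come from the posts.

```shell
#!/bin/sh
# Added example, not from the thread: keyword sweep over .pl/.cgi/.php files.

# Tier 1: names from the thread that rarely appear in legitimate code.
# Matched as fixed strings, case-insensitively.
SHELL_NAMES='c99shell
r57shell
webshell
phpshell
p0t_shellbot
irc_socket
BaCkd00r
0wn3d'

# Tier 2: calls and path suggested in the thread (shell_exec added here as an
# assumption). Legitimate code uses these too, so hits are only marked REVIEW.
# The leading guard keeps names such as curl_exec( from being reported.
RISKY_CALLS='(^|[^[:alnum:]_])(exec|shell_exec|system|passthru)[[:space:]]*\(|/etc/passwd'

# Run grep (remaining arguments) on every .pl, .cgi and .php file under $1.
# "-exec ... {} +" hands paths to grep directly, so spaces in names are safe.
grep_scripts() {
    dir=$1; shift
    find "$dir" -type f \( -name '*.pl' -o -name '*.cgi' -o -name '*.php' \) \
        -exec grep -Hn "$@" -- {} + || true   # grep exits 1 when nothing matches
}

# Print one line per finding: "LABEL path:line:text" or "NAME path".
scan_webroot() {
    grep_scripts "$1" -iF -e "$SHELL_NAMES" | sed 's/^/HIGH   /'
    grep_scripts "$1" -iE -e "$RISKY_CALLS" | sed 's/^/REVIEW /'
    # Image extension followed by .php, as in the thread's "*.gif.php".
    find "$1" -type f \( -name '*.gif.php' -o -name '*.jpg.php' -o -name '*.png.php' \) \
        -exec printf 'NAME   %s\n' {} + || true
}

# Stand-alone use: sh scan.sh /path/to/docroot
if [ "$#" -gt 0 ]; then
    scan_webroot "$1"
fi
```

REVIEW lines are expected on healthy sites; the HIGH and NAME lines are the ones to triage first.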
     