Help with r57 exploit checking script

Discussion in 'General Discussion' started by aarondwyer, May 11, 2008.

  1. aarondwyer

    aarondwyer Well-Known Member

    Joined:
    Mar 26, 2005
    Messages:
    73
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Brisbane
    cPanel Access Level:
    Root Administrator
    Code:
    find /home/ \( -name "*.cgi" -o -name "*.php" \) -print | xargs egrep -l 'c99shell|r57shell|WebShell|phpshell' >> /root/report.txt
    When I run this to check for exploits it fails after a while with this error and doesn't make it through all my /home accounts

    xargs: unmatched single quote

    Does anyone know of a way of making this command line better to ignore single quotes or make it continue after an error?

    I'm not very good with my sh scripting.

    Thanks
    Aaron
     
  2. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Actually, you're doing pretty good here, I wouldn't diss yourself like that!

    This is kind of an obscure error and I'm not surprised you're stumped; I remember a large amount of pain the first time I hit this! The problem is that you've hit a filename with a single quote in it. You could remove the file, but find and xargs have a built-in solution to just this exact problem:
    Code:
    find ... -print0 | xargs -0 ...
    In other words, just change your find "-print" to "-print0" and add the -0 option to xargs and you're good to go. What this will do for you is that find will delimit file names with a NULL (\0 character) and xargs will look for NULL terminated file names.

    Hope this helps ...
     
  3. aarondwyer

    Absolutely brilliant, worked like a charm and I found some more compromised scripts on the server, thanks Brian.

    Aaron
     
  4. ffeingol

    ffeingol Well-Known Member
    PartnerNOC

    Joined:
    Nov 9, 2001
    Messages:
    215
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    DataCenter Provider
    I have not tested this, but I think you could simplify the process by running:

    Code:
    find /home/ \( -name "*.cgi" -o -name "*.php" \) -exec egrep -l 'c99shell|r57shell|WebShell|phpshell' >> /root/report.txt
    
    Frank
     
  5. brianoz

    Simpler in one sense, but many times slower as the grep is run for every single file; xargs runs the grep only for groups of files.
     
  6. ffeingol

    My bad on the code. I would normally use:

    Code:
    find /home/ \( -name "*.cgi" -o -name "*.php" \) -exec egrep -l 'c99shell|r57shell|WebShell|phpshell' {} \; >> /root/report.txt
    
    Won't that only run for the files that match the .cgi or php?
     
  7. brianoz

    Correct; that's what you want though!
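
The scan forms discussed in this thread, run side by side against file names containing a quote and a space. This is an added example, not code from any of the posters: the temporary tree, file names and function names are constructed for illustration, and `grep -E` stands in for `egrep`. The `-exec ... {} +` variant goes beyond the thread to show a find-only form that passes files to grep in batches, as xargs does.

```shell
#!/bin/sh
# Added example; the tree below is constructed, not taken from the thread.
PATTERN='c99shell|r57shell|WebShell|phpshell'   # strings from the thread

# Build a constructed test tree under $1 with awkward file names.
make_fixture() {
    mkdir -p "$1/user1/public_html" "$1/user2/public_html"
    printf '<?php /* r57shell */ ?>\n'     > "$1/user1/public_html/it's here.php"
    printf '<?php echo "hello"; ?>\n'      > "$1/user1/public_html/index.php"
    printf '#!/usr/bin/perl\n# c99shell\n' > "$1/user2/public_html/up load.cgi"
    printf 'r57shell in a text file\n'     > "$1/user2/public_html/notes.txt"
}

# Original form: xargs treats quotes and blanks in names as syntax.
scan_plain() {
    find "$1" \( -name "*.cgi" -o -name "*.php" \) -print |
        xargs grep -E -l "$PATTERN"
}

# Fix from the thread: NUL-delimited names, no quote parsing.
scan_nul() {
    find "$1" -type f \( -name "*.cgi" -o -name "*.php" \) -print0 |
        xargs -0 grep -E -l "$PATTERN"
}

# find-only variant: "{} +" passes files to grep in batches, as xargs does.
scan_exec_plus() {
    find "$1" -type f \( -name "*.cgi" -o -name "*.php" \) \
        -exec grep -E -l "$PATTERN" {} +
}

# Demo: sh scan-demo.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_fixture "$d"
    scan_plain "$d"; echo "plain scan exit status: $?"
    scan_nul "$d"
    scan_exec_plus "$d"
    rm -rf "$d"
fi
```

A nonzero exit status from the plain form means the report is incomplete, so a scheduled scan should check it rather than trust whatever was written to the report file.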
     