Help with r57 exploit checking script

aarondwyer

Well-Known Member
Verified Vendor
Mar 26, 2005
73
0
156
Brisbane
cPanel Access Level
Root Administrator
Code:
find /home/ \( -name "*.cgi" -o -name "*.php" \) -print | xargs egrep -l 'c99shell|r57shell|WebShell|phpshell' >> /root/report.txt
When I run this to check for exploits, it fails after a while with this error and doesn't make it through all my /home accounts:

xargs: unmatched single quote

Does anyone know of a way of making this command line better to ignore single quotes or make it continue after an error?

I'm not very good with my sh scripting.

Thanks
Aaron
 

brianoz

Well-Known Member
Mar 13, 2004
1,146
7
168
Melbourne, Australia
cPanel Access Level
Root Administrator
"I'm not very good with my sh scripting."
Actually, you're doing pretty good here, I wouldn't diss yourself like that!

This is kind of an obscure error and I'm not surprised you're stumped; I remember a large amount of pain the first time I hit this! The problem is that you've hit a filename with a single quote in it. You could remove the file, but find and xargs have a built-in solution to just this exact problem:
Code:
find ... -print0 | xargs -0 ...
In other words, just change your find "-print" to "-print0" and add the -0 option to xargs and you're good to go. What this will do for you is that find will delimit file names with a NULL (\0 character) and xargs will look for NULL terminated file names.

Hope this helps ...
 

aarondwyer

Absolutely brilliant, worked like a charm and I found some more compromised scripts on the server, thanks Brian.

Aaron
 

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
629
205
343
cPanel Access Level
DataCenter Provider
I have not tested this, but I think you could simplify the process by running:

Code:
find /home/ \( -name "*.cgi" -o -name "*.php" \) -exec egrep -l 'c99shell|r57shell|WebShell|phpshell' >> /root/report.txt
Frank
 

ffeingol

My bad on the code. I would normally use:

Code:
find /home/ \( -name "*.cgi" -o -name "*.php" \) -exec egrep -l 'c99shell|r57shell|WebShell|phpshell' {} \; >> /root/report.txt
Won't that only run for the files that match the .cgi or php?
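
An added example, not code posted by anyone in the thread: the two quote-safe forms discussed above (`find -print0 | xargs -0` and `find -exec`) wrapped as shell functions, with a constructed sample tree containing a file name with a single quote. Assumptions: the function names are hypothetical, `grep -E` stands in for `egrep`, `-type f` is added, and the `-exec` form uses `{} +` batching instead of `{} \;`.

```shell
#!/bin/sh
# Strings are the ones grepped for in the thread.
SIGNATURES='c99shell|r57shell|WebShell|phpshell'

# scan_xargs DIR: NUL-delimited find | xargs, so quotes, spaces and
# backslashes in file names reach grep untouched.
scan_xargs() {
    rc=0
    find "$1" -type f \( -name '*.cgi' -o -name '*.php' \) -print0 |
        xargs -0 grep -El "$SIGNATURES" || rc=$?
    # xargs reports 123 when a grep batch matched nothing or could not
    # read a file; the scan still covered every file, so accept it.
    case $rc in 0|123) return 0 ;; *) return "$rc" ;; esac
}

# scan_exec DIR: same scan without a pipe; find hands the names to grep
# as arguments itself, batching them with "+".
scan_exec() {
    # A non-zero status here only means some batch had no match.
    find "$1" -type f \( -name '*.cgi' -o -name '*.php' \) \
        -exec grep -El "$SIGNATURES" {} + || return 0
}

# make_sample_tree DIR: constructed test data, not real malware.
make_sample_tree() {
    mkdir -p "$1/user1/public_html" "$1/user2/public_html"
    echo '<?php /* r57shell marker (constructed) */' \
        > "$1/user1/public_html/it's.php"
    echo '# c99shell marker (constructed)' \
        > "$1/user2/public_html/my upload.cgi"
    echo '<?php echo "hello";' > "$1/user2/public_html/index.php"
}

# Usage: sh scan.sh /home >> /root/report.txt
if [ $# -gt 0 ]; then
    scan_xargs "$1"
fi
```

The report is still one path per line, so a file name containing a newline would span two lines in it.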