How do I block scripts like C99 Shell and such?

Discussion in 'General Discussion' started by arberb, Jul 1, 2008.

  1. arberb

    arberb Member

    How do I block scripts like C99 Shell and such?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    mod_security should help you there.
     
  3. mambovince

    mambovince Well-Known Member

    Hasn't helped me.
    We get shell scripts uploaded into accounts with 777 directory permissions from time to time.

    - Vince
     
  4. bjdea1

    bjdea1 Well-Known Member

    Use clamscan to scan your user accounts
     
  5. mambovince

    mambovince Well-Known Member

    Does that need to be set up as a cron job?
    I have sometimes used ClamAV through cPanel on some accounts, and it does identify shell scripts.

    But I find it uses loads of server resources, therefore would probably not be a good idea to scan all hosted accounts this way?

    Appreciate any help.

    - Vince
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You really should be moving up to apache2 by now. ;)
     
  7. freedman

    freedman Well-Known Member

    it's very resource intensive as are all virus scanners, however, it's probably something you should run on occasion.

    if you've got the time, create a script to run find looking for things updated or created since the last scan and just pipe those to the scanner.

    no sense re-running on everything, although you might want to on occasion in case someone shells in and touches back the dates on something.
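
The incremental scan suggested in the post above, as an added example that is not code from any poster in this thread. The function names, the marker-file path and the `SCAN_ROOT`/`SCANNER` variables are assumptions; it selects files by ctime rather than mtime, so a file whose date was set back with `touch` is still picked up.

```shell
#!/bin/sh
# Added example: scan only files changed since the previous run.
# STAMP, SCAN_ROOT, SCANNER and both function names are hypothetical.
STAMP="${STAMP:-/var/lib/clamscan-incremental.stamp}"  # marker left by the last run
SCAN_ROOT="${SCAN_ROOT:-/home}"
SCANNER="${SCANNER:-clamscan}"

# Print regular files changed since the marker. -cnewer compares each file's
# ctime with the marker's mtime. The kernel bumps ctime on every content or
# metadata change and touch(1) cannot set it back, so a backdated mtime does
# not hide a file from this list.
changed_since_last_scan() {
    if [ -f "$STAMP" ]; then
        find "$SCAN_ROOT" -type f -cnewer "$STAMP" -print
    else
        find "$SCAN_ROOT" -type f -print   # first run: everything
    fi
}

incremental_scan() {
    list=$(mktemp) || return 1
    # The next marker is created BEFORE find runs, so files written while
    # the scan is in progress are picked up by the following run.
    next=$(mktemp) || return 1
    changed_since_last_scan > "$list"
    rc=0
    if [ -s "$list" ]; then
        # -i: report infected files only; --file-list: one path per line
        # (paths containing newlines are not handled by this format)
        "$SCANNER" -i --file-list="$list" || rc=$?
    fi
    # clamscan exits 0 (clean) or 1 (match found); on any other status the
    # scan failed, so keep the old marker and retry the same files next time.
    if [ "$rc" -le 1 ]; then mv "$next" "$STAMP"; else rm -f "$next"; fi
    rm -f "$list"
    return "$rc"
}
```

Call `incremental_scan` from the nightly cron job and keep an occasional full `clamscan -ri` run as well, since newly published signatures can match files that have not changed.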
     
  8. bjdea1

    bjdea1 Well-Known Member

    Response

    You can run clamscan weekly on the entire /home directory safely (without overloading server) if you run it under cPanel's cpuwatch script. Enter this line into crontab.

    30 2 * * 1 /usr/local/cpanel/bin/cpuwatch 2 clamscan -ri /home >/root/clamscan.log 2>&1

    This will run clamscan once a week (Monday) at 2:30am and will pause each time the server load goes over 2 and will then resume again once the load is under 2. If you want it to run faster you could make the "2" a "3" or a "4".

    Note this will only produce a log output file in /root/clamscan.log that lists all infected files it finds. It will not delete or remove infected files. It's NOT recommended to allow clamscan to delete infected files because this could end up deleting files that users need. If a 3rd party (hacker) is responsible for infecting a file and then you just automatically deleted it - that could be a user's entire website you're deleting. Hackers usually target index.php or index.html files so I really wouldn't recommend allowing clamscan to delete infected files. Instead just look through the clamscan.log yourself and manually remove those files you know to be hacker shells etc.
     
  9. freedman

    freedman Well-Known Member

    it's probably best to put the log in /var/log/clamscan.log

    and put an entry in /etc/logrotate.d just to make sure the logs get cleaned up when you don't have time to deal with them.
     
  10. mambovince

    mambovince Well-Known Member

    I would consider running as a cron once per day, but not ideal.

    Is there no way that the system can check for every file uploaded in real time?
    I realise this could cause a little resource issue, but this would be the only way to stop at source before any damage is done?

    - Vince
     
  11. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  12. freedman

    freedman Well-Known Member

    there is.. and you can purchase upload guardian as mentioned in the other thread which seems to do the trick.

    my guess is they're just using inotify and when a file is created, they run it through the scanner.

    here's inoclam: http://www.inoclam.org/

    my guess is this will do for free what upload guardian will do for a monthly fee.

    Also, unless your server gets a lot of writes/updates, this shouldn't create a huge strain if you attached it to the public_html directories inside users' home directories.

    running it against the entire home directory may be a problem, only because email files are updated constantly, and while logs are running the users' tmp folder where the stats software stores its info will be updated constantly, but the web roots are mostly static files which are read much more frequently than they're written.

    On the other hand.. if there's a cheap product which deals with all the configuration hassles, it might well be worth the money, so investigate your options and let us all know what you find works best for you.

    Keith
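
The inotify approach guessed at in the post above, as an added sketch that is not code from inoclam, Upload Guardian or any poster in this thread. It assumes inotify-tools (`inotifywait`) and ClamAV's `clamdscan` are installed; the function names and the `ALERT_LOG` path are hypothetical. It watches only the `public_html` web roots and logs matches instead of deleting them, in line with the advice earlier in the thread.

```shell
#!/bin/sh
# Added example: scan files as they are written under the web roots.
# scan_events, watch_webroots and ALERT_LOG are hypothetical names.
SCANNER="${SCANNER:-clamdscan}"   # talks to the running clamd, so signatures load once
ALERT_LOG="${ALERT_LOG:-/var/log/clamscan-realtime.log}"

# Read one path per line (the format inotifywait prints below) and scan it.
scan_events() {
    while IFS= read -r path; do
        case "$path" in
            */public_html/*) ;;      # web roots only; skip mail and stats tmp
            *) continue ;;
        esac
        [ -f "$path" ] || continue   # already removed, or not a regular file
        rc=0
        "$SCANNER" --no-summary "$path" >/dev/null 2>&1 || rc=$?
        # Exit status 1 means a signature matched: record it, do not delete.
        if [ "$rc" -eq 1 ]; then
            printf '%s FOUND %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$path" >> "$ALERT_LOG"
        fi
    done
}

watch_webroots() {
    # close_write: a file was written and closed; moved_to: a file was renamed
    # into a watched directory (how many upload handlers place the final file).
    inotifywait -m -r -q -e close_write -e moved_to --format '%w%f' \
        /home/*/public_html | scan_events
}
```

Recursive watches use one inotify watch per directory, so on a server with many accounts check `fs.inotify.max_user_watches` before starting `watch_webroots`.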
     