
New Script that some of you might find useful.

Discussion in 'General Discussion' started by shaun, Jul 3, 2003.

  1. shaun

    shaun Well-Known Member

    Joined:
    Nov 9, 2001
    Messages:
    698
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Clemente, Ca
    I just wrote this script tonight. It's called chkformmailver. It's a script which scans for old vulnerable formmail scripts. More info on the page.

    http://www.cplicensing.net/extras/scripts.php

    cPanel.net Support Ticket Number:
     
  2. sexy_guy

    sexy_guy Well-Known Member

    Joined:
    Mar 19, 2003
    Messages:
    848
    Likes Received:
    0
    Trophy Points:
    16
    Can't locate File/Find/Rule.pm in @INC (@INC contains: /usr/lib/perl5/5.6.1/i686-linux /usr/lib/perl5/5.6.1 /usr/lib/perl5/site_perl/5.6.1/i686-linux /usr/lib/perl5/site_perl/5.6.1 /usr/lib/perl5/site_perl/5.6.0 /usr/lib/perl5/site_perl .) at ./formcheck.pl line 8.
    BEGIN failed--compilation aborted at ./formcheck.pl line 8.
    root@srv08 [/var/log]#

    I guess I'm missing this Perl module!

  3. shaun

    Just run /scripts/perlinstaller File::Find::Rule

  4. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    Damn fine scripts!! All of them...

    By the way, which versions are old and insecure?

  5. shaun

    From what I understand, anything below 1.91.

  6. sexy_guy

    Great, still running. Let's see what it pulls out of 417 sites. :D

    Is there a way to run it as a cron and output the results to an email address?

  7. sexy_guy

    Oops, I didn't read the code; it already does that. Thanks for your hard work!!!

  8. shaun

    lol, ya, it does it all, even disables the script (chmod 0000) if you want it to...

  9. shaun

    Oh ya, it will take a while... It's basically searching every dir/file in your /home dir looking for *.cgi and *.pl files, then opening those files and running through them line by line.

  10. sexy_guy

    Really? How do I tell the user that the script is not allowed and that it's been disabled?

  11. shaun

    The script will tell you where the file is; it shouldn't be very hard to tell from there whose script it is (ex: /home/user/path/to/script). If you set the script to disable the insecure formmail scripts, it does not inform the client; you will have to do that yourself. Maybe I can add that later on.

  12. sexy_guy

    OK, so I got these hits.

    Vulnerable FormMail Found at /home/xxx/public_html/cgi-bin/thesame.cgi Version(1.6)
    Vulnerable FormMail Found at /home/xxx/public_html/cgi-bin/thesame.cgi Version(1.6)
    Vulnerable FormMail Found at /home/xxx/public_html/secure/thesame.cgi Version(1.6)
    Vulnerable FormMail Found at /home/xxx/public_html/cgi-bin/thesame.cgi Version(1.6)
    Vulnerable FormMail Found at /home/xxx/public_html/cgi-bin/bFormMail.pl Version(1.9)

    Did these users get an email? Was I supposed to get one as well? I did not get one.

    #12 sexy_guy, Jul 3, 2003
    Last edited: Jul 3, 2003
  13. shaun

    No, the clients are not informed.

    Unless you set

    $emailresults = '1';

    you will not get an email. Also make sure that if you set $emailresults = '1'; you also set $admin_email = ''; to your email address.

  14. sexy_guy

    Thanks for that, Shaun. I did look at your watchmysql script. How do I run the watchmysql script as a cron every ten minutes if it's already coded as running every 10 min within?

    I do have a problem like this on one of my boxes, and I'm sure many other people do, where certain IPs are opening around 30 or 40 HTTPD connections at once. The other day I caught somebody doing this; of course I had no clue who that was. All I know is there was one IP doing this constantly. Of course we received a message from Apache saying the number of connections was increased from 150 to 170 on that particular occasion.

    #14 sexy_guy, Jul 3, 2003
    Last edited: Jul 3, 2003
  15. furquan

    furquan Well-Known Member

    Joined:
    Jul 27, 2002
    Messages:
    425
    Likes Received:
    0
    Trophy Points:
    16
    Fantastic scripts you got there; will try them very soon. Hope more people like you can contribute more to the community out here.

    Regards,

  16. sexy_guy

    HUH! What are you talking about? :confused:

  17. X-Istencedotcom

    X-Istencedotcom Well-Known Member

    Joined:
    Apr 14, 2003
    Messages:
    223
    Likes Received:
    0
    Trophy Points:
    16
    Was pointed at the thread starter.

  18. kcdworks

    kcdworks Well-Known Member

    Joined:
    Jul 28, 2002
    Messages:
    186
    Likes Received:
    0
    Trophy Points:
    16
    Trying to use your Fix404 script, and I'm getting the error "Bad Interpreter" ... I checked the path to perl (which was correct) and can't find anything else that was wrong. Any suggestions?

    EDIT: Never mind, I got it working now. :)
     
  19. sexy_guy

    One of my users got pretty upset when we disabled his script.

    Vulnerable FormMail Found at /home/xxx/public_html/cgi-bin/bFormMail.pl Version(1.9)

    Notice it says 1.9? He was actually running 1.92 and the script reported he was running 1.9. So if the script searches for 1.9, will it also pick up 1.92 as being vulnerable?

  20. shaun

    Sexy_guy: can you email me his script so I can see the guts of it? Shaun.Reitan@NDCHost.com. Also, watchmysql isn't really meant to be run in a cron job; it runs as a background process.


    kcdworks: Did you edit that script in a Windows editor? Usually that error happens when you edit the script in an enriched editor. Delete the script, log into your server, and do a wget to grab it.

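Added example, not shaun's chkformmailver and not code from this thread: a Python version of the scan described above (walk a tree for *.cgi and *.pl files, read each line by line, flag FormMail below 1.91), using a version pattern that captures every digit so that 1.92 is not reported as 1.9. The header line format, the constructed sample tree and all function names are assumptions.

```python
import os
import re
import tempfile
from decimal import Decimal

# Threshold taken from the thread: "anything below 1.91".
MIN_SAFE = Decimal("1.91")

# Assumed header format: "FormMail ... Version 1.92" on one line. \d+ after the
# dot takes every digit; a pattern stopping at one digit reads 1.92 as 1.9.
VERSION_RE = re.compile(r"FormMail\b.*?\bVersion\s+(\d+\.\d+)", re.IGNORECASE)

def formmail_version(path):
    """Return the first FormMail version found in the file, or None."""
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            m = VERSION_RE.search(line)
            if m:
                return Decimal(m.group(1))
    return None

def scan(root):
    """Walk root; return sorted [(path, version, vulnerable)] for *.cgi/*.pl."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".cgi", ".pl")):
                continue
            path = os.path.join(dirpath, name)
            ver = formmail_version(path)
            if ver is not None:
                hits.append((path, ver, ver < MIN_SAFE))
    return sorted(hits)

def demo():
    """Build a constructed sample tree (not real accounts) and scan it."""
    samples = {"a/cgi-bin/thesame.cgi": "1.6", "b/cgi-bin/bFormMail.pl": "1.92",
               "c/cgi-bin/old.pl": "1.9"}
    with tempfile.TemporaryDirectory() as root:
        for rel, ver in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full))
            with open(full, "w") as fh:
                fh.write("#!/usr/bin/perl\n# FormMail    Version %s    #\n" % ver)
        return [(os.path.relpath(p, root), str(v), bad) for p, v, bad in scan(root)]

if __name__ == "__main__":
    for rel, ver, bad in demo():
        print(rel, ver, "VULNERABLE" if bad else "ok")
```

On a real server, review the reported paths before disabling anything, since a renamed or patched script may carry a header that does not match the assumed pattern.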