The Community Forums


script for finding exploits

Discussion in 'General Discussion' started by nxds, Jul 7, 2006.

  1. nxds

    nxds Well-Known Member

    Joined:
    Jan 6, 2006
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    6
    I wrote this script to help me find hacking tools and exploits on my servers. It basically just runs find/egrep to list php and cgi files containing certain strings. It will only report matching files that were not reported in a previous run, and it has options to send the output in an email and to display the matched lines with context. It can be run in a cron job to alert you of dubious scripts that have recently been uploaded, like this:

    Code:
    10,40 * * * * /usr/local/bin/sploitfind -c -m email@example.com
    Does anyone have ideas for things to put in the search pattern or suggestions for improvements?

    Code:
    #!/bin/sh
    # sploitfind: list possible exploit scripts and optionally email output
    # usage: sploitfind [-a] [-c] [-m <emailaddress>] [egrep pattern]
    #        -m : email output to <emailaddress> instead of writing to stdout
    #        -a : show all matching files, not just changes since the last run
    #        -c : show the matching lines with context
    
    PATH=/bin:/usr/bin:/usr/local/bin
    export LANG=C
    
    # default pattern - modify this as required (case-insensitive egrep syntax)
    sploitpattern='r0nin|m0rtix|r57shell|c99shell|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force'
    
    # process command line options
    progname=$(basename "$0")
    domail=false showall=false showcontext=false
    opts=$(getopt acm: "$@")
    if [ $? != 0 ]; then
            echo "$progname: usage: $progname [-a] [-c] [-m <emailaddress>] [egrep pattern]" >&2
            exit 1
    fi
    eval set -- "$opts"
    for i; do
       case "$i" in
               -a) showall=true; shift;;
               -c) showcontext=true; shift;;
               -m) domail=true; email=$2; shift; shift;;
               --) shift; break;;
       esac
    done
    if [ $# -gt 0 ]; then
            sploitpattern="$1"
    fi
    
    # state directory; created mode 700 (see umask) so only root can read the reports
    sploitdir=/var/run/sploitfind
    last=$sploitdir/last
    this=$sploitdir/this
    pid=$sploitdir/pid
    
    umask 077
    
    if [ ! -d $sploitdir ]; then
            mkdir $sploitdir || exit 2
    fi
    
    # temporary files: created with mktemp inside the root-only state directory
    # rather than as the predictable /tmp/sploit.$$, which any /home user on the
    # same box could pre-create as a symlink before the cron job runs
    tmpout=$(mktemp "$sploitdir/out.XXXXXX") || exit 2
    tmpout2=$(mktemp "$sploitdir/out2.XXXXXX") || exit 2
    trap 'rm -f "$tmpout" "$tmpout2"' 0 1 2 3 15
    
    # exit if already running
    [ -f $pid ] && kill -0 "$(cat $pid)" >/dev/null 2>&1 && exit 3
    echo $$ > $pid
    
    # search regular .php/.cgi files under /home for sploitpattern
    # (-type f keeps directories with such names out of egrep)
    find /home -type f \( -name '*.php' -o -name '*.cgi' \) -print0 \
            | xargs -0 egrep -il "$sploitpattern" /dev/null | sort > "$this"
    
    if [ -f $last ] && ! $showall ; then
            # show only changes since last run (both lists are sorted, as comm requires)
            comm -13 $last "$this" > "$tmpout"
    else
            # show all output
            cat "$this" > "$tmpout"
    fi
    mv "$this" $last
    
    if $showcontext; then
            # IFS= and -r keep filenames with spaces or backslashes intact
            while IFS= read -r filename; do
                    egrep -iC3 "$sploitpattern" "$filename" /dev/null
                    echo; echo "------"; echo
            done < "$tmpout" >> "$tmpout2"
            mv -f "$tmpout2" "$tmpout"
    fi
    
    if $domail; then
            # send mail only if there is any output
            if [ -s "$tmpout" ]; then
                     mail -s "Possible exploit scripts on $(hostname)" "$email" < "$tmpout" || exit 2
            fi
    else
            # output sent to stdout
            cat "$tmpout"
    fi
    exit 0
     
  2. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Are you only searching .php and .cgi scripts with this (looks like it)?
    Maybe try searching for script names as well:

    E.g. cmdtemp in /tmp, which is a perl IRC bot, etc.

    Looks pretty good. If you want some help on it or have any plans to keep developing it, get in touch with me.
     
  3. Radio_Head

    Radio_Head Well-Known Member

    Joined:
    Feb 15, 2002
    Messages:
    2,051
    Likes Received:
    1
    Trophy Points:
    38
    Fantastic script! :) Thank you!

    Very useful also to find outdated scripts (old phpbb, formmail, and so on). THANK YOU!
     
    #3 Radio_Head, Jul 26, 2006
    Last edited: Jul 26, 2006
  4. LiNUxG0d

    LiNUxG0d Well-Known Member

    Joined:
    Jun 25, 2003
    Messages:
    206
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Gatineau, Quebec, Canada
    Hey there,

    Very nice script!

    In my experience though, I think this is quite insufficient. You might want to write a script that finds the source that allows these files to appear in the /tmp folder. :)

    Agreed though, it will put a stop to some of the nasty stuff running or currently on the server. Keep in mind, a hacker could use different permutations of a script name and it will do the same thing as the original, i.e. r0nin or ron1n.

    Good job though, we need more security related articles here!

    Jamie
     
  5. arshem

    arshem Member

    Joined:
    Jul 16, 2006
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Any updates? GREAT SCRIPT
     
  6. parser

    parser Member

    Joined:
    Aug 22, 2003
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Israel
    This script searches all files

    Code:
    #!/bin/sh
    # findexploit.sh: look inside world-writable directories under /home for files
    # that look like compiled exploits (dynamic-linker / ELF strings), scripts that
    # run commands, or dropped shell and perl scripts. Results go to /root/resultlg.out.
    out=/root/resultlg.out
    rm -f "$out"
    
    # -perm -0002 matches every directory others can write to, not only exact mode 777
    find /home -type d -perm -0002 -print | while IFS= read -r dir; do
            find "$dir" -type f -print | while IFS= read -r f; do
                    # binaries: the dynamic loader path and __gmon_start__ appear in
                    # the strings of almost every dynamically linked ELF executable
                    if strings "$f" | grep -q '/lib/ld-linux.so.2'; then
                            echo "ld-linux.so.2 exists in: $f" >> "$out"
                    fi
                    if strings "$f" | grep -q 'gmon_start'; then
                            echo "gmon_start exists in: $f" >> "$out"
                    fi
                    # scripts and sources: command execution and interpreter paths
                    for pat in exec system passthr stdio.h /bin/bash /bin/sh /bin/perl; do
                            if grep -q "$pat" "$f"; then
                                    echo "$pat exists in: $f" >> "$out"
                            fi
                    done
            done
    done

    How to run it:

    touch findexploit.sh
    insert this code into the file
    chmod +x findexploit.sh
    ./findexploit.sh
     
    #6 parser, Aug 13, 2006
    Last edited: Sep 25, 2006
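
The post above relies on `strings` output to recognise binaries, which misses statically linked or stripped-down droppers and fires on any text file that happens to mention the loader path. The following is an added example written for this page, not parser's script or anything from the thread: it identifies ELF files by their four magic bytes, walks with find -type f so dotfiles and names with spaces are handled, and uses -perm -0002 so any directory with the "other write" bit (777, 1777, 1733 ...) counts, not only exact 777. It assumes POSIX find, dd, od and tr; the function names and the sample tree, including the stub ".cache" file that is only an ELF header and not a program, are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. ELF files in world-writable
# directories, found by magic bytes rather than by grepping `strings` output.
# Assumptions: POSIX find/dd/od/tr. The sample tree below is constructed.
LC_ALL=C; export LC_ALL

# is_elf FILE: true when the first four bytes are 0x7f 'E' 'L' 'F'
is_elf() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# find_elf_in_writable ROOT: print each ELF file below any world-writable
# directory under ROOT. The inner find is run by -exec, so paths with spaces
# are passed intact; sort -u removes duplicates from nested writable dirs.
find_elf_in_writable() {
    find "$1" -type d -perm -0002 -exec find {} -type f \; 2>/dev/null \
        | sort -u \
        | while IFS= read -r f; do
            if is_elf "$f"; then
                printf '%s\n' "$f"
            fi
        done
}

# make_sample_tree DIR: constructed test data. The "ELF" files are just a
# header stub (magic, 64-bit, little-endian, version 1), not runnable programs.
make_sample_tree() {
    mkdir -p "$1/upload" "$1/private"
    chmod 1777 "$1/upload"    # like /tmp or a careless upload directory
    chmod 750  "$1/private"
    printf '\177ELF\002\001\001' > "$1/upload/.cache"       # hidden dropped binary
    printf 'PK\003\004'          > "$1/upload/photo.zip"     # not ELF
    printf 'just text\n'         > "$1/upload/read me.txt"   # space in the name
    printf '\177ELF\002\001\001' > "$1/private/tool"         # ELF, but directory is not world-writable
}

demo() {
    d=$(mktemp -d) || exit 1
    make_sample_tree "$d"
    echo "ELF files in world-writable directories under $d:"
    find_elf_in_writable "$d"
    rm -rf "$d"
}

demo
```

On the sample tree only upload/.cache is reported; private/tool is an ELF file too but sits in a directory nobody else can write to, which is the distinction the original script was after. On a real cPanel box run it against /home and /tmp, and expect legitimate hits from users who compile things in their home directories.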
  7. t7doo

    t7doo Registered

    Joined:
    Oct 6, 2006
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Thanks. :) It's very good.
     
  8. Maximum

    Maximum Member

    Joined:
    Feb 14, 2007
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for your script
     
    #8 Maximum, May 11, 2007
    Last edited: May 11, 2007
  9. simpleupdates

    simpleupdates Member

    Joined:
    Jan 17, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    How would I exclude file types?

    Hi there,

    Great Script!

    Thanks
     
    #9 simpleupdates, Jan 12, 2008
    Last edited: Jan 12, 2008