script for finding exploits

[nxds]

I wrote this script to help me find hacking tools and exploits on my servers. It basically just runs find/egrep to list php and cgi files containing certain strings. It will only report matching files that were not reported in a previous run and has options to send the output in an email and to display the matched lines with context. It can be run in a cronjob to alert you of dubious scripts that have been recently uploaded like this:

10,40 * * * * /usr/local/bin/sploitfind -c -m [email protected]

Does anyone have ideas for things to put in the search pattern or suggestions for improvements?

#!/bin/sh
# sploitfind: list possible exploit scripts and optionally email output
# usage: sploitfind [-a] [-c] [-m <emailaddress>] [egrep pattern]
#        -m : email output to <emailaddress> instead of writing to stdout
#        -a : shows all files not just changes since last run
#        -c : shows matching lines with context

PATH=/bin:/usr/bin:/usr/local/bin
export LANG=C

# default pattern - modify this required
sploitpattern='r0nin|m0rtix|r57shell|c99shell|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force'

# process command line options
progname=$(basename $0)
domail=false showall=false showcontext=false
opts=$(getopt acm: "[email protected]")
if [ $? != 0 ]; then
        echo "$progname: usage: $progname [-a] [-c] [-m <emailaddress>] [egrep pattern]" >&2
        exit 1
fi
eval set -- "$opts"
for i; do
   case "$i" in
           -a) showall=true; shift;;
           -c) showcontext=true; shift;;
           -m) domail=true; email=$2; shift; shift;;
           --) shift; break;;
   esac
done
if [ $# -gt 0 ]; then
        sploitpattern="$1"
fi

sploitdir=/var/run/sploitfind
last=$sploitdir/last
this=$sploitdir/this
pid=$sploitdir/pid

tmpout=/tmp/sploit.$$
tmpout2=/tmp/sploit2.$$
trap 'rm -f $tmpout $tmpout2' 0 1 2 3 15

umask 077

if [ ! -d $sploitdir ]; then
        mkdir $sploitdir || exit 2
fi

# exit if already running
[ -f $pid ] && kill -0 $(cat $pid) >/dev/null 2>&1 && exit 3
echo $$ > $pid

# search for files containing sploitpattern
find /home \( -regex '.*\.php$' -o -regex '.*\.cgi$'  \) -print0 | xargs -0 egrep -il "$sploitpattern" /dev/null | sort > $this

if [ -f $last ] && ! $showall ; then
        # show only changes since last run
        comm -13 $last $this > $tmpout
else
        # show all output
        cat $this > $tmpout
fi
mv $this $last

if $showcontext; then
        while read filename; do
                egrep -iC3 "$sploitpattern" "$filename" /dev/null
                echo; echo "------"; echo
        done < $tmpout >> $tmpout2
        mv -f $tmpout2 $tmpout
fi

if $domail; then
        # send mail if there is any output
        if [ $(awk 'END {print NR}' $tmpout) -gt 0 ]; then
                 mail -s "Possible exploit scripts on $(hostname)" $email < $tmpout || exit 2
        fi
else
        # output sent to stdout
        cat $tmpout
fi
exit 0

 

[ramprage]

Are you only searching .php and .cgi scripts with this ( looks like it).
Maybe try searching for script names as well:

EG: cmdtemp in /tmp which is a perl IRC bot etc

Looks pretty good. If you want some help on it or have any plans to keep developing it get in touch me with

 

[Radio_Head]

fantastic script ! Thank you!

very useful also to find outdated scripts (old phpbb , formmail , and so on ) .THANK YOU!

 

[LiNUxG0d]

Hey there,

Very nice script!

In my experiences though, I think this is quite insufficient. You might want to write a script that finds the source that allow these files to appear in the /tmp folder.

Agreed though, it will put a stop to some of the nasty stuff running or currently on the server. Keep in mind, a hacker could use different permutations of a script name and it will do the same thing as the original... IE: r0nin or ron1n

Good job though, we need more security related articles here!

Jamie

 

[arshem]

any updates GREAT SCRIpT

 

[parser]

This script search all files

rm resultlg.out
cd /home
for i in `find /home -type d -perm -777`
        do

                cd "$i"
                #echo "$i ->"  >> /root/resultlg.out
                        for j in `find $i -type d`
                                do
                                #echo "$j <->"  >> /root/resultlg.out
                                 cd "$j/"
                                        if strings -f * | grep /lib/ld-linux.so.2;
                                        then
                                                echo "ld-linux.so.2 exist in: $j <->"  >> /root/resultlg.out
                                        fi

                                        if strings -f * | grep gmon_start;
					then
						echo "gmon_start exist in: $j <->"  >> /root/resultlg.out
					fi

					if  grep exec *; 
					then 
					    echo "exec exist in: $j <->"  >> /root/resultlg.out
                                        fi

					if grep systemc * ;
					then
                                            echo "system exist in: $j <->"  >> /root/resultlg.out
                                        fi
					if grep passthr *;
					then
                                            echo "passthr exist in : $j <->"  >> /root/resultlg.out
                                        fi
					if grep stdio.h *;
					then
                                            echo "stdio.h exist in : $j <->"  >> /root/resultlg.out
                                        fi
                                        if grep /bin/bash *;
					then
                                            echo "/bin/bash exist in : $j <->"  >> /root/resultlg.out
                                        fi

					if grep /bin/sh * ;
					then
                                            echo "/bin/sh exist in : $j <->"  >> /root/resultlg.out
                                        fi

                                        if grep /bin/perl *;
					then
                                            echo "/bin/perl exist in : $j <->"  >> /root/resultlg.out
                                        fi

                                cd "$i/"
                                done
                cd /home
        done

How to run it:

touch findexploit.sh
insert this code to file
chmod +x findexploit.sh
./findexploit.sh

 

[t7doo]

Thanks . it's very good.

 

[Maximum]

Thanks for your script

 

[simpleupdates]

How would I exclude file types?

Hi there,

Great Script!

Thanks