The Community Forums


Script to replace index file when hacked

Discussion in 'Data Protection' started by adapter, Mar 9, 2005.

  1. adapter

    adapter Well-Known Member
    PartnerNOC

    Joined:
    Sep 17, 2003
    Messages:
    391
    Likes Received:
    0
    Trophy Points:
    16
    Hi

    I am looking for a script that will restore the index file from the weekly backup and replace it for all the sites in /home. Can someone share it?

    thank u
     
  2. Creazioni

    Creazioni Well-Known Member

    Joined:
    Jan 5, 2003
    Messages:
    133
    Likes Received:
    0
    Trophy Points:
    16
    hi
    i find this

    pico /scripts/nameyouwant

    #!/usr/bin/perl

    #version 2

    # Make sure the two CPAN modules the script needs are present; if not,
    # install them with cPanel's perlinstaller and ask for a re-run.
    my $hasiozlib = 0;
    my $hasarchivetar = 0;
    eval {
        require IO::Zlib;
        $hasiozlib = 1;
    };
    eval {
        require Archive::Tar;
        $hasarchivetar = 1;
    };

    if (!($hasiozlib) || !($hasarchivetar)) {
        system("/scripts/perlinstaller","IO::Zlib","Archive::Tar");
        die "Please re-run this script. Modules were missing!\n";
    }

    use strict;

    # Directory holding the weekly cPanel account backups (<user>.tar.gz each).
    my $dir = '/backup/cpbackup/weekly';

    opendir(CPB,$dir) or die "Cannot open $dir: $!\n";
    my @FS = readdir(CPB);
    @FS = grep(/\.tar\.gz$/, @FS);
    closedir(CPB);
    my $restorecount = 0;

    foreach my $fs (@FS) {
        $fs =~ s/\.tar\.gz$//;

        # Skip archives that do not belong to an existing system user.
        next if (!getpwnam($fs));
        my $homedir = (getpwnam($fs))[7];
        my $uid = (getpwnam($fs))[2];
        my $gid = (getpwnam($fs))[3];

        print "$fs $homedir\n";
        my $tar = Archive::Tar->new;
        # Second argument 1: the archive is gzip-compressed.
        $tar->read("$dir/${fs}.tar.gz",1)
            or do { warn "Cannot read $dir/${fs}.tar.gz\n"; next; };

        print "Checking Archive for files!\n";
        my @files = $tar->get_files("${fs}/homedir/public_html/index.html",
            "${fs}/homedir/public_html/index.htm","${fs}/homedir/public_html/index.php");

        foreach my $ft (@files) {
            my $filename = $ft->name();
            my $target;
            if ($filename =~ /index\.html$/) { $target = "${homedir}/public_html/index.html"; }
            elsif ($filename =~ /index\.htm$/) { $target = "${homedir}/public_html/index.htm"; }
            elsif ($filename =~ /index\.php$/) { $target = "${homedir}/public_html/index.php"; }
            next unless defined $target;

            print "Restoring $filename\n";
            # Overwrite the live file with the backup copy and hand it back
            # to the account user.
            open(RESTOREFILE,">$target") or do { warn "Cannot write $target: $!\n"; next; };
            print RESTOREFILE $ft->get_content();
            close(RESTOREFILE);
            chown $uid, $gid, $target;
            $restorecount++;
        }
    }

    print "$restorecount file(s) restored!\n"

    chmod 755 /scripts/nameyouwant

    /scripts/nameyouwant



    HEY!! read before you use it: read the script and choose the directory :)
    problem: this only restores the index in public_html and not ( :( ) every index file (in subdirectories)
    I hope someone finds a solution for subdirs

    Bye
     
  3. sleuth1

    sleuth1 Well-Known Member

    Joined:
    Mar 16, 2003
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    Thanks for that script, very useful.

    Another one needed is this:

    one that will grep "hacked text" and rm -f .hackedtext.file; this should go through all directories, including the .suspended page index.html. If someone has done this successfully please publish.

    Another one is a script or command block that will prevent mass changing of index.html, or at least send an alert for this action (not sure if this is possible or not).

    Also, does anyone have any useful methods of preserving the backup pages from defacement? This happened to me and is a real pain (for instance, is it possible to make /hdb/backup read only until a restore is needed, and the associated commands). Thanks very much.
     
  4. adapter

    adapter Well-Known Member
    PartnerNOC

    Joined:
    Sep 17, 2003
    Messages:
    391
    Likes Received:
    0
    Trophy Points:
    16
    Really, you got the tar.gz file hacked?
     
  5. fusioncroc

    fusioncroc Well-Known Member

    Joined:
    Sep 28, 2004
    Messages:
    261
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    U.K.
    Well, if you're needing a script to regularly replace defaced pages I think you need to look into stopping them getting defaced in the first place :rolleyes:
     
  6. sleuth1

    sleuth1 Well-Known Member

    Joined:
    Mar 16, 2003
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    Hi adapter, no they were not in compressed format, but yes they will be from now on; overlooked that simple and obvious solution.
     
  7. sleuth1

    sleuth1 Well-Known Member

    Joined:
    Mar 16, 2003
    Messages:
    75
    Likes Received:
    0
    Trophy Points:
    6
    No, only once, and once is far too many times. Scripts detailed above may be useful to others who WILL suffer the same fate. Also, unless you have something useful to add of a practical nature related to this thread, smug, superior comments are of no value whatsoever.

    Also, since said attack I logged 6 attempts to repeat the damage, all blocked by tweaked mod_security, which everyone should have installed. The fact that attacks are continuing leads to the conclusion that it may happen again, and if it did I would like to be better prepared next time.
     
  8. wzd

    wzd Well-Known Member

    Joined:
    Dec 16, 2005
    Messages:
    118
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    South Africa
    cPanel Access Level:
    Root Administrator
    Content modification service

    Hi Guys,

    Found this thread with some searching and wanted to follow up. Any luck on this?
    It would be nice if cPanel could integrate something like this for additional security precautions:

    a) Content change notification service: if the index page of a site is changed, a notification email is sent out to the contact person and a server notification.

    b) Maybe insert a "magic cookie" into the header of each site automatically. If a site is defaced this comment line will not be there. The account can then be suspended to prevent further damage?

    c) Maybe use ConfigServer LFD in conjunction with this?

    I've seen some providers do offer this service as an uptime / hack service, but it would be nice to integrate it into cPanel.

    Any luck on the script that was being made?

    Thanks
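    An added example, not from any poster in this thread and not a cPanel feature, of the two detection ideas raised above (sleuth1's alert on mass changes of index.html and wzd's point (a), change notification): a bash script that records a SHA-256 baseline of every index.* file under each account's public_html and later reports which files changed, disappeared or appeared. The /home layout, the baseline file location and the fixture tree used in the usage note are assumptions.

```shell
#!/bin/bash
# index_watch.sh  (added example for this thread; not a cPanel feature)
#
# Keep a SHA-256 baseline of every index.* file under <root>/<account>/public_html
# and report files that changed, disappeared or appeared since the baseline.
# A cron job calling check_indexes gives the "alert on mass index changes"
# asked for above. Paths (the /home layout, the baseline file) are assumptions;
# paths containing whitespace are not handled, which is fine for cPanel web roots.
set -euo pipefail

# hash_indexes <root>: print "<sha256>  <path>" for every index.* file in any
# public_html tree below <root>, sorted by path so baselines are stable.
hash_indexes() {
    find "$1" -type f -path '*/public_html/*' -name 'index.*' -exec sha256sum {} + \
        | sort -k 2
}

# baseline_indexes <root> <baseline-file>: record the current state.
# Keep the baseline file outside /home so an account-level compromise
# cannot rewrite it.
baseline_indexes() {
    hash_indexes "$1" > "$2"
}

# check_indexes <root> <baseline-file>: print one line per difference,
# prefixed CHANGED, MISSING or NEW. Prints nothing when everything matches.
check_indexes() {
    local root="$1" baseline="$2" current
    current=$(mktemp)
    hash_indexes "$root" > "$current"
    # First file: baseline hashes keyed by path. Second file: current hashes.
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         { cur[$2] = $1 }
         END {
             for (p in base) { if (!(p in cur)) print "MISSING " p }
             for (p in cur)  { if (!(p in base)) print "NEW " p; else if (cur[p] != base[p]) print "CHANGED " p }
         }' "$baseline" "$current"
    rm -f "$current"
}

# changed_count <root> <baseline-file>: number of differences, for a threshold
# (many accounts changing in one cron run is the mass-defacement signal).
changed_count() {
    check_indexes "$1" "$2" | wc -l | tr -d ' '
}
```

    Run `baseline_indexes /home /root/index-baseline.txt` once after a known-good restore, then schedule `check_indexes /home /root/index-baseline.txt` from cron; cron mails any non-empty output to root, so no extra notification code is needed. Re-run the baseline after legitimate site updates, otherwise every edit shows up as CHANGED.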
     
  9. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Those are some very nifty suggestions. Since you would better be able to provide any needed clarification about this to our developers than I would, you may want to submit an official feature request for this at http://bugzilla.cpanel.net
     
  10. wzd

    wzd Well-Known Member

    Joined:
    Dec 16, 2005
    Messages:
    118
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    South Africa
    cPanel Access Level:
    Root Administrator
    Thanks David,

    I've opened the bug here http://bugzilla.cpanel.net/show_bug.cgi?id=6229

    In the meantime I'll post back here with some ideas on internal security policies that cPanel could implement, and I hope everyone else can contribute

    :)
     
  11. madan.cpanelnet

    madan.cpanelnet Well-Known Member

    Joined:
    Apr 1, 2006
    Messages:
    69
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    INDIA
    Adapter,


    Here is that script (USE it at your own risk; read it and understand it first)

    root@maui [/backup/12345]# cat /root/x
    #!/bin/bash
    # Scratch directory where the backup members are unpacked; run from there.
    mkdir -p /backup/12345/ ; cd /backup/12345/
    user="whatchat"

    # List every member of the weekly backup whose path contains index.php
    # (tar -tv prints the member path in the 6th column).
    tar -tvzf /backup/cpbackup/weekly/$user.tar.gz | grep index.php | awk '{print $6}' > index.txt

    # Extract only those members.
    for extract in `cat index.txt`
    do
    tar -xzf /backup/cpbackup/weekly/$user.tar.gz $extract
    done

    # The weekly backup unpacks as <user>/homedir/...; rename that so it
    # mirrors /home/<user>/, then sync the recovered files over the live copy.
    mv $user/homedir/ /backup/12345/
    rm -fr /backup/12345/$user
    mv /backup/12345/homedir /backup/12345/$user
    rsync -vrplogDtH /backup/12345/$user/ /home/$user/

    # Put back the ownership and modes cPanel expects on the home directory.
    chmod 711 /home/$user ; chown $user:$user /home/$user
    chmod 710 /home/$user/public_html ; chown $user:nobody /home/$user/public_html
    rm -fr $user
    echo " ################ index.php's copie for $user ############"
    root@maui [/backup/12345]#

    =============

    awk '{print $2}' /etc/trueuserdomains

    will give the list of usernames on your server... each time, replace the username in /root/x in the variable user=""

    you can automate this too.
     
  12. testtubebaby

    testtubebaby Member

    Joined:
    Jul 28, 2007
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
  13. wzd

    wzd Well-Known Member

    Joined:
    Dec 16, 2005
    Messages:
    118
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    South Africa
    cPanel Access Level:
    Root Administrator
    I've read through the script and tried to understand it but what are the criteria for replacing the current index file with the one from the backup ???
     
  14. testtubebaby

    testtubebaby Member

    Joined:
    Jul 28, 2007
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    Say only index files are hacked or injected with malicious code or iframes. You can replace index.php with index.htm to copy html files.
     
  15. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,460
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    What are the criteria for setting the cookie? i.e. how does the cookie setter determine a site was defaced?

    If the cookie is set statically, as part of the file itself, once the defacers know about this it's a simple matter to handle.

    If it is set dynamically, for example as part of some hypothetical mod_defacement Apache module, by what criteria would such functionality determine the site was defaced?


    Also, depending upon many factors, modification of user-owned files/content might be illegal in some jurisdictions, even if explicitly agreed to in TOS/AUP. Hence, such "magic cookie" tool might be dependent upon a user knowingly enabling the tool/inserting the cookie.
     
  16. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brasil
    My version is working with the new cPanel backup. ;)
    --------------------------------------------------

    #!/bin/bash
    # Saved as /scripts/teste (cd /scripts ; pico teste) and run with the
    # account name filled in below.
    mkdir -p /backup/12345/
    cd /backup/12345/
    user="PUT_THE_USERNAME_HERE"

    # The newer cPanel backups wrap the home directory in homedir.tar inside
    # <user>.tar.gz, so unpack the outer archive first.
    tar -vzxf /backup/cpbackup/daily/$user.tar.gz
    # Collect the paths of all index.htm(l), index.php, index.swf and
    # index.jsp members; tar -tv prints the member path in the 6th column.
    tar -tvf /backup/12345/$user/homedir.tar | grep index.htm | awk '{print $6}' > index.txt
    tar -tvf /backup/12345/$user/homedir.tar | grep index.php | awk '{print $6}' >> index.txt
    tar -tvf /backup/12345/$user/homedir.tar | grep index.swf | awk '{print $6}' >> index.txt
    tar -tvf /backup/12345/$user/homedir.tar | grep index.jsp | awk '{print $6}' >> index.txt
    cp index.txt /backup/12345/$user
    cd /backup/12345/$user

    # Extract only those members from homedir.tar.
    for extract in `cat index.txt`
    do
    tar -xvf homedir.tar $extract
    done

    cd ..

    # Keep just the recovered public_html tree and sync it over the live one.
    mv $user/public_html/ /backup/12345/
    rm -fr /backup/12345/$user
    mv /backup/12345/public_html /backup/12345/$user
    rsync -vrplogDtH /backup/12345/$user/ /home/$user/public_html

    chmod 711 /home/$user ; chown $user:$user /home/$user
    chmod 710 /home/$user/public_html ; chown $user:nobody /home/$user/public_html

    # Remove the scratch directory.
    cd /backup/
    rm -rf 12345

    echo " ################ index.php's copie for $user ############"
     
    #16 konrath, Sep 19, 2009
    Last edited: Sep 7, 2010
  17. Nick

    Nick Member

    Joined:
    Dec 27, 2001
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    updated one, it is much faster
    p.s. update kernels :(

    #!/bin/bash
    # Run from /backup/cpbackup/daily with one <user>.tar.gz as the argument.

    # IFS is set to newline and comma so that the comma-joined lists built
    # below split into separate words when expanded unquoted for tar and rsync.
    IFS=$(printf '\n,')

    user=$1
    user=${user%%.*}

    echo " # start index.php's copie for $user ############"

    # Pull only the inner homedir.tar out of the account backup.
    tar -vzxf $user.tar.gz $user/homedir.tar

    # Paths of all members whose name contains "index".
    tar -tf $user/homedir.tar | grep index > index.txt

    unpac=""
    copy=""
    for extract in `cat index.txt`
    do
    unpac=$extract","$unpac
    copy=$user/$extract","$copy
    done

    # Extract just those members, then rsync -R recreates the relative path
    # (<user>/public_html/...) under /home.
    tar -C $user -xf $user/homedir.tar $unpac
    rsync -vrplogDtHR $copy /home

    unset IFS

    echo " # end index.php's copie for $user ############"
     
    #17 Nick, Sep 4, 2010
    Last edited: Oct 1, 2010
  18. Nick

    Nick Member

    Joined:
    Dec 27, 2001
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    use like
    cd /backup/cpbackup/daily
    for i in *.tar.gz; do ./2.sh $i; done;
     
  19. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brasil
    Hello Nick. Excellent version but it has 2 serious problems

    This script loses the owner of folders and files after restore.

    and

    Your script restored the index files in the wrong folder

    /home/user/user/public_html

    This line should be

    rsync -vrplogDtHR $copy /home/

    Konrath
     
    #19 konrath, Sep 7, 2010
    Last edited: Sep 7, 2010
  20. konrath

    konrath Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    367
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brasil
    -------------------------------------------------
    Care. The script provided by Nick still has a big problem.
    This script loses the owner of folders and files.
    Can anyone help?
    -------------------------------------------------


    Instructions

    In ssh

    1) cd /backup/cpbackup/daily

    2) pico 2.sh

    3) Copy and paste the script provided by Nick in the 2.sh

    Code:
    #!/bin/bash
    # Run from /backup/cpbackup/daily with one <user>.tar.gz as the argument.

    # IFS is set to newline and comma so that the comma-joined lists built
    # below split into separate words when expanded unquoted for tar and rsync.
    IFS=$(printf '\n,')

    user=$1
    user=${user%%.*}

    echo " # start index.php's copie for $user ############"

    # Pull only the inner homedir.tar out of the account backup.
    tar -vzxf $user.tar.gz $user/homedir.tar

    # Paths of all members whose name contains "index".
    tar -tf $user/homedir.tar | grep index > index.txt

    unpac=""
    copy=""
    for extract in `cat index.txt`
    do
    unpac=$extract","$unpac
    copy=$user/$extract","$copy
    done

    # Extract just those members, then rsync -R recreates the relative path
    # (<user>/public_html/...) under /home/.
    tar -C $user -xf $user/homedir.tar $unpac
    rsync -vrplogDtHR $copy /home/

    unset IFS

    echo " # end index.php's copie for $user ############"
    Save the file

    4) Execute
    chmod 755 2.sh

    and run

    cd /backup/cpbackup/daily
    for i in *.tar.gz; do ./2.sh $i; done;

    NOTE: If there is little space on the backup disk I recommend putting this line
    rm -rf $user
    right after the rsync, like so:

    Code:
    rsync -vrplogDtHR $copy /home/

    rm -rf $user

    unset IFS


    Thank you
    Konrath
     
    #20 konrath, Sep 7, 2010
    Last edited: Sep 7, 2010
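    An added example, not any poster's script, of the restore that the scripts from madan, konrath and Nick above converge on: pull only the index.<ext> files out of a cPanel-style account backup (<user>.tar.gz containing <user>/homedir.tar) and copy them back under the account's home. It uses bash arrays instead of the IFS trick, matches only files literally named index.<ext>, and addresses the "lost owner" problem konrath reports: tar records each member's uid/gid, and tar and cp -p both preserve it when run as root. HOME_ROOT, the stage directory and the built-in fixture are assumptions so it can be exercised on a scratch tree; on a real server leave HOME_ROOT at /home and run as root.

```shell
#!/bin/bash
# restore_index.sh  (added example for this thread; not any poster's script)
#
# Recover index.<ext> files from a cPanel-style account backup laid out as
#   <user>.tar.gz  ->  <user>/homedir.tar  ->  public_html/...
# and copy them back under $HOME_ROOT/<user>/.  HOME_ROOT is an assumption
# so the script can be run against a scratch tree; on a server it is /home.
set -euo pipefail

HOME_ROOT="${HOME_ROOT:-/home}"

# Print archive members named index.<ext> (php, html, htm, shtml, shtm) in a
# homedir.tar. Directories named "index" and files such as index.php.bak are
# deliberately not matched.
list_index_files() {
    tar -tf "$1" | grep -E '(^|/)index\.(php|s?html?)$' || true
}

# restore_account <user.tar.gz> <stage-dir>
# Prints the number of files copied back.
restore_account() {
    local archive="$1" stage="$2"
    local user
    user=$(basename "$archive")
    user="${user%%.*}"                       # strip .tar.gz -> account name

    mkdir -p "$stage"
    # Unpack only the inner homedir.tar, not the whole account backup.
    tar -C "$stage" -xzf "$archive" "$user/homedir.tar"

    local -a members=()
    while IFS= read -r m; do members+=("$m"); done \
        < <(list_index_files "$stage/$user/homedir.tar")
    if [ "${#members[@]}" -eq 0 ]; then
        echo 0
        return 0
    fi

    # Extract just those members into the stage (as root, tar restores the
    # uid/gid stored in the archive), then copy each one over the live file;
    # cp -p keeps mode, timestamps and, as root, owner and group.
    mkdir -p "$stage/$user/homedir"
    tar -C "$stage/$user/homedir" -xf "$stage/$user/homedir.tar" "${members[@]}"

    local count=0 m dest dir
    for m in "${members[@]}"; do
        dest="$HOME_ROOT/$user/$m"
        dir=$(dirname "$dest")
        if [ ! -d "$dir" ]; then
            # The directory itself was removed: recreate it for the account
            # user instead of leaving it owned by root.
            mkdir -p "$dir"
            if [ "$(id -u)" -eq 0 ]; then chown "$user:$user" "$dir"; fi
        fi
        cp -p "$stage/$user/homedir/$m" "$dest"
        count=$((count + 1))
    done
    echo "$count"
}

# Build a throw-away backup and home tree (constructed fixture, not real
# data) and restore into it. Succeeds when the defaced index.php is replaced.
demo_restore() {
    local t
    t=$(mktemp -d)
    mkdir -p "$t/src/public_html/blog" "$t/bk/alice" "$t/home/alice/public_html"
    echo '<?php echo "good"; ?>' > "$t/src/public_html/index.php"
    echo '<h1>blog</h1>'         > "$t/src/public_html/blog/index.html"
    echo 'not an index'          > "$t/src/public_html/index.php.bak"
    (cd "$t/src" && tar -cf "$t/bk/alice/homedir.tar" public_html)
    (cd "$t/bk"  && tar -czf "$t/alice.tar.gz" alice)
    echo 'DEFACED' > "$t/home/alice/public_html/index.php"

    HOME_ROOT="$t/home" restore_account "$t/alice.tar.gz" "$t/stage" >/dev/null
    grep -q good "$t/home/alice/public_html/index.php"
}

if [ "${1:-}" = "--demo" ]; then
    demo_restore && echo "demo: index.php restored from backup"
fi
```

    On a server the loop from the thread still applies: `cd /backup/cpbackup/daily; for f in *.tar.gz; do restore_account "$f" /backup/stage; done` and then remove the stage directory. Because only files named index.<ext> are touched, a defacement that also dropped other files (a new index.php next to a legitimate index.html, for example) is not undone by this; compare the restored tree against the backup before declaring the account clean.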