Like most, I'm running many sites using virtual hosting on our server.
Some of those sites get malicious php-scripts pushed onto them.
Luckily these scripts can be recognized easily as they have 'www-data' or 'apache' as their owner.
Of course I prefer to make it impossible for hackers to put those files in these folders.
One way of doing that is by changing the permissions, but somehow many sites can't work properly if they don't have everything open. Why is this?
Some sites even make PHP-files with that owner.
Should a good site be able to prevent such hacks even if some folders have r/w-access for all users or is r/w-access for all users always a no-go?
But the problem here is that I can't tell my clients to stop using these open folders.
Currently I have a cronjob that will scan all folders for these files and kill them.
Sometimes some slip through, but I will inspect them and change the script.
I prefer to know a bit more and hopefully I can prevent it.
# cat /usr/local/sbin/rename_php
Code:
#!/bin/sh
# Find the account the web server workers run as: the user owning the most
# apache2/httpd processes (the workers outnumber the single root parent).
APACHE_USER=$(ps aux | egrep '/(apache2|httpd)' | awk '{print $1}' | sort | uniq -c | sort -n | tail -n1 | awk '{print $2}')
if [ -z "${APACHE_USER}" ] ; then
    # printf instead of 'echo -e': /bin/sh on Debian is dash, whose echo has no -e and would print it literally
    printf 'I could not obtain the user of the Apache webserver\r\nI will do nothing!\n' >&2
    exit 1
fi
EXCEPTIONS=$(mktemp)
STRING=$(mktemp)
# remove the temporary files on every exit, also when a step below fails
trap 'rm -f "${STRING}" "${EXCEPTIONS}"' EXIT
# remove at least the write flags from the root folder
find /var/www/vhosts -type d -name httpdocs -exec chgrp psaserv {} \;
find /var/www/vhosts -type d -perm /go=w -group psaserv | grep -v anon_ftp | xargs -r -I{} chmod og-w {}
# one extended regex per line; egrep reads them with -f and -i makes them case-insensitive
echo 'Yahoo!!!
eval
Array
\.\$j51.*\.\$j51.*\.\$j51.*\.\$j51.*GLOBALS
s20=strtoupper
array_diff_ukey
perchd
chr.102.*chr.108.*chr.116.*chr.101.*chr.54
Obfuscat
certsbus.com
examsbibles.com
php include.*/.*\.jpg
php include.*/.*\.png
is_uploaded_file.*FILES.*tmp
\\x65\\x76\\x61\\x6C\\x28\\x67\\x7A\\x69\\x6E\\x66\\x6C\\x61\\x74\\x65\\x28\\x62\\x61\\x73\\x65\\x36\\x34\\x5F\\x64\\x65\\x63\\x6F\\x64\\x65\\x28
\\x62\\x61\\x73\\x65\\x36\\x34\\x5f\\x64\\x65\\x63\\x6f\\x64\\x65
\\x63\\x72\\x65\\x61\\x74\\x65\\x5f\\x66\\x75\\x6e\\x63\\x74\\x69\\x6f\\x6e
echo stripslashes
hashcracking.ru
md5.rednoize.com
crackfor.me
Bruteforce
read.*write.*execute
chr.[0-9]*.*chr.[0-9]*.*chr.[0-9]*.*chr.[0-9]*
Array..1.=>..., .0.=>...,
php eval.\".>\".base64_decode
auth_pass=.*default_action=.*FilesMan.*preg_replace
GIF89a1
Hacked by
disable_functions.*echo.*DisablePHP
subject = stripslashes .*POST
gzinflate.base64_decode
HTTP_USER_AGENT.*array.*Google.*MSNBot
eval.*\(.*base64_decode.*\(
base64_decode.*base64_decode.*base64_decode.*base64_decode
isset.*REQUEST.*REQUEST.*fwrite
urldecode.*Message-ID.*Subject:.*base64_decode
auth_pass = \"[0-9a-f]+\"' >"${STRING}"
# file names listed here are never renamed, even when they match a pattern
echo 'exception.php' >"${EXCEPTIONS}"
# PHP files owned by the web server user that match any pattern are renamed to *.phpx,
# so PHP no longer executes them but they stay on disk for inspection
find /var/www/vhosts/ -type f -user "${APACHE_USER}" -name \*php | xargs -I{} egrep -lif "${STRING}" {} | grep -vf "${EXCEPTIONS}" | xargs -r -I{} mv {} {}x
# .htaccess files the web server user wrote in the last day that redirect search-engine referrers
echo 'RewriteCond.*HTTP_REFERER.*google.*icq' >"${STRING}"
find /var/www/vhosts/ -type f -user "${APACHE_USER}" -name .htaccess -mtime -1 | xargs -I{} egrep -lf "${STRING}" {} | xargs -r -I{} mv {} {}x
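The same detection idea as the script above, written as an added example (not the poster's code, and not a Plesk tool) in Python so it can be run offline against a constructed vhost tree: it lists the group- or world-writable directories where a web-server-owned file can land, picks out PHP files owned by a given uid whose content matches a subset of the script's indicator regexes, and renames a hit to *.phpx as the script does. The function names, the `web_uid` parameter and the sample tree built by `build_demo_tree()` are assumptions of this example; the demo tree is owned by whoever runs it, so the current uid stands in for the web server account.

```python
import os
import re
import stat
import tempfile

# A subset of the indicator regexes from the post's script. The broad ones
# ('eval', 'Array') are left out here because on their own they match almost
# any PHP file; the script gets away with them only because it restricts the
# search to files owned by the web-server account.
SUSPICIOUS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"eval.*\(.*base64_decode.*\(",
    r"gzinflate.base64_decode",
    r"base64_decode.*base64_decode.*base64_decode.*base64_decode",
    r"auth_pass=.*default_action=.*FilesMan.*preg_replace",
    r"is_uploaded_file.*FILES.*tmp",
    r"\\x65\\x76\\x61\\x6C\\x28",  # hex-escaped "eval(" written out literally
    r"chr.[0-9]*.*chr.[0-9]*.*chr.[0-9]*.*chr.[0-9]*",
)]


def world_writable_dirs(root):
    """Directories under root that are group- or world-writable (the script's
    'find -perm /go=w' step): the places a web-server-owned file can appear."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            mode = os.lstat(full).st_mode
            if stat.S_ISDIR(mode) and mode & (stat.S_IWGRP | stat.S_IWOTH):
                found.append(full)
    return sorted(found)


def suspicious_php_files(root, web_uid=None, patterns=SUSPICIOUS_PATTERNS):
    """PHP files owned by web_uid whose content matches an indicator regex,
    mirroring 'find -user ... | egrep -lif'. Returns (path, pattern) pairs.
    web_uid defaults to the current uid, which owns the demo tree."""
    if web_uid is None:
        web_uid = os.getuid()
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or st.st_uid != web_uid:
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for pat in patterns:
                if pat.search(text):
                    hits.append((path, pat.pattern))
                    break
    return sorted(hits)


def quarantine(path):
    """Neutralise a hit the way the script does: rename foo.php to foo.phpx so
    the web server no longer treats it as PHP, while the file stays for review."""
    new_path = path + "x"
    os.rename(path, new_path)
    return new_path


def build_demo_tree():
    """Constructed sample vhost tree (not real data): a world-writable uploads
    directory, a benign page, and a file carrying the classic
    eval(base64_decode(...)) indicator with a meaningless placeholder string."""
    root = tempfile.mkdtemp(prefix="vhost_demo_")
    docroot = os.path.join(root, "httpdocs")
    uploads = os.path.join(docroot, "uploads")
    os.makedirs(uploads)
    os.chmod(docroot, 0o755)
    os.chmod(uploads, 0o777)  # the "open folder" the clients insist on
    with open(os.path.join(docroot, "index.php"), "w") as fh:
        fh.write('<?php echo htmlspecialchars($_GET["q"] ?? ""); ?>\n')
    with open(os.path.join(uploads, "cache.php"), "w") as fh:
        fh.write('<?php eval(base64_decode("AAAA")); ?>\n')  # constructed indicator only
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("writable dirs:", world_writable_dirs(demo))
    for path, pattern in suspicious_php_files(demo):
        print("hit:", path, "matched", pattern, "->", quarantine(path))
```

Run it as a script and it prints the one writable directory and the one renamed hit; on a real server you would pass the docroot and the web server's uid (from `pwd.getpwnam('www-data').pw_uid`) instead of the demo tree.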