Security | Recovering from an exploit
Posted: Sun Jul 06, 2008 10:17 pm
For anyone who has been exploited, here is something you can do to check for a common shell script if you continue to have issues after the exploit has been fixed:
I recently had some issues with my server being compromised due to previous CMS exploits... The problem didn't stop even after fixing the exploit due to a shell script. I found that script today and a find recipe that will search for it:
http://forums.digitalpoint.com/showthread.php?t=575793
find /var/www/ -name "*".php -type f -print0 | xargs -0 grep r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq
find /var/www/ -name "*".txt -type f -print0 | xargs -0 grep r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq
If you're searching for a c99shell, replace grep r57 with c99shell in the commands.
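The recipe above pipes grep hits through uniq/sort/cut/awk to build rm -rf lines, which breaks on paths containing spaces and deletes evidence you may want for incident review. The following is an added example, not code from the original post or the linked thread: it does the same marker search (r57 or c99shell, as in the post) with find -exec and grep -l so odd file names survive, and it moves hits into a quarantine directory for inspection instead of removing them. It assumes a POSIX sh with find -exec {} +, grep -l and mv; the document root, marker string and quarantine path are parameters you supply.

```shell
#!/bin/sh
# Added example (not from the original forum post): locate PHP/TXT files that
# contain a known webshell marker string and quarantine them for review.
# Assumes POSIX sh, find with '-exec ... {} +', grep -l and mv.

# find_shell_markers DIR MARKER
# Prints one matching path per line. find -exec with '{} +' hands the file
# names directly to grep, so paths with spaces are handled and nothing is
# split on whitespace the way the original xargs/awk pipeline does.
find_shell_markers() {
    dir=$1
    marker=$2
    find "$dir" -type f \( -name '*.php' -o -name '*.txt' \) \
        -exec grep -l -- "$marker" {} + 2>/dev/null | sort -u
}

# count_shell_markers DIR MARKER
# Prints the number of matching files (0 when there are none).
count_shell_markers() {
    find_shell_markers "$1" "$2" | wc -l | tr -d ' '
}

# quarantine_matches DIR MARKER QUARANTINE_DIR
# Moves each match into QUARANTINE_DIR under a flattened name (path
# separators become '_') so the file is out of the web root but still
# available for analysis; nothing is deleted.
quarantine_matches() {
    dir=$1
    marker=$2
    qdir=$3
    mkdir -p "$qdir"
    find_shell_markers "$dir" "$marker" | while IFS= read -r f; do
        dest="$qdir/$(printf '%s' "$f" | tr '/' '_')"
        mv -- "$f" "$dest"
        printf 'quarantined: %s -> %s\n' "$f" "$dest"
    done
}

# Usage (document root and quarantine directory are placeholders):
#   find_shell_markers /var/www r57          # dry run: list hits only
#   quarantine_matches /var/www c99shell /root/quarantine
```

Run the listing function first and read the hits; a legitimate file can contain the string "r57" by coincidence, so review before quarantining, and keep the quarantined copies until the incident is closed.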