Sunday, February 3, 2013

Detect malicious PHP shells and quarantine them on Shared Server


Detect malicious PHP shells and quarantine them on Shared Server

Here I have used the Perl code from  http://ketan.lithiumfox.com/doku.php/phpshell_scanner  to detect malicious PHP shells, and I have written a shell script to do further processing after a bad shell is found.

-----------------------------------------------------------------------------------------------------------
# ./execute_findshell.sh

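#!/bin/bash
#
# execute_findshell.sh - detect changed files under the web root and hand
# them to the findshell.pl scanner (see check_for_php_shells below).
# Meant to be run from cron every minute. Every tool is referenced by its
# absolute path so behaviour does not depend on the (minimal) cron PATH.

ECHO=/bin/echo
TIME=$(/bin/date)   # captured once per run; quoted into the alert mail
MAIL=/usr/bin/mail
MV=/bin/mv
# NOTE(review): /tmp is shared by every account on a multi-tenant host, so a
# quarantined shell stays readable (and executable) by other tenants and two
# hits with the same basename collide. A dedicated directory owned by the
# scanning user with mode 0700 is the safer choice.
Quarantine_Dir=/tmp #Directory where quarantine file goes to
WEB_ROOT=/var/www #Web root to watch for changes
LOG=badshell.log   # name of a log file; nothing in this script writes to it yet
FIND=/usr/bin/find
GREP=/bin/grep
AWK=/usr/bin/awk
LS=/bin/ls
CAT=/bin/cat
SORT=/usr/bin/sort
# Working files, relative to the directory the script is started from
# (the cron line below does a cd first).
FILE_INDEX=file_index              # baseline: one "md5  path" line per file
TMP_FILE_INDEX=tmp_file_index      # index built on the current run
CHANGES_IN_INDEX=changes_in_index  # diff between the two
MD5_SUM=/usr/bin/md5sum
WC=/usr/bin/wc
DIFF=/usr/bin/diff
TR=/usr/bin/tr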

#Run the file checker on the shared hosting server; file changes are detected through their checksum values
#*/1 * * * * cd /home/user/scripts; ./execute_findshell.sh > /dev/null 2>&1 

#
#Php shell finder-----
#

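check_for_php_shells(){
  #######################################
  # Scan one file with findshell.pl and quarantine it when the scanner reports
  # anything: any non-empty scanner output counts as a hit and triggers the
  # move plus the alert mail.
  # Globals:   Quarantine_Dir, MV, ECHO, MAIL, TIME (read)
  # Arguments: $1 - path of the file to scan
  # Outputs:   status lines on stdout; scanner output on a hit
  # Returns:   0 normally; 1 when the file could not be quarantined (it is
  #            then left in place)
  #######################################
  local FILE_NAME=$1
  local FINDSHELL_OUTPUT quarantine_target

  # A path taken from the index may already be gone (deleted, or quarantined
  # by an earlier run); there is nothing to scan then.
  if [ ! -f "${FILE_NAME}" ]; then
    echo "file not present, skipped: ${FILE_NAME}"
    return 0
  fi

  # Quoted so a path containing spaces or glob characters stays one argument.
  FINDSHELL_OUTPUT=$(perl findshell.pl 10 "${FILE_NAME}")

  if [ -n "${FINDSHELL_OUTPUT}" ]; then
    echo "bad shell found"
    printf '%s\n' "${FINDSHELL_OUTPUT}"

    # mktemp gives the quarantined file a unique name, so two hits with the
    # same basename (e.g. index.php in two vhosts) no longer overwrite each
    # other and the evidence is kept. The move replaces the placeholder.
    quarantine_target=$(mktemp "${Quarantine_Dir}/${FILE_NAME##*/}.XXXXXX") || {
      echo "could not create quarantine file in ${Quarantine_Dir}" >&2
      return 1
    }
    if ! "${MV}" -f -- "${FILE_NAME}" "${quarantine_target}"; then
      echo "could not move ${FILE_NAME} to quarantine" >&2
      rm -f -- "${quarantine_target}"
      return 1
    fi
    # mv keeps the source file's mode; drop execute and group/other access so
    # the quarantined shell is neither runnable nor readable by other tenants.
    chmod 0600 "${quarantine_target}"

    "${ECHO}" "Possible Backdoor Found,and Quarantined. Please Verify...${FINDSHELL_OUTPUT} -  ${TIME}  (quarantined as ${quarantine_target})" | "${MAIL}" -s 'Possible Back door Found On  Server'  email@address.com
  else
    echo "bad shell not found"
  fi
}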


#----------------------

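#Build file index
#
# Baseline model: FILE_INDEX holds one "md5  path" line per file under
# WEB_ROOT. First run: create the baseline. Later runs: build a fresh index,
# diff it against the baseline and hand every path that differs (added,
# modified or removed) to check_for_php_shells. The baseline is not rewritten
# here, so a legitimately changed file is re-scanned on every run until the
# operator rebuilds FILE_INDEX (delete it and run the script once).
NO_OF_FILES=$("${FIND}" "${WEB_ROOT}" -type f | "${WC}" -l)   # informational; not used below

#######################################
# Print the paths named in a diff of two md5sum index files, one per line and
# de-duplicated. A modified file appears on both sides of the diff
# ("< md5  path" and "> md5  path") and is reported once.
# Globals:   SORT (read)
# Arguments: $1 - file holding the diff output
# Outputs:   paths on stdout
#######################################
changed_paths_from_diff() {
  local diff_file=$1
  local diff_line entry
  while IFS= read -r diff_line; do
    case "${diff_line}" in
      '< '*|'> '*)
        entry=${diff_line#[<>] }   # drop the side marker
        # md5sum separates checksum and path with two spaces; keeping
        # everything after them preserves paths that contain spaces (the
        # earlier awk '$3' cut them off at the first space).
        # NOTE(review): names containing a backslash or newline are presumably
        # printed by md5sum in an escaped form and will not resolve here.
        printf '%s\n' "${entry#*  }"
        ;;
      *) ;;   # hunk headers such as "3c3" or "---" carry no path
    esac
  done < "${diff_file}" | "${SORT}" -u
}

if [ -f "${FILE_INDEX}" ]; then
  #If the baseline exists, build a temporary index and compare it with the baseline.
  #"+" runs md5sum once per batch of files instead of once per file.
  "${FIND}" "${WEB_ROOT}" -type f -exec "${MD5_SUM}" {} + > "${TMP_FILE_INDEX}"

  "${DIFF}" "${TMP_FILE_INDEX}" "${FILE_INDEX}" > "${CHANGES_IN_INDEX}"
  if [ -s "${CHANGES_IN_INDEX}" ]; then
    echo "integrity changed"
    #Going through changed files; the path is quoted so one entry is one argument
    while IFS= read -r changed_path; do
      [ -n "${changed_path}" ] || continue
      check_for_php_shells "${changed_path}"
    done < <(changed_paths_from_diff "${CHANGES_IN_INDEX}")
  else
    echo "no changes found"
  fi
else
  #create file index (baseline) on the first run
  "${FIND}" "${WEB_ROOT}" -type f -exec "${MD5_SUM}" {} + > "${FILE_INDEX}"
fi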

-----------------------------------------------------------------------------------------------------------
#Perl code
#findshell.pl  

http://ketan.lithiumfox.com/doku.php/phpshell_scanner

------------------------------------------------------------------------------------------------------------
