Sunday, February 3, 2013

Detect malicious PHP shells and quarantine them on Shared Server


Detect malicious PHP shells and quarantine them on Shared Server

Here i have use perl code from  http://ketan.lithiumfox.com/doku.php/phpshell_scanner  to detect malicious php shells and i have written shell script to do further processing after the bad shell is found.

-----------------------------------------------------------------------------------------------------------
# ./execute_findshell.sh

#!/bin/bash

ECHO=/bin/echo
TIME=`/bin/date`
MAIL=/usr/bin/mail
MV=/bin/mv
Quarantine_Dir=/tmp #Directory where quarantine file goes to
WEB_ROOT=/var/www #Web root to watch for changes
LOG=badshell.log
FIND=/usr/bin/find
GREP=/bin/grep
AWK=/usr/bin/awk
LS=/bin/ls
CAT=/bin/cat
SORT=/usr/bin/sort
FILE_INDEX=file_index
TMP_FILE_INDEX=tmp_file_index
CHANGES_IN_INDEX=changes_in_index
MD5_SUM=/usr/bin/md5sum
WC=/usr/bin/wc
DIFF=/usr/bin/diff
TR=/usr/bin/tr

#Execute file checker on shared hosting server on file changes using their checksum values
#*/1 * * * * cd /home/user/scripts; ./execute_findshell.sh > /dev/null 2>&1 

#
#Php shell finder-----
#

check_for_php_shells(){

FILE_NAME=$1
FINDSHELL_OUTPUT=`perl findshell.pl  10 ${FILE_NAME}`

#echo "${FILE_NAME}"

if [ "${FINDSHELL_OUTPUT}" ];then
echo "bad shell found\n"
echo "${FINDSHELL_OUTPUT}" 
${MV} ${FILE_NAME} ${Quarantine_Dir}
${ECHO} "Possible Backdoor Found,and Quarantined. Please Verify...${FINDSHELL_OUTPUT} -  ${TIME} " | ${MAIL} -s 'Possible Back door Found On  Server'  email@address.com
else
echo "bad shell not found \n"
fi


}


#----------------------

#Build file index
NO_OF_FILES=`${FIND} ${WEB_ROOT}  -type f  |${WC} -l`
if [ -f "${FILE_INDEX}" ];then
#if File exist, check for new entrie
#Create tmp file index and compare
${FIND}  ${WEB_ROOT} -type f -exec ${MD5_SUM} {} \; > ${TMP_FILE_INDEX}

${DIFF} ${TMP_FILE_INDEX} ${FILE_INDEX} > ${CHANGES_IN_INDEX}
if [ -s "${CHANGES_IN_INDEX}" ];then
echo "integrity changed \n"
CHANGES_IN_INDEX_ARRAY=(`${CAT} ${CHANGES_IN_INDEX} |${AWK} {'print $3'}| ${GREP} -P '(\/\w+\/.*)' | ${SORT} -u | ${TR} '\n' ' '`)

#Going through changes files
for i in "${CHANGES_IN_INDEX_ARRAY[@]}"
do
check_for_php_shells $i
done
else
echo "no changes found\n"
fi

else
#create file index
${FIND}  ${WEB_ROOT} -type f -exec ${MD5_SUM} {} \; > ${FILE_INDEX}
fi

-----------------------------------------------------------------------------------------------------------
#Perl code
#findshell.pl  

http://ketan.lithiumfox.com/doku.php/phpshell_scanner

------------------------------------------------------------------------------------------------------------

1 comment:

hema said...

Great Post with valuable information. Thank you for the knowledge.
PHP Online Classes
online php course with certificate