Date:  Sun, 26 Mar 2006 15:21:07 -0800
From:  "Bruce Timberlake" <brucetimberlake (at mark) gmail.com>
Subject:  [coba-e:04368] Re: Monitoring Ports, Processes
To:  coba-e (at mark) bluequartz.org
Message-Id:  <f76f5d3e0603261521vc1d7939sdf28ddbee7ad2659 (at mark) mail.gmail.com>
In-Reply-To:  <7.0.0.16.2.20060326113809.05061fa8 (at mark) muntada.com>
References:  <200603251503203.SM00400 (at mark) virus> <002801c65033$a1094010$2f427dd1 (at mark) chrism> <7.0.0.16.2.20060326095022.055d8928 (at mark) muntada.com> <f76f5d3e0603261256i455e91c2w69ec28062c7f9cae (at mark) mail.gmail.com> <7.0.0.16.2.20060326113809.05061fa8 (at mark) muntada.com>
X-Mail-Count: 04368

Can you just do a site-wide grep for any place that lets you do a file
upload and check that code? You'd be looking for a form type of
"multipart/form-data" (and a text field of 'type="file"', but that's a
bit harder to search for unless you know what quote style they are
using, single or double). Make a shell script (I'll call it
file_upload_find.sh):

vi ~/file_upload_find.sh

#!/bin/sh
for search in pl cgi php
do
  # first build a list of file names for each type
  MATCHES=`find . -name "*.${search}" -exec grep -il 'multipart/form-data' {} \;`

  if [ "x$MATCHESx" != "xx" ]; then
    # show all the lines in each file that match
    for file in $MATCHES
    do
      echo "File: $file"
      grep -in "multipart/form-data" "$file"
    done
  fi

done


Make it executable:

chmod +x ~/file_upload_find.sh


Then go to the site's web root and run it:

cd /home/sites/www.example.com/web
~/file_upload_find.sh

You should see output like this:

File: ./filemanager.php
11:    echo "<form action=\"" . $PHP_SELF . "\" method=\"POST\"
ENCTYPE=\"multipart/form-data\">";
File: ./fileupload.php
56:  <form name="uploadform" action="fileupload.php" method="POST"
enctype="multipart/form-data">

That will give you a list of all .php/.cgi/.pl files with the string
in them, and tell you the line number(s) of each file that it exists
at. Then check those files to see what kind of input validation they
are doing, etc., and fix any errors...


If the IRC bot is always named the same, you could set up a cron job
to look for it and email you if it appears - that might let you catch
someone in the act.  Make a shell script like this (I'll call it
botwatch.sh):

vi ~/botwatch.sh

#!/bin/sh

FILE_TO_FIND="/tmp/filename"

# quote the path so the test still works if it ever contains spaces
if [ -f "$FILE_TO_FIND" ]; then
  NOW=`date +%c`
  echo "$NOW" | mail -s "$FILE_TO_FIND found - exploit in progress!" \
    you@example.com
fi


Set the script to be executable:

chmod +x ~/botwatch.sh

See where it is:

pwd

Then set up a cron job to run every minute to execute the script:

crontab -e
* * * * * /path/to/botwatch.sh > /dev/null

where "/path/to" is whatever the pwd command gave you.

Be aware that you will get an email every minute that the file exists,
so until you clean it up, you will continue to receive emails. If you
want to tone it down a bit, just alter the cron interval:

crontab -e
2,32 * * * * /path/to/botwatch.sh > /dev/null

will run it every half hour at :02 and :32 past the hour.


Alternatively, if you set up the cron job under the root user, it can
just delete the file for you:

#!/bin/sh

FILE_TO_FIND="/tmp/filename"
ME="me@example.com"

if [ -f "$FILE_TO_FIND" ]; then
  # capture all running processes
  PS_LIST=`ps afx`
  /bin/rm "$FILE_TO_FIND"
  # you will need to add some process killing here too

  # see if we actually got rid of it
  if [ -f "$FILE_TO_FIND" ]; then
    # quote the variable so the process list keeps its line breaks
    echo "$PS_LIST" | mail -s "$FILE_TO_FIND found, NOT DELETED!" $ME
  else
    echo "$PS_LIST" | mail -s "$FILE_TO_FIND found and deleted" $ME
  fi
fi
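The post notes that the `type="file"` input is awkward to grep for because you do not know which quote style the code uses. The following is an added example, not the poster's script: one pass over the .php/.pl/.cgi files that matches the multipart enctype and the file input in either quote style and either attribute case, plus a helper that builds a small constructed sample site so the scan can be tried offline. It assumes a POSIX sh with find, grep -E and mktemp.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes POSIX sh, find,
# grep -E and mktemp; the sample site below is constructed for the demo.

# Print "file:line:text" for every multipart form or file input under $1.
# -i makes ENCTYPE/enctype and TYPE/type equivalent; the pattern accepts
# type=file, type='file' and type="file", with optional spaces around '='.
find_upload_forms() {
  root="${1:-.}"
  pat="multipart/form-data|type *= *[\"']?file[\"']?"
  find "$root" -type f \( -name '*.php' -o -name '*.pl' -o -name '*.cgi' \) \
       -exec grep -HinE "$pat" {} + 2>/dev/null
}

# Count the distinct files under $1 that contain an upload form or input;
# this is the list to review for input validation.
count_upload_files() {
  find_upload_forms "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Build a constructed sample web root in a temp dir and print its path:
# one real upload form (mixed quote styles), one plain page, and a .txt
# file that mentions the string but is outside the scanned extensions.
make_sample_site() {
  dir=$(mktemp -d)
  cat > "$dir/fileupload.php" <<'EOF'
<form name="uploadform" action="fileupload.php" method="POST" enctype="multipart/form-data">
<input type='file' name='userfile'>
</form>
EOF
  cat > "$dir/index.php" <<'EOF'
<?php echo "no uploads here"; ?>
EOF
  cat > "$dir/notes.txt" <<'EOF'
multipart/form-data mentioned in a text file, not scanned
EOF
  echo "$dir"
}
```

Run it from the site's web root with `find_upload_forms .` (or pass the root as the first argument) and review each listed file the same way the post describes.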