Date:  Sun, 26 Mar 2006 14:21:32 -1000
From:  MuntadaNet Webmaster <webmaster (at mark) muntada.com>
Subject:  [coba-e:04370] Re: Monitoring Ports, Processes
To:  coba-e (at mark) bluequartz.org
Message-Id:  <7.0.0.16.2.20060326142113.050ed178 (at mark) muntada.com>
In-Reply-To:  <f76f5d3e0603261521vc1d7939sdf28ddbee7ad2659 (at mark) mail.gmail.com >
References:  <200603251503203.SM00400 (at mark) virus> <002801c65033$a1094010$2f427dd1 (at mark) chrism> <7.0.0.16.2.20060326095022.055d8928 (at mark) muntada.com> <f76f5d3e0603261256i455e91c2w69ec28062c7f9cae (at mark) mail.gmail.com> <7.0.0.16.2.20060326113809.05061fa8 (at mark) muntada.com> <f76f5d3e0603261521vc1d7939sdf28ddbee7ad2659 (at mark) mail.gmail.com>
X-Mail-Count: 04370

<html>
<body>
Excellent suggestion. Will try and let you know about success
level.<br><br>
-Rashid<br><br>
At 01:21 PM 3/26/2006, you wrote:<br>
<blockquote type=cite class=cite cite="">Can you just do a site-wide grep
for anyplace that lets you do a file<br>
upload and check that code? You'd be looking for a form type of<br>
&quot;multipart/form-data&quot; (and a text field of
'type=&quot;file&quot;', but that's a<br>
bit harder to search for unless you know what quote style they are<br>
using, single or double). Make a shell script (I'll call it<br>
file_upload_find.sh):<br><br>
vi ~/file_upload_find.sh<br><br>
#!/bin/sh<br>
for search in pl cgi php<br>
do<br>
&nbsp; # first build a list of file names for each type<br>
&nbsp; MATCHES=`find . -name &quot;*.${search}&quot; -exec grep -il 'multipart/form-data' {} \;`<br><br>
&nbsp; if [ &quot;x$MATCHESx&quot; != &quot;xx&quot; ]; then<br>
&nbsp;&nbsp;&nbsp; # show all the lines in each file that match<br>
&nbsp;&nbsp;&nbsp; for file in $MATCHES<br>
&nbsp;&nbsp;&nbsp; do<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; echo &quot;File: $file&quot;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; grep -in &quot;multipart/form-data&quot;
&quot;$file&quot;<br>
&nbsp;&nbsp;&nbsp; done<br>
&nbsp; fi<br><br>
done<br><br>
<br>
Make it executable:<br><br>
chmod +x ~/file_upload_find.sh<br><br>
<br>
Then go to the site's web root and run it:<br><br>
cd /home/sites/www.example.com/web<br>
~/file_upload_find.sh<br><br>
You should see output like this:<br><br>
File: ./filemanager.php<br>
11:&nbsp;&nbsp;&nbsp; echo &quot;&lt;form action=\&quot;&quot; .
$PHP_SELF . &quot;\&quot; method=\&quot;POST\&quot;<br>
ENCTYPE=\&quot;multipart/form-data\&quot;&gt;&quot;;<br>
File: ./fileupload.php<br>
56:&nbsp; &lt;form name=&quot;uploadform&quot;
action=&quot;fileupload.php&quot; method=&quot;POST&quot;<br>
enctype=&quot;multipart/form-data&quot;&gt;<br><br>
That will give you a list of all .php/.cgi/.pl files with the string<br>
in them, and tell you the line number(s) of each file that it exists<br>
at. Then check those files to see what kind of input validation they<br>
are doing, etc., and fix any errors...<br><br>
<br>
If the IRC bot is always named the same, you could set up a cron job<br>
to look for it and email you if it appears - that might let you
catch<br>
someone in the act.&nbsp; Make a shell script like this (I'll call
it<br>
botwatch.sh):<br><br>
vi ~/botwatch.sh<br><br>
#!/bin/sh<br><br>
FILE_TO_FIND=&quot;/tmp/filename&quot;<br><br>
if [ -f $FILE_TO_FIND ]; then<br>
&nbsp; NOW=`date +%c`<br>
&nbsp; echo $NOW | mail -s &quot;$FILE_TO_FIND found - exploit in
progress!&quot; \<br>
&nbsp;&nbsp;&nbsp; you (at mark) example.com<br>
fi<br><br>
<br>
Set the script to be executable:<br><br>
chmod +x ~/botwatch.sh<br><br>
See where it is:<br><br>
pwd<br><br>
Then set up a cron job to run every minute to execute the
script:<br><br>
crontab -e<br>
* * * * * /path/to/botwatch.sh &gt; /dev/null<br><br>
where &quot;/path/to&quot; is whatever the pwd command gave you.<br><br>
Be aware that you will get an email every minute that the file
exists,<br>
so until you clean it up, you will continue to receive emails. If
you<br>
want to tone it down a bit, just alter the cron interval:<br><br>
crontab -e<br>
2,32 * * * * /path/to/botwatch.sh &gt; /dev/null<br><br>
will run it every half hour at :02 and :32 past the hour.<br><br>
<br>
Alternatively if you set up the cronjob under the root user, it can<br>
just delete the file for you:<br><br>
#!/bin/sh<br><br>
FILE_TO_FIND=&quot;/tmp/filename&quot;<br>
ME=&quot;me (at mark) example.com&quot;<br><br>
if [ -f &quot;$FILE_TO_FIND&quot; ]; then<br>
&nbsp; # capture all running processes<br>
&nbsp; PS_LIST=`ps afx`<br>
&nbsp; /bin/rm &quot;$FILE_TO_FIND&quot;<br>
&nbsp; # you will need to add some process killing here too<br><br>
&nbsp; # see if we actually got rid of it<br>
&nbsp; if [ -f &quot;$FILE_TO_FIND&quot; ]; then<br>
&nbsp;&nbsp;&nbsp; echo &quot;$PS_LIST&quot; | mail -s &quot;$FILE_TO_FIND found, NOT
DELETED!&quot; $ME<br>
&nbsp; else<br>
&nbsp;&nbsp;&nbsp; echo &quot;$PS_LIST&quot; | mail -s &quot;$FILE_TO_FIND found and
deleted&quot; $ME<br>
&nbsp; fi<br>
fi</blockquote>
<p>
***************************************************************** <br>
MuntadaNet Web Hosting and Web Design Services<br>
<font color="#0000FF"><u>
<a href="http://www.muntada.com/" eudora="autourl">
http://www.muntada.com<br><br>
</a></u></font>Sales - sales (at mark) muntada.com <br>
Support - support (at mark) muntada.com <br>
Billing - billing (at mark) muntada.com<br><br>
Main Office - 808-689-6092<br>
Fax - (808) 356-0279<br>
*****************************************************************<br><br>
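Added example (not code from the thread or from either poster): the two ideas
quoted above, the site-wide search for upload handlers and the cron-driven
watch for a known bot file, written as two shell functions in one script. It
goes a little beyond the quoted scripts: file names containing spaces survive,
the 'type=&quot;file&quot;' check matches either quote style, and the ps
snapshot keeps its line breaks in the mail body. The script name, the
directory, the marker path and the mail address are placeholders chosen for
this example.<br><br>

```shell
#!/bin/sh
# Added example, not code from the thread: the quoted upload-handler search and
# the quoted botwatch script as two shell functions. Differences from the quoted
# scripts: file names with spaces survive (find -exec ... {} +), the type="file"
# check covers both quote styles, and the ps snapshot keeps its line breaks in
# the mail body ("$ps_snapshot"). Paths and the mail address are placeholders.

# find_upload_handlers DIR
# Print file:line:text for every .pl/.cgi/.php file under DIR that declares a
# multipart form or a file input. /dev/null is passed as an extra argument so
# grep always prints the file name, even when only one file matched.
find_upload_handlers() {
    find "${1:-.}" -type f \( -name '*.pl' -o -name '*.cgi' -o -name '*.php' \) \
        -exec grep -in -e 'multipart/form-data' -e "type=[\"']*file" /dev/null {} +
}

# count_upload_handlers DIR  ->  number of matching lines (handy for a cron diff)
count_upload_handlers() {
    find_upload_handlers "$1" | wc -l | tr -d ' '
}

# watch_marker PATH [MAILTO]
# Return 0 if PATH is absent, 1 if it was present and removed, 2 if it is
# present but could not be removed. The process list is captured before the
# removal so the notification shows what was running alongside the file.
watch_marker() {
    marker=$1
    mailto=${2:-}
    [ -e "$marker" ] || return 0
    ps_snapshot=$(ps ax 2>/dev/null || true)
    rm -f -- "$marker"
    if [ -e "$marker" ]; then
        status=2
        subject="$marker found, NOT deleted"
    else
        status=1
        subject="$marker found and deleted"
    fi
    if [ -n "$mailto" ]; then
        printf '%s\n\n%s\n' "$(date +%c)" "$ps_snapshot" | mail -s "$subject" "$mailto"
    fi
    return $status
}

# Command-line use (placeholder paths and address):
#   ./upload_audit.sh audit /home/sites/www.example.com/web
#   * * * * * /path/to/upload_audit.sh watch /tmp/filename you@example.com
case "${1:-}" in
    audit) find_upload_handlers "${2:-.}" ;;
    watch) watch_marker "$2" "${3:-}" ;;
esac
```

Run the audit once by hand and keep its output; a cron job that re-runs
count_upload_handlers and mails you when the number changes will tell you
when a new upload form appears in the web root, which is the case the thread
is worried about.<br><br>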
</body>
</html>