Hello guys, a guy has successfully uploaded a shell to my server. My question is: how dangerous is it? I have since deleted his file and changed the permission to 755. toby
Very; most major defacements begin with placing a shell on the box. You can access MySQL databases, read all the files (config.php being the most important), and if the perms are right, you can upload more malicious files. Once you have a shell on the box, it is just a question of skill: does the attacker know enough to get root or cPanel access, or is it a skiddie who will only deface?
Thanks for the input. So what are the most basic and the most advanced ways to prevent someone uploading a shell to my server?
The best way to prevent a shell from being uploaded to your server is to only run secured software. The problem is most people do not take the time to do this, especially if they are providing hosting for other people. The best solution would be to install mod_security if you are running Apache. You will also need a good ruleset to protect your server. Modsec does a good job at protecting a server by not allowing remote exploits to be run. http://www.modsecurity.org/ http://www.gotroot.com/
The permission change you made was for the folder he uploaded into? Which user owns that folder? If it's the same user that runs Apache, then you haven't stopped anything. The most important thing is to figure out how he got the file onto your server. Once you have mitigated that attack vector, you can then roll a die to decide whether he installed a root kit or not and re-install your machine from scratch.
Thanks guys for the input. The thing is, how can I figure out HOW he got the file onto my server? And yes, it's a 777 permission, so for some reason, which I do not know, he successfully uploaded the file, but how do I know which method he used? Also people suggest I look at the log. The question is: what type of information do I need to look at in the log? And which log? What is a root kit? I hope to learn more about managing linux and apache from you. Thanks a million!
Some shells in Australia, I heard, are quite dangerous and can get you killed! I hope I answered your question?
There are lots of surprisingly deadly things in Australia for a country with no lions or tigers or bears. I think iatbm might have been referring to these: http://www.aims.gov.au/pages/research/project-net/dma/pages/coneshell-01.html As far as logs are concerned, there should be an access log for your website that contains every request your server responded to. It's often in /var/log/apache2/access_log. See if you can find the entry that matches the timestamp on the shell file he uploaded. Hopefully, that will tell you which PHP script on your site is the culprit.
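One way to do the timestamp matching described above, as an added example that is not part of the thread: a POSIX shell function that parses Apache combined-format log timestamps (zone offset included) and prints every request within a window of the uploaded file's modification time. The log path, the site paths and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: print access-log requests within WINDOW
# seconds of a target epoch time (e.g. the mtime of the uploaded shell).
# Assumes Apache combined log format, timestamps like [12/Mar/2008:03:41:52 +0000].
# find_requests LOGFILE TARGET_EPOCH WINDOW_SECONDS
find_requests() {
    awk -v target="$2" -v window="$3" '
    # days since 1970-01-01 for a civil date (Hinnant algorithm, years > 0)
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) mon[names[i]] = i
    }
    {
        s = index($0, "["); e = index($0, "]")
        if (s == 0 || e <= s) next                  # no bracketed timestamp
        split(substr($0, s + 1, e - s - 1), f, " ") # f[1] date/time, f[2] zone
        split(f[1], p, "[/:]")                       # day mon year hour min sec
        t = days_from_civil(p[3], mon[p[2]], p[1]) * 86400
        t += p[4] * 3600 + p[5] * 60 + p[6]          # local seconds
        off = substr(f[2], 2, 2) * 3600 + substr(f[2], 4, 2) * 60
        if (substr(f[2], 1, 1) == "-") off = -off
        diff = (t - off) - target                    # compare in UTC
        if (diff < 0) diff = -diff
        if (diff <= window) print
    }' "$1"
}
# Constructed sample log (a real one is usually /var/log/apache2/access_log).
# The -0500 line is there to exercise the zone-offset handling.
make_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.9 - - [12/Mar/2008:03:41:52 +0000] "POST /gallery/upload.php HTTP/1.1" 200 311 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Mar/2008:03:42:10 +0000] "GET /gallery/uploads/photo.php HTTP/1.1" 200 8942 "-" "Mozilla/4.0"
10.0.0.9 - - [11/Mar/2008:22:42:30 -0500] "GET /gallery/uploads/photo.php HTTP/1.1" 200 8942 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Mar/2008:09:15:44 +0000] "GET /about.php HTTP/1.1" 200 2231 "-" "Mozilla/5.0"
EOF
}
# Demo: pretend the shell's mtime is 12/Mar/2008 03:41:52 UTC (epoch 1205293312).
# On a real server: find_requests /var/log/apache2/access_log "$(stat -c %Y uploaded.php)" 300
LOG=$(mktemp); make_sample_log "$LOG"
find_requests "$LOG" 1205293312 60      # the POST that wrote the file, then the hits on it
rm -f "$LOG"
```

The POST that lands in the window points at the script that accepted the upload; the GETs that follow show the attacker using the file, which is useful when reading the rest of the log.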
Hi, thanks ladada. Wonder if there is a linux command to check all my directories to see if there is a shell script? The reason is that inside the box there are many sites and it is tedious to go one by one.
Get mod_security. If you have any questions or need help writing the rules, I will send you my "locked down" config file for mod_security for free. It will stop a lot of attacks, as well as spam and other garbage, and present raw data logs which can be very important in tracking the attacker or methods used for an attack.
zebulon, I'd appreciate it if you could send me the locked down config file please, and please let me know how to upload those files too. Wonder if there is a way to stop the shell attack? I mean even though the shell file gets uploaded, is there a way to NOT allow it to execute?
One way to detect if your website has been modified is to use a source control system. Keep all of your website in something like subversion. Any changes you make, you commit to subversion. To deploy your site, simply check out a copy into your document root. Have a cron job that runs "svn status" in the document root every day and emails you if anything shows up. It's not difficult for an attacker to get around this, but the chances are very good that he won't even know that he has to, and you will know within a day exactly which file has changed on your website.
ladadda, I like the svn status command. Can you help by giving the whole cron code? Again, it's not that I don't want to google it myself, I just want to make sure things work perfectly fine and especially I want to learn from the best. And according to the inputs all of you have given, I really think you guys are the best and experts in this area and hopefully I can learn from you. Also what does it mean by subversion? I know it's something to do with svn but can I just set up the svn status in a cron job and NOT do the subversion? Another point is: do I have to set up a cron job in all my sites? Any way to set it up once for every change?
Subversion is a complete source code control and versioning system. It's not designed for security but for this particular threat it can help. It's worthwhile using a source code control system, even if you are the only developer writing code. About half-way down the first day of the Symfony Askeet tutorial you will find instructions about how to start using Subversion. You can ignore all the stuff about pear and symfony, just start with the svn stuff. Of course, before that you will need to install it, usually with:

    sudo apt-get install subversion

Once you have installed it, "svn" is the command you use to control it. Useful commands are:

To add a new file to your local checked-out copy:

    svn add newfile.php

To commit a newly added file to the main repository:

    svn commit -m 'My message about this file.' newfile.php

To remove a file from your local checked-out copy:

    svn rm oldfile.php

To see what changes you have made to your local checked-out copy that haven't been committed yet:

    svn status

To update a checked-out copy to the latest revision:

    svn update

There's a good book on subversion from red-bean that's also available online.
A shell is a PHP script which allows file upload, gives out server info and even allows you to run cmd commands, while a rootkit, once installed on your computer, listens on the ports specified by the hacker, and can also send data from the specific port. Rootkits are more dangerous than shells, and mostly shells are used to upload rootkits, so if you spot a shell there ought to be a rootkit on your server also. Run a virus scan and check for services in Task Manager; rootkits run on some services like "winback", "winlogon" etc.
Oh, and for the cron job, you'll want a bash script that looks something like this:

    #!/bin/sh
    # Run "svn status" in the document root; any output means a file differs from what was committed.
    SVNSTATUS=`cd /var/www/htdocs && /usr/bin/svn status 2>&1`
    if [ -n "$SVNSTATUS" ]; then
        echo "$SVNSTATUS" | mail -s "WARNING: Somebody has modified my website !" toby@example.com
    fi

and a crontab entry that looks something like:

    5 6 * * * /usr/local/toby/check_svn_status.sh