Question about malware php shell
Hello,
Today I found an exploited account on my dedicated server. I then decided I was going to look at the PHP files in the web browser and found they were all webshells. While navigating around the directories on this I noticed I could see all of the users' home directories; while I could not enter them, it also displayed their domain names as well. My question is: would there be any way to keep this type of information from being shown should something like this occur again, which I am guessing it will?
Currently we are using suPHP, and PHP 5.3/5.4 on the server, and have suexec disabled. I was reading about mod_ruid and it seems that may be the way to go to protect against symlink attacks and such, but I am not sure it will protect this data.
Thanks
Additionally, I guess my second question is: how does this shell pull in the domain names? It looks like mod_ruid stopped it from seeing what the user directories are, but it still shows the domain names on the server, which is odd. I'm guessing it's pulling the info from somewhere, I am just not sure where. Thanks again!
> While navigating around the directories on this I noticed..
Not a great idea to use this sort of script yourself when finding it. These scripts can phone home with details of its use, and who used it.
Well, I did take some steps beforehand to make sure that a. the user account could not be accessed outside the network and b. the server would not let traffic go anywhere besides the network for that account. It's a no-brainer that they can phone home if accessed. I guess I should have provided more details on how I secured the account before accessing it, but didn't think it was really needed when I'm just looking for an answer.
Well, obviously. I did take some steps beforehand; however, I was looking for more of an answer to my question than a quick "you shouldn't do that" quote.
I thank you for your answer and for providing me with a step in the right direction, it's much appreciated. :)