Preventing Execution Of Trojan Shell Scripts Like R57shell And Others?
Which PHP and server configuration prevents executing shell scripts?
Which functions do you recommend disabling?
Like shell_exec, passthru, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, exec, system, suexec, popen, pclose, dl, ini_set, virtual, set_time_limit
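An added example, not code from the original question or any reply: a POSIX shell script that audits the disable_functions line of a php.ini against a baseline of process-spawning functions and prints the hardened line. The baseline, the paths and the sample php.ini are assumptions for illustration. It deliberately leaves out ini_set and set_time_limit (disabling them breaks ordinary applications and stops no command execution) and suexec, which is an Apache helper binary rather than a PHP function. Two caveats a practitioner will want: disable_functions is only honoured from the loaded php.ini (or a php-fpm pool), never from ini_set(), and on CGI/suPHP setups that let each account load its own php.ini the setting has to be present in every php.ini that is actually loaded (phpinfo() shows which one). Disabling these functions stops a shell from spawning processes; it does not stop it reading and writing whatever the web user can reach, which is what open_basedir and per-account users (suPHP/suexec) are for.

```sh
#!/bin/sh
# Added example, not code from the original thread: audit a php.ini's
# disable_functions line against a baseline of process-spawning functions.
# The baseline, the paths and the sample php.ini below are assumptions.

# Functions that spawn processes or load native code. ini_set and
# set_time_limit are left out on purpose: disabling them breaks ordinary
# applications and does not stop command execution.
BASELINE="exec passthru shell_exec system proc_open popen pcntl_exec dl"

# Value of the last uncommented disable_functions line, space separated
# (the last occurrence wins, as in PHP's own ini parser).
current_disabled() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" \
        | tail -n 1 | cut -d= -f2- | tr -d ' \t"' | tr ',' ' '
}

# Print each baseline function the php.ini does NOT disable, one per line.
# Usage: missing_disabled_functions /etc/php.ini
missing_disabled_functions() {
    current=$(current_disabled "$1")
    for fn in $BASELINE; do
        case " $current " in
            *" $fn "*) ;;                # already disabled
            *) printf '%s\n' "$fn" ;;
        esac
    done
}

# Print a disable_functions line covering the baseline plus whatever the
# php.ini already lists (sorted, deduplicated).
hardened_line() {
    current=$(current_disabled "$1")
    printf 'disable_functions = %s\n' \
        "$(printf '%s\n' $current $BASELINE | sort -u | paste -s -d ',' -)"
}

# Constructed sample php.ini: only two functions disabled.
demo() {
    ini=$(mktemp)
    printf '; sample php.ini\ndisable_functions = exec, system\n' > "$ini"
    echo "Still callable:"; missing_disabled_functions "$ini"
    echo "Suggested line:"; hardened_line "$ini"
    rm -f "$ini"
}
demo
```

Run it against the php.ini reported by phpinfo() rather than the first one found in /etc; after changing the file, restart Apache (mod_php) or the CGI/FPM workers and confirm with a one-line test script that exec() now fails with a "has been disabled for security reasons" warning.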
Related Forum Messages:
How To Prevent Shell Hacking Like C.100 / R57 Exploit?
One of my client accounts has just been hacked with the c.100 exploit. This method injects one PHP file that acts like a fully featured file manager. The hacker used my client's account to place multiple scam and phishing sites. Now I'm wondering if this kind of exploit has a way to be countered, as my friend says there isn't any proven method until now :-/ This is the PHP file I've recovered: <<url removed>> FYI, my server configuration:
- apache 2.2.11
- centos 5.2
- cpanel + whm 11.24.4
- suphp, clamav & modsec enabled
PHP Execution Lags / Installation
Problem on some big DB-driven sites in PHP. Let's say I have a file; it doesn't even need to have any PHP functions in the document, it could be just pure CSS / images. Say I have a copy of this file named something.html and a copy named something.php: the PHP one takes about 5 times longer to load than the HTML page. You can see 90% of the page loads and then it sticks with the loading bar nearly finished, waits a while and then pings to finished and the remaining parts of the site load (usually footer links etc). This has me stumped; it even has my hosts stumped. Would anyone have any idea why this may happen? Something to do with the installation directory of PHP or the location of php.ini? This is on a Windows 2003 machine running IIS6; I have tested the same files on a Linux installation and it's perfectly fine.
Extending Max Execution Time
I am trying to run a PHP script on our server to split a very large file. As a result of the file size the script is timing out with this error:
Fatal error: Maximum execution time of 30 seconds exceeded in [url] on line 155
How can I extend the server execution time so the script can complete? I have cPanel with WHM installed.
Server Issues / Execution Time
During the last couple of weeks my main server has started acting weird. Sometimes (often) when accessing my site, I get a page saying that the server or location could not be found. Reload and "bam", the page loads again. Average load on the server is 0.50. When executing scripts (i.e. uploading files using web2ftp or the cPanel file manager) the server shuts the connection after a few seconds and says the page cannot be found. I set the execution time in PHP to 60 sec, so this is not the issue. When I ping the server, I do not get any packet loss.
Maximum Execution Time In My VPS
I always get:
Fatal error: Maximum execution time of 30 seconds exceeded in /home/ante/public_html/me/classes/http.php on line 418
Warning: fclose(): supplied argument is not a valid stream resource in /home/ante/public_html/me/classes/other.php on line 145
when I try to upload big files (up to 140 MB) to my VPS using RapidLeech, and here is my php.ini [url]. I changed the php.ini to the new value and restarted httpd only. My VPS info: safe_mode: on, Operating system: Linux, PHP version: 5.2.5, Apache version: 1.3.41 (Unix)
Why Can't Umask Set Execution Privs On Files
Before this thread happens, don't tell me to chmod the file to have execution privs. I want umask to work properly, with no separate chmod required. For some reason, on every single system I've tested this on (Linux, FreeBSD, VPS, standalone server, fresh install of the operating system), any time I test this, it ends up with the same issue. Running `umask 000` should result in files created from that point on having a chmod of rwxrwxrwx. However, they always end up having a chmod of rw-rw-rw-. If I create a directory after setting the same umask setting, the directory ends up with rwxrwxrwx.
Code:
root@bonkers[/usr/local/etc/php/umask] $ umask 000
root@bonkers[/usr/local/etc/php/umask] $ touch 000
root@bonkers[/usr/local/etc/php/umask] $ mkdir d0
root@bonkers[/usr/local/etc/php/umask] $ ls -la
total 10
drwxrwxrwx  5 root  wheel  512 Dec  6 03:31 .
drwxr-xr-x  4 root  wheel  512 Dec  6 03:21 ..
-rw-rw-rw-  1 root  wheel    0 Dec  6 03:31 000
drwxrwxrwx  2 root  wheel  512 Dec  6 03:21 d0
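An added example, not part of the post above or its replies, showing why the behaviour observed there is the system working as designed: umask is a mask, it can only clear bits from the mode the creating call asks for, and touch (via open(2)) asks for 0666 while mkdir asks for 0777. So a umask of 000 yields rw-rw-rw- for files and rwxrwxrwx for directories on every Unix, and the only way to get execute bits on a file is to request them with chmod or install -m. The script below computes the effective mode, observes it on real files in a temporary directory, and shows the explicit chmod; the temporary paths are illustrative.

```sh
#!/bin/sh
# Added example, not code from the original thread: umask can only clear
# bits from the mode the creating call requests. touch (open(2)) asks for
# 0666 and mkdir for 0777, so no umask value yields an executable file.
# Temporary paths below are illustrative.

# Mode a create call ends up with: requested mode with umask bits cleared.
# Usage: effective_mode 666 022   (prints 644)
effective_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Create a file and a directory under umask 000 and print "<file> <dir>".
observed_modes() {
    d=$(mktemp -d)
    ( umask 000; touch "$d/f"; mkdir "$d/d" )
    f=$(file_mode "$d/f"); m=$(file_mode "$d/d")
    rm -rf "$d"
    printf '%s %s\n' "$f" "$m"
}

# The only way to get execute bits on a file is to ask for them explicitly.
make_executable() {
    : > "$1" && chmod 0755 "$1" && file_mode "$1"
}

demo() {
    echo "touch under umask 000 -> $(effective_mode 666 000)"
    echo "mkdir under umask 022 -> $(effective_mode 777 022)"
    echo "observed (file dir): $(observed_modes)"
    t=$(mktemp); echo "after chmod 0755: $(make_executable "$t")"; rm -f "$t"
}
demo
```

From a security point of view this asymmetry is a feature: a process that merely creates a file (an upload handler, a log writer) never produces something executable by accident, and a web shell that wants an executable payload has to call chmod, which is a cheap thing to audit or deny.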
Trojan C99Shell
I just installed Zen Cart on my webhosting and a few days later I saw some files written like core1405.php, and when I opened the file to view it, it was actually the trojan c99shell. I have deleted all of the core files. Now how can I prevent it from happening again? Because it is too much work to clean up the hosting server.
LKM Trojan?
I just installed a fresh copy of CentOS 4.5, updated some programs and installed chkrootkit. When I run ./chkproc, it shows the following output:
Code:
# ./chkproc
You have 14 process hidden for readdir command
You have 14 process hidden for ps command
Searching for LKM trojans shows the following output:
Code:
# ./chkrootkit -x lkm
EXE 9994: /usr/sbin/named
CWD 9995: /var/named
EXE 9995: /usr/sbin/named
CWD 9996: /var/named
EXE 9996: /usr/sbin/named
CWD 9997: /var/named
EXE 9997: /usr/sbin/named
CWD 9998: /var/named
EXE 9998: /usr/sbin/named
CWD 26293: /var/lib/mysql
EXE 26293: /usr/sbin/mysqld
CWD 26294: /var/lib/mysql
EXE 26294: /usr/sbin/mysqld
CWD 26295: /var/lib/mysql
EXE 26295: /usr/sbin/mysqld
CWD 26296: /var/lib/mysql
EXE 26296: /usr/sbin/mysqld
CWD 26297: /var/lib/mysql
EXE 26297: /usr/sbin/mysqld
CWD 26298: /var/lib/mysql
EXE 26298: /usr/sbin/mysqld
CWD 26299: /var/lib/mysql
EXE 26299: /usr/sbin/mysqld
CWD 26300: /var/lib/mysql
EXE 26300: /usr/sbin/mysqld
When I stop mysql and named and run ./chkrootkit -x lkm again, it doesn't show anything. When I turn mysql and named back on, it starts complaining about compromises again. Can it be a false alarm, or should I really be worried? What do you advise me to do now?
Trojan-Downloader.JS.Psyme.hz
I have a hosting account at OXEO.com and I have trojan problems on all my websites. The index files of all my websites show a trojan program called Trojan-Downloader.JS.Psyme.hz. I checked my websites on Google and Google is warning users about this kind of problem for one of my websites. Has anybody here experienced the same problem?
How-to - Rootkit Scan (trojan Etc)
What is a rootkit? The following link is a very good read to answer that question: http://linux.oreillynet.com/pub/a/li...4/rootkit.html
In summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hacker's tracks, and to give the hacker tools to do more dirty work from your server.
Usage:
1. su - (change to root user)
2. mkdir /usr/local/chkrootkit
3. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
4. tar -xvzf chkrootkit.tar.gz
5. cd chkrootkit*
6. cp * /usr/local/chkrootkit
7. cd /usr/local/chkrootkit
8. make sense
Now scan your system:
1. cd /usr/local/chkrootkit
2. ./chkrootkit
chkrootkit may from time to time give false positives. If you ever get a positive or "infected" hit, scan a second time. If you do get a positive hit, google the hit to research the issue and the steps to correct it.
Part 2 - automated chkrootkit, and emailed results. I'm lazy, and like my server to do the work for me, so I have it scan every day and email me the results.
Usage:
1. vi /etc/cron.daily/chkrootkit
2. add the following code.
Code:
#!/bin/bash
(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkit scan" you@yourdomain.com)
3. chmod 0755 /etc/cron.daily/chkrootkit
This will email you@yourdomain.com every morning with your chkrootkit results. The -q option will only show you exploits.
Removal: If you don't like getting the emails or just want to remove this from your server:
1. rm /etc/cron.daily/chkrootkit
2. rm -rf /usr/local/chkrootkit
All files will now be deleted from your server.
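An added example, not part of the how-to above: a variant of its daily cron wrapper that mails only when chkrootkit -q reports something not already on a reviewed allowlist. A scanner that mails the same known false positive every morning trains the recipient to ignore the mail, which defeats the point of the scan; filtering reviewed lines out and staying silent otherwise keeps the alert meaningful. The CHKROOTKIT, ALLOWLIST and MAILTO values and the sample scanner output are assumptions; the sample uses the bindshell check's report on port 465, which fires on mail servers that legitimately listen on SMTPS.

```sh
#!/bin/sh
# Added example, not part of the original how-to: a daily wrapper that
# mails only when chkrootkit -q prints something not already on a reviewed
# allowlist, so a known false positive does not train you to ignore the
# mail. CHKROOTKIT, ALLOWLIST, MAILTO and the sample output are assumptions.
CHKROOTKIT=${CHKROOTKIT:-/usr/local/chkrootkit/chkrootkit}
ALLOWLIST=${ALLOWLIST:-/etc/chkrootkit.allow}   # one exact line per entry
MAILTO=${MAILTO:-you@yourdomain.com}

# stdin: raw scanner output; stdout: lines not on the allowlist.
# Whole-line fixed-string matching is deliberate: a changed path or PID
# inside an otherwise familiar message should still alert.
findings() {
    if [ -s "$ALLOWLIST" ]; then
        grep -vxF -f "$ALLOWLIST" || true      # grep exits 1 when all filtered
    else
        cat
    fi
}

# stdin: raw scanner output; exit 0 when something needs a human.
alert_needed() {
    [ -n "$(findings)" ]
}

# Run from /etc/cron.daily: silent unless there are new findings.
daily_scan() {
    out=$("$CHKROOTKIT" -q 2>&1 | findings)
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | mail -s "chkrootkit findings on $(hostname)" "$MAILTO"
    fi
}

# Constructed sample: the bindshell check flags SMTPS (465) on mail
# servers, a common false positive once reviewed and allowlisted.
demo() {
    allow=$(mktemp)
    printf 'INFECTED (PORTS:  465)\n' > "$allow"
    ( ALLOWLIST=$allow
      printf 'INFECTED (PORTS:  465)\nYou have 2 process hidden for ps command\n' | findings )
    rm -f "$allow"
}
demo
```

Keep the allowlist short and dated, and re-run a full (non -q) scan by hand before adding a line to it: the hidden-process and LKM checks in particular should be explained (a known daemon, a known kernel module) before they are silenced.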
15 POSSIBLE Trojan Detected WHM
I have a site on my server; when I open it, Kaspersky antivirus detects that there is a trojan on this site (see the picture in the attachment). I checked the server from WHM and there is the result "15 POSSIBLE Trojans Detected". How can I solve this and remove these trojans?
PHP.Backdoor.Trojan
As usual I do a monthly scan of all files on my site. Today I downloaded a full backup of the site to my PC, then scanned it using Norton Antivirus, and in one site's files Norton detected PHP.Backdoor.Trojan. I took a look at the file location and found the current file with the name xTgsj78Jn.txt. Then I went to the server where the site is hosted, went to the directory and found the file above there. I tried many times to delete it but always got an error message "Permission denied"; I tried to change permissions but always got an error. When deleting it I used the command rm -r with root access, then I did ls -l and found the file's details as below:
-rwxrwxrwx 1 nobody nobody 137787 Mar 19 20:14 xTgsj78Jn.txt*
Please help me to delete this file. FYI this file was uploaded to my hosting file site.
Possible Trojan List By WHM - Do I Need To Worry?
I ran the Trojan scan in WHM and it came up with the list below. I have a strong feeling WHM is mis-reporting these as trojans, but I thought I would ask the experts here:
Scan for Trojan Horses
Appears Clean /dev/stderr
Scanning for Trojan Horses.....
Possible Trojan - /usr/bin/cpan
Possible Trojan - /usr/bin/instmodsh
Possible Trojan - /usr/bin/prove
Possible Trojan - /usr/bin/xmlcatalog
Possible Trojan - /usr/bin/xmllint
Possible Trojan - /usr/bin/xml2-config
Possible Trojan - /usr/lib/libxml2.la
Possible Trojan - /usr/bin/mysqlhotcopy
Possible Trojan - /usr/bin/Wand-config
Possible Trojan - /usr/bin/animate
Possible Trojan - /usr/bin/compare
Possible Trojan - /usr/bin/composite
Possible Trojan - /usr/bin/conjure
Possible Trojan - /usr/bin/convert
Possible Trojan - /usr/bin/display
Possible Trojan - /usr/bin/identify
Possible Trojan - /usr/bin/import
Possible Trojan - /usr/bin/mogrify
Possible Trojan - /usr/bin/montage
Possible Trojan - /usr/bin/curl-config
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/lib/libcurl.so.3.0.0
Possible Trojan - /usr/lib/python2.3/site-packages/libxml2mod.la
Possible Trojan - /usr/lib/python2.3/site-packages/libxml2mod.so
Possible Trojan - /usr/sbin/pureauth
25 POSSIBLE Trojans Detected
Is there anything that looks fishy here?
Websites Infected With Trojan How To Solve?
I see my websites are infected with some trojan. There is an iframe tag similar to this in all index files:
<iframe src="http://traff<<removed>>.cn/in.cgi?27" width=100 height=80></iframe>
Any idea how this iframe might have been inserted in my code? I have tried to format my systems and remove all saved FTP passwords, but still this virus is coming back, and the strange thing is I have websites on different servers infected with the same virus. Any idea how this happened and how to avoid this?
Trojan-Clicker.HTML.Iframe.g In My Website? What Is This?
I have a website and all works fine, but a user who uses Kaspersky told me my website has a trojan. I don't understand how this is possible, and I'm really worried. The trojan that appears to my user is: Trojan-Clicker.HTML.Iframe.g. Does someone know why I have this trojan? Now the user refuses to open my website!! I'm more than worried. This is a printscreen of the error: ...
Trojan Detected On Initial Load Of Site
I have 2 reseller accounts with one provider, and in the last several days I have noticed that when you visit the site for the first time, my AV software detects a trojan on the site, but the code & html files are 100% clean! I'm suspecting that there is something being injected into the scripts from the server daemons that's either running or something else. Anyone have any suggestions?
Trojan-Clicker.HTML.IFrame.amh
I am not that technically proficient so I have to resort to shared hosting solutions... I am currently with Bluehost. Problem: I have a small site with minimal needs in terms of storage and bandwidth, but the site is controversial and gets hacked and attacked a lot. I need a shared hosting provider which ranks higher than most in terms of security. Recently the site was attacked such that any user going to the site was infected with Trojan horse viruses. Don't know if it's useful or not, but here are the files from my PC antivirus, which was infected when I went to the site with IE:
File generated by Rogers Online Protection Anti-Virus
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\PG8E0SM0\gifimg[1].htm Trojan-Clicker.HTML.IFrame.amh Deleted 11/5/2009 12:21:25 AM
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\GC9JZWI3\gifimg[2].htm Trojan-Clicker.HTML.IFrame.amh Deleted 11/5/2009 12:21:27 AM
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\QBPA1EL\gifimg[1].htm Trojan-Clicker.HTML.IFrame.amh Deleted 11/5/2009 12:21:27 AM
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\6SLECSUQ\gifimg[5].htm Trojan-Clicker.HTML.IFrame.amh Deleted 11/5/2009 12:21:28 AM
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\EKTEAS82\gifimg[5].htm Trojan-Clicker.HTML.IFrame.amh Deleted 11/5/2009 12:21:28 AM
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\P5098OY4\gifimg[4].htm Trojan-Clicker.HTML.IFrame.amh Deleted 11/5/2009 12:21:29 AM
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\IPGNWAB0\gifimg[1].htm Trojan-Clicker.HTML.IFrame.amh Deleted 11/5/2009 12:21:30 AM
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\5VT8B104\gifimg[1].htm Trojan-Clicker.HTML.IFrame.amh Deleted 11/5/2009 12:21:30 AM
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\43XUDX83\gifimg[2].htm Trojan-Clicker.HTML.IFrame.amh Quarantined 11/5/2009 12:21:31 AM
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\6SLECSUQ\gifimg[5].htm Trojan-Clicker.HTML.IFrame.amh Quarantined 11/5/2009 12:22:18 AM
C:\Documents and Settings\user\Local Settings\Temporary Internet
/tmp/clamav-77e7bfdbb2d3872b/test2.exe: Trojan.Taskkill.A FOUND
What is the meaning of the following lines in the temp folder? When I check the /tmp folder daily, many /tmp/clamav directories are present on the mail server and occupy a large amount of space in the temp folder:
/tmp/clamav-77e7bfdbb2d3872b/test1.exe: Worm.Mydoom.U FOUND
/tmp/clamav-77e7bfdbb2d3872b/test2.exe: Trojan.Taskkill.A FOUND
/tmp/clamav-77e7bfdbb2d3872b/test3.exe: Worm.Nyxem.D FOUND
/tmp/malware.zip: Infected.Archive FOUND
Trojan Activity - Running Perl With High CPU Usage, With User Apache
Running programs named perl with heavy CPU usage, with the ownership of user apache. We found the problem on Fedora 3 and Fedora 6. In our case, it was the result of trojan activity.
Quick solution: check the cron jobs of user apache:
crontab -u apache -e
*/1 * * * * perl /tmp/.tmp/tmpfile
Delete the cronjob entry. Also delete the file /tmp/.tmp/tmpfile. I also added "apache" to the file /etc/cron.deny. That's all. Problem and solution in detail....
How To Prevent Rm -rf /
Does anyone know any way that "rm -rf /" can be disabled? Or any SELinux rule or something to prevent this? Or if I wanted to prevent a certain directory from being deleted, like backups, but with something unlike chattr that someone can figure out quickly. I'm sure LOTS of people would like to know about this. I've searched around and the only somewhat useful thing I have found is an rm wrapper that sends everything to a trash directory in the root of the mount point.
Prevent Phishing
I'm not that techy. I'd like to ask why this person downloaded the file below before uploading some phishing webpages on my account. I've changed my password numerous times from different computers and even from a mobile phone just to check if the person can still get in. But again it is no use; the person was able to upload phishing pages.
logs:
May 25 21:50:42 server100 pure-ftpd: (weblogin100@62.56.133.36) [NOTICE] /home/weblogin100//.htpasswds/update/Login.php downloaded (21251 bytes, 755.78KB/sec)
Right now I have deleted all other scripts on the account and kept some HTML files. Folders were also set to 644, not 777, while waiting to see if the person can still upload his phishing pages. Please help me understand why he downloaded the file above. I've checked the file on my account and I cannot see Login.php. By the way I have a root login and only two accounts were constant phishing victims.
How To Keep Hackers Away
I am giving a few tips on securing your server against hack attempts. You must check these in spite of other security measures like firewalls, rootkit detectors etc.
1. Most important, do not disable safe_mode under php.ini. If any customer asks to disable it, turn it off on his account only, not on the whole server. Most of the time the attack is done using a shellc99 (phpshell) script. In case safe_mode is off on the server and there are public dirs with 777 permission, he can easily hack through.
2. Compile apache with safe mode as well.
3. In cPanel under Tweak Settings, turn on open_basedir; if someone requests to turn it off, turn it off on his/her account only. Using a phpshell one can easily move to main server dirs like /etc, /home.
4. Do not allow anonymous FTP on your server. You can turn it off from the FTP config under WHM Service Configuration. If it's allowed, one can easily bind a port using the nc tool with your server and gain root access. Always keep it disabled.
5. Make sure /tmp is secured. You can easily do that by running the command /scripts/securetmp using ssh. But do make sure /tmp is secured, else one can upload some kind of perl script in the /tmp dir and can deface or damage all data on a few/all accounts on your server, so keep your server secure from hack attempts.
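An added example, not code from the post above, for its point 5: /scripts/securetmp works by putting /tmp on a separate filesystem mounted noexec,nosuid,nodev (and pointing /var/tmp at it), so a script dropped there cannot be executed directly. The script below reads a /proc/mounts-style table and reports which of those options a mount point is missing, or that the path is not a separate mount at all; the sample table is constructed. Two caveats: noexec stops `/tmp/x` but not `perl /tmp/x` or `sh /tmp/x`, so it is a layer, not a cure, and safe_mode (point 1) was removed in PHP 5.4, so on current PHP only open_basedir, disable_functions and per-account process users remain from this list.

```sh
#!/bin/sh
# Added example, not code from the original post: verify that /tmp (and
# friends) is a separate mount carrying noexec,nosuid,nodev, which is what
# /scripts/securetmp sets up. Reads /proc/mounts-style lines from stdin so
# it also works on a saved copy; the sample below is constructed.

# stdin: mount table; arg: mount point. Prints each missing option, one
# per line; prints nothing when all are present; exit 2 if not a mount.
missing_mount_options() {
    mp="$1"
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    [ -n "$opts" ] || return 2
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) printf '%s\n' "$want" ;;
        esac
    done
}

# stdin: mount table; arg: mount point. One-line human summary.
report() {
    if missing=$(missing_mount_options "$1"); then
        if [ -z "$missing" ]; then
            echo "$1: ok"
        else
            echo "$1: missing $(printf '%s\n' "$missing" | paste -s -d ',' -)"
        fi
    else
        echo "$1: not a separate mount (files there inherit the parent filesystem's options)"
    fi
}

# Constructed sample: /tmp hardened, /dev/shm lacking noexec, /var/tmp on /.
SAMPLE='/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop0 /tmp ext3 rw,noexec,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

demo() {
    for mp in /tmp /dev/shm /var/tmp; do
        printf '%s\n' "$SAMPLE" | report "$mp"
    done
    # Live system: for mp in /tmp /var/tmp /dev/shm; do report "$mp" < /proc/mounts; done
}
demo
```

On a live box feed it /proc/mounts (see the comment in demo) and check /var/tmp and /dev/shm as well as /tmp: /dev/shm is world-writable and is a favourite drop location precisely because many hardening scripts forget it.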
How To Prevent Nobody From Moving Around The Server
I have my own box for my forum. Now I share my box with friends, but really they are freaky friends, so just to be on the safe side, brother, I am looking to know what functions I can disable in php.ini, or any program/tool, to prevent anybody / an attacker with *nobody* permissions from moving around the server via his shell script. As we know some attackers use their own PHP shell to hack sites on *shared hosting*, so they can move to any account after they know the user account name (/etc/passwd). So, as I said before, is there any good function I can disable to prevent these attackers from moving around the server? Or can I install any good tool (other than mod_security) on the system to prevent them (*nobody*) from doing that?
Mod_security To Prevent Some Script
I try to use mod_security to prevent some script in some files. Imagine I want to block all scripts that include "test" in the body, so if the code of script.php is:
HTML Code:
<html>
<p>test</p>
</html>
and someone runs script.php, I want to block running and show a 406 error. Now can you tell me how I can write this rule in mod_security 2 with Apache 2? I use SecRule RESPONSE_BODY "test" but it's not working ...
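An added example, not code from the post above or its replies: a rule like the one described only fires if ModSecurity 2 is actually buffering response bodies, which needs SecResponseBodyAccess On and a SecResponseBodyMimeType list that includes text/html, and if the rule runs in phase 4 (response body); a SecRule with no phase runs in phase 2, before the response exists, which is the usual reason "it's not working". The shell script below emits a complete config fragment for the pattern "test" and checks an existing config for those two prerequisites. The rule id 900001, the pattern and the file paths are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post: emit a ModSecurity 2.x
# rule that denies with 406 when a fixed string appears in the response
# body, and check an existing config for the two things such a rule needs:
# SecResponseBodyAccess On and phase:4. The id and pattern are illustrative.

# Usage: render_body_rule PATTERN ID > /etc/httpd/conf.d/body.conf
render_body_rule() {
    pat="$1"; id="$2"
    cat <<EOF
SecRuleEngine On
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html
SecRule RESPONSE_BODY "@contains $pat" "id:$id,phase:4,deny,status:406,log,msg:'Response body contains $pat'"
EOF
}

# Print why a config cannot inspect response bodies; silent and exit 0 when fine.
# Usage: check_body_rule_conf FILE
check_body_rule_conf() {
    f="$1"; ok=0
    grep -qiE '^[[:space:]]*SecResponseBodyAccess[[:space:]]+On' "$f" \
        || { echo 'SecResponseBodyAccess is not On: RESPONSE_BODY is never populated'; ok=1; }
    grep -E '^[[:space:]]*SecRule[[:space:]]+RESPONSE_BODY' "$f" | grep -qv 'phase:4' \
        && { echo 'RESPONSE_BODY rule not in phase:4: it runs before the body exists'; ok=1; }
    return $ok
}

demo() {
    good=$(mktemp); bad=$(mktemp)
    render_body_rule test 900001 | tee "$good"
    check_body_rule_conf "$good" && echo "generated config: ok"
    # A rule with no body access and no phase:4, as in the post
    printf 'SecRule RESPONSE_BODY "test" "id:1,phase:2,deny,status:406"\n' > "$bad"
    check_body_rule_conf "$bad" || echo "post's config: would never match"
    rm -f "$good" "$bad"
}
demo
```

Keep in mind what this rule costs: with body access on, every matching response is buffered up to SecResponseBodyLimit before it is sent, and a content match on a common word like "test" will also block legitimate pages; in practice the operator is @contains or @rx with a string specific to the backdoor output you want to stop.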
What Can I Do To Prevent DDoS Attacks
My site was recently under a DDoS attack and was down for a few days; the attack came from Russia I believe. The people who did it asked for $800, but of course I didn't pay. My hosting company did the best they could in order to stop the attack but it still lasted a few days and badly hurt my rankings. I moved my site to a dedicated server, but I don't know what kind of software/hardware I need to install on it in order to prevent more future attacks; the hosting company suggested a few things but I don't know if they are just trying to get more money out of me.
Prevent Directory Listing
I've just made a transition from a VDS to a dedicated server and I'm having problems preventing directory contents from showing. On my previous server, whenever I created a directory, it would automatically give a 403 when you tried to access the directory directly in your browser (which is what I want). Now when I set up directories on this new dedicated server, the contents of the directories display when there is either no index page or I don't have an htaccess file preventing it from listing the contents. So what I'm asking is: how did my previous server automatically set up the directories to not display the contents but use the contents and allow access to, say, pictures in the directory? Is there a way I can have Apache automatically do this for me, or do I have to place a blank index page in every directory I create, or place an htaccess file in every directory I create? How can I protect the contents with a 403 but still allow the contents to be accessed only through the full path?
My Server Was Hacked -- How To Prevent This
My server was recently hacked and I'm looking for ways to secure it in the future. I use the server to host my own websites. It was hacked to be a spam server. I traced the new files the hackers added to my "upload" directory, which is where my site members upload pics. I had set the directory to chmod 777. Could someone hack that directory solely because its permissions are 777? The site was custom developed in PHP, and looking through it myself, I couldn't find any security issues. But then again, I may not know exactly what to look for. I would appreciate any general tips on protecting a server, as well as general tactics hackers use to hack a server and a PHP site.
To Prevent Local Hack
I am trying to enhance my server security and prevent local hacks, but it seems useless. I tried to chmod /home/user/public_html to 711, disable functions, and enable PHP open_basedir. I can stop some popular shells such as c99shell.php, but the server can still be hacked locally. Is there any way to prevent it completely?
Way To Prevent Iframe Attack
Some sites on my server have had iframe code inserted into their homepage index.php and index.html. I found this topic has been discussed on WHT for some time but there is no solution yet. I found an article that helps to solve this issue but I lack the knowledge to understand the article. [url]
How To Prevent DDoS Attacks CentOS
I believe that my site is being DDoSed, and I'm wondering how I can prevent this from happening. I'm running CentOS 5.3. Are there any server-side scripts or PHP scripts that could be used to dynamically block out IPs that are consuming too many resources on the VPS?
Check And Prevent Ddos Attack
While working with different issues, I have seen many clients complaining about DDoS attacks on their servers. So I am posting here some useful commands to check and prevent a DDoS attack.
First of all, when you see that your site's or server's speed is very slow even though there is not much load on your server, you can guess it might be DDoS. Then run the 'top' command and see which processes there are more of; if those are httpd, then fire the following commands, which will show how many active connections your server is currently processing:
netstat -n | grep :80 | wc -l
netstat -n | grep :80 | grep SYN | wc -l
The first command will show the number of active connections that are open to your server. The number of active connections from the first command is going to vary widely, but if you are much above 500 you are probably having problems. If the second command is over 100 you are having trouble with a SYN attack.
netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
That will list the IPs taking the most amounts of connections to a server. Use the following commands to block an IP with iptables on the server:
iptables -I INPUT 1 -s IPADDRESS -j DROP
# or -j REJECT
service iptables save
--------OR--------------
You can place IPs which you want to block in hosts.deny:
vi /etc/hosts.deny
httpd: IP
write and quit
---------------------------
Then KILL all httpd connections and restart the httpd service by using the following commands:
killall -KILL httpd
service httpd startssl
-----------------------------------
These are all the steps to check and prevent DDoS on your server.
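An added example, not code from the post above: a POSIX shell script that does the post's "which IPs hold the most connections to port 80" step in one pass over netstat -n output, counts SYN_RECV separately (a SYN flood shows up there before it shows up in the total), and prints iptables commands for sources above a threshold rather than running them, so the list can be reviewed before anything is blocked. The sample netstat lines are constructed; the threshold is an assumption. The counting is by address only, so it treats a large NAT or a proxy as one heavy source, which is a known limitation of this approach.

```sh
#!/bin/sh
# Added example, not code from the original post: per-source connection
# counts to port 80 from netstat -n output, a separate SYN_RECV count, and
# iptables commands printed for review. The sample lines are constructed.
# IPv4 only: "tcp6" lines with ::ffff: addresses would need a different split.

# stdin: netstat -n lines; stdout: "count ip", most connections first.
top_sources() {
    awk '$1 ~ /^tcp/ && $4 ~ /:80$/ { split($5, a, ":"); c[a[1]]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# stdin: netstat -n lines; stdout: number of half-open connections to :80.
syn_recv_count() {
    awk '$4 ~ /:80$/ && $6 == "SYN_RECV" { n++ } END { print n+0 }'
}

# stdin: netstat -n lines; arg: threshold; stdout: one iptables -I per source
# at or above it. Printed, not executed: review, then pipe into sh as root.
block_commands() {
    top_sources | awk -v t="$1" \
        '$1 >= t { printf "iptables -I INPUT 1 -s %s -j DROP\n", $2 }'
}

# Constructed sample: one source holding three connections (one half-open),
# one ordinary visitor, and an SSH session that must not be counted.
SAMPLE='tcp        0      0 10.0.0.5:80     203.0.113.7:51234    ESTABLISHED
tcp        0      0 10.0.0.5:80     203.0.113.7:51235    ESTABLISHED
tcp        0      0 10.0.0.5:80     203.0.113.7:51236    SYN_RECV
tcp        0      0 10.0.0.5:80     198.51.100.2:40001   ESTABLISHED
tcp        0      0 10.0.0.5:22     192.0.2.9:55000      ESTABLISHED'

demo() {
    echo "top sources:";      printf '%s\n' "$SAMPLE" | top_sources
    echo "SYN_RECV to :80:";  printf '%s\n' "$SAMPLE" | syn_recv_count
    echo "would run:";        printf '%s\n' "$SAMPLE" | block_commands 3
    # Live: netstat -n | block_commands 50 | sh && service iptables save
}
demo
```

When the live list is dominated by a handful of addresses this is effective; when the attack is spread over thousands of sources with a few connections each, per-IP blocking cannot keep up, and the remaining options are rate limiting (the iptables connlimit/hashlimit matches, or a SYN cookie setting via net.ipv4.tcp_syncookies) and upstream filtering by the provider.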
How To Prevent Staff From Stealing Our Site
It came to my attention when we hired a company/people to handle our server, because our knowledge about managing a dedicated server is low level and we run a big site on that server. Does anybody know tips on how to prevent staff from a managed service from stealing our site, even though they have been trusted and have handled hundreds or thousands of servers? As we know, when we hire them for a fully managed service, they have our root access.
How To Prevent Email To Root Account
I'm running a webhosting server under Linux with sendmail as the mail server. The problem is that many spammers send mails directly to the root account by using one of the existing pseudo accounts like "apache, uucp, root, ...". In a default sendmail installation, apache, uucp, root are defined as aliases that point to root. I do virtual hosting so I accept mail for several domains. If a spammer sends mail to root@anotherdomain.com, the spam will also arrive in the root account. If I define a bounce-all for my main domain, I have problems because root@mymaindomain.com and apache@mymaindomain.com do not exist anymore. This results in "user unknown" when apache or root try to send a mail out. So, how do I prevent spammers from sending mail directly to the root account? Is it possible to accept only local mail to the root account?