Potential Exploit Checking Script....

[Wizzie]

Ok folks,

The attached script is not directly Joomla! related, after seeing quite an upsurge in attempted and unfortuntely, successful exploits in the forums in recent weeks, we decided to release a script that we have to try and at least "limit" the damage caused if we have missed something...


Information/Overview:
A reasonably effective script to search for particular known strings within .php and .cgi files that MAY present exploit capabilities.

The simple logic is by no means "fool proof" or "exhaustive" but gives a reasonably good indication that the target script maybe part of an exploit set. False positives are extremely possible due to the fact that many valid scripts make use of the same logic/technologies to acheive required activities, therefore some "human intelligence" must be applied to the final reports.

Installation:

  1) FTP sploitFinder.sh.txt to your server
  2) Rename to either sploitFinder.sh or just sploitFinder
  3) chmod 755 sploitFinder
  4) READ the comments andinstructions in the file
  5) run it to test with all the different switches, setup crons etc etc


  sploitFinder: list possible exploit scripts and optionally email output
    Usage: ./sploitFinder(.sh) [-a] [-c] [-m ] [egrep pattern]
              -m : email output to instead of writing to stdout
              -a : shows all files not just changes since last run
              -c : shows matching lines with context
              -r : reset/delete history


The script is well commented, only a couple of internal variables to be configured and select your command line execution switches.

Configuration:

    searchpath=/home  (Default : /home)
    sploitdir=//sploitFind  (Default : none)


This is the search pattern criteria. Listed are some of the signitures of some exploits we have heard of, these ARE NOT exhaustive. Obviously, the more variables there are, the longer each run will take.

  sploitpattern='[removed]|[removed]|r57shell|c99shell|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|MultiViews|[removed]|[removed]|eggdrop|guardservices|[removed]|DALnet'

(Feel free to post additions to the sploitpattern to enhance the scripts capability and share your experience and knowledge.!)


This script may be run adhoc if prefered, another option is via crom, for example: TWO regular cron jobs.

  The first cron runs every 4 hours on Monday through Sunday at 02.10hrs, 06.10hrs, 10.10hrs, 14.10hrs, 18.10hrs & 22.10hrs
    - Showing only new files since the previous run and mailing the report

  The second cron runs once a week on Sunday at 01.10hrs
    - Resets/rebuilds the Baseline and mails out a full report of ALL files (-a implied)

EG:
  10 2,6,10,14,18,22 * * * //sploitFinder.sh -m [email protected] >& /dev/null
  10 1 * * 0 //sploitFinder.sh -rm [email protected] >& /dev/null


As ever, This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY or support; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

[Bog]

Excellent idea.  I haven't looked at the script yet to see what it does.

Some other ideas could be:
1.  Detect new files since last scan
2.  Detect modified files since last scan
3.  Use of an exclusion file to eliminate noise and false positives

[Wizzie]

Bog

Thanks for the interest in the script,

The script has been designed to search through all .php and .cgi files in the designated searchpath (Default: /home) looking for the strings in $sploitpattern. If run without the -a or -r switch it will only report new files with matches since the last scan. So we beleive that answers point 1)

If the file has been modified;  if the file was not captured on a previous scan it will be reported this scan, but at the moment the script does not capture  subsequent changes to a file that has already been reported once for other string matches (If it was already reported once, it should have been reveiwed already), if you reset/rebuild (-r switch) occasionally, that will ensure that files that have been subsequently modified, after already being reported will be re-reported. Does this answer 2) ?

We will look in to your suggestion of an exclusion list for filenames not to scan, in an attempt to eliminate false positives. Don't hold your breath though, busy as ever. We will post in here again if/when it is implemented.

[Wizzie]

Updated sploitpattern to include latest seen exploit attempts;


sploitpattern='[removed]|[removed]|[removed]|r57shell|c99shell|shellbot|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|multiviews|[removed]|[removed]|eggdrop|guardservices|[removed]|dalnet|undernet'


Replace current pattern in script with the above...

[Wizzie]

Updated to include latest seens exploit attmepts; just update the spoitpattern in the posted script.

sploitpattern='[removed]|[removed]|[removed]|r57shell|c99shell|shellbot|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|multiviews|[removed]|[removed]|eggdrop|guardservices|[removed]|dalnet|undernet|vulnscan|spymeta|[removed]'

[zman818]

Thanks Wizzie!

[tamer.yasin]

Wonderfull.

But where is the attached script!
how can I download it.

thanks.

[Wizzie]

It is attached to the first post in this thread. (File name: sploitFinder.sh.txt)

[wuffy77]

sorry for the stupid question, but how do we actually run this? I've followed the instructions and uploaded etc however it just says 'run the script' - I've tried opening in a browser, but that just opens a file download selector... 

[RobS]

It is a shell script.  You need to have shell access to use it.

[hilu]

:-[Sorry for being ignorant..
Those who know may simply write "YEs" or "No"
I have a cpanel access.
Can I run this script using cpanel ?
Thank you for your valuable time
Regards,

[steve4j]

:-[Sorry for being ignorant..
Those who know may simply write "YEs" or "No"
I have a cpanel access.
Can I run this script using cpanel ?
Thank you for your valuable time
Regards,

SHELL ACCESS means, by use of a special interface your web host has set up, you can connect to your website with a command prompt JUST AS IF YOU WERE SITTING AT THE KEYBOARD OF THE LINUX/UNIX SERVER.

from there, you can type any Linux command, like LS (to list files) and many more.

It is very powerful, many things can only be done via the shell acess.

(the answer is no)



that script is no great loss, you havent missed much.

you can get a similar effect by mirroring your site to a folder on your hard drive, then using the Windows file search functions..

you should mirror your site to your local hard drive anyway for testing and backup purposes.

[luchris]

Hi,

I am having some difficulties to run the script. It says:-

/usr/bin/sploitfinder: line 246: unexpected EOF while looking for matching `''
/usr/bin/sploitfinder: line 254: syntax error: unexpected end of file

Any idea?
Thanks

[luchris]

:-[Sorry for being ignorant..
Those who know may simply write "YEs" or "No"
I have a cpanel access.
Can I run this script using cpanel ?
Thank you for your valuable time
Regards,

I dont think there will be any problem.. Just upload the file using ur favorite ftp client and chmod it to 755 and add a crond job from the cpanel menu.

[netxs]

Can you tell me where SploitFinder.sh is attached .
I am unable to find it

Thanking you

[Wizzie]

It is attached to the first post in this thread. (File name: sploitFinder.sh.txt).

[China]

Now all we need to do is make this into a component 
And we can start a war with the script kiddies. viva la com_JoomlaExploits
Hint hint.

[madmoritz]

Wicked script thanks 

Back soon, time to play with my new toy

[twincascos]

I've just found, installed and tested this script,
I have one question and one problem.

question:
I see that the sploitpattern has been updated a few times, will this be updated again? from time to time?

problem:
in terminal - #./sploitFinder.sh -rm [email protected]
error- ./sploitFinder.sh: line 244: /bin/mail: Permission denied

Thanx for any insight to my problem and thanx for the script.

[RussW]

Yes, from time to time the patterns will be updated, but there is nothing to stop you from updating or adding to the patterns yourself if you see something occurring on your own servers or in any security forums you may follow.

As for your mail problem, you are getting permission denied to the mail problem, either the user you are running the script as, does not have access to the mail binary or maybe security on your host disables the command line use of the binary.

[cronlin]

ok I'm lost... I know what I'm supposed to change but not what to change it to... is it like an absolute url or a directory or what?

[RussW]

As the Help at the top of file suggests,  you will need to complete the following variables to suit your server or site information;

  searchpath=/home  (Default : /home)
  Which directory do you want to search? This will be your hosting account directory.

    sploitdir=//sploitFind  (Default : none)
  Where you want the sploitFind to put its database....

[cronlin]

well, thanks for the quick reply but that's completely greek to me so I think I'll just pass

[muskiediver]

I run this:

./sploitFinder.sh -rm [email protected]

I get this error:
: bad interpreter: No such file or directory

My configuration:

#### SETUP OPTIONS ####
searchpath=/httpdocs
sploitdir=/httpdocs/sploitfind

Any ideas what I am doing wrong?

[RussW]

Which shell are you trying to run this in?

Without knowing your server configuration or setup; try also setting your path to the full path,  something like,    /home//public_html

[muskiediver]

redhat linuix

[fw116]

in the *.txt file are a bunch of  ^M from an MS-DOS like editor (gee thanks bill for this crap)
in a windows editor you dont even see this, but in vi or whatever u ve got a bunch of this line breaks (?) ..

it may happen that some systems run into trouble because of the ^M , check this and delete this and iam sure it will run...

[digitaldentist]

usually caused by white space after the ending ?>

[dealmaker]

It is insane.  I am currently using Hostgator as my hosting company.  I upload this script into my account, and in the process of using emacs to editing the script.  I haven't even run  it once.  I suddenly got an email saying that my account is suspended because of this script.  I asked them to lift the suspension but they ask me to wait for response. 

What should I do?

[RussW]

Talk to your host? they are most likely evaluating the script as to its use and purpose, seeing as it popped their own security.

This is actually goodness, your host is pro-actively attempting to protect you (and themselves) against potential exploits... Congratulations to your host for their approach and attitude to security. However, this may mean that you cannot make use of the posted script on your account.


This script probably got detected by a script of theirs looking for common or known exploits. This script contains some "keywords" of common and known exploits, so is their script. The result being, that their script considers this script to be a possible exploit script itself (a false positive) because our search keywords match their search keywords and suspended the account to avoid abuse of your account.