Potential Exploit Checking Script....

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

cantthinkofanickname
Joomla! Ace
Posts: 1334
Joined: Sat Oct 21, 2006 8:53 am

Re: Potential Exploit Checking Script....

Post by cantthinkofanickname » Fri Jun 01, 2007 6:07 pm

Just starting to read about security. Simple question: if all the directories and files are tied down with the correct permissions, would there be any need to run this sploit checker, as no one would be able to exploit any files? Perhaps, if this is true, this is just another check level, or someone has discovered a backdoor.

Thanks
Thanks for your time.

RussW
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: Potential Exploit Checking Script....

Post by RussW » Sat Jun 02, 2007 8:40 am

In a perfect world, your assumptions are more than fair and valid, and this and other intrusion detection mechanisms would not be required.

But..... on Shared Hosting, there are no guarantees that another site on the same server hasn't been exploited, and due to differing server configurations your account is then vulnerable from "inside"....
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

Kung
Joomla! Fledgling
Posts: 1
Joined: Thu Jun 07, 2007 12:35 am

Re: Potential Exploit Checking Script....

Post by Kung » Thu Jun 07, 2007 2:05 am

Alright, I'll confess to being a noob, but I've read the instructions about 29 times. I've got the script itself at /, searching /home, and the location of the database as /, just to keep it easy, and I *STILL* get 'bad interpreter'.

toemik
Joomla! Apprentice
Posts: 10
Joined: Thu Apr 20, 2006 2:13 pm

Re: Potential Exploit Checking Script....

Post by toemik » Thu Jun 07, 2007 9:03 am

Thank you Wizzie for this script.

My ISP had recently had an attack, and the finger of suspicion was that a rootkit may have been installed. The main culprits under suspicion from the ISP hosting support were Mambo/Joomla! installations. As I have a good working relationship with my ISP, I was asked to check out the servers for possible issues.

no.1 - a number of old Mambo installations installed by people with little knowledge of security, leaving configuration.php at 777
no.2 - url_open open
no.3 - two instances of r57shell, one unfortunately in an old Mambo install cache directory and the other in a Perl shopping cart program (no PHP scripts at all). It is fair to say that but for the script I would not have tumbled the last one.

I hope that anyone who has experience of these types of scripts may contribute so the search list can be extended.

Cheers again
Last edited by toemik on Thu Jun 07, 2007 12:23 pm, edited 1 time in total.

RussW
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: Potential Exploit Checking Script....

Post by RussW » Thu Jun 07, 2007 10:27 am

Toemik

I work with Wizzie and worked on the development of the original script. Thank you so very much for posting your "good news" story; it is nice to hear that it has assisted someone in a small way.

You (and/or your ISP) might also be interested in making use of the following scripts that we have also posted:

  Automated check for Joomla! & Mambo Versions script

  Automated Joomla! / Mambo Component/Module Version Checks

  Joomla! Admin Auto Password Generation and Change Script

  Joomla! Tools Suite

toemik
Joomla! Apprentice
Posts: 10
Joined: Thu Apr 20, 2006 2:13 pm

Re: Potential Exploit Checking Script....

Post by toemik » Thu Jun 07, 2007 12:21 pm

Apologies for not passing on the credit in the first instance, I shall check out the scripts you mentioned.

Cheers

RussW
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: Potential Exploit Checking Script....

Post by RussW » Thu Jun 07, 2007 8:16 pm

Nothing to apologise for :)

harty83
Joomla! Intern
Posts: 51
Joined: Mon Apr 17, 2006 10:57 am

Re: Potential Exploit Checking Script....

Post by harty83 » Sun Jun 17, 2007 7:01 pm

I just wanted to say that I had a lot of trouble running this script on a Linux box. I would get a bunch of errors, or I would get something like: bad interpreter: No such file or directoryh: /bin/sh

I fixed this by running the program dos2unix on the script before uploading. I installed this on my local box with Ubuntu by installing tofrodos, then typed "dos2unix sploitFinder.sh" in a console and uploaded the script. All works fine now.
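A way to diagnose and repair the CR/LF line-ending problem described in this post on a host without dos2unix. This is an added example, not the thread's sploitFinder.sh; the function names crlf_count, shebang_ok and strip_crlf are this example's own.

```shell
#!/bin/sh
# Added example, not the thread's sploitFinder.sh: find and repair Windows
# CR/LF line endings without dos2unix. A CR on the "#!/bin/sh" line makes the
# kernel look for an interpreter literally named "/bin/sh<CR>", which is the
# "bad interpreter: No such file or directory" error several posters hit.
# Function names are this example's own.

# Number of carriage-return bytes in FILE (0 for a clean Unix text file).
crlf_count() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Interpreter named on the first line of FILE, taken literally (a trailing
# CR stays attached, exactly as the kernel sees it). Succeeds only if that
# path is executable.
shebang_ok() {
    interp=$(head -n 1 "$1" | sed -n 's/^#! *\([^ ]*\).*/\1/p')
    [ -n "$interp" ] && [ -x "$interp" ]
}

# Rewrite FILE with LF-only endings in place. Writing back through cat keeps
# the file's mode bits (the 0755 that RussW asks for) and its inode.
strip_crlf() {
    tmp="$1.lf.$$"
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Constructed demo: a two-line script saved with Windows line endings.
demo_crlf() {
    f=$(mktemp) || return 1
    printf '#!/bin/sh\r\necho hello\r\n' > "$f"
    before=$(crlf_count "$f")                          # 2
    shebang_ok "$f" && echo "unexpected: shebang ok"   # fails: /bin/sh<CR>
    strip_crlf "$f"
    after=$(crlf_count "$f")                           # 0
    out=$(sh "$f")                                     # now runs: hello
    rm -f "$f"
    echo "CRs before=$before after=$after output=$out"
}

demo_crlf
```

The same symptom shows up inside the script as `: command not foundne 107:`, where the CR drags the cursor back to the start of the line; crlf_count on the uploaded file is the quickest way to confirm it.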

villano666
Joomla! Fledgling
Posts: 2
Joined: Fri Jul 06, 2007 3:26 pm

Re: Potential Exploit Checking Script....

Post by villano666 » Fri Jul 06, 2007 3:51 pm

How am I supposed to run this script? Just typing it in the address bar of my browser?
http://www.mysite.com/sploitFinder.sh
I've tried this and the browser wants to download the file, in both Firefox and Internet Explorer.
I've also tried http://www.mysite.com/sploitFinder but nothing happened.

RussW
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: Potential Exploit Checking Script....

Post by RussW » Sat Jul 07, 2007 4:54 am

As other posts in this thread explain, including the instructions, this is a Unix shell script; it needs to be run from the command line. If you do not have access to the command line, or are not able to configure it to run from the command line through a cron job, then you will not be able to make use of it, sorry.

rtenny
Joomla! Apprentice
Posts: 29
Joined: Sun Nov 19, 2006 10:09 pm
Location: Spain

Re: Potential Exploit Checking Script....

Post by rtenny » Sat Sep 22, 2007 1:53 pm

Wizzie wrote: Updated sploitpattern to include latest seen exploit attempts;

sploitpattern='[removed]|[removed]|[removed]|r57shell|c99shell|shellbot|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|multiviews|[removed]|[removed]|eggdrop|guardservices|[removed]|dalnet|undernet'

Replace current pattern in script with the above...
I have added the word "vandal" to the search phrase, as we have been attacked with a script that contained that email.

RussW
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: Potential Exploit Checking Script....

Post by RussW » Sat Sep 22, 2007 2:31 pm

kewl, thanks for the update.  Glad the script has been of use to you....

rtenny
Joomla! Apprentice
Posts: 29
Joined: Sun Nov 19, 2006 10:09 pm
Location: Spain

Re: Potential Exploit Checking Script....

Post by rtenny » Sat Sep 22, 2007 3:42 pm

RussW wrote: kewl, thanks for the update. Glad the script has been of use to you....
I would not have known what to do without it. ???
Now I have learned a lot about Joomla! security; I should have done that years ago ;)

I also downloaded the other 2 scripts (admin password changer, security audit)

Thanks for all your help

trichnosis
Joomla! Explorer
Posts: 315
Joined: Wed May 17, 2006 4:15 pm

Re: Potential Exploit Checking Script....

Post by trichnosis » Tue Sep 25, 2007 1:22 pm

RobS wrote: It is a shell script. You need to have shell access to use it.
So this prevents most of us.

RussW
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: Potential Exploit Checking Script....

Post by RussW » Tue Sep 25, 2007 10:07 pm

Not sure I know if this is a question or a statement.

But either way, if you do not have access to the shell, then.... no, you will not be able to use this script.....

almannai
Joomla! Apprentice
Posts: 8
Joined: Sun Sep 30, 2007 8:25 pm

Re: Potential Exploit Checking Script....

Post by almannai » Sun Sep 30, 2007 8:51 pm

Hi,
Thanks for sharing this script.

I was trying to run this on my site, but with no success; every step I take gives me an error.

This command
sh sploitFinder.sh

will return this error
syntax error on line 126: for i; do unexpected token near do

This command
sploitFinder.sh

will return command not found

I even tried to insert it using
crontab -e

but it's still not working.

Please advise.

Regards

RussW
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: Potential Exploit Checking Script....

Post by RussW » Sun Sep 30, 2007 10:58 pm

Firstly;

  -  Are you running a Linux/Unix system? It requires a Unix shell.
  -  Have you read the instructions in the script?
  -  If running locally/manually from the same directory, you may need to add " ./ " in front of the script name.
  -  Did the file download/upload OK? Is it corrupt/complete?

almannai
Joomla! Apprentice
Posts: 8
Joined: Sun Sep 30, 2007 8:25 pm

Re: Potential Exploit Checking Script....

Post by almannai » Mon Oct 01, 2007 10:32 am

Thanks for the rapid reply,

My system is CentOS.

The settings are
#### SETUP OPTIONS ####
searchpath=/home
sploitdir=/var/run/sploitfind
last=$sploitdir/last
this=$sploitdir/this
pid=$sploitdir/pid

The sploitFinder.sh is placed in the root.

Running the following
sploitFinder.sh -a -m myemail@yahoo.com
returns this
bash: sploitFinder.sh: command not found

Running the following
sh sploitFinder.sh -a -m myemail@yahoo.com
returns this

: command not foundne 107:
: command not foundne 108:
: command not foundne 109:
: command not foundne 110:
: command not foundne 113:
: command not foundne 116:
'ploitFinder.sh: line 126: syntax error near unexpected token `do
'ploitFinder.sh: line 126: `for i; do

Just to let you know, I am a newbie in system settings and shell things.

Regards
Last edited by almannai on Mon Oct 01, 2007 10:35 am, edited 1 time in total.

almannai
Joomla! Apprentice
Posts: 8
Joined: Sun Sep 30, 2007 8:25 pm

Re: Potential Exploit Checking Script....

Post by almannai » Mon Oct 01, 2007 10:34 am

sorry
:-[

RussW
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: Potential Exploit Checking Script....

Post by RussW » Mon Oct 01, 2007 11:20 am

Have you tried adding " ./ " in front of the file when running? ./sploitFinder.sh -a -m xxx.xxx.com.au

Is the file still named sploitFinder? I.e., upper and lower case...

When you say "root", where exactly do you mean? If this is the root of your hosting account then you need to change the /home to the right directory, /home/account/, otherwise you might not have the right permissions to access the /home directory.

almannai
Joomla! Apprentice
Posts: 8
Joined: Sun Sep 30, 2007 8:25 pm

Re: Potential Exploit Checking Script....

Post by almannai » Mon Oct 01, 2007 11:40 am

Trying this

./sploitFinder.sh -a -m xxx.xxx.com.au
returns
-bash: ./sploitFinder.sh: Permission denied

I have complete control of the server and am running it from here
[root@server ~]#

You say to use
/home/account/

but which account will I use? I have more than one account on the server and I want it to look for all accounts.

RussW
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: Potential Exploit Checking Script....

Post by RussW » Mon Oct 01, 2007 12:04 pm

OK, so now you just have a permissions problem. I would suggest not running this or any other script from the server " / " directory; this is a very poor practice.

Maybe do something like this: log in as your account user, then "su" to root, make a directory in "/home" (maybe call it "AdminScripts/", so you have "/home/AdminScripts/") and copy the file there. Make sure the script has the correct permissions to run and that "AdminScripts/" allows the script to make some new directories and files (it is going to auto-create a small database file). The search path of /home should then be OK as it is.

Then run the script again, " ./sploitFinder -a -m xxx.xxxx.com.au " etc. etc., and see how it goes....

almannai
Joomla! Apprentice
Posts: 8
Joined: Sun Sep 30, 2007 8:25 pm

Re: Potential Exploit Checking Script....

Post by almannai » Mon Oct 01, 2007 3:06 pm

OK, I've followed your instructions but it's still not working. Here are my settings:

/home/sploitFinder folder with 0777 permissions
sploitFinder.sh in above directory with 0755 permissions

#### SETUP OPTIONS ####
searchpath=/home
sploitdir=/home/sploitFinder

Running this command from /home/sploitFinder
./sploitFinder -a -m xxx.xxxx.com.au

This is the error:
: bad interpreter: No such file or directory

almannai
Joomla! Apprentice
Posts: 8
Joined: Sun Sep 30, 2007 8:25 pm

Re: Potential Exploit Checking Script....

Post by almannai » Mon Oct 01, 2007 3:31 pm

OK, I found the problem. Thank you for your time and effort.

When I edit the file in Windows and then upload it, Linux didn't like the CR/LFs, so with a Perl command I replaced
CR/LFs with CRs.

After running it I got an email like the below. It is working, I now think!!

  -- Run Time Options ---------------------------------------------------------------
  Show All Files    =  Yes, new and historical files.
  Show Context      =  No,  only file names.
  History Cleared    =  No,  previous entries left inplace.
  Email Notification =  Yes, notification to myemail@yahoo.com.

  Search Patterns:

  [removed]|[removed]|r57shell|c99shell|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|MultiViews|[removed]|[removed]|eggdrop|guardservices|[removed]|DALnet

  -- Execution Notes

RussW
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: Potential Exploit Checking Script....

Post by RussW » Mon Oct 01, 2007 8:33 pm

If you open the file in vi, do you see control characters on the end of lines (" ^M " and others)? Do a " dos2unix sploitFinder.sh " and try again.

RussW
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia

Re: Potential Exploit Checking Script....

Post by RussW » Mon Oct 01, 2007 10:47 pm

Well done, yup, it looks like it is running OK now. I have it configured under crontab to run each day without resetting the database, then once a week to reset the database, with output to email. Similar to the crontabs discussed earlier in the thread.

almannai
Joomla! Apprentice
Posts: 8
Joined: Sun Sep 30, 2007 8:25 pm

Re: Potential Exploit Checking Script....

Post by almannai » Tue Oct 02, 2007 1:51 pm

OK, I have it configured in cron like this:

crontab -e

At the end I placed
0 7,19 * * * ./home/sploitFinder/sploitFinder.sh -c -m mail@mail.com

Is this OK? I don't know the command to reset it every week!

If there is a better practice than this, please advise.

Have a good day

luciffere
Joomla! Apprentice
Posts: 40
Joined: Mon Aug 20, 2007 1:12 pm

Re: Potential Exploit Checking Script....

Post by luciffere » Fri Oct 12, 2007 8:05 am

I uploaded the file sploitFinder.sh.txt with TotalCommander to my server (I use FTP from TotalCommander).
With PuTTY I made a connection to my server and logged in with root permission.
I entered the command cd /var/www/htdocs/sploitFind
The next step, I renamed the file sploitFinder.sh.txt to sploitFinder.sh (root@server: /var/www/htdocs/sploitFind# mv sploitFinder.sh.txt sploitFinder.sh)
Next I used nano to change the configuration: root@server: /var/www/htdocs/sploitFind# nano sploiFinder.sh, and I changed the search path to /htdocs and sploitdir to /htdocs/sploitFind
I saved with Ctrl+#+X
I ran the command sh ./sploitFinder.sh but I see the error:
root@server:/var/www/htdocs/sploitFind# sh ./sploitFinder.sh
: command not foundline 107:
: command not foundline 108:
: command not foundline 109:
: command not foundline 110:
: command not foundline 113:
: command not foundline 116:
'/sploitFinder.sh: line 126: syntax error near unexpected token `do
'/sploitFinder.sh: line 126: `for i; do

What is wrong?

almannai
Joomla! Apprentice
Posts: 8
Joined: Sun Sep 30, 2007 8:25 pm

Re: Potential Exploit Checking Script....

Post by almannai » Fri Oct 12, 2007 9:54 am

This is what happened to me too.

Read my reply #53 and RussW's #54.

Regards,

luciffere
Joomla! Apprentice
Posts: 40
Joined: Mon Aug 20, 2007 1:12 pm

Re: Potential Exploit Checking Script....

Post by luciffere » Fri Oct 12, 2007 12:15 pm

luciffere wrote: I uploaded the file sploitFinder.sh.txt with TotalCommander to my server (I use FTP from TotalCommander).
With PuTTY I made a connection to my server and logged in with root permission.
I entered the command cd /var/www/htdocs/sploitFind
The next step, I renamed the file sploitFinder.sh.txt to sploitFinder.sh (root@server: /var/www/htdocs/sploitFind# mv sploitFinder.sh.txt sploitFinder.sh)
Next I used nano to change the configuration: root@server: /var/www/htdocs/sploitFind# nano sploiFinder.sh, and I changed the search path to /htdocs and sploitdir to /htdocs/sploitFind
I saved with Ctrl+#+X
I ran the command sh ./sploitFinder.sh but I see the error:
root@server:/var/www/htdocs/sploitFind# sh ./sploitFinder.sh
: command not foundline 107:
: command not foundline 108:
: command not foundline 109:
: command not foundline 110:
: command not foundline 113:
: command not foundline 116:
'/sploitFinder.sh: line 126: syntax error near unexpected token `do
'/sploitFinder.sh: line 126: `for i; do

What is wrong?
I found it.
In the sploitFinder.sh I changed "search pat=" and "sploit dir=".
Next I executed root@server:/var/www/htdocs/sploitFind# sh ./sploitFinder.sh
and I see:

root@mercurcv:/var/www/htdocs/sploitFind# ./sploitFinder.sh -a
./sploitFinder.sh: line 166: find: command not found
./sploitFinder.sh: line 166: xargs: command not found


  -- Run Time Options ---------------------------------------------------------------
  Show All Files    =  Yes, new and historical files.
  Show Context      =  No,  only file names.
  History Cleared    =  No,  previous entries left inplace.
  Email Notification =  No,  notification not requested.

  Search Patterns:
  [removed]|[removed]|r57shell|c99shell|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|MultiViews|[removed]|[removed]|eggdrop|guardservices|[removed]|DALnet


  -- Execution Notes ----------------------------------------------------------------
  If new potential exploit scripts are found, either manually review the file, or run
  "sploitFinder.sh -ac" (optionally -m email@address.com.au) to view the offending
  line within the indentified script.

  CAUTION: NOT all matches are guaranteed positives, valid scripts may also match
  some of the search criteria listed above.
  -----------------------------------------------------------------------------------
  usage: sploitFinder [-a] [-c] [-r] [-m ] [egrep pattern]
        -m : Email output to instead of writing to stdout
        -a : Shows all files not just changes since last run
        -c : Shows matching lines with context
        -r : Reset/delete file match history

But I have these lines with errors:
./sploitFinder.sh: line 166: find: command not found
./sploitFinder.sh: line 166: xargs: command not found
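The core of what a checker like this does, as an added example in POSIX sh that is not the thread's sploitFinder.sh: match files under a search path against an egrep pattern, keep a last/this history so that only new matches are reported (the -a, -r and "changes since last run" behaviour in the usage text above), and refuse to run when find or xargs cannot be found on PATH, as in the error shown in this post. The function and variable names and the reduced pattern are this example's own choices.

```shell
#!/bin/sh
# Added example, not the thread's sploitFinder.sh: the core of what the
# checker does, written as a small POSIX sh function. The names sploitfind,
# searchpath/sploitdir (taken from the SETUP OPTIONS quoted above) and the
# reduced pattern are this example's own choices.

# Reduced search pattern built from the public parts of the thread's
# sploitpattern (egrep syntax, as the script's usage line says).
PATTERN='r57shell|c99shell|phpshell|shellbot|phpremoteview'

# Fail early if the tools we rely on are not on PATH. This is what the
# "find: command not found" in the last post looks like from inside a
# script: typically a PATH problem in the shell, not a missing binary.
need_tools() {
    for t in find xargs grep sort comm; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing: $t" >&2; return 2; }
    done
}

# sploitfind SEARCHPATH SPLOITDIR [ALL=yes|no] [RESET=yes|no]
# Lists regular files under SEARCHPATH whose contents match PATTERN, stores
# the sorted list in SPLOITDIR/this and prints only names absent from the
# previous run's SPLOITDIR/last (the script's default "changes since last
# run"). ALL=yes prints every match (-a); RESET=yes forgets the history (-r).
sploitfind() {
    searchpath=$1 sploitdir=$2 all=${3:-no} reset=${4:-no}
    need_tools || return 2
    mkdir -p "$sploitdir" || return 1
    [ "$reset" = yes ] && rm -f "$sploitdir/last"
    touch "$sploitdir/last"
    # -print0/-0 keep odd file names intact; the history dir is skipped so
    # the history itself can never match. grep -l lists names only; -s
    # silences unreadable files.
    find "$searchpath" -type f ! -path "$sploitdir/*" -print0 |
        xargs -0 grep -lsE "$PATTERN" | sort > "$sploitdir/this"
    if [ "$all" = yes ]; then
        cat "$sploitdir/this"
    else
        comm -13 "$sploitdir/last" "$sploitdir/this"
    fi
    mv "$sploitdir/this" "$sploitdir/last"
}

# Constructed demo: a tiny site tree with one benign file and one file that
# merely contains a marker string from the pattern (no shell code).
demo_sploitfind() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site/cache" "$root/site/tmpl"
    printf '<?php echo "hello"; ?>\n' > "$root/site/tmpl/index.php"
    printf '<?php // r57shell marker (constructed) ?>\n' > "$root/site/cache/x.php"
    first=$(sploitfind "$root/site" "$root/db")   # new: .../cache/x.php
    second=$(sploitfind "$root/site" "$root/db")  # nothing new second time
    rm -rf "$root"
    printf 'first run: %s\nsecond run: %s\n' "$first" "${second:-<nothing new>}"
}

# Scheduling as RussW describes, with the thread's script and its flags
# (constructed crontab lines). Cron starts jobs in $HOME, so the "./home/..."
# path from the earlier post resolves to the wrong place; use an absolute path:
#   0 7,19 * * *  /home/AdminScripts/sploitFinder.sh -m admin@example.com
#   0 6    * * 0  /home/AdminScripts/sploitFinder.sh -r -m admin@example.com

demo_sploitfind
```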


Return to “Security - 1.0.x”