http://forum.joomla.org/viewtopic.php?f=621&t=777096
Ok folks,
Following a rather lengthy and fruitless discussion regarding some very old shell exploits on the developer mailing lists by upset and exploited users, I decided to update and re-issue my old "sploitFinder" shell script (originally posted in the J!1.0 Security Forums in September of 2006) in the hope that it may be of use to some again.
Information/Overview:
IMPORTANT NOTICE
This script is a Unix SHELL SCRIPT and not useful for everybody.
If you host on Windows or do not have Unix/Linux SSH/shell access to your host, you will not be able to make use of it. However....
PHP Developers
If any smart-cookie PHP developer would like to convert this from a shell script to either a standalone, single-user, browser-ready PHP script or a Joomla! extension, feel free to go for it.
A reasonably effective script to search for particular known patterns within .php and .cgi files that MAY present exploit capabilities.
The simple logic is by no means "fool proof" or "exhaustive", but it gives a reasonably good indication that the target script may be part of an exploit set. False positives are extremely likely because many valid scripts use the same logic/technologies to achieve required activities, therefore some "human intelligence" must be applied to the final reports.
Installation:
1) FTP/Copy sploitFinder.sh.txt to your server
2) Rename to either sploitFinder.sh or just sploitFinder
3) Make the file executable (chmod 755 sploitFinder) or run "sh sploitFinder.sh"
4) READ the comments and instructions in the file (it is fully documented)
5) Run it to test with all the different switches, set up crons etc etc
sploitFinder: list possible exploit scripts and optionally email output
Usage: ./sploitFinder(.sh) [-a] [-c] [-m ] [egrep pattern]
-m : email output to instead of writing to stdout
-a : shows all files not just changes since last run
-c : shows matching lines with context
-r : reset/delete history
The script is well commented; there are only a couple of internal variables to configure, then select your command-line execution switches.
Configuration:
searchpath=/home (Default : /home)
sploitdir=/sploitFind (Default : none)
This is the search pattern criteria. Listed are some of the signatures of some exploits we have heard of; these ARE NOT exhaustive. Obviously, the more patterns there are, the longer each run will take.
sploitpattern='[removed]|[removed]|[removed]|r57shell|c99shell|shellbot|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|multiviews|[removed]|vandal|[removed]|eggdrop|guardservices|[removed]|dalnet|undernet|vulnscan|spymeta|[removed]|Webshell'
(Feel free to post additions to the sploitpattern to enhance the script's capability and share your experience and knowledge!)
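As an added example (not the original sploitFinder script, which is attached to the post), here is a small POSIX shell reimplementation of its core logic: a case-insensitive egrep over .php/.cgi files for a signature pattern, a history file that gives the default "only new files since the last run" behaviour (deleting it is the -r reset, mode "all" is -a), and a -c style context view. The function names, the demo tree and the shortened pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the original sploitFinder script. Signature grep over
# .php/.cgi files under a search path, with a baseline file so that only
# hits not seen on the previous run are reported. Function names, the
# shortened pattern and the demo tree are assumptions for this example.
LC_ALL=C; export LC_ALL          # consistent sort order for comm(1)

# Subset of the post's sploitpattern (matched case-insensitively below).
SPLOITPATTERN='r57shell|c99shell|shellbot|phpshell|eggdrop|vulnscan|Webshell'

# sploit_scan SEARCHPATH HISTORYFILE [new|all]
#   new : print matching files absent from HISTORYFILE (the default run)
#   all : print every matching file (the -a run)
# Either way HISTORYFILE is rewritten with the current hits; deleting it
# before a run is the equivalent of -r.
sploit_scan() {
    searchpath=$1; history=$2; mode=${3:-new}
    current=$(mktemp)
    find "$searchpath" -type f \( -name '*.php' -o -name '*.cgi' \) \
        -exec grep -Eil "$SPLOITPATTERN" {} + 2>/dev/null | sort > "$current"
    touch "$history"
    if [ "$mode" = all ]; then
        cat "$current"
    else
        comm -23 "$current" "$history"   # in current, not in history
    fi
    cp "$current" "$history"
    rm -f "$current"
}

# sploit_context FILE: the -c style view, matching lines with line numbers,
# so a human can judge whether a hit is one of the expected false positives.
sploit_context() {
    grep -EinH "$SPLOITPATTERN" "$1"
}

# Demo on a constructed tree: one clean script, one carrying a signature.
sploit_demo() {
    root=$(mktemp -d)
    printf '<?php echo "hello";\n' > "$root/index.php"
    printf '<?php // c99shell marker for testing\n' > "$root/u.php"
    printf 'c99shell in a .txt is not scanned\n' > "$root/notes.txt"
    sploit_scan "$root" "$root/.history" new   # first run: reports u.php
    sploit_scan "$root" "$root/.history" new   # second run: nothing new
    sploit_scan "$root" "$root/.history" all   # reports u.php again
    rm -rf "$root"
}
```

Run `sploit_demo` to see the three behaviours in sequence; in real use, point `sploit_scan` at the web root and keep the history file outside it.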
This script may be run ad hoc if preferred; another option is via cron, for example as TWO regular cron jobs.
The first cron runs every 4 hours, Monday through Sunday, at 02.10hrs, 06.10hrs, 10.10hrs, 14.10hrs, 18.10hrs & 22.10hrs
- Showing only new files since the previous run and mailing the report
The second cron runs once a week on Sunday at 01.10hrs
- Resets/rebuilds the baseline and mails out a full report of ALL files (-a implied)
EG:
10 2,6,10,14,18,22 * * * //sploitFinder.sh -m [email protected] > /dev/null 2>&1
10 1 * * 0 //sploitFinder.sh -rm [email protected] > /dev/null 2>&1
As ever, this program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY or support; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.