Potential Exploit Checking Script....
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
- Wizzie
- Joomla! Hero
- Posts: 2701
- Joined: Tue Sep 06, 2005 4:37 am
- Location: Australia
- Contact:
Potential Exploit Checking Script....
Ok folks,
The attached script is not directly Joomla! related. After seeing quite an upsurge in attempted and, unfortunately, successful exploits in the forums in recent weeks, we decided to release a script that we have, to try and at least "limit" the damage caused if we have missed something...
Information/Overview:
A reasonably effective script to search for particular known strings within .php and .cgi files that MAY present exploit capabilities.
The simple logic is by no means "fool proof" or "exhaustive" but gives a reasonably good indication that the target script may be part of an exploit set. False positives are extremely possible due to the fact that many valid scripts make use of the same logic/technologies to achieve required activities, therefore some "human intelligence" must be applied to the final reports.
Installation:
1) FTP sploitFinder.sh.txt to your server
2) Rename to either sploitFinder.sh or just sploitFinder
3) chmod 755 sploitFinder
4) READ the comments and instructions in the file
5) run it to test with all the different switches, setup crons etc etc
sploitFinder: list possible exploit scripts and optionally email output
Usage: ./sploitFinder(.sh) [-a] [-c] [-m ] [egrep pattern]
-m : email output to instead of writing to stdout
-a : shows all files not just changes since last run
-c : shows matching lines with context
-r : reset/delete history
The script is well commented, only a couple of internal variables to be configured and select your command line execution switches.
Configuration:
searchpath=/home (Default : /home)
sploitdir=//sploitFind (Default : none)
This is the search pattern criteria. Listed are some of the signatures of some exploits we have heard of; these ARE NOT exhaustive. Obviously, the more variables there are, the longer each run will take.
sploitpattern='[removed]|[removed]|r57shell|c99shell|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|MultiViews|[removed]|[removed]|eggdrop|guardservices|[removed]|DALnet'
(Feel free to post additions to the sploitpattern to enhance the scripts capability and share your experience and knowledge.!)
This script may be run ad hoc if preferred; another option is via cron, for example: TWO regular cron jobs.
The first cron runs every 4 hours on Monday through Sunday at 02.10hrs, 06.10hrs, 10.10hrs, 14.10hrs, 18.10hrs & 22.10hrs
- Showing only new files since the previous run and mailing the report
The second cron runs once a week on Sunday at 01.10hrs
- Resets/rebuilds the Baseline and mails out a full report of ALL files (-a implied)
EG:
10 2,6,10,14,18,22 * * * //sploitFinder.sh -m [email protected] >& /dev/null
10 1 * * 0 //sploitFinder.sh -rm [email protected] >& /dev/null
As ever, This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY or support; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
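An added example, not the sploitFinder.sh.txt attached to this post: a small POSIX sh scanner with the workflow described above (egrep .php/.cgi files under searchpath, report only files new since the last run, -a/-c/-r/-m switches, baseline kept in sploitdir). The default paths, the trimmed pattern and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example modelled on the sploitFinder workflow described in the thread;
# not the attached sploitFinder.sh.txt. Paths and defaults are assumptions.
LC_ALL=C; export LC_ALL          # stable sort order so comm(1) sees matching input

searchpath="${searchpath:-/home}"             # assumed default, as in the thread
sploitdir="${sploitdir:-/var/tmp/sploitFind}" # assumed location for the baseline
# Trimmed to names quoted in the thread; extend it with what you see on your hosts.
sploitpattern='r57shell|c99shell|phpshell|shellbot|phpremoteview|bash_history|eggdrop'

# scan_matches DIR PATTERN: sorted list of .php/.cgi files under DIR matching PATTERN
scan_matches() {
    find "$1" -type f \( -name '*.php' -o -name '*.cgi' \) \
        -exec grep -lEi -e "$2" {} + 2>/dev/null | sort
}

# report_new DIR PATTERN STATEDIR [all]: print matches, then merge them into the
# baseline kept in STATEDIR. Without "all", only files absent from the previous
# baseline are printed: a file already reported once is not reported again even
# if it changes (as Wizzie describes); reset_history clears that memory.
report_new() {
    baseline="$3/baseline.txt"; current="$3/current.$$"
    mkdir -p "$3" && touch "$baseline"
    scan_matches "$1" "$2" > "$current"
    if [ "${4:-new}" = all ]; then cat "$current"
    else comm -13 "$baseline" "$current"; fi   # lines only in current = new files
    sort -u "$baseline" "$current" > "$baseline.tmp" && mv "$baseline.tmp" "$baseline"
    rm -f "$current"
}

# reset_history STATEDIR: -r, drop the baseline so the next run reports everything
reset_history() { rm -rf "$1"; }

# main [-a] [-c] [-r] [-m addr] [egrep pattern]
main() {
    showall=no; context=no; mailto=""
    while getopts 'acrm:' opt; do
        case $opt in
            a) showall=yes ;;  c) context=yes ;;
            r) reset_history "$sploitdir"; showall=yes ;;   # -r implies -a
            m) mailto=$OPTARG ;;
            *) echo "usage: $0 [-a] [-c] [-r] [-m addr] [egrep pattern]" >&2; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    [ $# -gt 0 ] && sploitpattern=$1
    mode=new; [ $showall = yes ] && mode=all
    report=$(report_new "$searchpath" "$sploitpattern" "$sploitdir" "$mode")
    if [ $context = yes ] && [ -n "$report" ]; then
        # -c: append the matching lines (file:line:text) for every reported file
        report="$report
$(printf '%s\n' "$report" | while IFS= read -r f; do grep -nHEi -e "$sploitpattern" "$f"; done)"
    fi
    [ -n "$report" ] || return 0                  # nothing new: stay quiet
    if [ -n "$mailto" ]; then
        printf '%s\n' "$report" | mail -s "sploitFinder report: $(hostname)" "$mailto"
    else
        printf '%s\n' "$report"
    fi
}

# Run as a command only when at least one switch or pattern is given.
if [ $# -gt 0 ]; then main "$@"; fi
```

Like the original, a file that was reported once is silent afterwards until -r rebuilds the baseline, so a weekly -r cron is the way to catch later modifications.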
-
- Joomla! Intern
- Posts: 56
- Joined: Wed Mar 29, 2006 9:11 pm
Re: Potential Exploit Checking Script....
Excellent idea. I haven't looked at the script yet to see what it does.
Some other ideas could be:
1. Detect new files since last scan
2. Detect modified files since last scan
3. Use of an exclusion file to eliminate noise and false positives
Last edited by Bog on Wed Sep 06, 2006 3:20 pm, edited 1 time in total.
- Wizzie
- Joomla! Hero
- Posts: 2701
- Joined: Tue Sep 06, 2005 4:37 am
- Location: Australia
- Contact:
Re: Potential Exploit Checking Script....
Bog
Thanks for the interest in the script,
The script has been designed to search through all .php and .cgi files in the designated searchpath (Default: /home) looking for the strings in $sploitpattern. If run without the -a or -r switch it will only report new files with matches since the last scan. So we believe that answers point 1)
If the file has been modified: if the file was not captured on a previous scan it will be reported this scan, but at the moment the script does not capture subsequent changes to a file that has already been reported once for other string matches (if it was already reported once, it should have been reviewed already). If you reset/rebuild (-r switch) occasionally, that will ensure that files that have been subsequently modified, after already being reported, will be re-reported. Does this answer 2) ?
We will look in to your suggestion of an exclusion list for filenames not to scan, in an attempt to eliminate false positives. Don't hold your breath though, busy as ever. We will post in here again if/when it is implemented.
- Wizzie
- Joomla! Hero
- Posts: 2701
- Joined: Tue Sep 06, 2005 4:37 am
- Location: Australia
- Contact:
Re: Potential Exploit Checking Script....
Updated sploitpattern to include latest seen exploit attempts;
sploitpattern='[removed]|[removed]|[removed]|r57shell|c99shell|shellbot|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|multiviews|[removed]|[removed]|eggdrop|guardservices|[removed]|dalnet|undernet'
Replace current pattern in script with the above...
- Wizzie
- Joomla! Hero
- Posts: 2701
- Joined: Tue Sep 06, 2005 4:37 am
- Location: Australia
- Contact:
Re: Potential Exploit Checking Script....
Updated to include latest seen exploit attempts; just update the sploitpattern in the posted script.
sploitpattern='[removed]|[removed]|[removed]|r57shell|c99shell|shellbot|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|multiviews|[removed]|[removed]|eggdrop|guardservices|[removed]|dalnet|undernet|vulnscan|spymeta|[removed]'
-
- Joomla! Explorer
- Posts: 314
- Joined: Mon Jun 19, 2006 5:54 pm
Re: Potential Exploit Checking Script....
Thanks Wizzie!
-
- Joomla! Fledgling
- Posts: 1
- Joined: Wed Nov 08, 2006 10:47 am
Re: Potential Exploit Checking Script....
Wonderful.
But where is the attached script!
how can I download it.
thanks.
- Wizzie
- Joomla! Hero
- Posts: 2701
- Joined: Tue Sep 06, 2005 4:37 am
- Location: Australia
- Contact:
Re: Potential Exploit Checking Script....
It is attached to the first post in this thread. (File name: sploitFinder.sh.txt)
-
- Joomla! Intern
- Posts: 57
- Joined: Mon Oct 23, 2006 1:23 pm
Re: Potential Exploit Checking Script....
sorry for the stupid question, but how do we actually run this? I've followed the instructions and uploaded etc however it just says 'run the script' - I've tried opening in a browser, but that just opens a file download selector...
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: Potential Exploit Checking Script....
It is a shell script. You need to have shell access to use it.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- hilu
- Joomla! Intern
- Posts: 81
- Joined: Wed May 10, 2006 11:00 pm
- Location: uk
- Contact:
Re: Potential Exploit Checking Script....
:-[ Sorry for being ignorant..
Those who know may simply write "Yes" or "No"
I have a cpanel access.
Can I run this script using cpanel ?
Thank you for your valuable time
Regards,
-
- I've been banned!
- Posts: 143
- Joined: Sat Sep 03, 2005 3:37 pm
Re: Potential Exploit Checking Script....
hilu wrote:
> :-[ Sorry for being ignorant..
> Those who know may simply write "Yes" or "No"
> I have a cpanel access.
> Can I run this script using cpanel ?
> Thank you for your valuable time
> Regards,
SHELL ACCESS means, by use of a special interface your web host has set up, you can connect to your website with a command prompt JUST AS IF YOU WERE SITTING AT THE KEYBOARD OF THE LINUX/UNIX SERVER.
from there, you can type any Linux command, like LS (to list files) and many more.
It is very powerful; many things can only be done via shell access.
(the answer is no)
that script is no great loss, you haven't missed much.
you can get a similar effect by mirroring your site to a folder on your hard drive, then using the Windows file search functions..
you should mirror your site to your local hard drive anyway for testing and backup purposes.
-
- Joomla! Fledgling
- Posts: 2
- Joined: Tue Dec 19, 2006 6:04 am
Re: Potential Exploit Checking Script....
Hi,
I am having some difficulties to run the script. It says:-
/usr/bin/sploitfinder: line 246: unexpected EOF while looking for matching `''
/usr/bin/sploitfinder: line 254: syntax error: unexpected end of file
Any idea?
Thanks
-
- Joomla! Fledgling
- Posts: 2
- Joined: Tue Dec 19, 2006 6:04 am
Re: Potential Exploit Checking Script....
hilu wrote:
> :-[ Sorry for being ignorant..
> Those who know may simply write "Yes" or "No"
> I have a cpanel access.
> Can I run this script using cpanel ?
> Thank you for your valuable time
> Regards,
I don't think there will be any problem.. Just upload the file using your favorite ftp client and chmod it to 755 and add a cron job from the cpanel menu.
-
- Joomla! Fledgling
- Posts: 3
- Joined: Wed Jan 03, 2007 11:57 am
Re: Potential Exploit Checking Script....
Can you tell me where SploitFinder.sh is attached .
I am unable to find it
Thanking you
- Wizzie
- Joomla! Hero
- Posts: 2701
- Joined: Tue Sep 06, 2005 4:37 am
- Location: Australia
- Contact:
Re: Potential Exploit Checking Script....
It is attached to the first post in this thread. (File name: sploitFinder.sh.txt).
-
- Joomla! Fledgling
- Posts: 3
- Joined: Thu Nov 09, 2006 12:48 pm
Re: Potential Exploit Checking Script....
Now all we need to do is make this into a component
And we can start a war with the script kiddies. viva la com_JoomlaExploits
Hint hint.
-
- Joomla! Intern
- Posts: 54
- Joined: Mon Dec 18, 2006 9:00 pm
Re: Potential Exploit Checking Script....
Wicked script thanks
Back soon, time to play with my new toy
My code never has bugs. It just develops random features.
-
- Joomla! Intern
- Posts: 83
- Joined: Fri Mar 17, 2006 12:20 am
- Location: Barcelona
Re: Potential Exploit Checking Script....
I've just found, installed and tested this script,
I have one question and one problem.
question:
I see that the sploitpattern has been updated a few times, will this be updated again? from time to time?
problem:
in terminal - #./sploitFinder.sh -rm [email protected]
error- ./sploitFinder.sh: line 244: /bin/mail: Permission denied
Thanx for any insight to my problem and thanx for the script.
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Potential Exploit Checking Script....
Yes, from time to time the patterns will be updated, but there is nothing to stop you from updating or adding to the patterns yourself if you see something occurring on your own servers or in any security forums you may follow.
As for your mail problem, you are getting permission denied to the mail problem, either the user you are running the script as, does not have access to the mail binary or maybe security on your host disables the command line use of the binary.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
- cronlin
- Joomla! Explorer
- Posts: 484
- Joined: Sun Aug 28, 2005 1:19 pm
- Location: Noel, MO
- Contact:
Re: Potential Exploit Checking Script....
ok I'm lost... I know what I'm supposed to change but not what to change it to... is it like an absolute url or a directory or what?
As soon as you make something idiot proof, Nature makes better idiots!!!
If you want to know what "coulda", "shoulda", and "woulda" gone wrong, send it my way! I have a natural ability of mucking things up!
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Potential Exploit Checking Script....
As the Help at the top of the file suggests, you will need to complete the following variables to suit your server or site information:
searchpath=/home (Default : /home)
Which directory do you want to search? This will be your hosting account directory.
sploitdir=//sploitFind (Default : none)
Where you want the sploitFind to put its database....
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
- cronlin
- Joomla! Explorer
- Posts: 484
- Joined: Sun Aug 28, 2005 1:19 pm
- Location: Noel, MO
- Contact:
Re: Potential Exploit Checking Script....
well, thanks for the quick reply but that's completely greek to me so I think I'll just pass
As soon as you make something idiot proof, Nature makes better idiots!!!
If you want to know what "coulda", "shoulda", and "woulda" gone wrong, send it my way! I have a natural ability of mucking things up!
- muskiediver
- Joomla! Intern
- Posts: 92
- Joined: Tue Aug 23, 2005 12:15 pm
Re: bad interpreter: No such file or directory
I run this:
./sploitFinder.sh -rm [email protected]
I get this error:
: bad interpreter: No such file or directory
My configuration:
#### SETUP OPTIONS ####
searchpath=/httpdocs
sploitdir=/httpdocs/sploitfind
Any ideas what I am doing wrong?
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Potential Exploit Checking Script....
Which shell are you trying to run this in?
Without knowing your server configuration or setup; try also setting your path to the full path, something like, /home//public_html
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/
- muskiediver
- Joomla! Intern
- Posts: 92
- Joined: Tue Aug 23, 2005 12:15 pm
Re: Potential Exploit Checking Script....
redhat linux
- fw116
- Joomla! Ace
- Posts: 1373
- Joined: Tue Sep 06, 2005 11:18 am
- Location: Germany
Re: Potential Exploit Checking Script....
In the *.txt file there are a bunch of ^M from an MS-DOS like editor (gee thanks bill for this crap).
In a windows editor you don't even see this, but in vi or whatever you've got a bunch of these line breaks (?) ..
It may happen that some systems run into trouble because of the ^M; check this and delete them and I am sure it will run...
Re: Potential Exploit Checking Script....
usually caused by white space after the ending ?>
-
- Joomla! Apprentice
- Posts: 45
- Joined: Sat Dec 09, 2006 6:29 pm
Re: Potential Exploit Checking Script....
It is insane. I am currently using Hostgator as my hosting company. I uploaded this script into my account, and was in the process of using emacs to edit the script. I haven't even run it once. I suddenly got an email saying that my account is suspended because of this script. I asked them to lift the suspension but they ask me to wait for a response.
What should I do?
- RussW
- Joomla! Exemplar
- Posts: 9347
- Joined: Sun Oct 22, 2006 4:42 am
- Location: Sunshine Coast, Queensland, Australia
- Contact:
Re: Potential Exploit Checking Script....
Talk to your host? They are most likely evaluating the script as to its use and purpose, seeing as it popped their own security.
This is actually goodness, your host is pro-actively attempting to protect you (and themselves) against potential exploits... Congratulations to your host for their approach and attitude to security. However, this may mean that you cannot make use of the posted script on your account.
This script probably got detected by a script of theirs looking for common or known exploits. This script contains some "keywords" of common and known exploits, and so does their script. The result being that their script considers this script to be a possible exploit script itself (a false positive), because our search keywords match their search keywords, and suspended the account to avoid abuse of your account.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/