Potential Exploit Checking Script....

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
User avatar
Wizzie
Joomla! Hero
Joomla! Hero
Posts: 2703
Joined: Tue Sep 06, 2005 4:37 am
Location: Australia
Contact:

Potential Exploit Checking Script....

Post by Wizzie » Wed Sep 06, 2006 1:37 pm

Ok folks,

The attached script is not directly Joomla! related, after seeing quite an upsurge in attempted and unfortuntely, successful exploits in the forums in recent weeks, we decided to release a script that we have to try and at least "limit" the damage caused if we have missed something...


Information/Overview:
A reasonably effective script to search for particular known strings within .php and .cgi files that MAY present exploit capabilities.

The simple logic is by no means "fool proof" or "exhaustive" but gives a reasonably good indication that the target script maybe part of an exploit set. False positives are extremely possible due to the fact that many valid scripts make use of the same logic/technologies to acheive required activities, therefore some "human intelligence" must be applied to the final reports.

Installation:

  1) FTP sploitFinder.sh.txt to your server
  2) Rename to either sploitFinder.sh or just sploitFinder
  3) chmod 755 sploitFinder
  4) READ the comments andinstructions in the file
  5) run it to test with all the different switches, setup crons etc etc


  sploitFinder: list possible exploit scripts and optionally email output
    Usage: ./sploitFinder(.sh) [-a] [-c] [-m ] [egrep pattern]
              -m : email output to instead of writing to stdout
              -a : shows all files not just changes since last run
              -c : shows matching lines with context
              -r : reset/delete history


The script is well commented, only a couple of internal variables to be configured and select your command line execution switches.

Configuration:

    searchpath=/home  (Default : /home)
    sploitdir=//sploitFind  (Default : none)


This is the search pattern criteria. Listed are some of the signitures of some exploits we have heard of, these ARE NOT exhaustive. Obviously, the more variables there are, the longer each run will take.

  sploitpattern='[removed]|[removed]|r57shell|c99shell|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|MultiViews|[removed]|[removed]|eggdrop|guardservices|[removed]|DALnet'

(Feel free to post additions to the sploitpattern to enhance the scripts capability and share your experience and knowledge.!)


This script may be run adhoc if prefered, another option is via crom, for example: TWO regular cron jobs.

  The first cron runs every 4 hours on Monday through Sunday at 02.10hrs, 06.10hrs, 10.10hrs, 14.10hrs, 18.10hrs & 22.10hrs
    - Showing only new files since the previous run and mailing the report

  The second cron runs once a week on Sunday at 01.10hrs
    - Resets/rebuilds the Baseline and mails out a full report of ALL files (-a implied)

EG:
  10 2,6,10,14,18,22 * * * //sploitFinder.sh -m your@emailaddress.com.au >& /dev/null
  10 1 * * 0 //sploitFinder.sh -rm your@emailaddress.com >& /dev/null


As ever, This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY or support; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You do not have the required permissions to view the files attached to this post.

Bog
Joomla! Intern
Joomla! Intern
Posts: 56
Joined: Wed Mar 29, 2006 9:11 pm

Re: Potential Exploit Checking Script....

Post by Bog » Wed Sep 06, 2006 3:18 pm

Excellent idea.  I haven't looked at the script yet to see what it does.

Some other ideas could be:
1.  Detect new files since last scan
2.  Detect modified files since last scan
3.  Use of an exclusion file to eliminate noise and false positives
Last edited by Bog on Wed Sep 06, 2006 3:20 pm, edited 1 time in total.

User avatar
Wizzie
Joomla! Hero
Joomla! Hero
Posts: 2703
Joined: Tue Sep 06, 2005 4:37 am
Location: Australia
Contact:

Re: Potential Exploit Checking Script....

Post by Wizzie » Wed Sep 06, 2006 10:36 pm

Bog

Thanks for the interest in the script,

The script has been designed to search through all .php and .cgi files in the designated searchpath (Default: /home) looking for the strings in $sploitpattern. If run without the -a or -r switch it will only report new files with matches since the last scan. So we beleive that answers point 1)

If the file has been modified;  if the file was not captured on a previous scan it will be reported this scan, but at the moment the script does not capture  subsequent changes to a file that has already been reported once for other string matches (If it was already reported once, it should have been reveiwed already), if you reset/rebuild (-r switch) occasionally, that will ensure that files that have been subsequently modified, after already being reported will be re-reported. Does this answer 2) ?

We will look in to your suggestion of an exclusion list for filenames not to scan, in an attempt to eliminate false positives. Don't hold your breath though, busy as ever. We will post in here again if/when it is implemented.

User avatar
Wizzie
Joomla! Hero
Joomla! Hero
Posts: 2703
Joined: Tue Sep 06, 2005 4:37 am
Location: Australia
Contact:

Re: Potential Exploit Checking Script....

Post by Wizzie » Mon Sep 11, 2006 12:11 pm

Updated sploitpattern to include latest seen exploit attempts;


sploitpattern='[removed]|[removed]|[removed]|r57shell|c99shell|shellbot|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|multiviews|[removed]|[removed]|eggdrop|guardservices|[removed]|dalnet|undernet'


Replace current pattern in script with the above...

User avatar
Wizzie
Joomla! Hero
Joomla! Hero
Posts: 2703
Joined: Tue Sep 06, 2005 4:37 am
Location: Australia
Contact:

Re: Potential Exploit Checking Script....

Post by Wizzie » Sun Sep 17, 2006 9:47 am

Updated to include latest seens exploit attmepts; just update the spoitpattern in the posted script.

sploitpattern='[removed]|[removed]|[removed]|r57shell|c99shell|shellbot|phpshell|void\.ru|phpremoteview|directmail|bash_history|\.ru/|brute *force|multiviews|[removed]|[removed]|eggdrop|guardservices|[removed]|dalnet|undernet|vulnscan|spymeta|[removed]'

zman818
Joomla! Explorer
Joomla! Explorer
Posts: 314
Joined: Mon Jun 19, 2006 5:54 pm

Re: Potential Exploit Checking Script....

Post by zman818 » Sun Sep 17, 2006 2:06 pm

Thanks Wizzie!

tamer.yasin
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Wed Nov 08, 2006 10:47 am

Re: Potential Exploit Checking Script....

Post by tamer.yasin » Wed Nov 08, 2006 11:01 am

Wonderfull.

But where is the attached script!
how can I download it.

thanks.

User avatar
Wizzie
Joomla! Hero
Joomla! Hero
Posts: 2703
Joined: Tue Sep 06, 2005 4:37 am
Location: Australia
Contact:

Re: Potential Exploit Checking Script....

Post by Wizzie » Wed Nov 08, 2006 11:23 am

It is attached to the first post in this thread. (File name: sploitFinder.sh.txt)

wuffy77
Joomla! Intern
Joomla! Intern
Posts: 57
Joined: Mon Oct 23, 2006 1:23 pm

Re: Potential Exploit Checking Script....

Post by wuffy77 » Wed Nov 08, 2006 5:16 pm

sorry for the stupid question, but how do we actually run this? I've followed the instructions and uploaded etc however it just says 'run the script' - I've tried opening in a browser, but that just opens a file download selector...  ???

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: Potential Exploit Checking Script....

Post by RobS » Wed Nov 08, 2006 5:50 pm

It is a shell script.  You need to have shell access to use it.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

User avatar
hilu
Joomla! Intern
Joomla! Intern
Posts: 81
Joined: Wed May 10, 2006 11:00 pm
Location: uk
Contact:

Re: Potential Exploit Checking Script....

Post by hilu » Wed Nov 15, 2006 2:50 pm

:-[Sorry for being ignorant..
Those who know may simply write "YEs" or "No"
I have a cpanel access.
Can I run this script using cpanel ?
Thank you for your valuable time
Regards,

steve4j
I've been banned!
Posts: 143
Joined: Sat Sep 03, 2005 3:37 pm

Re: Potential Exploit Checking Script....

Post by steve4j » Wed Nov 15, 2006 4:06 pm

hilu wrote: :-[Sorry for being ignorant..
Those who know may simply write "YEs" or "No"
I have a cpanel access.
Can I run this script using cpanel ?
Thank you for your valuable time
Regards,
SHELL ACCESS means, by use of a special interface your web host has set up, you can connect to your website with a command prompt JUST AS IF YOU WERE SITTING AT THE KEYBOARD OF THE LINUX/UNIX SERVER.

from there, you can type any Linux command, like LS (to list files) and many more.

It is very powerful, many things can only be done via the shell acess.

(the answer is no)



that script is no great loss, you havent missed much.

you can get a similar effect by mirroring your site to a folder on your hard drive, then using the Windows file search functions..

you should mirror your site to your local hard drive anyway for testing and backup purposes. :pop

luchris
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Tue Dec 19, 2006 6:04 am

Re: Potential Exploit Checking Script....

Post by luchris » Tue Dec 19, 2006 6:15 am

Hi,

I am having some difficulties to run the script. It says:-

/usr/bin/sploitfinder: line 246: unexpected EOF while looking for matching `''
/usr/bin/sploitfinder: line 254: syntax error: unexpected end of file

Any idea?
Thanks

luchris
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Tue Dec 19, 2006 6:04 am

Re: Potential Exploit Checking Script....

Post by luchris » Tue Dec 19, 2006 6:18 am

hilu wrote: :-[Sorry for being ignorant..
Those who know may simply write "YEs" or "No"
I have a cpanel access.
Can I run this script using cpanel ?
Thank you for your valuable time
Regards,
I dont think there will be any problem.. Just upload the file using ur favorite ftp client and chmod it to 755 and add a crond job from the cpanel menu.

netxs
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Wed Jan 03, 2007 11:57 am

Re: Potential Exploit Checking Script....

Post by netxs » Fri Jan 05, 2007 10:47 am

Can you tell me where SploitFinder.sh is attached .
I am unable to find it

Thanking you

User avatar
Wizzie
Joomla! Hero
Joomla! Hero
Posts: 2703
Joined: Tue Sep 06, 2005 4:37 am
Location: Australia
Contact:

Re: Potential Exploit Checking Script....

Post by Wizzie » Fri Jan 05, 2007 10:54 am

It is attached to the first post in this thread. (File name: sploitFinder.sh.txt).

China
Joomla! Fledgling
Joomla! Fledgling
Posts: 3
Joined: Thu Nov 09, 2006 12:48 pm

Re: Potential Exploit Checking Script....

Post by China » Fri Jan 19, 2007 9:24 am

Now all we need to do is make this into a component  :D
And we can start a war with the script kiddies. viva la com_JoomlaExploits
Hint hint.

madmoritz
Joomla! Intern
Joomla! Intern
Posts: 54
Joined: Mon Dec 18, 2006 9:00 pm

Re: Potential Exploit Checking Script....

Post by madmoritz » Fri Jan 19, 2007 11:54 am

Wicked script thanks  :D

Back soon, time to play with my new toy :)
My code never has bugs. It just develops random features.

twincascos
Joomla! Intern
Joomla! Intern
Posts: 83
Joined: Fri Mar 17, 2006 12:20 am
Location: Barcelona

Re: Potential Exploit Checking Script....

Post by twincascos » Thu Feb 22, 2007 12:35 pm

I've just found, installed and tested this script,
I have one question and one problem.

question:
I see that the sploitpattern has been updated a few times, will this be updated again? from time to time?

problem:
in terminal - #./sploitFinder.sh -rm webmaster@mydomain.net
error- ./sploitFinder.sh: line 244: /bin/mail: Permission denied

Thanx for any insight to my problem and thanx for the script.

User avatar
RussW
Joomla! Exemplar
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia
Contact:

Re: Potential Exploit Checking Script....

Post by RussW » Thu Feb 22, 2007 8:19 pm

Yes, from time to time the patterns will be updated, but there is nothing to stop you from updating or adding to the patterns yourself if you see something occurring on your own servers or in any security forums you may follow.

As for your mail problem, you are getting permission denied to the mail problem, either the user you are running the script as, does not have access to the mail binary or maybe security on your host disables the command line use of the binary.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

User avatar
cronlin
Joomla! Explorer
Joomla! Explorer
Posts: 484
Joined: Sun Aug 28, 2005 1:19 pm
Location: Noel, MO
Contact:

Re: Potential Exploit Checking Script....

Post by cronlin » Wed Apr 04, 2007 10:31 am

ok I'm lost... I know what I'm supposed to change but not what to change it to... is it like an absolute url or a directory or what?
As soon as you make something idiot proof, Nature makes better idiots!!!

If you want to know what "coulda", "shoulda", and "woulda" gone wrong, send it my way! I have a natural ability of mucking things up!

User avatar
RussW
Joomla! Exemplar
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia
Contact:

Re: Potential Exploit Checking Script....

Post by RussW » Wed Apr 04, 2007 11:04 am

As the Help at the top of file suggests,  you will need to complete the following variables to suit your server or site information;

  searchpath=/home  (Default : /home)
  Which directory do you want to search? This will be your hosting account directory.

    sploitdir=//sploitFind  (Default : none)
  Where you want the sploitFind to put its database....
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

User avatar
cronlin
Joomla! Explorer
Joomla! Explorer
Posts: 484
Joined: Sun Aug 28, 2005 1:19 pm
Location: Noel, MO
Contact:

Re: Potential Exploit Checking Script....

Post by cronlin » Wed Apr 04, 2007 11:18 am

well, thanks for the quick reply but that's completely greek to me so I think I'll just pass
As soon as you make something idiot proof, Nature makes better idiots!!!

If you want to know what "coulda", "shoulda", and "woulda" gone wrong, send it my way! I have a natural ability of mucking things up!

User avatar
muskiediver
Joomla! Intern
Joomla! Intern
Posts: 92
Joined: Tue Aug 23, 2005 12:15 pm

Re: bad interpreter: No such file or directory

Post by muskiediver » Wed Apr 11, 2007 1:32 pm

I run this:

./sploitFinder.sh -rm myemailaddress@someplace.com

I get this error:
: bad interpreter: No such file or directory

My configuration:

#### SETUP OPTIONS ####
searchpath=/httpdocs
sploitdir=/httpdocs/sploitfind

Any ideas what I am doing wrong?

User avatar
RussW
Joomla! Exemplar
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia
Contact:

Re: Potential Exploit Checking Script....

Post by RussW » Thu Apr 12, 2007 9:25 am

Which shell are you trying to run this in?

Without knowing your server configuration or setup; try also setting your path to the full path,  something like,    /home//public_html
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/

User avatar
muskiediver
Joomla! Intern
Joomla! Intern
Posts: 92
Joined: Tue Aug 23, 2005 12:15 pm

Re: Potential Exploit Checking Script....

Post by muskiediver » Thu Apr 12, 2007 2:14 pm

redhat linuix

User avatar
fw116
Joomla! Ace
Joomla! Ace
Posts: 1365
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Re: Potential Exploit Checking Script....

Post by fw116 » Mon Apr 16, 2007 11:04 pm

in the *.txt file are a bunch of  ^M from an MS-DOS like editor (gee thanks bill for this crap)
in a windows editor you dont even see this, but in vi or whatever u ve got a bunch of this line breaks (?) ..

it may happen that some systems run into trouble because of the ^M , check this and delete this and iam sure it will run...

digitaldentist

Re: Potential Exploit Checking Script....

Post by digitaldentist » Tue Apr 17, 2007 3:48 pm

usually caused by white space after the ending ?>

dealmaker
Joomla! Apprentice
Joomla! Apprentice
Posts: 45
Joined: Sat Dec 09, 2006 6:29 pm

Re: Potential Exploit Checking Script....

Post by dealmaker » Sat May 05, 2007 3:32 am

It is insane.  I am currently using Hostgator as my hosting company.  I upload this script into my account, and in the process of using emacs to editing the script.  I haven't even run  it once.  I suddenly got an email saying that my account is suspended because of this script.  I asked them to lift the suspension but they ask me to wait for response. 

What should I do?

User avatar
RussW
Joomla! Exemplar
Joomla! Exemplar
Posts: 9352
Joined: Sun Oct 22, 2006 4:42 am
Location: Sunshine Coast, Queensland, Australia
Contact:

Re: Potential Exploit Checking Script....

Post by RussW » Sat May 05, 2007 3:46 am

Talk to your host? they are most likely evaluating the script as to its use and purpose, seeing as it popped their own security.

This is actually goodness, your host is pro-actively attempting to protect you (and themselves) against potential exploits... Congratulations to your host for their approach and attitude to security. However, this may mean that you cannot make use of the posted script on your account.


This script probably got detected by a script of theirs looking for common or known exploits. This script contains some "keywords" of common and known exploits, so is their script. The result being, that their script considers this script to be a possible exploit script itself (a false positive) because our search keywords match their search keywords and suspended the account to avoid abuse of your account.
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
The Styleguyz https://www.thestyleguyz.com/


Locked

Return to “Security - 1.0.x”