
Thread: Web Backdoor Shell Detection on Servers

  1. #1
    ... I am no Expert b0nd.g4h@gmail.com b0nd's Avatar
    Join Date
    Jul 2010
    Location
    irc.freenode.net #g4h
    Posts
    744

    Web Backdoor Shell Detection on Servers

    Hi Guys,

    I found a couple of good scripts which could be helpful for system admins to detect the presence of web backdoor shells on their servers. So just sharing them here:

    1. Web Shell Detection Using NeoPI - A python Script
    (https://github.com/Neohapsis/NeoPI)

    2. PHP Shell Scanner - A perl Script

    3. PHP script to find malicious code on a hacked server - A PHP Script
    (http://25yearsofprogramming.com/blog/2010/20100315.htm)

    I've tested the 1st and 2nd and found them good. 3rd one probably needs some customization.

    Btw for a quick one, the following grep command can also be used:
    Code:
    grep -RPl --include=*.{php,txt,asp} "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /var/www/
    The command says:
    1. Check files with extensions php or txt or asp only. You can add in more.
    2. The pattern matching strings would be "passthru", shell_exec and so on. You can add/remove patterns.
    3. The directory from where a recursive search has to be started. In this case it is /var/www/

    Rgds
    Last edited by b0nd; 06-30-2011 at 07:21 AM. Reason: typo
    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious
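
The grep in the post above only lists file names, and on a real webroot plenty of legitimate code calls `fopen` or `mkdir`. As an added example (not part of the original post or of the linked tools), this POSIX sh script keeps the same function list and extensions but ranks files by number of matching lines and ignores names embedded in longer identifiers; it uses `find` with `grep -E` instead of `grep -RP`, `scan_webroot` and `make_sample_tree` are names chosen here, and the sample files are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: rank files by number of hits.

# Same function names as the grep above. The first group demands line start or
# a non-word character before the name, so "init_filesystem(" is not a hit.
PATTERN='(^|[^[:alnum:]_])(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile)[[:space:]]*\('

# scan_webroot DIR: prints "<matching lines><TAB><path>", highest count first.
# /dev/null forces grep to prefix every count with its file name.
scan_webroot() {
    find "$1" -type f \( -name '*.php' -o -name '*.txt' -o -name '*.asp' \) \
        -exec grep -Ec -- "$PATTERN" /dev/null {} + |
    awk '{ i = match($0, /:[0-9]+$/); n = substr($0, i + 1) + 0
           if (n > 0) print n "\t" substr($0, 1, i - 1) }' |
    sort -k1,1nr -k2
}

# make_sample_tree DIR: writes constructed sample files for a dry run.
make_sample_tree() {
    mkdir -p "$1/uploads" "$1/lib"
    # Three flagged calls in an upload directory: review this one first.
    printf '%s\n' '<?php' '$cmd = base64_decode($blob);' \
        '$out = shell_exec($cmd);' 'passthru ($cmd);' > "$1/uploads/img_cache.php"
    # Ordinary application code: one genuine hit (fopen) and one near miss.
    printf '%s\n' '<?php' 'function init_filesystem() { return true; }' \
        '$fh = fopen("/tmp/app.log", "a");' > "$1/lib/storage.php"
    # Matching content, but .inc is not in the extension list: never scanned.
    printf '%s\n' '<?php phpinfo(); ?>' > "$1/lib/info.inc"
}

case "${1:-}" in
    "")     ;;  # no argument: only define the functions
    --demo) tmp=$(mktemp -d); make_sample_tree "$tmp"; scan_webroot "$tmp"; rm -rf "$tmp" ;;
    *)      scan_webroot "$1" ;;
esac
```

Run it with `--demo` for the constructed tree or with a directory such as `/var/www/`; the skipped `info.inc` shows why the extension list has to cover every suffix the web server will execute.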

  2. #2
    Garage Newcomer
    Join Date
    Jun 2011
    Location
    My blog: http://r00tsec.blogspot.com
    Posts
    1
    Great post, I will share this in my blog. Thank you for this post.

  3. #3
    Security Researcher
    Join Date
    May 2011
    Location
    Pune, Maharashtra, India
    Posts
    237
    Blog Entries
    1
    either the top post is copied or this article is copied to pentestit without any credit

    http://www.pentestit.com/2011/06/10/...shell-servers/

  4. #4
    ... I am no Expert b0nd.g4h@gmail.com b0nd's Avatar
    Join Date
    Jul 2010
    Location
    irc.freenode.net #g4h
    Posts
    744
    Quote Originally Posted by Anant Shrivastava View Post
    either the top post is copied or this article is copied to pentestit without any credit

    http://www.pentestit.com/2011/06/10/...shell-servers/
    err...

    1. No question of copying in the top post as I said I found something over net and shared here. Would I copy without giving credit?
    2. Yes, the post has been copied as such from here and posted on pentest.it but I can see the credit has been given to me there. "Fast and easy thanks to B0nd for sharing it."

    Probably you overlooked that part or the author edited it later on.

    Rgds

  5. #5
    Security Researcher
    Join Date
    May 2011
    Location
    Pune, Maharashtra, India
    Posts
    237
    Blog Entries
    1
    Quote Originally Posted by b0nd View Post
    err...

    1. No question of copying in the top post as I said I found something over net and shared here. Would I copy without giving credit?
    2. Yes, the post has been copied as such from here and posted on pentest.it but I can see the credit has been given to me there. "Fast and easy thanks to B0nd for sharing it."

    Probably you overlooked that part or the author edited it later on.

    Rgds
    might have overlooked.... Well the dates of posting already said that this was original...

  6. #6
    Infosec Enthusiast AnArKI's Avatar
    Join Date
    Jul 2010
    Location
    London
    Posts
    514
    Blog Entries
    2
    I think pentestit picked it from our twitter feeds.

  7. #7
    Don't you think pentestit could have included the g4g post link as the reference?

    Hire a Hacker by the Night and Hire a Chief Security Officer (CSO) by the Day.

  8. #8
    Laurel421
    Guest
    either the top post is copied


  9. #9
    ... I am no Expert b0nd.g4h@gmail.com b0nd's Avatar
    Join Date
    Jul 2010
    Location
    irc.freenode.net #g4h
    Posts
    744
    Enough is enough. Anyone who utters a single word about me copying the top post will find himself landing in the ban list.
    First and last warning to you, Laurel421. Just seen a couple more senseless posts by you.

  10. #10
    Infosec Enthusiast AnArKI's Avatar
    Join Date
    Jul 2010
    Location
    London
    Posts
    514
    Blog Entries
    2
    @Laurel421 watch ur words
