shell scanner

u4xlol

u4xlol

Verified User
Joined
Nov 12, 2009
Messages
60
hello

I am looking for a strong Shell scanner for directadmin
Who can help me?
thanks
 
Are you looking for a tool to scan your users' directories to make sure they haven't uploaded a php shell? If so, then I don't think you should (or need to) limit yourself by having your post in the CentOS subforum. So I've moved it.

If I'm wrong, please explain.

Jeff
 
hello

thank you but this is maleware detector , i am looking for shell scanner only
help me plz
 
hi
I want find any shell on my servers
i have many shared server and i I like them to be safe

thanks
 
Detected Threats:
LMD 1.4.0 has a total of 7,241 (5393 MD5 / 1848 HEX) signatures (before updates), below is a listing of the top 60 threats by prevalence detected by LMD:
base64.inject.unclassed perl.ircbot.xscan
bin.dccserv.irsexxy perl.mailer.yellsoft
bin.fakeproc.Xnuxer perl.shell.cbLorD
bin.ircbot.nbot perl.shell.cgitelnet
bin.ircbot.php3 php.cmdshell.c100
bin.ircbot.unclassed php.cmdshell.c99
bin.pktflood.ABC123 php.cmdshell.cih
bin.pktflood.osf php.cmdshell.egyspider
bin.trojan.linuxsmalli php.cmdshell.fx29
c.ircbot.tsunami php.cmdshell.ItsmYarD
exp.linux.rstb php.cmdshell.Ketemu
exp.linux.unclassed php.cmdshell.N3tshell
exp.setuid0.unclassed php.cmdshell.r57
gzbase64.inject php.cmdshell.unclassed
html.phishing.auc61 php.defash.buno
html.phishing.hsbc php.exe.globals
perl.connback.DataCha0s php.include.remote
perl.connback.N2 php.ircbot.InsideTeam
perl.cpanel.cpwrap php.ircbot.lolwut
perl.ircbot.atrixteam php.ircbot.sniper
perl.ircbot.bRuNo php.ircbot.vj_denie
perl.ircbot.Clx php.mailer.10hack
perl.ircbot.devil php.mailer.bombam
perl.ircbot.fx29 php.mailer.PostMan
perl.ircbot.magnum php.phishing.AliKay
perl.ircbot.oldwolf php.phishing.mrbrain
perl.ircbot.putr4XtReme php.phishing.ReZulT
perl.ircbot.rafflesia php.pktflood.oey
perl.ircbot.UberCracker php.shell.rc99
perl.ircbot.xdh php.shell.shellcomm
Click to expand...
http://www.rfxn.com/projects/linux-malware-detect/
 
snk said:
check this tool
Click to expand...

Seems to be a good thing:

Code: 
# cd /usr/local/src
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -zxvf maldetect-current.tar.gz
# cd maldetect-1.4.1
# ./install.sh

here is output:

Code: 
Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks <[email protected]>
            (C) 2011, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(19402): {sigup} performing signature update check...
maldet(19402): {sigup} local signature set is version 2012011929852
maldet(19402): {sigup} latest signature set already installed


Note, /etc/cron.daily/maldet should be changed for compatibility with Directadmin's structure of homedirs:

Code: 
#!/bin/bash

# clear quarantine/session/tmp data every 14 days
/usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/pub/*/ >> /dev/null 2>&1

# check for new release version
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1

# if were running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
        /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
else
        # scan the last 2 days of file changes
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
        fi
fi
 
This line

Code: 
/usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html

makes Linux Malware Detect to scan all files in all public_html directories (by default 15 depth from starting point).

Does rkhunter scan user homes?
 
as I see it, there are 2 main possible ways of using such a scan:
  1. every X time, scan all user files (mainly the public_html folders of each domain)
  2. on file creation/modification
    this can be done pretty easy (although very resource consuming) and get everything FTPd, uploaded through DA File Manager, from a web script etc.
    the problem here is when you restore a user (i.e from another DA) this check could take a very long time (and a lot of CPU!).
 
Hi;
for directadmin file structure you have written /home?/?/domains/?/public_html 2.

Should that be /home/?/domains/?/public_html 2 or am I missing something?

zEitEr said:
Seems to be a good thing:

Code: 
# cd /usr/local/src
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -zxvf maldetect-current.tar.gz
# cd maldetect-1.4.1
# ./install.sh

here is output:

Code: 
Linux Malware Detect v1.4.1
            (C) 2002-2011, R-fx Networks <[email protected]>
            (C) 2011, Ryan MacDonald <[email protected]>
inotifywait (C) 2007, Rohan McGovern <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet

maldet(19402): {sigup} performing signature update check...
maldet(19402): {sigup} local signature set is version 2012011929852
maldet(19402): {sigup} latest signature set already installed


Note, /etc/cron.daily/maldet should be changed for compatibility with Directadmin's structure of homedirs:

Code: 
#!/bin/bash

# clear quarantine/session/tmp data every 14 days
/usr/sbin/tmpwatch 336 /usr/local/maldetect/tmp >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/sess >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/quarantine >> /dev/null 2>&1
/usr/sbin/tmpwatch 336 /usr/local/maldetect/pub/*/ >> /dev/null 2>&1

# check for new release version
/usr/local/maldetect/maldet -d >> /dev/null 2>&1

# check for new definition set
/usr/local/maldetect/maldet -u >> /dev/null 2>&1

# if were running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "comm" | grep inotifywait)" ]; then
        /usr/local/maldetect/maldet --alert-daily >> /dev/null 2>&1
else
        # scan the last 2 days of file changes
        if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
                # ensim
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/home/?/public_html 2 >> /dev/null 2>&1
        elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
                # psa
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/httpdocs 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/subdomains/?/httpdocs 2 >> /dev/null 2>&1
        elif [ -d "/usr/local/directadmin" ]; then
                # DirectAdmin
                /usr/local/maldetect/maldet -b -r /var/www/html/?/ 2 >> /dev/null 2>&1
                /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html 2 >> /dev/null 2>&1
        else
                # cpanel, interworx and other standard home/user/public_html setups
                /usr/local/maldetect/maldet -b -r /home?/?/public_html 2 >> /dev/null 2>&1
        fi
fi
Click to expand...
 
You must log in or register to reply here.
Back
Top