[nycbug-talk] Searching for suspect PHP files...

Andy Kosela akosela at andykosela.com
Tue Mar 3 04:22:07 EST 2009

Max Gribov <max at neuropunks.org> wrote:

> Matt Juszczak wrote:
> > Evening all,
> >
> >   
> Hi Matt,
> > In my latest chkrootkit reports (which I run nightly via periodic), I'm 
> > noticing lots and lots of "Suspect PHP Files" (via chkrootkit).  It seems, 
> > after checking the code, that its really just searching for PHP files in 
> > /tmp, and also searching for some other files throughout the system.
> >
> > I guess the question I have is - what's the point of this check?
> >   
> /tmp is the default storage for uploaded files (before they get moved to 
> their proper destination by some php code), and for php session data..
> All of this is tunable through php.ini.
> There are plenty of php-based backdoor scripts which allow to execute 
> shell commands, transfer files, look at your db, etc.
> One of such things, and seems to be really popular, is rst shell 
> http://www.sophos.com/security/analyses/viruses-and-spyware/trojrstdoora.html

Yes, /tmp is the favorite directory of all www script kiddies and other
crackers.  Mounting it noexec can help a little bit, but I also disable
world x rights for perl, ssh, nc, sh, c, as, etc., so they won't be able
to open a remote reverse shell.  I really think that php websites 
nowadays are number one on the crackers' list.         


More information about the talk mailing list