[nycbug-talk] Searching for suspect PHP files...
Andy Kosela
akosela at andykosela.com
Tue Mar 3 04:22:07 EST 2009
Max Gribov <max at neuropunks.org> wrote:
> Matt Juszczak wrote:
> > Evening all,
> >
> >
> Hi Matt,
>
> > In my latest chkrootkit reports (which I run nightly via periodic), I'm
> > noticing lots and lots of "Suspect PHP Files" (via chkrootkit). It seems,
> > after checking the code, that it's really just searching for PHP files in
> > /tmp, and also searching for some other files throughout the system.
> >
> > I guess the question I have is - what's the point of this check?
> >
>
> /tmp is the default storage for uploaded files (before they get moved to
> their proper destination by some php code), and for php session data..
> All of this is tunable through php.ini.
>
> There are plenty of php-based backdoor scripts which allow one to execute
> shell commands, transfer files, look at your db, etc.
> One such thing, which seems to be really popular, is rst shell
> http://www.sophos.com/security/analyses/viruses-and-spyware/trojrstdoora.html
Yes, /tmp is the favorite directory of all www script kiddies and other
crackers. Mounting it noexec can help a little bit, but I also disable
world x rights for perl, ssh, nc, sh, c, as, etc., so they won't be able
to open a remote reverse shell. I really think that php websites
nowadays are number one on the crackers' list.
--Andy
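The check the thread is talking about, as an added example for triaging such a report (this is not chkrootkit's code and not from any poster; function names and the constructed sample files are mine): it lists files under a directory, /tmp by default, that are PHP either by extension or by an open tag hidden under a session-like name, and it reports whether the mount carries noexec.

```shell
#!/bin/sh
# Added example, not from the thread or from chkrootkit. Hypothetical helper
# names; the directory defaults to /tmp, where PHP keeps uploads and sessions.

# find_suspect_php DIR: print regular files under DIR that carry a .php/.phtml
# extension or start with a PHP open tag, whatever their name. One path per
# line; no output means nothing found.
find_suspect_php() {
    dir="${1:-/tmp}"
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        case "$f" in
            *.php|*.phtml) printf '%s\n' "$f"; continue ;;
        esac
        # Only the first 512 bytes are read, so large uploads are cheap to scan.
        if head -c 512 "$f" 2>/dev/null | grep -q '<?php'; then
            printf '%s\n' "$f"
        fi
    done
}

# count_suspect_php DIR: number of hits, handy for a nightly summary line.
count_suspect_php() {
    find_suspect_php "$1" | wc -l | tr -d ' '
}

# is_noexec MOUNTPOINT: exit 0 when mount(8) shows the filesystem mounted
# noexec, 1 otherwise. The pattern fits both Linux and BSD mount output.
is_noexec() {
    mount | grep -q " on ${1:-/tmp} .*noexec"
}

# demo: stage a constructed session directory with one disguised PHP file and
# one file that is PHP only by name, then scan it and clean up.
demo() {
    d=$(mktemp -d)
    mkdir "$d/sess"
    printf 'user|s:3:"bob";\n' > "$d/sess/sess_abc"        # benign session data
    printf '<?php phpinfo(); ?>\n' > "$d/sess/sess_xyz"    # PHP under a session name
    printf 'hello\n' > "$d/upload.php"                      # flagged by extension
    find_suspect_php "$d"                                   # prints sess_xyz and upload.php
    is_noexec /tmp && echo "/tmp is noexec" || echo "/tmp is NOT noexec"
    rm -rf "$d"
}
```

Call `demo` to see the constructed case, or `find_suspect_php /tmp` from a periodic job; a hit on a session-named file is the one worth reading first, since legitimate session data never starts with an open tag.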