[nycbug-talk] Searching for suspect PHP files...

Jesse Callaway bonsaime at gmail.com
Tue Mar 3 09:50:17 EST 2009


On Tue, Mar 3, 2009 at 4:22 AM, Andy Kosela <akosela at andykosela.com> wrote:
> Max Gribov <max at neuropunks.org> wrote:
>
>> Matt Juszczak wrote:
>> > Evening all,
>> >
>> >
>> Hi Matt,
>>
>> > In my latest chkrootkit reports (which I run nightly via periodic), I'm
>> > noticing lots and lots of "Suspect PHP Files" (via chkrootkit).  It seems,
>> > after checking the code, that it's really just searching for PHP files in
>> > /tmp, and also searching for some other files throughout the system.
>> >
>> > I guess the question I have is - what's the point of this check?
>> >
>>
>> /tmp is the default storage for uploaded files (before they get moved to
>> their proper destination by some php code), and for php session data..
>> All of this is tunable through php.ini.
>>
>> There are plenty of php-based backdoor scripts which allow one to execute
>> shell commands, transfer files, look at your db, etc.
>> One such thing, which seems to be really popular, is rst shell
>> http://www.sophos.com/security/analyses/viruses-and-spyware/trojrstdoora.html
>
> Yes, /tmp is the favorite directory of all www script kiddies and other
> crackers.  Mounting it noexec can help a little bit, but I also disable
> world x rights for perl, ssh, nc, sh, c, as, etc., so they won't be able

Cool. How do you disable execution on those? I'm guessing the file
permissions, but was hoping maybe you have some trick.

> to open a remote reverse shell.  I really think that php websites
> nowadays are number one on the crackers' list.
>
> --Andy
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

-jesse
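As an added example (not part of this thread, and not chkrootkit's own code): a small POSIX sh script that does three things the discussion above touches on. It lists PHP-looking files under a directory, roughly what the "Suspect PHP Files" check does, but also catching a `<?php` tag inside a file with a harmless-looking name such as an image upload; it tells you whether a `mount(8)` line for /tmp carries `noexec`; and it reports which interpreters are still world-executable, which is the check behind Andy's "disable world x rights" mitigation (the mechanism is `chmod o-x`). The way `tmp_is_noexec` greps `mount` output and the interpreter paths in the usage comment are assumptions about the target system, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the nycbug thread or from chkrootkit.
# Usage:  . ./suspect_php.sh
#         find_suspect_php /tmp
#         tmp_is_noexec /tmp && echo "/tmp is noexec"
#         for p in /usr/bin/perl /usr/bin/nc /usr/bin/cc; do
#             is_world_executable "$p" && echo "world-executable: $p"
#         done

# Print regular files under DIR that look like PHP: a .php-style name, or a
# "<?php" tag within the first 512 bytes (catches renamed uploads too).
find_suspect_php() {
    dir="$1"
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        case "$f" in
            *.php|*.phtml|*.php[3-7])
                printf '%s\n' "$f"
                continue ;;
        esac
        if head -c 512 "$f" 2>/dev/null | grep -q '<?php'; then
            printf '%s\n' "$f"
        fi
    done
}

# Return 0 if one line of mount(8) output carries the noexec option.
# Both the Linux form  "tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec)"
# and the BSD form     "/dev/ada0p4 on /tmp (ufs, local, noexec)" are handled.
mount_line_has_noexec() {
    case "$1" in
        *"("*noexec*")"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check: is MOUNTPOINT (default /tmp) currently mounted noexec?
# Assumption: mount(8) prints "<dev> on <mountpoint> ..." lines.
tmp_is_noexec() {
    mp="${1:-/tmp}"
    line=$(mount | grep " on $mp " | head -n 1)
    [ -n "$line" ] && mount_line_has_noexec "$line"
}

# Return 0 if the "other" execute bit is set on PATH.  Column 10 of `ls -ld`
# is the o+x position on both GNU and BSD ls ('x', or 't' when sticky).
is_world_executable() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c10)" in
        x|t) return 0 ;;
        *) return 1 ;;
    esac
}

# Hardening step Andy describes, shown but not run here:
#   chmod o-x /usr/bin/perl /usr/bin/nc /usr/bin/cc /usr/bin/as
# Leave /bin/sh alone unless you have audited every cron job and rc script
# that an unprivileged account runs; removing o+x from sh breaks them.
```

Mounting /tmp `noexec` only stops the kernel from executing a file directly; a script handed to an interpreter that is still runnable by the www user is a separate path, which is why the thread pairs `noexec` with stripping world-execute from the interpreters. Run `find_suspect_php` against the same directories chkrootkit flags and compare the two lists before deciding a hit is noise.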


