[nycbug-talk] Searching for suspect PHP files...

Andy Kosela akosela at andykosela.com
Mon Mar 9 07:21:13 EDT 2009

Matt Juszczak <matt at atopia.net> wrote:

> > Yes, /tmp is the favorite directory of all www script kiddies and other
> > crackers.  Mounting it noexec can help a little bit, but I also disable
> > world x rights for perl, ssh, nc, sh, c, as, etc., so they won't be able
> > to open a remote reverse shell.  I really think that php websites
> > nowadays are number one on the crackers' list.
> Is there a document with a list of steps that could potentially help this? 
> Also, is there a possible default mtree file I could use for 6.3-RELEASE 
> since I didn't generate one in the beginning?  What's the best way to 
> audit an *existing* server with PHP running on it, etc.  We've got some 
> wordpress installs, etc. - unsure if any were vulnerable.

The only document you need is 'man mtree'.  There is no default mtree
specification file generated with at least sha256digest, and that's what
you need.  You also need to make sure to exclude (-X filename) any
directories with dynamically generated files.  For the overall security
of the site installing some type of WAF could help, like mod-security2.

 # mtree -c -K sha256digest -X mtree.exclude -p /path > host.mtree

 # mtree -X mtree.exclude -p /path < host.mtree

That's only two commands you need to know.  Of course you can script it
to send you alerts via email etc.


More information about the talk mailing list