How to find c99 shell script hacked files

c99 Shell Scripts are one of the main headache for almost all cPanel server administrators even though they use mod_security and all.

The c99 php (Hypertext Preprocessor) shell script is an awesome piece of hacking script. The only limitation of it being that it needs an unsecured uploader in order to get it uploaded and then the execution part is a piece of cake.

This c99 shell allows an attacker to hijack the web server process, allowing the attacker to issue commands, force brute etc on the server as the account under which PHP is running. The interface of this shell script is very user friendly, something not so much associated with hackers. Hackers are known to write either ugly looking interface codes or none interface at all, but this piece of code is very different, it may be called something which as been done very aesthetically.

How to find c99 shell script hacked files?  Use the following shell script to scan hacked php files in cpanel.

vi  scanfiles.sh

and paste the following script.

#!/bin/sh
cd /root
echo >> c99result.txt
for j in `ls /var/cpanel/users`
do
echo "Scanning user: $j"
cd /home/$j
find /home/$j -iname '*.php' > /root/c99list
for i in `cat /root/c99list`
do
result=$( perl -e 'alarm shift @ARGV; exec @ARGV' 10 php -q $i | grep -Eie '-rw-r--r--|drwxr-xr-x|drwxrwxrwx|-rw-r-xr-x|-rwxrwxrwx|-rw-rw-rw-|-rwx------')
if [ $? -eq 0 ]; then
echo "Possible Shell Script found on $i" >> /root/c99result.txt
fi
done

echo "Completed processing $j" >> /root/c99result.txt
done

Save and Exit.

Run this shell script to scan hacked files.

root@server1 [~]# ./scanfiles.sh

 

Once scanning process completed, check report file /root/c99result.txt.

Hjalp dette svar dig?

1 Kunder som kunne bruge dette svar