Find r57 and c99 Shells Hidden Inside PHP and TXT Files

Posted 1529 days ago - Security

When malicious intruders compromise a web server, there's an excellent chance a famous Russian PHP script, r57shell, will follow. The r57shell PHP script gives the intruder a number of capabilities, including, but not limited to: downloading files, uploading files, creating backdoors, setting up a spam relay, forging email, bouncing a connection to decrease the risk of being caught, and even taking control of SQL databases. All these functions become readily available through an easy to use web interface, but now you can fight back.

A Turkish member of a forum I participate in released this nifty little bash pipeline. There is no need to run updatedb first: updatedb refreshes the database that locate uses, whereas find walks the filesystem live, so its results are always current (if slower).

find /var/www/  -name "*".php  -type f -print0  | xargs -0 grep r57 | uniq -c  | sort -u  | cut -d":" -f1  | awk '{print "rm -rf " $2}' | uniq

You can also search regular text (.txt) files:

find /var/www/  -name "*".txt  -type f -print0  | xargs -0 grep r57 | uniq -c  | sort -u  | cut -d":" -f1  | awk '{print "rm -rf " $2}' | uniq

Or even cleverly disguised GIF image files:

find /var/www/  -name "*".gif  -type f -print0  | xargs -0 grep r57 | uniq -c  | sort -u  | cut -d":" -f1  | awk '{print "rm -rf " $2}' | uniq

The command might appear scary, or even malicious, to an inexperienced Linux admin, so here is the breakdown.

find /var/www/

find is a must-know command when dealing with Linux; it is what performs file searches from the command line. The path /var/www is the directory find will search, together with every directory beneath it but nothing above it; /var/mail, for example, is not searched. If your publicly accessible files are not in /var/www, replace it with the correct path, and bear in mind that an intruder who could run commands may have dropped files outside the web root as well.

-name "*".php  -type f -print0

This portion tells find which files to return. -name "*".php matches names ending in .php (the quoting is just a way of writing '*.php' so the shell does not expand the wildcard before find sees it). -type f restricts the match to regular files, so directories and symlinks are ignored. -print0 separates the results with a NUL byte instead of a newline, so file names containing spaces or newlines reach xargs intact. Note that -name is case-sensitive; use -iname if you also want to catch Shell.PHP.

| xargs -0 grep r57

The pipe symbol ( | ) tells the shell to take the output of the first command (the list of PHP files) and feed it to the second command, xargs. xargs -0 reads that NUL-separated list and runs grep with the files as its arguments. grep then searches the content of each file for the string r57, not just the file name, and prints every hit as file:matching line. grep is case-sensitive; add -i to catch R57 as well.

| uniq -c  | sort -u

uniq -c collapses runs of identical consecutive lines and prefixes each survivor with a count of how many it merged. The count is not a per-file tally: grep emits one file:line pair per matching line, so only a line that repeats verbatim within one file gets merged here, and a file with several different lines mentioning r57 still produces several results. sort -u then sorts what is left and drops exact duplicates. The trailing uniq at the very end of the pipeline is what finally reduces each file to a single rm line, once the file name is all that remains.

| cut -d":" -f1

cut keeps only what comes before the first colon, i.e. the count and the file name, and discards the line of code that contains r57. There's no need to display the code if your intention is to remove the malicious files, though you will want to see it before deleting anything, because the string r57 also occurs in legitimate files. A path that itself contains a colon would be truncated here.

| awk '{print "rm -rf " $2}'

awk, a programming language in itself, is a very powerful command with many beneficial uses. Here it prints rm -rf followed by the second whitespace-separated field, $2, which is the file path ($1 is the count added by uniq -c). A path containing spaces would be cut off at the first space. Here's an example output:

rm -rf /var/www/users/domain.com/images/uploads/r57shell.php

rm -rf deletes without asking questions: -f suppresses rm's prompts and error messages, so be careful with the -rf switch, it is very destructive if used without care (for single files -f alone is enough; -r only matters for directories). Notice the print portion: the pipeline only prints the rm commands, it does not carry them out. Read every line before acting on it. The strings r57 and c99 also turn up in legitimate files, for example in encoded PHP such as ionCube-protected or WHMCS files and in the CSS colour #cc9999, as several commenters below report, so check the context of each match. Once you've confirmed that all the found files are malicious, you can dump the results into a file, make it executable, and delete the plague in one shot instead of deleting the files one by one. Removing the shell does not close the hole it came in through; go through the server logs around the date of infection to find the entry point.

Another popular tool is the c99shell, which I also recommend searching for. Just change three characters:

find /var/www/  -name "*".php  -type f -print0  | xargs -0 grep c99 | uniq -c  | sort -u  | cut -d":" -f1  | awk '{print "rm -rf " $2}' | uniq
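Here is a review-first version of the same hunt, added as an example for this page (it is not the forum member's one-liner or any tool's own code). It assumes a POSIX sh with GNU or BSD find, xargs and grep; the default signatures r57 and c99 come from the post, the three extensions are the ones searched above, and the demo files at the bottom are constructed, not taken from a real server. grep -l lists each matching file once, -print0/xargs -0 keep paths with spaces intact, the hits are shown with context, and instead of rm -rf the files are moved to a quarantine directory, which keeps the evidence for later analysis and can be undone if a legitimate file was caught.

```shell
#!/bin/sh
# Added example, not code from the original post: a review-first version of
# the r57/c99 hunt. Assumes a POSIX sh with GNU or BSD find/xargs/grep.

# Build "-e SIG -e SIG ..." for grep. Signatures must not contain whitespace.
_sig_args() {
    for _s in "$@"; do printf '%s %s ' -e "$_s"; done
}

# list_shell_candidates DOCROOT [SIG ...]
# Prints each .php/.txt/.gif file under DOCROOT whose *content* contains any
# signature (fixed string, case-insensitive), one path per line, sorted.
# Defaults to the post's "r57" and "c99".
list_shell_candidates() {
    lsc_root=$1; shift
    [ $# -gt 0 ] || set -- r57 c99
    lsc_sigs=$(_sig_args "$@")
    find "$lsc_root" -type f \( -name '*.php' -o -name '*.txt' -o -name '*.gif' \) -print0 \
        | xargs -0 grep -l -i -F $lsc_sigs -- 2>/dev/null \
        | sort -u
}

# show_context DOCROOT [SIG ...]
# First three hits per candidate, as file:line:text, so the operator can tell
# an uploaded shell from an ionCube-encoded vendor file or a "#cc9999" colour.
show_context() {
    sc_root=$1; shift
    [ $# -gt 0 ] || set -- r57 c99
    sc_sigs=$(_sig_args "$@")
    list_shell_candidates "$sc_root" "$@" | while IFS= read -r sc_file; do
        # -a: show the line even inside a binary (e.g. a real GIF);
        # /dev/null as a second operand forces grep to prefix the file name.
        grep -a -n -i -F $sc_sigs -- "$sc_file" /dev/null | head -n 3
    done
}

# quarantine_candidates DOCROOT QDIR [SIG ...]
# Moves each candidate to QDIR, preserving its path relative to DOCROOT.
# A move keeps the evidence and is reversible; rm -rf is neither.
quarantine_candidates() {
    qc_root=${1%/}; qc_dir=$2; shift 2
    list_shell_candidates "$qc_root" "$@" | while IFS= read -r qc_file; do
        qc_rel=${qc_file#"$qc_root/"}
        mkdir -p "$qc_dir/$(dirname "$qc_rel")"
        mv -- "$qc_file" "$qc_dir/$qc_rel"
        printf 'quarantined: %s -> %s\n' "$qc_file" "$qc_dir/$qc_rel"
    done
}

# Demo on constructed files (not real server data): two planted shells, one
# CSS false positive ("#cc9999" contains "c99"), and one clean file.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/images/uploads" "$demo_root/css"
printf '<?php /* r57shell */ eval($_POST["c"]); ?>\n' > "$demo_root/images/uploads/r57shell.php"
printf 'GIF89a<?php /* c99shell */ system($_GET["cmd"]); ?>\n' > "$demo_root/images/uploads/avatar.gif"
printf 'body { color: #cc9999; }\n' > "$demo_root/css/colors.txt"
printf '<?php echo "hello"; ?>\n' > "$demo_root/index.php"
echo "== candidates with context (review before acting) =="
show_context "$demo_root"
echo "== quarantine =="
quarantine_candidates "$demo_root" "$demo_root.quarantine"
rm -rf "$demo_root" "$demo_root.quarantine"
```

Against a real document root, run show_context /var/www first, read the output, and only then quarantine_candidates /var/www /root/quarantine. Extra arguments become extra signatures, so a distinctive string lifted from a captured shell can be used to tighten the match and cut down the false positives that a bare r57 or c99 produces.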

If you're interested in seeing an example of the c99shell interface, here's a site that was rooted when this was written:

http://www.iett.gov.tr/en/kitap/

Comments (21)

Charles @ 2007-12-20 22:14:14

Awesome post, thanks for breaking down the command - this is highly useful - bookmarked and saved locally =)

 
Guy Patterson @ 2007-12-21 07:17:35

You're very welcome :) Linux FTW!

Thank you for taking the time to comment. Was your server/machine compromised?

 
Ed @ 2008-05-25 19:20:30

This looks like a real 'leet' linux command but it misses the point. Why would a hacker keep the name of c99.php or r57.php? Of course he wouldn't! If you believe your server is compromised by this type of attack then you probably first need to look for files owned by the webserver (i.e. apache, httpd). Also note that if a hacker has the ability to run commands then shells/tools could be uploaded to many other locations and he could have gained root by using further exploits.

Ed

Guy Patterson @ 2009-04-23 07:09:39

Ed,

Good point, but you'd be surprised. Most intrusions are by complete amateurs or "script kiddies" that don't have a true grasp of what it is they're doing.

If you're compromised by a competent intruder, chances are you wouldn't want to rely on just this method..

-Guy

 
 
Victim @ 2008-06-30 12:03:29

Yeah. I would also have guessed that a hacker would have changed the name. But not in this case. I found a c99.php and a r57.php in my main directory. I have downloaded and deleted them.
My index.html file was also replaced by another file...

I'm not sure if this is the right place to beg for some insight. But you guys seem to have a good understanding about this problem.

I really don't have that many skills in Linux or hacking. But the thing I don't understand is how the person managed to get the files there... The person could not have had any permission to write to that directory...
The only way I can see it got there is that he/she exploited some script on the server. Or is there another hole that he could have used?

Guy Patterson @ 2009-04-23 07:36:52

Some will argue there is a 7 step process life-cycle for dealing with such events. Here they are, in order:

Preparation
Detection
Containment
Analysis
Eradication
Recovery
Follow-up (Lessons Learned)

Phase 1 involves securing your environment. Phase 2 is detecting the intrusion, Phase 3 is containing it. The fourth phase (Analysis) is where you should find how the attack got in which should reveal how to mitigate the risk for future attacks. Examine server logs around the estimated date of infection, you'll find some good stuff :)

 
 
Dave @ 2008-07-08 02:07:39

I have to agree with Ed's comment. We were compromised recently with bad files scattered over the server. They were stored with unusual file types and names to make them hard to find.

Because the injection is through a poor URL, the initial scripts run as user 'apache'. Therefore using the find command to search for anything that belongs to user apache, and which has been created, modified, and/or accessed in the days since you think the exploits began, is a useful command you can use in addition to the ones above in the article.

Guy Patterson @ 2009-04-23 07:38:18

Yes, find with a time/date parameter is a great method to find these nasties, especially if the attacker took the time to conceal his or her weak tools..
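The owner-and-time search Dave describes, written out as an added example (not code from Dave, Guy or the post), with a second check for the directories such a user could have written to. It assumes a POSIX sh whose find supports -user, -newer and -perm; the owner name and reference file are parameters (www-data on Debian or apache on RHEL are the usual owners, and a file from the last known-good deploy the usual reference), and the demo files are constructed.

```shell
#!/bin/sh
# Added example, not code from the post or its commenters. Assumes a POSIX sh
# and a find that understands -user, -newer and -perm.

# recent_by_owner DOCROOT OWNER REFERENCE_FILE
# Regular files under DOCROOT owned by OWNER with an mtime newer than
# REFERENCE_FILE, one per line, sorted. Files an intruder creates through a
# web application are owned by the server user, so this is a tight first cut.
recent_by_owner() {
    find "$1" -type f -user "$2" -newer "$3" -print | sort
}

# world_writable_dirs DOCROOT
# Directories under DOCROOT that anyone, including the server user, can write
# to (mode o+w): the usual answer to "how did the file get there?". Directories
# writable only by a group the server user belongs to are not covered.
world_writable_dirs() {
    find "$1" -type d -perm -002 -print | sort
}

# Demo on constructed files (not real server data). The owner is the current
# user so the demo runs anywhere; timestamps are forced with touch -t.
demo=$(mktemp -d)
mkdir -p "$demo/htdocs/images/uploads" "$demo/htdocs/css"
printf 'deploy marker\n' > "$demo/deploy.stamp"
touch -t 200712010000 "$demo/deploy.stamp"                 # last known-good deploy
printf '<?php /* shipped with the site */ ?>\n' > "$demo/htdocs/index.php"
touch -t 200711010000 "$demo/htdocs/index.php"             # older than the deploy
printf '<?php /* dropped later */ ?>\n' > "$demo/htdocs/images/uploads/r57shell.php"
chmod 777 "$demo/htdocs/images/uploads"                    # the hole
echo "== files owned by $(id -un) newer than deploy.stamp =="
recent_by_owner "$demo/htdocs" "$(id -un)" "$demo/deploy.stamp"
echo "== world-writable directories =="
world_writable_dirs "$demo/htdocs"
rm -rf "$demo"
```

On a live box the call would be recent_by_owner /var/www www-data /var/www/index.php with the reference pointing at a file you know predates the intrusion; anything it lists that you did not put there deserves a look, and any directory world_writable_dirs reports is a candidate entry point to lock down.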

 
 
Andrew @ 2008-11-06 23:07:54

This is a great command to know, but I would never have it rm -rf any files automatically. It found several legit files from a WHM billing script with encrypted php files. All the file needs is 'r57' anywhere, and it would be permanently deleted - not good.

Other than that, great command reference, I will be using it often. Maybe a tutorial on creating a script with several string searches and a cron entry?

Guy Patterson @ 2009-04-23 07:40:14

Yea, you can always exclude the -rf to get a prompt for each discovered file.

I like your script suggestion, perhaps that will come in a follow up post? :)

 
 
Graham @ 2008-11-07 04:35:16

This is a good script, it looks for content not file name so it does do the job - however it tends to delete whmcs files in the process - so be careful about that.

Guy Patterson @ 2009-04-23 07:40:33

Will do - thanks for the heads up!

 
 
Mary c99.php fighter @ 2008-11-09 08:05:42

Regardless, this post was very helpful. Probably best is to follow this post, with its excellent command break-down, and then go further. I'm just wondering *how* to go further. What I'm thinking is, wonder if it is possible to get hold of one of the c99.php files, dissect it and then search for commands in your server? The "apache" owner idea also quite good.

Thanks all for this great great help.

 
segun @ 2009-03-17 18:13:08

i want c99shell in my box

 
darko @ 2009-03-24 09:45:22

Yes, to use "locate" you will have to refresh the database first. On the other hand, "find" will be slower, but it will search on-line. "find" with the "-exec" switch can delete files without piping to 'awk' ... Here is an example of how to delete a "bad" PHP file with the find command:

find /var/www/ -name 'r57*.php' -type f -exec rm {} \;

You can first run only:

find /var/www/ -name 'r57*.php' -type f -print

to see what files will be deleted, and then add the -exec flag. Hope this tip will help. Bye!

 
Joe @ 2009-04-15 23:58:23

Hi,

what if r77 or c99 scripts are in encrypted format? how to scan or search?

 
AEYTR @ 2009-06-23 04:56:51

# list PHP files larger than 100 KB, each with its size
find / -name '*.php' -type f -size +100k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'

This code will find +100k php files.

 
Asdrubal @ 2009-08-09 12:19:26

Maybe using the egrep linux command, searching for common words that are written into r57 and c99 txt files, i.e. egrep -ir "expression" server_root
egrep is a powerful tool that allows you to search inside any file including jpg, gif, etc...
You can download r57 and c99 and other files to use in the search at localroot.net and remember: don't do to others what you wouldn't like done to yourself.

 
AstraSkyraider @ 2009-09-22 10:57:30

This will of course throw a wobbly and display false info on PHP encoded files such as those protected with ioncube; several chars within the encoded file will contain "r57"

e.g. 089tgFR£4eddSEt r57 9Wfkdlssr r57 dWQQWs

spaced above to show

 
serial @ 2009-11-26 11:53:49

"but first, make sure you execute updatedb so find has an up to date image to search"

find doesn't use updatedb ...

 
iRick @ 2010-11-29 20:23:28

Be careful searching for 'c99' as this is often used legitimately as part of HTML colors (e.g. #cc9999). Bottom line is to check the context before deleting.

 
