EXPLOIT REMOVAL INSTRUCTIONS ON NON-VPS SERVER (Linux/Unix) - Help Desk

1. Run the following commands as root by copy/paste. They are written for a POSIX sh: start sh, paste the commands, then exit. The HARDEN part makes the download tools that uploaded exploits typically use to fetch further payloads (wget, curl, fetch, lynx, links) owned by root and executable by root only (mode 0550), so a web shell running as the webserver user can no longer call them. Note that this also stops legitimate unprivileged accounts, including user cron jobs, from running those binaries; PHP's curl extension is a library and is not affected. The SEARCH part lists the directories that are world-writable or commonly writable by the webserver (/tmp, /var/tmp, /dev/shm, /usr/local/apache/proxy, /var/spool, /usr/games) and keeps the entries owned by the usual webserver accounts. Two limitations: the owner match is a fixed list of account names (apache, nobody, unknown, www, web, htdocs), so add the account your webserver actually runs as if it is not on that list (for example www-data on Debian and Ubuntu); and files uploaded through a current or previous user account are not matched at all. So you still need to manually investigate all files in the searched directories even if the script returns no results. Possible exploits found should be investigated and removed. Before you remove anything or reboot, record what is running and listening (for example ps auxww together with netstat -anp on Linux or sockstat on BSD) so that you know which of the files found were in use, and check cron entries and startup scripts for anything that would restart them: a reboot kills running exploit processes, but it does not remove their persistence. The results are saved in the file xplts in the current directory for later reference.

sh
printf '\tHARDEN\n' | tee xplts
for x in `which wget curl fetch lynx links`; do
  chown -v 0:0 "$x" | tee -a xplts
  chmod -v 0550 "$x" | tee -a xplts
done
printf '\n\tSEARCH\n' | tee -a xplts
# owner names to keep; add the account your webserver runs as if it is missing (e.g. www-data)
for x in /tmp /var/tmp /dev/shm /usr/local/apache/proxy /var/spool /usr/games; do
  ls -loAFR $x 2>/dev/null | grep -E '^/| apache | nobody | unknown | www | web | htdocs ' | grep -E '^/|^[bcdlsp-]' | grep -Ev 'sess_|dos-' | tee -a xplts
done
printf '\n\tSUMMARY\n'
# count the SEARCH section only; the chown/chmod messages above it would otherwise be counted as entries
for t in 'b Block File' 'c Character File' 'd Directory' 'l Symbolic Link' 's Socket' 'p FIFO' '- Regular File'; do
  printf '%-16s %s\n' "${t#? }:" "$(sed -n '/SEARCH/,$p' xplts | grep -c "^${t%% *}")"
done
exit
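The filtering that the SEARCH and SUMMARY commands perform, as an added example that is not part of the original article: the listing is read from standard input so it can be run against a constructed "ls -loAFR" sample offline, the owner names are passed in as a parameter rather than fixed in the pattern (an extension of the article's fixed list, chosen to show why a distribution-specific account such as www-data must be added), and the per-type counts are computed from the search results only. The function names, the sample listing and the owner lists below are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the HyperOIS article: the SEARCH filter from
# step 1 as a function over a listing read from stdin, with the owner names
# passed in instead of fixed in the pattern, plus the per-type counts the
# SUMMARY step prints. Function names and the listing are constructed here.

# Constructed "ls -loAFR" output (not from a real server). With -o there is
# no group column, so the owner name is followed directly by the size, which
# is why " owner " with surrounding spaces is a workable match.
SAMPLE='/tmp:
total 16
drwx------  2 root      4096 Sep 12 23:50 .X11-unix/
-rw-r--r--  1 nobody   53492 Sep 12 23:59 sess_a1b2c3
-rwxr-xr-x  1 apache   18722 Sep 13 00:01 .x*
-rw-r--r--  1 www-data  1181 Sep 13 00:02 upd.pl
prw-r--r--  1 nobody       0 Sep 13 00:03 .pipe|
lrwxrwxrwx  1 apache      11 Sep 13 00:03 logs -> /etc/passwd
-rw-r--r--  1 alice      512 Sep 13 00:04 notes.txt

/tmp/.X11-unix:
total 0
srwxrwxrwx  1 root         0 Sep 12 23:50 X0='

# filter_listing 'name|name|...'  (listing on stdin)
# Keeps the "dir:" headers and every entry owned by one of the names,
# dropping PHP session files and "dos-" names as the article does.
# The match is textual, so a file name containing " apache " would also
# pass; that errs towards showing more, which is what you want here.
filter_listing() {
    grep -E "^/| ($1) " | grep -E '^/|^[bcdlsp-]' | grep -Ev 'sess_|dos-'
}

# count_type CHAR  (filtered listing on stdin) -> number of entries whose
# first character is CHAR (b c d l s p or - as in ls output). awk is used
# instead of grep -c so that a count of zero does not produce a failing
# exit status inside "$(...)" when the caller runs under set -e.
count_type() {
    awk -v t="$1" 'substr($0, 1, 1) == t { n++ } END { print n + 0 }'
}

# summarize  (filtered listing on stdin) -> one line per file type, like
# the article's SUMMARY step but computed from the SEARCH results only.
summarize() {
    listing=$(cat)
    for t in 'b Block File' 'c Character File' 'd Directory' \
             'l Symbolic Link' 's Socket' 'p FIFO' '- Regular File'; do
        printf '%-16s %s\n' "${t#? }:" \
            "$(printf '%s\n' "$listing" | count_type "${t%% *}")"
    done
}

# Demonstration: the article's fixed owner list misses upd.pl because its
# owner is www-data, which " www " does not match; adding the account the
# webserver actually runs as picks it up.
ARTICLE_OWNERS='apache|nobody|unknown|www|web|htdocs'
DEBIAN_OWNERS="$ARTICLE_OWNERS|www-data"
printf '%s\n' "$SAMPLE" | filter_listing "$DEBIAN_OWNERS"
printf '%s\n' "$SAMPLE" | filter_listing "$DEBIAN_OWNERS" | summarize
```

On a live server the same functions take the real listing: ls -loAFR /tmp /var/tmp /dev/shm 2>/dev/null | filter_listing "$DEBIAN_OWNERS" | tee xplts | summarize. Whatever owner list you use, the limitation from the article still holds: files uploaded through an ordinary user account are not matched and have to be reviewed by hand.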


2. You should also install and run rkhunter (http://www.rootkit.nl/projects/rootkit_hunter.html), a scanner that checks the system for known rootkits, backdoors and local exploits by comparing files, listening ports and processes against its database of known signatures. A clean report is good evidence but not proof: rkhunter can only find what it has a signature for, and on an already compromised host the system commands it relies on may themselves have been replaced, so treat its result as one input to the investigation in step 1 rather than a guarantee. The -c option runs the check; the report is also written to /var/log/rkhunter.log. If any rootkits, backdoors, or local exploits are found by rkhunter,
On BSD systems: cd /usr/ports/security/rkhunter; make install clean; rehash; rkhunter -c
On RedHat, Fedora, CentOS systems (on RHEL and CentOS the package comes from the EPEL repository): yum -y install rkhunter; rkhunter -c



Article Details
Article ID: 34
Created On: 13 Sep 2009 12:26 AM

© Copyright 2005-2009 HyperOIS. All Rights Reserved.