EXPLOIT REMOVAL INSTRUCTIONS ON NON-VPS SERVER (Linux/Unix)

EXPLOIT REMOVAL INSTRUCTIONS ON NON-VPS SERVER (Linux/Unix):

1. Execute the following 3 command lines as root by copy/paste. This will harden files commonly abused to upload exploits and list possible exploits. This script only searches for possible exploits owned by the webserver username, but it is possible that exploits could have been uploaded by a current or previous user account to the searched directories. So, you still need to manually investigate all files in the searched directories even if the script returns no results. Possible exploits found should be investigated and removed followed by rebooting the server to kill any running exploit processes. You can refer to the "xplts" file generated by these commands for later reference.

sh echo -e "\tHARDEN"|tee xplts;for x in `which wget curl fetch lynx links`;do chown -vv 0:0 $x|tee -a xplts;chmod -vv 0550 $x|tee -a xplts;done;echo -e "\n\tSEARCH"|tee -a xplts;for x in "/tmp /var/tmp /dev/shm /usr/local/apache/proxy /var/spool /usr/games";do ls -loAFR $x 2>&-|grep -E "^/| apache | nobody | unknown | www | web | htdocs "|grep -E "^/|^[bcdlsp-]|\.pl$"|grep -Ev "sess_|dos-"|tee -a xplts;done;echo -e "\n\tSUMMARY";

echo -e "Block File: \t\t`grep -Ev "^/" xplts|grep -E "^b"|wc -l|tr -d ' '`";echo -e "Character File: \t`grep -Ev "^/" xplts|grep -E "^c"|wc -l|tr -d ' '`";echo -e "Directory: \t\t`grep -Ev "^/" xplts|grep -E "^d"|wc -l|tr -d ' '`";echo -e "Symbolic Link: \t\t`grep -Ev "^/" xplts|grep -E "^l"|wc -l|tr -d ' '`";

echo -e "Socket Link: \t\t`grep -Ev "^/" xplts|grep -E "^s"|wc -l|tr -d ' '`";echo -e "FIFO: \t\t\t`grep -Ev "^/" xplts|grep -E "^p"|wc -l|tr -d ' '`";echo -e "Regular File: \t\t`grep -Ev "^/" xplts|grep -E "^-"|wc -l|tr -d ' '`" exit


2. You should also install and run rkhunter (http://www.rootkit.nl/projects/rootkit_hunter.html) which is a scanning tool to ensure you for about 99.9% you're clean of rootkits, backdoors, and local exploits. If any rootkits, backdoors, or local exploits are found by rkhunter,
On BSD sytems: cd /usr/ports/security/rkhunter; make install clean; rehash; rkhunter -c
On RedHat, Fedora, CentOS systems: yum -y install rkhunter; rkhunter -c

  • Email, SSL
  • 0 Users Found This Useful
Was this answer helpful?

Related Articles

Restrict SSH Access by IP Address on Linux

  Opening SSH to the outside world on your home LAN is a convenience if you are away from...

Modsecurity 2 [Anti Exploits]

Please review http://forum.hyperois.com/viewtopic.php?t=23 This an tutorial for Server...

Mod_evasive

  One way to stop one of the more basic attacks on a server is mod_evasive.This how-to...