Category Archives: Webserver

LSOF (list open files)

November 22, 2011   admin   No comments

Lsof merupakan utility yang hampir mirip dengan netstat -an tapi mungkin lebih lengkap kali ya, karena qta juga bisa melihat file2 yang sedang dijalakan apa saja oleh suatu program, mulai dr binary file, library dan file2 yang berhubungan dengan program yg sedang berjalan.. la wong namanya aja “List open files” ker..

Install lsof di FreeBSD:

cd /usr/ports/sysutils/lsof
make install clean
rehash

Install lsof di CentOS:

yum install lsof

lsof -l

perintah ini akan memperlihatkan smuaaa list prog yang sedang berjalan, sengaja ga dicapture hasilnya (panjang bokkk)

lsof -c named
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
named 89535 named cwd VDIR 4,12 512 16662 /chroot/named/conf
named 89535 named rtd VDIR 4,12 512 16656 /chroot/named
named 89535 named jld VDIR 4,12 512 16656 /chroot/named
named 89535 named txt VREG 4,17 3507739 7774967 /usr/local/sbin/named
named 89535 named txt VREG 4,12 142236 16549 /libexec/ld-elf.so.1
named 89535 named txt VREG 4,12 1017456 8301 /lib/libcrypto.so.3
named 89535 named txt VREG 4,12 884716 8280 /lib/libc.so.5
named 89535 named 0u VCHR 2,2 0t0 7 /dev/null
named 89535 named 1u VCHR 2,2 0t0 7 /dev/null
named 89535 named 2u VCHR 2,2 0t0 7 /dev/null
named 89535 named 3u unix 0xc40a0000 0t0 ->0xc181a288
named 89535 named 4u VCHR 2,2 0t0 7 /dev/null
named 89535 named 5r VCHR 248,0 0t0 16 /dev/random
named 89535 named 22u IPv4 0xc3f980b4 0t0 UDP *:54519

lengkap kan? kalau ga mau panjang2 atau mau lihat file apa yg dijalankan tinggal ketik

lsof -a -d cwd -c named
named 89535 named cwd VDIR 4,12 512 16662 /chroot/named/conf

kalau mau lihat pakai port berapa ya tinggal

lsof -a -c named | grep "*:"
named 89535 named 22u IPv4 0xc3f980b4 0t0 UDP *:54519
Read More

.htaccess on suPHP servers

April 01, 2011   admin   9 Comments

What should my .htaccess file look like if my account is on a suPHP server?
You should remove the lines that begin with “php_value” and “php_flag”. You will need to move these files to a file named php.ini and upload php.ini into your public_html directory. Then, add the following line into the .htaccess file in your public_html:

suPHP_ConfigPath /home/username/public_html

where “username” is your cPanel username. You will need to remove php_value and php_flag from ALL .htaccess files you may have. However, you only need to add the suPHP_ConfigPath line in the .htaccess file in your public_html directory only.

Please note that you will need to change the format of your php_value and php_flag lines into the php.ini format. (Refer to the FAQ entry on how your php.ini file should be formatted).

Read More

How to mass chmod file and folder ?

June 16, 2010   admin   2 Comments

Mass chmod folder :

find /home/*/public_html -type d -exec chmod 755 {} \;

Mass chmod file :

find /home/*/public_html -type f -exec chmod 644 {} \;

Tested with freebsd server and working 100% :D

Read More

Find r57 and c99 Shells Hidden Inside PHP and TXT Files

June 16, 2010   admin   7 Comments

When malicious intruders compromise a web server, there’s an excellent chance a famous Russian PHP script, r57shell, will follow. The r57shell PHP script gives the intruder a number of capabilities, including, but not limited to: downloading files, uploading files, creating backdoors, setting up a spam relay, forging email, bouncing a connection to decrease the risk of being caught, and even taking control of SQL databases. All these functions become readily available through an easy to use web interface, but now you can fight back.

A Turkish member on a forum I participate in released this nifty little bash command, but first, make sure you execute updatedb so find has an up to date image to search:

find /var/www/ -name "*".php -type f -print0 | xargs -0 grep r57 | uniq -c | sort -u | cut -d":" -f1 | awk '{print "rm -rf " $2}' | uniq

You can also search regular text (.txt) files:

Read More

Mencari file inject di webserver

February 22, 2010   admin   1 Comment

scanning

OK langsung saja, command berikut adalah yang biasa saya pakai untuk scanning php file inject di webserver FreeBSD. Saya catat di sini biar gak lupa. :D
1. Scanning php files dalam path si username dan mencari 1 kata / strings dalam files php sesuai dengan kata yang kita cari:

server2# find /home/username/ -name "*".php -type f -print0| xargs -0 grep "powered by rapidleech" | uniq -c | sort -u | cut -d":" -f1 | awk '{print "Warning - please check this files " $2}' | uniq

2. Scanning php files dalam path si username dan beberapa kata / strings dalam files php:

server2# find /home/username/ -name "*".php -type f -print0| xargs -0 egrep "rapidleech|c99|r57" | uniq -c | sort -u | cut -d":" -f1 | awk '{print "Warning - please check this files " $2}' | uniq

Tambahan…

Read More