

how i can detect and disable C99 shell?




Posted by Cyru$, 08-15-2008, 03:05 PM
How can I detect and disable C99 shell and other shell scripts, e.g. r57? I searched on the forum and I found some topics, but I know that hackers can patch them :D How can I really disable shell scripts? Thanks all.

Posted by RDOSTI, 08-15-2008, 03:08 PM
Edit php.ini: disable_functions = shell(), exec(), etc. etc. Regards

Posted by david510, 08-15-2008, 03:12 PM
Have a check in the /tmp partition for the scripts. See if any of the accounts has got 777 permissions. If yes, check that domain's Apache access logs for the following. If you find any suspicious entry with GET and it comes from a similar IP, you may block it.
grep txt /path/to/apache/access_logs | grep http
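The log check in that reply, written out as an added example (my own code, not david510's): it parses Apache access log lines, flags GET requests whose query string passes an http URL to a .txt file (what "grep txt | grep http" approximates), percent-decodes the path so encoded URLs are not missed, and groups hits by source IP so a repeat offender is easy to block. The log lines and addresses are constructed for the example.

```python
"""Added example: flag remote-file-inclusion style requests in Apache logs.

Implements the check described in the thread (GET requests whose query
string carries an http URL to a .txt file), grouped by source IP.
The sample log lines below are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache "combined"/"common" log format, up to the status and size fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A query parameter whose value is a URL to a .txt resource. Tune the
# extension list to what you actually see being fetched on your hosts.
REMOTE_TXT_RE = re.compile(r'=\s*https?://[^&\s]+\.txt\b', re.IGNORECASE)


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines we cannot parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_remote_include(entry: dict) -> bool:
    """True for GET requests that pass a remote .txt URL in the query string.
    The path is percent-decoded first so http%3A%2F%2F... is caught too."""
    if entry["method"] != "GET":
        return False
    return REMOTE_TXT_RE.search(unquote(entry["path"])) is not None


def suspicious_ips(lines) -> dict:
    """Map each source IP with at least one flagged request to its paths."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and is_remote_include(entry):
            hits[entry["ip"]].append(entry["path"])
    return dict(hits)


# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '198.51.100.20 - - [15/Aug/2008:15:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Aug/2008:15:01:09 +0000] "GET /index.php?page=http://198.51.100.7/r.txt HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Aug/2008:15:01:15 +0000] "GET /gallery.php?inc=http%3A%2F%2F198.51.100.7%2Fr.txt HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [15/Aug/2008:15:02:40 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [15/Aug/2008:15:03:01 +0000] "GET /docs/readme.txt HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    'this line is not in Apache log format',
]

if __name__ == "__main__":
    for ip, paths in suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} flagged request(s)")
        for p in paths:
            print("   ", p)
```

Running it on a real log is `suspicious_ips(open("/path/to/access_log"))`; the local `/docs/readme.txt` request is deliberately not flagged, since only a URL passed as a parameter value matters here.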

Posted by zacharooni, 08-15-2008, 08:57 PM
disable_functions = "symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,escapeshellarg,escapeshellcmd,shell_exec,myshellexec,c99_buff_prepare,c99_sess_put,fpassthru"
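A quick way to verify the php.ini advice from the two replies above actually took effect, as an added example (my own code, not from either poster): it parses the active disable_functions line of a php.ini (ignoring commented-out lines, quotes, case and inline comments) and reports which of a baseline set of command-execution functions are still enabled. The baseline set and the two ini fragments are constructed for the example; adjust the set to what your hosted applications really need.

```python
"""Added example: check a php.ini for risky functions left enabled."""
import re

# Constructed baseline drawn from the functions named in this thread.
# Tune it: disabling functions an application needs breaks that application.
RECOMMENDED_DISABLED = {
    "shell_exec", "exec", "system", "passthru", "popen", "proc_open",
    "proc_close", "dl", "symlink", "escapeshellarg", "escapeshellcmd",
    "fpassthru",
}


def parse_disable_functions(ini_text: str) -> set[str]:
    """Return the function names listed in the last active disable_functions
    directive (later directives override earlier ones, as in PHP itself).
    Lines starting with ';' are comments; surrounding quotes, whitespace and
    trailing ';' comments are stripped so 'a, b' and "a,b" parse the same."""
    disabled: set[str] = set()
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if not m:
            continue
        value = m.group(1).split(";", 1)[0].strip().strip('"\'')
        # An empty value means "nothing disabled", so the set is reset.
        disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def still_enabled(ini_text: str) -> list[str]:
    """Return the baseline functions this ini does NOT disable, sorted."""
    return sorted(RECOMMENDED_DISABLED - parse_disable_functions(ini_text))


# Constructed weak fragment: the only real directive has an empty value,
# which is what a stock php.ini ships with.
WEAK_INI = """
; php.ini fragment (constructed for this example)
;disable_functions = shell_exec
disable_functions =
"""

# Constructed hardened fragment in the quoted style used earlier in the thread.
HARDENED_INI = """
; php.ini fragment (constructed for this example)
disable_functions = "symlink,shell_exec,exec,proc_close,proc_open,popen,system,dl,passthru,escapeshellarg,escapeshellcmd,fpassthru"
"""

if __name__ == "__main__":
    print("weak ini leaves enabled:    ", still_enabled(WEAK_INI))
    print("hardened ini leaves enabled:", still_enabled(HARDENED_INI))
```

Point it at the real file with `still_enabled(open("/etc/php.ini").read())`; note that a per-virtual-host or .user.ini override can only add to this list, not shrink it, so the main php.ini is the right place to check.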

Posted by tchryan, 08-15-2008, 09:37 PM
That's a whole lot of trouble, disabling that many functions for any serious web host; use mod_security or, if you have the resources, an IDS/IPS solution in front of your servers/network. For example, you can use the below Snort rules, and if you do in-line filtering with any number of package sets that combine iptables+snort (or really any filtering method based on Snort) you get very good results: http://www.emergingthreats.net/rules...response.rules The important rules to note relative to PHP shells and related tools are as follows:
Last edited by tchryan; 08-15-2008 at 09:44 PM.

Posted by zacharooni, 08-15-2008, 09:46 PM
That's a nice bit of rules, but not everyone has their own datacenter.

Posted by tchryan, 08-15-2008, 10:30 PM
Now let's look at adapting some of the above successful rules to mod_security for a simpler approach to dealing with the more common PHP shells. The first thing to note is that we want to check against the content of a page to more accurately find PHP shells, but this also increases the potential for false-positive hits if you do not provide extensive enough match criteria. Use of these rules is at your own risk; evaluate them carefully:
Last edited by tchryan; 08-15-2008 at 10:40 PM.

Posted by Cyru$, 08-18-2008, 11:00 AM
Thanks all for the help.

Posted by Zizzi, 01-14-2010, 12:32 AM
Sorry for grave-digging this thread, but I wanted to share a tool that I wrote for anyone who might also have this question. This is a link to the tool I have written for this purpose. It scans files and looks at their contents for signatures from common PHP shells such as GNY and C99. esux.net/python_php_shell_virus_web_scan_detection Enjoy -- Zizzi
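The same signature-scanning approach as an added example (my own code; it is not Zizzi's tool and not linked from this thread): it walks a directory tree, reads PHP-like files (including .txt, since shells are commonly parked in /tmp as text, as noted earlier in the thread), matches their contents against a small signature set, and also reports whether each flagged file is world-writable, which covers the 777-permissions check from the same thread. The signature set is a constructed starting point built from the c99 helper names quoted earlier plus generic obfuscation patterns, and the sample files are constructed in a temporary directory; no real shell code is included.

```python
"""Added example: signature scan for common PHP web shells."""
import os
import re
import tempfile

# Constructed signature set. The first entry uses c99 helper names quoted
# earlier in the thread; the others are generic obfuscation / execution
# patterns. Extend it with what you actually find on your hosts.
SIGNATURES = {
    "c99_identifiers": re.compile(r"\b(c99_buff_prepare|c99_sess_put|myshellexec)\b"),
    "eval_of_decoded_blob": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE),
    "exec_of_request_input": re.compile(
        r"\b(shell_exec|exec|system|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b",
        re.IGNORECASE),
}

# .txt is included on purpose: shells are often staged as text files.
SCAN_EXTENSIONS = {".php", ".phtml", ".php5", ".inc", ".txt"}


def scan_text(text: str) -> list[str]:
    """Names of the signatures that match this file content, sorted."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def is_world_writable(path: str) -> bool:
    """True if the 'other' write bit is set (e.g. mode 777 or 666)."""
    return bool(os.stat(path).st_mode & 0o002)


def scan_tree(root: str) -> dict[str, dict]:
    """Return {path: {"signatures": [...], "world_writable": bool}} for every
    file under root whose extension is in SCAN_EXTENSIONS and that matches
    at least one signature. Unreadable or non-UTF-8 files never abort the scan."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = {"signatures": hits,
                                  "world_writable": is_world_writable(path)}
    return findings


def make_sample_tree() -> str:
    """Write a constructed sample tree to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="shellscan_")
    samples = {
        # benign: 'system_check(' must not trip the exec signature
        "index.php": "<?php echo 'hello'; system_check(); ?>\n",
        "upload/notes.txt": "just text\n",
        # marker strings only, not a working shell
        "tmp/sess_1.txt": ("<?php\nfunction c99_buff_prepare() { }\n"
                           "@eval(base64_decode('PLACEHOLDER'));\n"),
        # wrong extension: skipped even though the content would match
        "img/x.jpg": "eval(base64_decode('not scanned'))\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, info in scan_tree(make_sample_tree()).items():
        print(path, info["signatures"], "world-writable" if info["world_writable"] else "")
```

Run it against a real tree with `scan_tree("/tmp")` or `scan_tree("/home")`; treat a hit as a reason to inspect the file, since a legitimate file can contain `eval(gzinflate(` in a packed library, and compare any flagged-but-unknown file with what ClamAV reports, as the next reply suggests.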

Posted by CoderJosh, 01-14-2010, 08:16 AM
If you have shell access (SSH), you can use ClamAV's clamscan to find such shell scripts.


