How to Detect R57 and C99 Shells in Your Server

How to detect r57 and c99 Shells in your server
by Janeth Kent Date: 26-07-2013 shell script c99 r57 malware hacking

When malicious intruders compromise a web server, there's an excellent chance a famous Russian PHP script, r57shell, will follow. The r57 and C99 shell PHP script gives the intruder a number of capabilities, including, but not limited to: downloading files, uploading files, creating backdoors, setting up a spam relay, forging email, bouncing a connection to decrease the risk of being caught, and even taking control of SQL databases. All these functions become readily available through an easy to use web interface, but now you can fight back.

First, make sure you execute updatedb so find has an up to date image to search:

find /var/www/  -name "*".php  -type f -print0  | xargs -0 grep r57 | uniq -c  | sort -u  | cut -d":" -f1  | awk '{print "rm -rf " $2}' | uniq

You can also search regular text (.txt) files:

find /var/www/  -name "*".txt  -type f -print0  | xargs -0 grep r57 | uniq -c  | sort -u  | cut -d":" -f1  | awk '{print "rm -rf " $2}' | uniq

Or even cleverly disguised GIF image files:

find /var/www/  -name "*".gif  -type f -print0  | xargs -0 grep r57 | uniq -c  | sort -u  | cut -d":" -f1  | awk '{print "rm -rf " $2}' | uniq

The command might appear scary, or even malicious to an inexperienced Linux admin, but here's the break down.

find /var/www/

find is a must know command when dealing with Linux. Find is what's used to perform command line file searches. The path /var/www is the directory find will search, in addition to all directories contained within www, but nothing above. For example, /var/mail is not searched. If your publicly accessible files are not contained in /var/www, then you'll obviously need to replace /var/www with the correct path.

-name "*".php  -type f -print0

This portion of the command tells find to search file names (not directories) ending in .php. Anything else is ignored.

| xargs -0 grep r57

The pipe symbol ( | ) tells Linux to take the results of the first command (the PHP files we searched for), and pass them along to the second command, xargs. At this point, all located files are searched for any mention of r57, not just the file names, but the actual content within the files.

| uniq -c  | sort -u

uniq will prevent duplicate results from displaying. The command is smart enough to know when multiple instances are found in a single file, resulting in a single mention instead of potentially hundreds, flooding your console with repeated messages. The -c parameter tells uniq to count the number of consecutive lines that were combined. sort will take the unordered results, and display them in some type of orderly fashion.

| cut -d":" -f1

cut will prevent the line of code that contains r57 from showing up in the results. The output is just a simple mention of the filename or names, and how many occurrences. There's no need to display the actual code if your intentions are to remove the malicious files.

| awk '{print "rm -rf " $2}'

awk, a programming language in itself, is a very powerful command with many beneficial uses. In this command, awk is instructed to print rm -rf with the file path and file name appended. Here's an example output:

rm -rf /var/www/users/

rm -rf is used to delete files without asking questions. The, "are you sure you want to delete ..." is skipped, so be careful when using the -rf switch, it's very destructive if used without care. Notice the print portion - this means the command is only printed, not carried out.

Another popular tool is the c99shell, which I also recommend searching for. Just change three characters:

find /var/www/  -name "*".php  -type f -print0  | xargs -0 grep c99 | uniq -c  | sort -u  | cut -d":" -f1  | awk '{print "rm -rf " $2}' | uniq

Once you've confirmed all the found files are malicious, you can easily dumb the results into a file, make the file executable, and delete the plague in one shot instead of manually deleting individual files one by one.

by Janeth Kent Date: 26-07-2013 shell script c99 r57 malware hacking hits : 10143  
Janeth Kent

Janeth Kent

Licenciada en Bellas Artes y programadora por pasión. Cuando tengo un rato retoco fotos, edito vídeos y diseño cosas. El resto del tiempo escribo en MA-NO WEB DESIGN END DEVELOPMENT.


Related Posts

Dark Mode on website using CSS and JavaScript

In today’s article we are going to learn how to build pretty much standard these days on the web pages and that is the alternative color mode and switching between…

JavaScript: Spread and Rest operators

In today’s article we are going to talk about one of the features of the ES6 version(ECMAScript 2015) of JavaScript which is Spread operator as well as Rest operator. These features…

Javascript: what are callbacks and how to use them.

Today we are going to learn about a concept that is widely used in javascript and that is used quite a lot by today's frameworks, libraries, especially NodeJS. This is…

HTTP Cookies: how they work and how to use them

Today we are going to write about the way to store data in a browser, why websites use cookies and how they work in detail. Continue reading to find out how…

The package managers npm and yarn: main differences

Npm and yarn are package managers that help to manage a project’s dependencies. A dependency is, as it sounds, something that a project depends on, a piece of code that…

The Javascript asign() method to merge and clone objects

In this article, we will be covering Object.assign()method in javascript in detail with examples. A javascript object is a collection of key-value pairs. Keys are also known as properties of object. Keys…

All the javascript functions and methods to manipulate arrays

This article will show that the prominent JavaScript array functions are .map(), .filter(), and .reduce(), and will then go through examples of instances in which .every() and .some() would save…

TypeScript: The evolution of JavaScript

When you're involved in the development of a large project, programming languages like JavaScript don't seem to be the best solution. Their lack of elements such as Language Aids has…

Awesome JavaScript Games and Js Software to create Games

Best sites js13kGames 2019 - Highlights from the js13kGames 2019 competition. js13kGames 2018 - 13 Games in ≤ 13kB of JavaScript. js13kGames 2017 - Build a game in 13kB or less with js13kGames. Adventure Triangle:…

Is JavaScript good for machine learning?

One of the things you always hear when you are talking to someone related to the M.L. world is that, one must learn Python because the vast majority of the…

First steps into JavaScript – a practical guide 3

After we learned the basic ofaccessing DOM elementsandhow to modify them,we are ready for the more exciting parts – handling DOM events. This allows us to make our web way more…

JavaScript: Promises explained with simple real life examples

Handling asynchronous data flows is complex, who hasn't faced codes like this one?: checkWeather('palma de mallorca', (error, weather) => { if (error) throw error; if (weather === 'well') { return checkFlights('palma…

We use our own and third-party cookies to improve our services, compile statistical information and analyze your browsing habits. This allows us to personalize the content we offer and to show you advertising related to your preferences. By clicking on "Understood" YOU AGREE TO THE USE OF THESE COOKIES. You can also SET OR DISCONTINUE the installation of cookies by clicking on "Settings" or "Reject".

Understood Reject Settings More Info