How to detect r57 and c99 Shells in your server

How to detect r57 and c99 Shells in your server
by Janeth Kent Date: 26-07-2013 shell script c99 r57 malware hacking

When malicious intruders compromise a web server, there's an excellent chance a famous Russian PHP script, r57shell, will follow. The r57 and C99 shell PHP script gives the intruder a number of capabilities, including, but not limited to: downloading files, uploading files, creating backdoors, setting up a spam relay, forging email, bouncing a connection to decrease the risk of being caught, and even taking control of SQL databases. All these functions become readily available through an easy to use web interface, but now you can fight back.

First, make sure you execute updatedb so find has an up to date image to search:

find /var/www/  -name "*".php  -type f -print0  | xargs -0 grep r57 | uniq -c  | sort -u  | cut -d":" -f1  | awk '{print "rm -rf " $2}' | uniq

You can also search regular text (.txt) files:

find /var/www/  -name "*".txt  -type f -print0  | xargs -0 grep r57 | uniq -c  | sort -u  | cut -d":" -f1  | awk '{print "rm -rf " $2}' | uniq

Or even cleverly disguised GIF image files:

find /var/www/  -name "*".gif  -type f -print0  | xargs -0 grep r57 | uniq -c  | sort -u  | cut -d":" -f1  | awk '{print "rm -rf " $2}' | uniq

The command might appear scary, or even malicious to an inexperienced Linux admin, but here's the break down.

find /var/www/

find is a must know command when dealing with Linux. Find is what's used to perform command line file searches. The path /var/www is the directory find will search, in addition to all directories contained within www, but nothing above. For example, /var/mail is not searched. If your publicly accessible files are not contained in /var/www, then you'll obviously need to replace /var/www with the correct path.

-name "*".php  -type f -print0

This portion of the command tells find to search file names (not directories) ending in .php. Anything else is ignored.

| xargs -0 grep r57

The pipe symbol ( | ) tells Linux to take the results of the first command (the PHP files we searched for), and pass them along to the second command, xargs. At this point, all located files are searched for any mention of r57, not just the file names, but the actual content within the files.

| uniq -c  | sort -u

uniq will prevent duplicate results from displaying. The command is smart enough to know when multiple instances are found in a single file, resulting in a single mention instead of potentially hundreds, flooding your console with repeated messages. The -c parameter tells uniq to count the number of consecutive lines that were combined. sort will take the unordered results, and display them in some type of orderly fashion.

| cut -d":" -f1

cut will prevent the line of code that contains r57 from showing up in the results. The output is just a simple mention of the filename or names, and how many occurrences. There's no need to display the actual code if your intentions are to remove the malicious files.

| awk '{print "rm -rf " $2}'

awk, a programming language in itself, is a very powerful command with many beneficial uses. In this command, awk is instructed to print rm -rf with the file path and file name appended. Here's an example output:

rm -rf /var/www/users/

rm -rf is used to delete files without asking questions. The, "are you sure you want to delete ..." is skipped, so be careful when using the -rf switch, it's very destructive if used without care. Notice the print portion - this means the command is only printed, not carried out.

Another popular tool is the c99shell, which I also recommend searching for. Just change three characters:

find /var/www/  -name "*".php  -type f -print0  | xargs -0 grep c99 | uniq -c  | sort -u  | cut -d":" -f1  | awk '{print "rm -rf " $2}' | uniq

Once you've confirmed all the found files are malicious, you can easily dumb the results into a file, make the file executable, and delete the plague in one shot instead of manually deleting individual files one by one.

by Janeth Kent Date: 26-07-2013 shell script c99 r57 malware hacking hits : 16684  
Janeth Kent

Janeth Kent

Licenciada en Bellas Artes y programadora por pasión. Cuando tengo un rato retoco fotos, edito vídeos y diseño cosas. El resto del tiempo escribo en MA-NO WEB DESIGN AND DEVELOPMENT.


Related Posts

How to upload files to the server using JavaScript

In this tutorial we are going to see how you can upload files to a server using Node.js using JavaScript, which is very common. For example, you might want to…

How to combine multiple objects in JavaScript

In JavaScript you can merge multiple objects in a variety of ways. The most commonly used methods are the spread operator ... and the Object.assign() function.   How to copy objects with…

The Payment Request API: Revolutionizing Online Payments (Part 2)

In the first part of this series, we explored the fundamentals of the Payment Request API and how it simplifies the payment experience. Now, let's delve deeper into advanced features…

The Payment Request API: Revolutionizing Online Payments (Part 1)

The Payment Request API has emerged as the new standard for online payments, transforming the way transactions are conducted on the internet. In this two-part series, we will delve into…

Let's create a Color Picker from scratch with HTML5 Canvas, Javascript and CSS3

HTML5 Canvas is a technology that allows developers to generate real-time graphics and animations using JavaScript. It provides a blank canvas on which graphical elements, such as lines, shapes, images…

How do you stop JavaScript execution for a while: sleep()

A sleep()function is a function that allows you to stop the execution of code for a certain amount of time. Using a function similar to this can be interesting for…

Mastering array sorting in JavaScript: a guide to the sort() function

In this article, I will explain the usage and potential of the sort() function in JavaScript.   What does the sort() function do?   The sort() function allows you to sort the elements of…

Infinite scrolling with native JavaScript using the Fetch API

I have long wanted to talk about how infinite scroll functionality can be implemented in a list of items that might be on any Web page. Infinite scroll is a technique…

Sorting elements with SortableJS and storing them in localStorage

SortableJS is a JavaScript extension that you will be able to use in your developments to offer your users the possibility to drag and drop elements in order to change…

What is a JWT token and how does it work?

JWT tokens are a standard used to create application access tokens, enabling user authentication in web applications. Specifically, it follows the RFC 7519 standard. What is a JWT token A JWT token…

Template Literals in JavaScript

Template literals, also known as template literals, appeared in JavaScript in its ES6 version, providing a new method of declaring strings using inverted quotes, offering several new and improved possibilities. About…

How to use the endsWith method in JavaScript

In this short tutorial, we are going to see what the endsWith method, introduced in JavaScript ES6, is and how it is used with strings in JavaScript. The endsWith method is…