cPanel security: scanning for usage or upload of the c99 shell script (or other scripts)

Sometimes users upload stuff to your server or use scripts you don’t want used. To detect them fast, I wrote this script.


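#!/usr/bin/perl

use Digest::Perl::MD5 'md5_hex';

chdir('/root/');
# State file: one MD5 hash per log line that has already been reported.
`touch ./scanned` if not -f "./scanned";

# Load the hashes of the lines reported on earlier runs.
%h = ();
open(F, "scanned") or die "Cannot open scanned: $!";
while(<F>) {
    chomp;
    $h{$_} = 1;
}
close F;

# Search every per-domain access log for the c99 shell signature.
@x = `cd /etc/httpd/domlogs/; grep c99me *`;
open(F, ">>scanned") or die "Cannot append to scanned: $!";
$s = "";
foreach(@x) {
    chomp;
    $m = md5_hex($_);
    next if $h{$m};     # this line was already reported
    print F "$m\n";     # remember it for the next run
    $s.=$_."\n";
}
close F;

# Send a mail only when there are new matches.
if ($s) {
    $sendmail = "/usr/sbin/sendmail -t";
    open(SENDMAIL, "|$sendmail") or die "Cannot open $sendmail: $!";
    # The @ is escaped so Perl does not interpolate it as an array.
    print SENDMAIL "Reply-to: root\@myserver.org\n";
    print SENDMAIL "Subject: Found some illegal stuff on server\n";
    print SENDMAIL "To: alerts\@somewhere.com\n";
    print SENDMAIL "Content-type: text/plain\n\n";
    print SENDMAIL $s;
    close(SENDMAIL);
}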
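
For the "or other scripts" case, the same idea can be extended to a list of signatures and to a report that separates requests that were served from mere probes. This is an added example, not part of the original script: it uses the core Digest::MD5 module instead of Digest::Perl::MD5, the second signature is a hypothetical placeholder, and the log lines are constructed samples in the `file:line` form that `grep pattern *` prints for combined-format logs.

```perl
#!/usr/bin/perl
# Added example: match several signatures against access-log lines and
# report each new hit once, with the fields needed to follow it up.
use strict;
use warnings;
use Digest::MD5 'md5_hex';   # core module, swapped in for Digest::Perl::MD5

# 'c99me' is the string the script above greps for; the second entry is
# a hypothetical placeholder for your own list of unwanted scripts.
my @signatures = ('c99me', 'example-unwanted-script.php');
my $sig_re = join '|', map { quotemeta } @signatures;

# Constructed sample input ("domlog:line", combined log format).
my @lines = (
  'example.org:203.0.113.7 - - [10/Oct/2010:13:55:36 +0200] "GET /up/c99me.php?act=ls HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  'example.org:203.0.113.7 - - [10/Oct/2010:13:55:36 +0200] "GET /up/c99me.php?act=ls HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  'example.net:198.51.100.9 - - [10/Oct/2010:14:02:11 +0200] "GET /index.php HTTP/1.1" 200 812 "http://example.net/?q=c99me" "Mozilla/5.0"',
  'example.net:198.51.100.9 - - [10/Oct/2010:14:03:40 +0200] "POST /tmp/example-unwanted-script.php HTTP/1.1" 404 210 "-" "curl/7.19"',
);

my %seen;     # the script above keeps this state in /root/scanned
my @report;

for my $line (@lines) {
    # Parse the line so that only the request path is matched; a signature
    # that appears only in the referer or user agent is not reported.
    my ($domlog, $client, $when, $method, $path, $status) = $line =~
        m{^([^:]+):(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) }
        or next;
    my ($sig) = $path =~ /($sig_re)/i or next;
    next if $seen{ md5_hex($line) }++;      # report each log line once

    # A 2xx status means the request was answered successfully, so the
    # file is on the server; anything else is treated as a probe.
    my $kind = $status =~ /^2/ ? 'SERVED' : 'probe';
    push @report,
        "$kind sig=$sig domlog=$domlog client=$client [$when] $method $path -> $status";
}

print "$_\n" for @report;
```

The domlog name in each report line identifies the cPanel account to check, and a SERVED hit is the one that needs the file located and removed.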
