Hackers using myshell.php and others to gain access. Need help
OK, here is my dilemma: I do have some resellers, and some of their clients are using scripts like cgishell
or
"MyShell 1.1.0 build 20010923"
or something like these.
Can someone please tell me the Linux command to go through all the .php files in all home dirs and check for a string?
For example, there is a file called user.php (which is in reality a shell script like MyShell) and they are using it to gain shell access to the system (PHP safe mode isn't helping here). Somehow they get shadow or install something as the nobody user, gain root access, and voilà.......
So there is a file in /home/user10/public_html/user.php
However, I do have some strings which are more likely the same, like
$shellUser
$dirLimit = "";
$autoErrorTrap = 1;
$voidCommands = array("top","xterm","su","vi","pico","netscape");
$TexEd = "pico";
$editWrap ="wrap='OFF'";
or
Header('WWW-Authenticate: Basic realm="MyShell"');
This is part of a script.......
So I can trace those,
just like it detects spam stuff and cPanel sends you email.
Is there a way or a command which will tell me, or can I run a cron every now and then and see who is using shell scripts, etc.?
Can someone please write me a command like that, or is there any way to add it into cPanel so cPanel can track it also?
Thanks
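
One way to do the scan asked for above, as an added example that is not part of the original post: a POSIX shell script that searches every .php file under a root directory for the MyShell strings quoted in the post and prints the match count, file owner and path. The function names, the script name and the default threshold of 2 matches are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Signatures are the literal strings quoted in the post. They are matched
# with grep -F so "$" and quotes are plain text, not regex syntax.
signatures() {
cat <<'EOF'
$shellUser
$dirLimit
$autoErrorTrap
$voidCommands
$TexEd
$editWrap
realm="MyShell"
MyShell 1.1.0
EOF
}

# count_hits FILE: print how many distinct signatures occur in FILE.
count_hits() {
  signatures | {
    n=0
    while IFS= read -r sig; do
      if grep -qF -e "$sig" -- "$1"; then n=$((n + 1)); fi
    done
    echo "$n"
  }
}

# scan_php_shells ROOT [MIN_HITS]
# Print "hits owner path" for every *.php file under ROOT that contains at
# least MIN_HITS signatures (default 2, an assumed threshold to cut noise).
# File names containing newlines are not handled.
scan_php_shells() {
  find "$1" -type f -name '*.php' -print 2>/dev/null |
  while IFS= read -r f; do
    hits=$(count_hits "$f")
    if [ "$hits" -ge "${2:-2}" ]; then
      owner=$(ls -ld -- "$f" | awk '{print $3}')
      printf '%s %s %s\n' "$hits" "$owner" "$f"
    fi
  done
}

# Run as a script (hypothetical name): ./scan.sh /home 2
if [ "$#" -gt 0 ]; then scan_php_shells "$@"; fi
```

From cron, point it at /home and mail the output only when it is non-empty. Renamed or edited copies of the script can drop these strings, so a clean run means these signatures are absent, not that no web shell is present.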