Archives

Scan your server for PHP malware with findcrack0r.pl

The tool that we will present here is a regex-based PHP malware scanner (written in Perl). It will scan your server for PHP malicious files. In addition to cxs and maldet (links at the end of this post), this tool is very useful for ensuring your server security.

1. So, first of all, download the latest script version from https://repo.coydogsoftware.net/coydog/rxtools/blob/master/findcrack0r.pl and save it to your server.

2. Now, that you saved the script to your server, just run it with:

perl findcrack0r.pl -po /home -t $(date +%Y-%m-%d)

The command we use will scan the /home directory (including all subdirectories) only for *.php file. The script will create a directory with the current date in /home/root/support/ (like /home/root/support/2018-07-18). In this directory, the script will create two files – one for suspicious malware PHP files, the other one for the symlinks founded:

root@www [~/support/2018-07-18]# ls
./  ../  scan-20180718234534.txt  symlinks-20180718234534.txt
root@www [~/support/2018-07-18]#

 

You should adjust the command line per your needs. See below the script’s input options. You might also need to enter the full Perl path.

 

root@www [/]# perl findcrack0r.pl -h
Usage:
  -t    ticket number for output dir
  -a  account list, comma-delimited. Will search only public_html
  -b     Number of bytes per file to scan. Default is 500000
  -p    restrict searches to *.php (faster but may miss stuff)
  -S    Skip checking symlinks
  -d    grep for defacements
  -o    other directories to search, independently of -a docroots. May be needed for addon/subdomains
  -u    user homedir prefix (default /home)
  -D    Debug mode. Output a more detailed log which identifies signature matches.
  -N    Show files which do NOT match on stderr (debug feature only)
  -e       exclude files wth names ending in . Workaround if scan hangs on js
  -r    regex debugging
  -c    use cache
  -q    quiet
  -h    print this help message and quit
root@www [/]#
Please notice that the script will report many ionCube PHP encrypted files. Double-check them (and all other files) before taking any action, as they might be legit files. Make backups before deleting any files!
 
 
The script file as of July 19, 2018 – just for information –  findcrack0r.txt – download the latest version from the developer site!
 

Other security tools for your server:
https://configserver.com/cp/cxs.html
https://www.rfxn.com/projects/linux-malware-detect/

Related post: Disable dangerous PHP functions on your web hosting server

Share this post:

Secure SSH with Google Authenticator Two-Factor Authentication on CentOS

It’s a good idea to secure the SSH login with a two-factor authentication method. We will show in this article how to secure SSH with Google Authenticator.

Steps:

  1. Install the Google Authenticator from Google Play
    google authenticator 1

     

  2. Install the Google Authenticator module:
    [root@cwp1 ~]# yum install google-authenticator
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: mirror.sesp.northwestern.edu
     * epel: mirror.beyondhosting.net
     * extras: bay.uchicago.edu
     * updates: mirror.math.princeton.edu
    Resolving Dependencies
    --> Running transaction check
    ---> Package google-authenticator.x86_64 0:1.04-1.el7 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ========================================================================================================================
     Package                               Arch                    Version                      Repository             Size
    ========================================================================================================================
    Installing:
     google-authenticator                  x86_64                  1.04-1.el7                   epel                   48 k
    
    Transaction Summary
    ========================================================================================================================
    Install  1 Package
    
    Total download size: 48 k
    Installed size: 97 k
    Is this ok [y/d/N]: y
    Downloading packages:
    google-authenticator-1.04-1.el7.x86_64.rpm                                                       |  48 kB  00:00:00
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : google-authenticator-1.04-1.el7.x86_64                                                               1/1
      Verifying  : google-authenticator-1.04-1.el7.x86_64                                                               1/1
    
    Installed:
      google-authenticator.x86_64 0:1.04-1.el7
    
    Complete!
    [root@cwp1 ~]#
    

     

  3. To configure the google-authenticator module use the google-authenticator command. Read the questions and ask according to your needs:
    [root@cwp1 ~]# google-authenticator
    
    Do you want authentication tokens to be time-based (y/n) y
    Warning: pasting the following URL into your browser exposes the OTP secret to Google:
      https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@cwp1%3Fsecret%3DC5ZIEY5TTOX3UNJXESKISMF2GQ%26issuer%3Dcwp1
    ssh qr code
    Your new secret key is: C5ZIEY5TTOX3UNJXESKISMF2GQ
    Your verification code is 604902
    Your emergency scratch codes are:
      92416476
      84187850
      96774355
      80714386
      19340003
    
    Do you want me to update your "/root/.google_authenticator" file? (y/n) y
    
    Do you want to disallow multiple uses of the same authentication
    token? This restricts you to one login about every 30s, but it increases
    your chances to notice or even prevent man-in-the-middle attacks (y/n) y
    
    By default, a new token is generated every 30 seconds by the mobile app.
    In order to compensate for possible time-skew between the client and the server,
    we allow an extra token before and after the current time. This allows for a
    time skew of up to 30 seconds between authentication server and client. If you
    experience problems with poor time synchronization, you can increase the window
    from its default size of 3 permitted codes (one previous code, the current
    code, the next code) to 17 permitted codes (the 8 previous codes, the current
    code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
    between client and server.
    Do you want to do so? (y/n) n
    
    If the computer that you are logging into isn't hardened against brute-force
    login attempts, you can enable rate-limiting for the authentication module.
    By default, this limits attackers to no more than 3 login attempts every 30s.
    Do you want to enable rate-limiting? (y/n) y
    [root@cwp1 ~]#
    

     

  4. Scan the QR code with the Google Authenticator app from your phone:
    google authenticator 2 
  5. Your root@server-name account will be added to Google Authenticator
    google authenticator 3 
  6. Now let’s configure PAM. Edit the file /etc/pam.d/sshd
    [root@cwp1 ~]# nano /etc/pam.d/sshd
    

    And add the line:

    auth required pam_google_authenticator.so
    

    So the top of the file looks like:

    #%PAM-1.0
    auth required pam_google_authenticator.so
    auth       required     pam_sepermit.so
    auth       substack     password-auth
    auth       include      postlogin
    

     

  7. Now we must instruct OpenSSH to permit two-factor authentications. Open the file /etc/ssh/sshd_config :
    [root@cwp1 ~]# nano /etc/ssh/sshd_config
    

    Add the line (or comment out the line if it already exists):

    ChallengeResponseAuthentication yes

     

  8. Restart the sshd server:
    [root@cwp1 ~]# service sshd restart
    Redirecting to /bin/systemctl restart  sshd.service
    [root@cwp1 ~]#
    
    Do NOT close the current SSH connection. Open another SSH connection and check if you are able to connect with the two-factor authentication. If you can’t connect, investigate the cause by checking the SSH log file – /var/log/secure . If you can’t fix the issue, undo the actions from 6.(editing the file /etc/pam.d/sshd) and 7.(editing the file /etc/ssh/sshd_config) to be able to connect only with the password.
  9. Everything is set up at this moment. On the next logins, the system will ask for the verification code.

Related KB articles:
How to install nano editor with yum
Change the default SSH server port number

Share this post:

How to remove IP address from mail blacklists

We will discuss in this post how to submit IPs reconsideration requests to most used email services like Gmail, AOL, Yahoo and Microsft(MSN, Outlook). Usually, you will find out that your IP is blocked by an email provider when your users are not able to send emails to that provider.

Many persons recommend searching on MXToolBox to see if your IP is blocked or no. The result is not fully relevant, as major email service providers are not in the MXToolBox list.
There is no guarantee if and when your IP(s) will be removed from blacklists.

 

1. Yahoo.

The main URL to start with is https://help.yahoo.com/kb/postmaster/ . You will find many information on Yahoo SMTP error codes and their reasons, Yahoo Complaint Feedback Loop program etc.

ip review yahoo

To submit your IP for review: https://help.yahoo.com/contact/postmaster/newsenderapp Notice that you must have a Yahoo.com account.

2. AOL.

Postmaster help page is located at https://postmaster.info.aol.com/

To submit an IP review visit https://postmaster.info.aol.com/trouble-ticket

ip review aol

3. Microsoft (MSN/Outlook/Live/Hotmail).

Postmaster troubleshooting is available at https://postmaster.live.com/pm/troubleshooting.aspx

You can report a delivery issue at http://go.microsoft.com/fwlink/?LinkID=614866

ip review microsoft

We also recommend you to register to Outlook.com Smart Network Data Services (you need to have a Microsoft account). This is very useful to monitor SPAM complaints. When an MSN/Live/Outlook/Hotmail user marks a message sent from one of your IPs as SPAM, you will receive a copy of the message.

Also, you will see stats for your IPs:

ip review snds

4.Gmail.

Google uses a simple form to report “a delivery between your domain and Google”: https://support.google.com/mail/contact/msgdelivery

ip review google

You should investigate the cause that lead to your IP beeing on a blacklist. Check email server logs to see who is sending SPAM emails.
Share this post:

Can I delete files in /var/log/journal?

In the directory /var/log/journal/ are kept the log files created by the journal service (systemd).
Sometimes, this directory can have a large size. You can check with the du command or by using the journalctl –disk-usage command as:

root@web [~]# journalctl --disk-usage
Archived and active journals take up 934.1M on disk.
root@web [~]#
journalctl is a utility that allows querying the contents of the systemd journal

Info for the argument used above:

–disk-usage
Shows the current disk usage of all journal files. This shows the sum of the disk usage of all archived and active journal files.

It’s ok to clear a little these files if you don’t need the log data. You can just delete the files, but the best method is to use the journalctl utility as:

journalctl --vacuum-size=200M

If you see the size of the directory /var/log/journal is still large, change the value 200M to 100M etc.

Info for this argument:

–vacuum-size=, –vacuum-time=, –vacuum-files= Removes archived journal files until the disk space they use falls below the specified size (specified with the usual “K”, “M”, “G” and “T” suffixes), or all archived journal files contain no data older than the specified timespan (specified with the usual “s”, “m”, “h”, “days”, “months”, “weeks” and “years” suffixes), or no more than the specified number of separate journal files remain.

For more journalctl information, check the manual with the man journalctl command.

Related KB article: How to get the size of a directory in Linux

Share this post:

Not all files showing in FTP client

You have a lot of files (thousands or millions) in a directory and your FTP client do not show all of them? Find out that the issue has nothing to do with your FTP client.
The FTP server is the one that decides how many files to show.

For example for pure-ftp (a very popular FTP server for cPanel servers) the limit is 10000. You can modify this value anytime according to your needs by editing the file /etc/pure-ftpd.conf and set the maximum number of files to be displayed:

# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth

LimitRecursion 10000 8

Don’t forget to restart the FTP server (in our case for pure-ftp server):

root@web [~]# service pure-ftpd restart
If you want to see more files in the FTP client and you don’t have root access, you should contact your host.
Notice that for large number of files, the FTP client will take some time to list all of them.
The number of files you will effectively see is the number in the ftp server configuration-2. In Unix systems all directories contain two special entries . (directory itself) and .. (for parent directory).
Share this post:
Page 1 of 3
1 2 3