How did the shell get on the server?
Hello.
We got a shell on the server, which connected some file to all index.php files. The site is made on Bitrix, and the connected file was in the upload folder.
I'm assuming that the file was just uploaded by a simple form.
php_flag engine 0
AddType "text/html" .php .cgi .pl .fcgi .fpl .phtml .shtml .php2 .php3 .php4 .php5 .asp .jsp
You are guessing wrong. Most likely:
1) Picked up the password for FTP
2) Picked up the password for SSH
3) Picked up the password for the admin panel
4) Uploaded the file to the folder for uploading pictures, for example
Use auditd to know where the shell came from and who is modifying files. Keep audit logs as long as possible.
In this situation, in order to find out where the shell came from, you will most likely have to guess on the coffee grounds and search the web server logs by the date the shell file was modified.
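The log search described in the last answer, as an added example that is not part of any answer above: it pulls write-type requests from an access log that fall within a few minutes of the shell file's modification time. The combined log format, the sample lines, the paths and the timestamp are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed combined log format: ip - user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def requests_near(log_lines, mtime, window=timedelta(minutes=5),
                  methods=("POST", "PUT")):
    """Return (hits, skipped): write-type requests within `window` of `mtime`.

    `mtime` must be timezone-aware, e.g.
    datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc).
    mtime can be reset with touch, so repeat the search with st_ctime.
    Lines that do not parse are counted, not dropped silently: they
    deserve a manual look.
    """
    hits, skipped = [], 0
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] in methods and abs(ts - mtime) <= window:
            hits.append((ts, m["ip"], m["method"], m["path"], int(m["status"])))
    return sorted(hits), skipped

# Constructed sample data (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2021:03:14:02 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2021:03:15:40 +0300] "POST /form/upload.php HTTP/1.1" 200 312 "-" "curl/7.68.0"',
    '203.0.113.7 - - [12/Mar/2021:03:15:55 +0300] "GET /upload/tmp/a.php HTTP/1.1" 200 17 "-" "curl/7.68.0"',
    '198.51.100.4 - - [12/Mar/2021:09:00:00 +0300] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'truncated or malformed line',
]
# Constructed mtime of the shell file, in UTC (the log above is +0300).
SAMPLE_MTIME = datetime(2021, 3, 12, 0, 15, 41, tzinfo=timezone.utc)

if __name__ == "__main__":
    hits, skipped = requests_near(SAMPLE_LOG, SAMPLE_MTIME)
    for ts, ip, method, path, status in hits:
        print(ts.isoformat(), ip, method, path, status)
    print("unparsed lines:", skipped)
```

If the window returns nothing, the file probably did not arrive over HTTP, and the FTP and SSH logs for the same time span are the next place to look.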