Selamlar geçenlerde birisi sunucumdaki arkadaşının hostuna shell atmış benim db bilgilerimi felan verdi bende shelli buldum echoll.php idi içini açtım kodlanmış birşeyler vardı o accaunt u komple sildim. sonra mod secretiy kurdum kurulumu sanırım düzgün bitirdi httpd.conf u bu hale getirdim:
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
ServerRoot "/etc/httpd"
Listen 80
#LoadModule dummy_module /usr/lib/apache/mod_dummy.so
LoadModule php5_module /usr/lib/apache/libphp5.so
LoadModule flvx_module /usr/lib/apache/mod_flvx.so
Include /etc/httpd/conf/extra/httpd-phpmodules.conf
#LoadModule deflate_module modules/mod_deflate.so
LoadModule security_module /usr/lib/apache/mod_security.so
#Bu bölümde yaptığımız adres bazlı engelleme. Yani eğer tarayıcıda adres satırında aşağıdakiler geçiyorsa kişinin o sayfayı açmasını engelliyoruz.
SecFilterSelective THE_REQUEST "act=cmd"
SecFilterSelective THE_REQUEST "act=tools"
SecFilterSelective THE_REQUEST "act=gof"
SecFilterSelective THE_REQUEST "act=ls"
SecFilterSelective THE_REQUEST "act=mk"
SecFilterSelective THE_REQUEST "act=f&"
SecFilterSelective THE_REQUEST "r57"
SecFilterSelective THE_REQUEST "c99"
#Bu bölümde yaptığımızda dizin bazlı engelleme. Aşağıdaki klasörleri web(apache) üzerinden görüntülemeye kapatıyoruz.
SecFilter /boot/
SecFilter /dev/
SecFilter /etc/
SecFilter /initrd/
SecFilter /lib/
SecFilter /lost+found/
SecFilter /mnt/
SecFilter /proc/
SecFilter /root/
SecFilter /sbin/
SecFilter /tmp/
SecFilter /usr/
SecFilter /usr/local/apache/
SecFilter /usr/local/mysql/
SecFilter /var/
User apache
Group apache
ServerAdmin admin@localhost
DocumentRoot "/var/www/html"
<Directory /home/*>
AllowOverride All
Options -MultiViews -Indexes FollowSymlinks IncludesNoExec +Includes
<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS PROPFIND>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
<Directory />
Options All
AllowOverride All
</Directory>
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
<IfModule mod_suphp.c>
suPHP_Engine On
suPHP_UserGroup webapps webapps
</IfModule>
</Directory>
<IfModule dir_module>
DirectoryIndex index.html index.htm index.shtml index.php index.php5 index.php4 index.php3 index.phtml index.cgi
</IfModule>
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
ErrorLog /var/log/httpd/error_log
LogLevel warn
<IfModule log_config_module>
#replace %b with %O for more accurate logging
<IfModule mod_logio.c>
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%O" bytes
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog /var/log/httpd/access_log common
</IfModule>
<IfModule alias_module>
# Include some DirectAdmin alias
Include conf/extra/httpd-alias.conf
</IfModule>
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
DefaultType text/plain
<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-gzip .tgz
AddEncoding x-compress .Z
AddEncoding x-gzip .gz .tgz
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-shockwave-flash .swf
AddHandler cgi-script .cgi .pl .pm
AddHandler type-map var
AddHandler flv-stream .flv
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
AddType video/x-ms-asf .avi
AddType video/mpeg .mpg
AddType video/mpeg .mpeg
AddType video/quicktime .mov
AddType video/x-ms-wmv .wmv
AddType video/x-flv .flv
AddType video/x-ms-flv .flv
AddType video/flv .flv
AddType application/octet-stream .mov .mp3 .flv
</IfModule>
#EnableMMAP off
#EnableSendfile off
#######################################################################################
# Do not change anything in included files, because they are rewritten by DirectAdmin #
#######################################################################################
# This is needed for PHP
Include conf/extra/httpd-php-handlers.conf
# Server-pool management (MPM specific)
Include conf/extra/httpd-mpm.conf
# Multi-language error messages
Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
Include conf/extra/httpd-autoindex.conf
# Language settings
Include conf/extra/httpd-languages.conf
# User home directories
#Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
Include conf/extra/httpd-info.conf
# Virtual hosts
Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
Include conf/extra/httpd-dav.conf
# Various default settings
Include conf/extra/httpd-default.conf
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
# Deflate module settings
Include conf/extra/httpd-deflate.conf
# All the DirectAdmin vhosts
Include conf/extra/directadmin-vhosts.conf
# All suPHP directives
Include conf/extra/httpd-suphp.conf
# All the other includes needed by the custombuild script
Include conf/extra/httpd-includes.conf
#######################################################################################
# End of included files that are rewritten by DirectAdmin #
#######################################################################################
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
# Alias for RoundCube webmail
#Alias /roundcube /var/www/html/roundcube/
<FilesMatch "\.(flv|gif|jpg|jpeg|png|ico)$">
Header set Cache-Control "max-age=2592000"
</FilesMatch>
<FilesMatch "\.(js|css|pdf|swf)$">
Header set Cache-Control "max-age=604800"
</FilesMatch>
<FilesMatch "\.(html|htm|txt)$">
Header set Cache-Control "max-age=600"
</FilesMatch>
<FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
Header unset Cache-Control
</FilesMatch>sonra BitDefender-Console-Antivirus-7.0.1-3.linux-gcc29x.i586.rpm programını kurdum ve çıkan sonuç:
[root@shellciyiz ~]# bdc --files /home
BDC/Linux-Console v7.0 (build 2492) (i386) (Dec 11 2003 13:24:00)
Copyright (C) 1996-2003 SOFTWIN SRL. All rights reserved.
/home/clas/domains/kankilerim.com/public_html/Kankilerim.exe infected: Win32.Parite.B
/home/clas/domains/kankilerim.com/public_html/Kankilerim1.exe infected: Win32.Parite.B
/home/apoftp/domains/asksokagim.net/public_html/tumyedeklerrr/SaGoPa_KaJMeR/NoMercy.exe infected: Win32.Parite.B
/home/apoftp/domains/asksokagim.net/public_html/tumyedeklerrr/Kankilerim.exe infected: Win32.Parite.B
/home/apoftp/domains/asksokagim.net/public_html/tumyedeklerrr/pti800/PTI800.exe infected: Win32.Parite.B
/home/apoftp/domains/asksokagim.net/public_html/tumyedeklerrr/nomercy/nomercy/mirc.exe infected: Win32.Parite.B
Results:
Folders :19073
Files :112887
Packed :8031
Infected files :6
Suspect files :0
Warnings :0
Identified viruses:1
I/O errors :0
Files/second :69
Scan time :00:27:07
[root@shellciyiz ~]#
bu irc müşterisi sonırım mirc script inde trojan var ama win makina içindir shell olduğunu sanmıyorum sizce şuan makinama shell atabilirlermi? extra olarak birşeyler yapmama gerek var mı?
