Guardian: guard the system

    “Once, in the cold winter season,
    We uploaded a mountain to the backdoor server ...”

    Sysadmin folklore



    In short, one day a PHP shell was discovered on one of our servers, through which malicious hackers had defaced a good man’s good diary™.
    Two hours of digging through the Apache logs turned up the hole through which the shell had been uploaded.
    The hole was patched, the diary was brought back to life from backups, and we sat down to think.

    After the third bottle of beer the idea came up: “Why not catch system calls from PHP scripts?”
    The point is that most PHP shells use, one way or another, the functions exec(), system(), shell_exec() or passthru(). So calls to these functions can be intercepted and quietly recorded in a log: such-and-such a script, on such-and-such a line, called exec() with the argument "rm -rf /".
    No sooner said than done. The good man kastigar was handed the spec, and the work began to boil.
    I’m not going to go into the intricacies of the Zend Engine, but in the end an extension for PHP4/PHP5 was born under the code name BAXTEP.
    Initially we did not plan to publish the code, since everything was written “for ourselves” and was not tested end to end, but the open-source spirit took its toll, and the sources were posted on GoogleCode.

    Building and installing:

    The extension supports PHP versions 4 and 5.

    Requirements:

    - packages for developing PHP4 / PHP5 (php4-dev, php5-dev)
    - gcc
    - subversion

    We take the sources:

    svn checkout http://baxtep.googlecode.com/svn/trunk/ baxtep


    We build:

    cd baxtep
    phpize
    ./configure
    make

    After building, take baxtep.so from the ./modules/ directory, put it in extension_dir, and add approximately the following lines to php.ini:

    ;;;;;;;;;;
    ; BAXTEP ;
    ;;;;;;;;;;
    ; Load extension
    extension=baxtep.so

    ; Absolute path to logfile. File must exist and have write access for php
    baxtep.logfile = "/tmp/baxtep_messages"

    You need to create the log file yourself. In addition, PHP scripts must have sufficient rights to write to this file:

    touch /tmp/baxtep_messages
    chmod 777 /tmp/baxtep_messages

    That’s it: restart Apache, write a test script and watch the log. There will be something like this:

    2009-03-13 07:59:05 BAXTEP: system CMDLINE: `pwd` FILE: /var/www/html/test.php on line 5 URI: /test.php

    Format:

    YYYY-MM-DD HH:MM:SS BAXTEP: <function> CMDLINE: <command> FILE: <full path to the file on the FS> on line N URI: <the REQUEST_URI itself>

    UPD: l0rda has built packages for CentOS 5 (i386 and x86_64); you can download them here: rpm.l0rda.biz/CentOS/5/RPMS/i386 , key: rpm.l0rda.biz/L0RDA-KEY
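    As an added example (not part of the post or of the BAXTEP project), a small Python triage script that parses this log format and flags records that look like a web shell: a caller outside a known list, or a command whose text shows up in the request’s query string. The KNOWN_CALLERS set and all sample entries except the post’s own line are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# One BAXTEP record, as the post documents it:
# YYYY-MM-DD HH:MM:SS BAXTEP: <function> CMDLINE: <command> FILE: <path> on line N URI: <REQUEST_URI>
# The extension does not escape fields, so a command containing ' FILE: ' is
# ambiguous; the greedy cmd group takes the last ' FILE: ' that leaves a valid tail.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BAXTEP: (?P<func>\w+) "
    r"CMDLINE: (?P<cmd>.*) FILE: (?P<file>.+?) on line (?P<line>\d+) URI: (?P<uri>.*)$"
)

# Scripts that legitimately shell out; an assumption made up for this example.
KNOWN_CALLERS = {"/var/www/html/cron/thumbs.php"}

def parse_line(line):
    """Return the record's fields as a dict, or None if the line is not a BAXTEP record."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def suspicious(ev):
    """List the reasons an event looks like a web shell; an empty list means none."""
    reasons = []
    if ev["file"] not in KNOWN_CALLERS:
        reasons.append("unexpected caller")
    # The command text appearing in the query string means the client supplied it.
    query = unquote_plus(ev["uri"].partition("?")[2])
    if ev["cmd"] and ev["cmd"] in query:
        reasons.append("command taken from request parameter")
    return reasons

def triage(lines):
    """Map each calling script to its flagged (command, reasons) pairs."""
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev and (reasons := suspicious(ev)):
            flagged.setdefault(ev["file"], []).append((ev["cmd"], reasons))
    return flagged

# Constructed sample log: the post's own example line plus invented entries.
SAMPLE_LOG = """\
2009-03-13 07:59:05 BAXTEP: system CMDLINE: `pwd` FILE: /var/www/html/test.php on line 5 URI: /test.php
2009-03-13 08:00:00 BAXTEP: exec CMDLINE: convert in.jpg -resize 120x120 out.jpg FILE: /var/www/html/cron/thumbs.php on line 40 URI: /cron/thumbs.php
2009-03-13 08:01:12 BAXTEP: passthru CMDLINE: id FILE: /var/www/html/uploads/img.php on line 2 URI: /uploads/img.php?cmd=id
2009-03-13 08:01:13 BAXTEP: passthru CMDLINE: uname -a FILE: /var/www/html/uploads/img.php on line 2 URI: /uploads/img.php?cmd=uname+-a
not a baxtep line
"""
```

    Because the log is created world-writable (chmod 777 above), the very script being logged can truncate or forge entries; making it writable only by the web server user, or shipping entries off-host, keeps the record trustworthy.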