Guardian: guard the system
“Once, in the cold winter season,
We uploaded a mountain to the backdoor server ...”
Folk admin work
In short: one day a PHP shell was discovered on one of the servers, through which malicious hackers had broken into the good diary™ of a good person.
After two hours of digging through the Apache logs, we found the hole through which the shell had been uploaded.
The hole was patched, the diary was restored from backups, and we sat down to think.
After the third bottle of beer an idea came up: "Why not catch system calls from PHP scripts?"
The point is that most PHP shells, one way or another, use the functions exec(), system(), shell_exec() or passthru(). So calls to these functions can be intercepted and quietly recorded in a log: such-and-such a script, on such-and-such a line, called exec() with the argument "rm -rf /".
No sooner said than done. The good man kastigar was handed the spec, and work began to boil.
I'm not going to go into the intricacies of the Zend Engine, but in the end an extension for PHP4 / PHP5 was born under the code name BAXTEP.
Initially we did not plan to release the code publicly, because it was all written "for ourselves" and was never tested end to end, but the open-source spirit took its toll, and the sources were posted on GoogleCode.
Assembly and installation:

The extension supports PHP versions 4 and 5.

Requirements:
- packages for developing PHP4 / PHP5 (php4-dev, php5-dev)
- gcc
- subversion

We take the sources:

    svn checkout http://baxtep.googlecode.com/svn/trunk/ baxtep

We build:

    cd baxtep
    phpize
    ./configure
    make

After the build, take baxtep.so from the ./modules/ directory, put it in extension_dir, and add approximately the following lines to php.ini:

    ;;;;;;;;;;
    ; BAXTEP ;
    ;;;;;;;;;;
    ; Load extension
    extension=baxtep.so
    ; Absolute path to logfile. File must exist and have write access for php
    baxtep.logfile = "/tmp/baxtep_messages"

You need to create the log file yourself, and PHP scripts must have sufficient rights to write to it:

    touch /tmp/baxtep_messages
    chmod 777 /tmp/baxtep_messages

That's it: restart Apache, write a test script and watch the log. It will contain something like this:

    2009-03-13 07:59:05 BAXTEP: system CMDLINE: `pwd` FILE: /var/www/html/test.php on line 5 URI: /test.php

Format:

    YYYY-MM-DD HH:MM:SS BAXTEP: function CMDLINE: command FILE: full path to the file on the filesystem on line N URI: the REQUEST_URI itself

UPD: l0rda has compiled packages for CentOS 5 (i386 and x86_64); you can download them here: rpm.l0rda.biz/CentOS/5/RPMS/i386 , key: rpm.l0rda.biz/L0RDA-KEY
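To make the log useful for more than eyeballing, here is an added example (my own code, not part of BAXTEP) that parses lines in the format above and reports every shell call made from a script that is not on an allow-list of scripts known to spawn commands. It assumes only the documented format and that the extension wraps the command in backticks as in the sample line; the allow-list path and all log lines except the first are constructed for the example.

```python
"""Parse BAXTEP log lines and flag shell calls from unexpected scripts.

Added example for this page; not part of the BAXTEP extension. Assumes the
documented line format:
  YYYY-MM-DD HH:MM:SS BAXTEP: <function> CMDLINE: <command> FILE: <path> on line <N> URI: <request_uri>
"""
import re
from datetime import datetime

# One regex for the documented line format. CMDLINE is matched non-greedily
# so a command containing spaces still stops at the " FILE: " marker, and
# the path is matched non-greedily up to " on line N URI: ".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) BAXTEP: "
    r"(?P<func>\w+) CMDLINE: (?P<cmd>.*?) "
    r"FILE: (?P<file>.+?) on line (?P<line>\d+) URI: (?P<uri>.*)$"
)

# Sample log, constructed for this example. The first line is the one shown
# on the page; the others are made-up entries in the same format, plus one
# line that is not BAXTEP output at all.
SAMPLE_LOG = """\
2009-03-13 07:59:05 BAXTEP: system CMDLINE: `pwd` FILE: /var/www/html/test.php on line 5 URI: /test.php
2009-03-13 08:02:41 BAXTEP: shell_exec CMDLINE: `ls -la /var/www` FILE: /var/www/html/uploads/avatar.php on line 12 URI: /uploads/avatar.php
not a baxtep line at all
2009-03-13 08:03:10 BAXTEP: exec CMDLINE: `convert in.png out.jpg` FILE: /var/www/html/lib/thumbs.php on line 88 URI: /gallery
"""


def parse_line(line):
    """Return a dict for one BAXTEP line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    cmd = m["cmd"]
    # The page's sample shows the command wrapped in backticks; strip that
    # pair (assumption: the extension always adds it).
    if len(cmd) >= 2 and cmd[0] == "`" and cmd[-1] == "`":
        cmd = cmd[1:-1]
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "func": m["func"],
        "cmd": cmd,
        "file": m["file"],
        "line": int(m["line"]),
        "uri": m["uri"],
    }


def parse_log(text):
    """Parse every well-formed line; skip lines in another format."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def find_unexpected(records, allowed_files):
    """Return records whose script is not on the allow-list of scripts that
    legitimately run shell commands. Anything else (a freshly uploaded file,
    a script that never needed exec before) deserves a look."""
    allowed = set(allowed_files)
    return [r for r in records if r["file"] not in allowed]


if __name__ == "__main__":
    # In this (constructed) deployment only the thumbnail helper is expected
    # to call exec; everything else is reported.
    known = {"/var/www/html/lib/thumbs.php"}
    for r in find_unexpected(parse_log(SAMPLE_LOG), known):
        print("%s %s(%r) from %s:%d via %s"
              % (r["ts"], r["func"], r["cmd"], r["file"], r["line"], r["uri"]))
```

Run it as a script to print the alerts, or import it and feed it the real log file. Bear in mind that the scripts being logged run as the same user that writes the log, so a PHP shell can truncate or edit it; forward the file off the host (or to syslog) and keep it at a mode tighter than 777 so other local users cannot touch it either.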