Server brains : what software can scan an apache server for installed exploits and stuff?

[biskoppen]

If I wanted all my configuation files, htaccess'es .. php files.. etc .. scanned for exploits and vira's installered by dirty russians.. what do I wanna use for this?

[blazin]

At my old company we used to use Clam... http://www.clamav.net/lang/en/

[signupdamnit]

If you're making $200,000 a year with those servers then you should throw a decent guy $100-$200 a month ($1,200 to $2,400 a year) to come in and handle these things for you every now and then. Otherwise you're asking for trouble and being pennywise and pound foolish. One day of downtime due to an unnecessary incident and you'll lose more than you would pay the admin for a full year.

[Shedevils]

We recently did some scans with clamscan on a server that we had found php backdoors and it did not detect them.

Really you are going to have to hand check for php backdoors. And lock it all down with only a few IP's able to use ssh or sftp.

[Klen]

Quote:

Originally Posted by Shedevils

We recently did some scans with clamscan on a server that we had found php backdoors and it did not detect them.

Really you are going to have to hand check for php backdoors. And lock it all down with only a few IP's able to use ssh or sftp.

Yes i would agree with that,i also used some two specialized scanners and they didn't found anything.

[ifapdb]

No quick way really, but if you have a bunch of php exploits - probably best to start over and move files over in batches making sure permissions are correct.

Check any user uploadable files to see if they are really what they're supposed to be. Jpg, gif, png etc. Exploitable .htaccess can make those files executable.

grep for common php exploit methods (exec/system/decode/chmod/mkdir/etc.)

You should then "train" clamav for any of the patterns you find for future scans.

All assuming they came in through bad scripts, if it's via shell/ftp, all bets are off.

[marlboroack]

Quote:

Originally Posted by signupdamnit

If you're making $200,000 a year with those servers then you should throw a decent guy $100-$200 a month ($1,200 to $2,400 a year) to come in and handle these things for you every now and then. Otherwise you're asking for trouble and being pennywise and pound foolish. One day of downtime due to an unnecessary incident and you'll lose more than you would pay the admin for a full year.

I agree with what he said. I actually know a few people who you can hire to do this.

[dubsix]

run these and you'll be covered

http://www.ossec.net/
http://www.rfxn.com/projects/linux-malware-detect/

[vdbucks]

proper security, permissions and common sense will save you 99.9% of the time as opposed to relying on a piece of software to cover your ass.

As stated above though.. seriously, if you're making 200k+ a year then hire someone who knows wtf they're doing.. no 5 minute lesson on server security via gfy is going to do much to protect you in the end.

[fris]

nmap and nessus

[AdultEUhost]

install rkhunter as well !

[raymor]

I actually just "finished" a new tool chain that finds a heck of a lot more than clam does. Clam is mainly for detecting Windows virises in email. On the server we just did, Clam found two files. Our tools and process found over seven hundred.
It's pretty in depth. For example, bad guys will hide a hack script in a folder full of jpeg files and name the shell "bonnie2.jpg" or whatever, so we have a tool which opens every supposed image and makes sure it really is an image.

There's still quite a bit of process involved - it's not a fully automated tool. Therefore at this point it's an in house tool we can use to take care of it for you.

[raymor]

Btw a lot of what was said we agree with, like grepping for exec, popen, etc. We've just developed a procedure and tools to do the things suggested in an organized and efficient way. Our overall rule os that every file is suspicious until we prove it's ok.

[fris]

as always keep your software updated with latest php, mysql, apache