403Webshell
Server IP : 103.119.228.120  /  Your IP : 3.139.236.93
Web Server : Apache
System : Linux v8.techscape8.com 3.10.0-1160.119.1.el7.tuxcare.els2.x86_64 #1 SMP Mon Jul 15 12:09:18 UTC 2024 x86_64
User : nobody ( 99)
PHP Version : 5.6.40
Disable Function : shell_exec,symlink,system,exec,proc_get_status,proc_nice,proc_terminate,define_syslog_variables,syslog,openlog,closelog,escapeshellcmd,passthru,ocinum cols,ini_alter,leak,listen,chgrp,apache_note,apache_setenv,debugger_on,debugger_off,ftp_exec,dl,dll,myshellexec,proc_open,socket_bind,proc_close,escapeshellarg,parse_ini_filepopen,fpassthru,exec,passthru,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,popen,show_source,proc_nice,proc_terminate,proc_get_status,proc_close,pfsockopen,leak,apache_child_terminate,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,dl,symlink,shell_exec,system,dl,passthru,escapeshellarg,escapeshellcmd,myshellexec,c99_buff_prepare,c99_sess_put,fpassthru,getdisfunc,fx29exec,fx29exec2,is_windows,disp_freespace,fx29sh_getupdate,fx29_buff_prepare,fx29_sess_put,fx29shexit,fx29fsearch,fx29ftpbrutecheck,fx29sh_tools,fx29sh_about,milw0rm,imagez,sh_name,myshellexec,checkproxyhost,dosyayicek,c99_buff_prepare,c99_sess_put,c99getsource,c99sh_getupdate,c99fsearch,c99shexit,view_perms,posix_getpwuid,posix_getgrgid,posix_kill,parse_perms,parsesort,view_perms_color,set_encoder_input,ls_setcheckboxall,ls_reverse_all,rsg_read,rsg_glob,selfURL,dispsecinfo,unix2DosTime,addFile,system,get_users,view_size,DirFiles,DirFilesWide,DirPrintHTMLHeaders,GetFilesTotal,GetTitles,GetTimeTotal,GetMatchesCount,GetFileMatchesCount,GetResultFiles,fs_copy_dir,fs_copy_obj,fs_move_dir,fs_move_obj,fs_rmdir,SearchText,getmicrotime
MySQL : ON |  cURL : ON |  WGET : ON |  Perl : ON |  Python : ON |  Sudo : ON |  Pkexec : ON
Directory :  /scripts/

Upload File :
current_dir [ Writeable] document_root [ Writeable]

 

Command :

[ Back ]     

Current File : /scripts/hackcheck
#!/usr/local/cpanel/3rdparty/bin/perl

# cpanel - scripts/hackcheck                       Copyright 2022 cPanel, L.L.C.
#                                                           All rights reserved.
# copyright@cpanel.net                                         http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited

use Cpanel::Rand                 ();
use Cpanel::FileUtils::TouchFile ();
use Cpanel::SafeDir::MK          ();

$| = 1;

my $tmpdir    = Cpanel::Rand::gettmpdir();    # audit case 46806 ok
my $is_hacked = '';
if ( -d $tmpdir ) {
    foreach my $num ( 0 .. 9 ) {
        Cpanel::FileUtils::TouchFile::touchfile("$tmpdir/$num");
        if ( !-f "$tmpdir/$num" ) {
            $is_hacked = "Could not create file $tmpdir/$num: $!";
            last;
        }
        elsif ( !unlink("$tmpdir/$num") ) {
            $is_hacked = "Could not remove file $tmpdir/$num: $!";
            last;
        }
        Cpanel::SafeDir::MK::safemkdir("$tmpdir/$num");
        if ( !-d "$tmpdir/$num" ) {
            $is_hacked = "Could not create directory $tmpdir/$num: $!";
            last;
        }
        elsif ( !rmdir("$tmpdir/$num") ) {
            $is_hacked = "Could not remove directory $tmpdir/$num: $!";
            last;
        }
    }
    if ( !$is_hacked ) {
        if ( !rmdir($tmpdir) ) {
            $is_hacked = "Could not remove directory $tmpdir: $!";
        }
    }
}
else {    # Can't make random directory in /tmp
    $is_hacked = "Failed to create directory $tmpdir: $!";
}

my $msg = <<"EOM";
Attempts to create new directories or files whose filenames begin with numbers have failed.
This is indicative of a root compromise of the server.

The exact error encountered was:

$is_hacked

EOM

if ($is_hacked) {
    print "[hackcheck] Possible rootkit detected\n$msg";

    require Cpanel::Notify;
    Cpanel::Notify::notification_class(
        'class'            => 'Check::Hack',
        'application'      => 'Check::Hack',
        'constructor_args' => [
            'origin' => 'hackcheck',
            'reason' => $is_hacked
        ]
    );
}

exit if -e '/etc/disablehackcheck';

foreach my $account (qw(xfs daemon)) {
    my @pwnam = getpwnam($account);
    next if !$pwnam[0];
    if ( $pwnam[1] !~ m{^[\!\*]} ) {
        system( "/usr/bin/passwd", "-l", $account );
    }
}

my ( $user, $uid );
open( my $passwd, '<', "/etc/passwd" );
while (<$passwd>) {
    next if (m/^\#/);
    ( $user, undef, $uid, undef ) = split( /:/, $_, 3 );
    next if ( !defined $uid );
    if ( $uid == 0 && $user ne "root" && $user ne "toor" ) {
        system( '/usr/bin/passwd', '-l', $user );
        print "[hackcheck] $user has a uid 0 account (root access).\n";

        require Cpanel::Notify;
        Cpanel::Notify::notification_class(
            'class'            => 'Check::Hack',
            'application'      => 'Check::Hack',
            'constructor_args' => [
                'origin'          => 'hackcheck',
                'suspicious_user' => $user
            ]
        );
    }
}
close($passwd);

Youez - 2016 - github.com/yon3zu
LinuXploit