
I am attempting to track down how a Wordpress site keeps getting hacked, and one of the things I am trying to track is which files are being hit by the "touch" command to forge the last_modified dates (which many hacks do to hide themselves and is happening in this instance). I created a script named newtouch that simply logs with a timestamp all parameters that are sent to it, and then aliased touch to be newtouch. This works fine when I ssh in, but when I attempt to call it from php it is not recognizing the alias. I did some research, and realized that is because php is running under a different shell:

$ php -r 'echo shell_exec("echo $0");'
sh

There was no .profile in the home directory, so I created one, but no matter what I put in it I cannot get the shell to recognize it for some reason. To test I tried a simple alias named touch2 that simply echoes the word test, and have tried all of the following inside of .profile, none of which worked:

alias touch2='echo test'

alias touch2 'echo test'

touch2 () {
    echo test
}

Regardless of which I try, I get the same results:

$ sh
$ alias
$ touch2
sh: touch2: command not found

$ php -r 'echo shell_exec("alias");'
$ php -r 'echo shell_exec("touch2");'
sh: touch2: command not found

Any help is appreciated, thank you.

Michael VanDeMar
  • Your personal aliases don't mean anything to the system for a new user (especially if they have gotten to root) or happen to execute touch as /path/to/touch/exec – zellio Aug 12 '11 at 06:24
  • If you set up an aliased command for the shell user, it will not prevent direct invocation of `/usr/bin/touch` (bypasses alias) nor the php-internal `touch()` function (which is more likely to be used anyway). – mario Aug 12 '11 at 06:25
  • You guys answered fast, the post was only half written but submitted accidentally as I was adding tags, sorry about that. Also, this is definitely being done through php, not through another shell. – Michael VanDeMar Aug 12 '11 at 06:33
  • @mario - I realize that there might be other ways for the files to get modified, but these are all scripted attacks and aren't going to get creative on their own. The more options I block the better chance I have of diagnosing this situation. I have the php touch() command blocked via the php.ini disable_functions directive. Plus, really curious why the .profile isn't getting read at all. Thanks. – Michael VanDeMar Aug 12 '11 at 08:18
  • @mvandemar: Neither `.profile` nor `.bashrc` are read if it isn't an interactive shell. You will need to set `BASH_ENV=` to force execution of a script. Set it system-wide to have any effect. Also make sure it's actually `bash` and not `dash` or other minimized shells. – mario Aug 12 '11 at 12:05
  • @mario - Thanks. I think it's a Bourne shell based on the "sh" output. Since I don't have system wide access, and based on what I read [here](http://stackoverflow.com/questions/3428647/php-exec-path-variable-missing-elements/3428799#3428799) it looks like the only other option would be to call it before running the script, so unless there is a per-user bin I think I am out of luck. I appreciate the help though. :) – Michael VanDeMar Aug 12 '11 at 15:52
  • Well `SetEnv` in your `.htaccess` might possibly work too. – mario Aug 12 '11 at 16:07

1 Answer

#!/path/to/bash

# Move the real touch out of the way, then strip its execute bit and hand
# ownership to root so the web user cannot run or restore it directly.
mv /path/to/touch /some/where/else
chmod -x /some/where/else/touch
chown root:root /some/where/else/touch

# Drop the logging replacement in where the real touch used to live.
mv /path/to/new/touch /where/touch/was/before
zellio
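As an added example (my code, not the question's `newtouch` or the answer's script), the following puts mario's point and the answer's approach side by side: an alias sourced from a profile file is invisible to the non-interactive `sh -c` that PHP's `shell_exec()` spawns, whereas a logging wrapper named `touch` placed first in `PATH` is picked up by that same shell and records every call, including a forged `-t` timestamp, before handing off to the real binary. It needs no system-wide access because the wrapper lives in a private bin directory. The scratch directory `WORK`, `WRAPDIR`, `LOGFILE` and the helper functions are all names I made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Shows (1) that an alias defined in a profile file is not seen by a
# non-interactive `sh -c` and (2) that a logging wrapper named `touch`
# placed first in PATH is. WORK, WRAPDIR, LOGFILE and the helper functions
# are assumed/constructed names for this demo.

WORK=${WORK:-$(mktemp -d)}     # constructed scratch area for the demo
WRAPDIR="$WORK/bin"            # private bin dir, no system-wide access needed
LOGFILE="$WORK/touch.log"      # where the wrapper records each call
REAL_TOUCH=$(command -v touch) # resolved now, before PATH is changed

# Aliases live only in the shell that defines them; nothing exports them to
# child processes, so a fresh `sh -c` never sees them.
alias_visible_to_sh_c() {
    printf "alias touch2='echo test'\n" > "$WORK/profile"
    . "$WORK/profile"                # alias now exists in *this* shell
    if sh -c 'touch2' >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Write a wrapper that logs timestamp, pids and arguments, then execs the
# real touch so legitimate use (and the call being traced) still behaves normally.
make_wrapper() {
    mkdir -p "$WRAPDIR"
    cat > "$WRAPDIR/touch" <<EOF
#!/bin/sh
# generated by make_wrapper: record the call, then hand off to the real touch
printf '%s pid=%s ppid=%s args=%s\n' "\$(date -u +%Y-%m-%dT%H:%M:%SZ)" "\$\$" "\$PPID" "\$*" >> "$LOGFILE"
exec "$REAL_TOUCH" "\$@"
EOF
    chmod +x "$WRAPDIR/touch"
}

# Mimic shell_exec("touch -t 201101010000 index.php"): a non-interactive sh
# that inherits nothing from its caller except the environment, PATH included.
run_as_noninteractive_sh() {
    PATH="$WRAPDIR:$PATH" sh -c "touch -t 201101010000 '$WORK/index.php'"
}

# Helpers to read back what the wrapper recorded.
logged_invocations() { wc -l < "$LOGFILE" | tr -d ' '; }
last_logged_args()   { sed -n '$s/.*args=//p' "$LOGFILE"; }

demo() {
    make_wrapper
    run_as_noninteractive_sh
    echo "alias visible to sh -c: $(alias_visible_to_sh_c)"
    echo "wrapper logged $(logged_invocations) call(s), last args: $(last_logged_args)"
}
demo
```

The wrapper is only reached if the environment PHP runs under has the private bin directory at the front of `PATH`; on shared hosting that means setting it the way mario suggests (`SetEnv` in `.htaccess`) or from the PHP side before the call, since the non-interactive `sh` reads no profile at all. As the comments on the question already note, a call to the binary by absolute path or to PHP's internal `touch()` never passes through either the wrapper or the alias, so the log is a tracing aid, not a control.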