Hi fellows, can you please tell me if there's any application I could use to search for any malicious files or evaluate malicious code in the files on my server? I use grepWin to search for malicious code, but I have to download the files to my local PC, which I'd prefer not to do... Thanks
Here is a little piece of code that I run. It searches within cgi and php files for certain strings, and then places the file name within another file so that you can go through them:

    find /home/ \( -name "*.cgi" -o -name "*.php" \) -print0 | xargs -0 grep -lE 'c99shell|r57shell|WebShell|phpshell|shell|c100|base64' >> /root/report

As you can see, it is mostly looking for shell scripts and encoded files. You can set this up to run as a cron job, or just run it manually. Once it's done running, you can just view the contents of the report file.
Hi RHS-Chris, thanks for your answer... but can you explain it in other words, like step by step? I'm more into design, not server-side issues. Thanks a lot.
That will search for .cgi and .php files within the /home directory. It scans the contents of them, looking for c99shell or r57shell or WebShell or phpshell or shell or c100 or base64 within these files. If it finds a file with any one of these listed in it, it places the name of the file in the report file, which is found in the /root directory.
Thank you. You can also just use cat to display the contents instead of using an editor, i.e.: cat /root/report
I really want to do it as you said, but can you please explain to me how to execute a command on the server (to start)? I'm kind of a dummy on this matter. I've googled for "how to run a command on server" and there's loads of stuff out there, but not one explanation for dummies. Is PsTools any good for this? Thanks for your help.
To be honest, if this is a production server and you're not familiar with command line / server administration, then I would suggest that you not just run commands without understanding what they could do, as you could do some serious damage to your server. My suggestion would be that you set up a test box to play with, so that you can do things without worrying about taking down the production server, or find someone to do the server management for you (hint hint).
I would suggest that you also add: iframe, document\.write, unescape, CRYPT, GNU GPL and gzinflate to your list of keywords to search for. Since you're not deleting any specific files, you're just using your script to search for interesting strings. We find those a lot on infected websites.
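Putting the find/grep one-liner from earlier in the thread and the extra keywords above together, here is an added example script. It is mine, not code posted by anyone in this thread, and it assumes a POSIX shell with find and grep -E available. The function names scan_webshells and count_hits, the demo files it creates, and the temporary report path (used instead of /root/report) are my own choices; the "infected" sample content is constructed for the demo and is not real malware.

```shell
#!/bin/sh
# Added example, not from the thread: wraps the thread's scan in a function
# and runs it against a few constructed files so it can be tried safely on
# a test box before touching a production server.

# Keyword list: the strings from the original command plus the later
# suggestions. 'document\.write' is a regex (escaped dot); the rest are
# literal substrings. Matching is case-sensitive, as in the original.
WEBSHELL_PATTERN='c99shell|r57shell|WebShell|phpshell|shell|c100|base64|iframe|document\.write|unescape|CRYPT|GNU GPL|gzinflate'

# scan_webshells DIR REPORT
#   Walks DIR for regular *.cgi and *.php files and appends the name of every
#   file containing one of the patterns to REPORT (created if missing).
#   find -exec ... {} + is the POSIX equivalent of the -print0 | xargs -0
#   pipeline in the thread and is equally safe with spaces in file names.
scan_webshells() {
    dir=$1
    report=$2
    # grep -l exits 1 when no file matched, which makes find exit non-zero
    # too; that is not an error for our purposes, hence '|| true'.
    find "$dir" -type f \( -name '*.cgi' -o -name '*.php' \) \
        -exec grep -lE "$WEBSHELL_PATTERN" {} + >> "$report" || true
    return 0
}

# count_hits REPORT
#   Prints the number of files listed in REPORT (0 if it does not exist).
count_hits() {
    if [ -f "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# --- Constructed demo data so the script runs offline -------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/site"

# A benign page that should not be flagged.
printf '%s\n' '<?php echo "hello"; ?>' > "$demo_dir/site/index.php"
# Looks like an obfuscated dropper (constructed): hits gzinflate and base64.
printf '%s\n' '<?php eval(gzinflate(base64_decode("SGVsbG8="))); ?>' > "$demo_dir/site/x.php"
# A CGI script with an injected iframe (constructed): hits iframe.
printf '%s\n' '#!/usr/bin/perl' 'print "<iframe src=http://example.invalid/></iframe>";' > "$demo_dir/site/a.cgi"
# Same suspicious content in a .txt file, which the scan deliberately skips.
cp "$demo_dir/site/x.php" "$demo_dir/site/notes.txt"

demo_report="$demo_dir/report"
scan_webshells "$demo_dir/site" "$demo_report"

echo "Files flagged ($(count_hits "$demo_report")):"
cat "$demo_report"
```

To use it for real, replace the demo section with a call such as scan_webshells /home /root/report. Keep in mind that short keywords like shell and base64 also appear in plenty of legitimate code, so the report is a list of files to look at by hand, not a list of infected files; that is exactly how the earlier post describes it.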