

entire server hacked - best way to check for malicious code?




Posted by Riyaz_Shaukatali, 07-07-2013, 01:07 AM
Hello everyone, this is a hypothetical question and I've been looking for an answer for a few weeks now. If an entire server was hacked and all the domains were found to have a public_html/hacked.html file, what is the best way to search all the .php files for malicious code (shells, to be specific)? Is there any Linux command to search for malicious code through all the .php files under /home?

Posted by ZKuJoe, 07-07-2013, 01:15 AM
The only valid option is to format the drives and rebuild the server from scratch after you've determined the source of the exploit. Restore the data from backups prior to the server being hacked and fix the hole that allowed the exploit. Searching files manually is not reliable and unless you know exactly what you are looking for it will be a waste of time.

Posted by TrentaHost, 07-07-2013, 01:23 AM
Great advice. Also, might I add that you should never wait until you get hacked to realize you should have protected your server from the start. I suggest you get some ClamAV scans done on a daily cron, or even better a script to scan files while they're being uploaded; that way you can be sure you're protected.

Posted by Riyaz_Shaukatali, 07-07-2013, 01:25 AM
Exactly, the question here is *how* would you know which account exactly was exploited?

Posted by MilesWeb, 07-07-2013, 01:38 AM
If you have a cPanel server, run chkrootkit & rkhunter. Scan the accounts with maldet and clamd. Refer to the URL http://docs.cpanel.net/twiki/bin/vie...ion/CompSystem as well. This will help in analyzing the security issue.

Posted by /dev/me, 07-07-2013, 08:24 AM
The first step is to determine on what level the machine is compromised. If it's on the website or Apache level, you may not need to reinstall the entire server.

If you suspect a machine to be compromised, it's too late in my opinion to start scanning with rkhunter. rkhunter is incredibly verbose and anything may trigger it, including benign changes that your hoster, you, or your virtualization software made to the machine. You really should start with rkhunter *before* your machine is suspect and learn what its output means.

But back to the original question: if *all* domains on your server contain malicious code, then it's most important to find out whether you're rooted or not. If the machine is rooted, then all bets are off. You do not want to waste any time trying to clean it up, because you will fail, and it takes time away from useful actions like building up the new server. Just firewall it off the internet by denying everything except SSH from your own IP and reboot it with these settings. But don't trust that this will keep competent 'hackers' out of it, because you can no longer be sure iptables is the same iptables you knew and trusted.

But if it's your control panel admin account or Apache itself that was compromised, then you have a chance. With just a simple find command you can probably assess the extent of the damage. You can run something like:

find /path/to/websites -mtime -N

Where N is a number of days smaller than the time since you last did significant work on the website. If it /is/ compromised, there will be files there with datestamps at times you are sure not to have been working on the website. Study these files.

They may be elaborate malicious PHP scripts, they may be legitimate scripts with an iframe or JavaScript injected into them, or they may just be a simple line like this:

if ($_REQUEST['string']){eval($_REQUEST['string']);}

Which is nice, because that script will execute any piece of PHP you throw at it in the form of a $_POST['string'].

The advice is always the same though: update your server software. Update your CMS and its plugins. Delete unnecessary plugins. Change passwords. And preferably delete the entire website and re-upload it.

Posted by Riyaz_Shaukatali, 07-07-2013, 09:26 AM
Thanks for that info. Suppose I were to check ALL the files under /home/*/public_html for some string like "{eval($_REQUEST"? What is the best command for that? I tried grep 'eval($_REQUEST[' /home/*/public_html/* but that isn't working.

Posted by /dev/me, 07-07-2013, 09:33 AM
something like:

Posted by Riyaz_Shaukatali, 07-07-2013, 10:05 AM
Thanks. eval('_u=_u.replace(/' + _aA[i] + '/g,_aA[i+5])'); Does that mean anything to you?

Posted by /dev/me, 07-07-2013, 10:23 AM
Nope. Well, it calls a replace, obviously. To me, it could be anything... anything at all.

Posted by Riyaz_Shaukatali, 07-07-2013, 10:25 AM
Thanks for all your help. I realized this is a better way to find the string, and it's easy, as you can get a c99 or any such shell and grab a piece of text from it:

find /home/ -type f -print0 | xargs -0 grep -sl 'text'

Posted by /dev/me, 07-07-2013, 10:54 AM
Oh, yeah, you are right! I shouldn't have put the *php ending on my command example. Luckily you weren't fooled by my error.

Posted by fshagan, 07-07-2013, 12:35 PM
I've always used this:

grep -lr "string" .

Where "string" is a few characters from the entire encoded file (I don't always use the first "eval" characters, but take 12 to 16 characters out of the middle; fewer false positives that way). I use CXS from ConfigServer; it's a paid option, but it has alerted me about suspicious files a few times (mostly false positives when a new WP plugin is installed). It uses clamav in its scans as well. rkhunter and maldet round out my daily scanning routine. There are a couple of free "site scanners" that take a URL, like http://sitecheck.sucuri.net/scanner/ and http://safebrowsing.clients.google.c...ostingtalk.com (replace "webhostingtalk.com" with your URL to check). I'd love to get one that worked on an IP address for all the shared accounts on a server (and that was free).

Posted by BestServerSupport, 07-07-2013, 01:10 PM
I think you should try using CXS (ConfigServer Exploit Scanner) and Suhosin to avoid this kind of hacking activity in future. It will prevent uploading malicious files to your server. In the meantime, I would also suggest you make sure that your /tmp directory is secure with no execution permissions. suPHP is also a very good option to enable to secure your PHP. It will show you the exact owner of the PHP processes running. A few more suggestions:
1. Change your passwords regularly and always choose strong passwords.
2. Regularly scan your local machine with the latest anti-virus software.
3. Keep third-party installed software/applications up to date with the latest versions.

Posted by FLDataTeK, 07-07-2013, 06:53 PM
You might also use maldet. You can also run it in a realtime mode where it will scan files as they are uploaded or accessed. http://www.rfxn.com/projects/linux-malware-detect/

Posted by nokia6, 07-16-2013, 12:19 AM
I advise you to get some ClamAV scans done on a daily cron, or even better a script to scan files while they're being uploaded; that way you can be sure you're protected.


