Web Hosting Forum - Net Hosting Talk

We are a community of individuals and businesses passionate about web hosting. Let's build, learn, and grow together.

How to find malicious code on the site without a scanner


Junior Member
Hello Members,

As you all know about Hacker scripts. Most often, when hacking, they upload files that are web shells, backdoors, “downloaders”, scripts for spam mailings, phishing pages + form handlers, doorways and hack marker files.

Injections in existing files. The second most popular type of malicious and hacker code placement is injections. Mobile and search redirects can be embedded into existing .htaccess site files, backdoors can be injected into php / perl scripts, and viral javascript fragments or redirects can be embedded into third-party resources in .js and .html templates. Injections are also possible in media files, for example, .jpg or. Often, malicious code consists of several components: the malicious code itself is stored in the exif header of the jpg file, and is executed using a small control script whose code does not look suspicious for the scanner.

Injections in the database. The database is the third target for the hacker. Here, static inserts, are possible, which redirect visitors to third-party resources, “spy” on them or infect the visitor’s computer | mobile device as a result of a drive-by attack (attack using hidden loading). In addition, in many modern CMS (IPB, vBulletin, MODx, etc.), template engines allow you to execute php code, and the templates themselves are stored in a database, so the php code of web shells and backdoors can be embedded directly into the database.

Injections in caching services

As a result of the incorrect or insecure configuration of caching services, for example, Memcached, injections into cached data are possible on the fly. In some cases, a hacker can inject malicious code into the pages of a site without directly hacking the latter. Injections/elements in the system components of the server.

If the hacker gained root access to the server, he can replace the elements of the webserver or caching server with infected ones. Such a web server will provide, on the one hand, control over the server using control commands, and on the other hand, from time to time, introduce dynamic redirects and malicious code to the site’s pages. As in the case of an injection into the caching service, the site administrator will most likely not be able to detect the fact of hacking the site, since all the files and the database will be original. This option is the most difficult to treat.

So, suppose that with the scanners you have already checked the files on the hosting and the database dump, but they did not find anything, and the virus continues to work on the page or the mobile redirect when opening the pages. How to search for further?

Manual Search

On Unix, it’s hard to find a more valuable pair of commands for finding files and fragments than find/grep
You don't have permission to view the spoiler content. Log in or register now.
Will find all files that have been changed in the last week. Sometimes hackers “twist” the date of the change in the scripts so as not to discover new scripts. Then you can search for php / html files that have
You don't have permission to view the spoiler content. Log in or register now.
If you need to find changes in a certain time interval, you can use the same find
You don't have permission to view the spoiler content. Log in or register now.
Grep is indispensable for searching files. It can search recursively for files for the specified fragment
You don't have permission to view the spoiler content. Log in or register now.
When hacking the server, it is useful to analyze files that have the guid / suid flag set
You don't have permission to view the spoiler content. Log in or register now.
To determine which scripts are currently running and load the hosting CPU, you can call
You don't have permission to view the spoiler content. Log in or register now.

Hosted File Analysis

We go to the directory upload, cache, tmp, backup, log, images, into which something is written by scripts or downloaded by users, and we look through the contents for new files with suspicious extensions. For example, for Joomla, you can check .php files in the images: find ./images -name '* .ph *' directory. Most likely, if something is found, it will be malicious. For WordPress, it makes sense to check the scripts for the wp-content / uploads, backup, and cache directories in the themes directory.

We are looking for files with strange names, for example, php, fyi.php, n2fd2.php. Files can be searched by non-standard character combinations, by the presence of numbers 3,4,5,6,7,8,9 in the file name.

We are looking for doorways for a large number of .html or .php files If there are several thousand .php or .html, most likely this is a doorway.

Logs of the web server, mail service, and FTP. The correlation of the date and time of sending the message (which can be found out from the log of the mail server or the service header of the spam email) with requests from access_log help to identify a way to send spam or find a script for a spam mail. FTP transfer logs analysis xferlog allows you to understand which files were downloaded at the time of the hacking, which was changed and by whom. If the PHP server is configured correctly, the mail server’s log or the service header of the spam email will contain the name or full path to the sending script, which helps determine the source of spam. Using the proactive defense logs of modern CMS and plugins, you can determine which attacks were carried out on the site and whether the CMS managed to resist them. Using access_log and error_log, you can analyze the actions of a hacker if the names of the scripts that he called are known IP address or User-Agent. In extreme cases, you can view POST requests on the day of hacking and infection of the site. Often, analysis allows you to find other hacker scripts that were downloaded or were already on the server at the time of the hacking.
  • Advertisement
  • To check suspected files on server or account you can run below script:

    find /home -mindepth 1 -maxdepth 3 -type f -name "*.suspected" -print >> /root/audit_servers.txt