Web Hosting Forum - Explore the Latest in Web Hosting Discussions


Tutorial: How to find malicious code on the site without a scanner

larryrush (Junior Member)
Hello Members,

As you all know about hacker scripts, hackers most often upload files that are web shells, backdoors, “downloaders”, scripts for spam mailings, phishing pages plus form handlers, doorways, and hack marker files.

Injections in existing files. The second most popular type of malicious and hacker code placement is injections. Mobile and search redirects can be embedded into existing .htaccess site files, backdoors can be injected into php/perl scripts, and viral JavaScript fragments or redirects can be embedded into third-party resources in .js and .html templates. Injections are also possible in media files, such as .jpg or. Often, malicious code consists of several components: it is stored in the EXIF header of the jpg file and is executed using a small control script whose code does not look suspicious to the scanner.

Injections in the database. The database is the third target for the hacker. Here, static inserts make it possible to redirect visitors to third-party resources, “spy” on them, or infect the visitor’s computer or mobile device due to a drive-by attack (an attack using hidden loading). In addition, in many modern CMS (IPB, vBulletin, MODx, etc.), template engines allow you to execute PHP code, and the templates themselves are stored in a database, so the PHP code of web shells and backdoors can be embedded directly into the database.

Injections in caching services

When caching services, such as Memcached, are incorrectly or insecurely configured, injections into cached data are possible on the fly. In some cases, a hacker can inject malicious code into a site's pages without directly hacking the latter.

Injections/elements in the server's system components

If the hacker gains root access to the server, he can replace the elements of the web server or caching server with infected ones. Such a web server will provide, on the one hand, control over the server using control commands and, on the other hand, from time to time, introduce dynamic redirects and malicious code to the site’s pages. As in the case of an injection into the caching service, the site administrator will most likely not be able to detect the fact of hacking the site since all the files and the database will be original. This option is the most difficult to treat.

So, suppose that with the scanners you have already checked the files on the hosting and the database dump, but they did not find anything, and the virus continues to work on the page, or the mobile redirect still fires when opening the pages. How do I search further?

Manual Search

On Unix, it’s hard to find a more valuable pair of commands for finding files and fragments than find/grep.
I will find all the files that were changed last week. Sometimes, hackers “twist” the modification date of the scripts so that the new scripts are not discovered. Then, you can search for PHP / HTML files that have
If you need to find changes in a certain time interval, you can use the same find.
Grep is indispensable for searching files. It can search files recursively for the specified fragment.
When the server has been hacked, it is useful to analyze files that have the guid / suid flag set.
To determine which scripts are currently running and loading the hosting CPU, you can call

Hosted File Analysis

We go to the upload, cache, tmp, backup, log, and images directories, into which something is written by scripts or downloaded by users, and we look through the contents for new files with suspicious extensions. For example, you can check for .php files in the images directory for Joomla: find ./images -name '*.ph*'. Most likely, if something is found, it will be malicious. For WordPress, it makes sense to check the scripts in the wp-content/uploads, backup, and cache directories, and in the themes directory.

We are looking for files with strange names, such as PHP, fyi.php, and n2fd2.php. Files can be searched for using non-standard character combinations or the presence of the digits 3, 4, 5, 6, 7, 8, 9 in the file name.

We are looking for doorways among many .html or .php files. If there are several thousand .php or .html files, most likely this is a doorway.

Logs of the web server, mail service, and FTP. The correlation between the date and time of sending the message (which can be found from the mail server log or the service header of the spam email) and requests in access_log helps identify the way spam is sent or find the script used for spam mail. Analysis of the FTP transfer log xferlog allows you to understand which files were uploaded at the time of the hacking, which were changed, and by whom. If the PHP server is configured correctly, the mail server’s log or the service header of the spam email will contain the name or full path of the sending script, which helps determine the source of spam. Using the proactive defense logs of modern CMS and plugins, you can decide which attacks were carried out on the site and whether the CMS resisted them. Using access_log and error_log, you can analyze the actions of a hacker if the names of the scripts that he called, the IP addresses, or the User-Agent are known. In extreme cases, you can view the POST requests on the day of the hacking and infection of the site. Often, analysis allows you to find other hacker scripts that were uploaded or were already on the server at the time of the hacking.
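As an added example (not code from larryrush's post), the find/grep checks described in the Manual Search and Hosted File Analysis sections are written as shell functions and run over a small constructed web root; the temp directory, file names and marker strings are all assumptions for the demo:

```shell
#!/bin/sh
# Added example, not from the original post: build a small constructed web root
# and run the find/grep checks the post describes as shell functions.
set -eu
# Constructed sample tree under a temp dir; every path here is an assumption.
ROOT="$(mktemp -d)"
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/images" "$ROOT/uploads" "$ROOT/includes"
printf '<?php echo "hello"; ?>\n' > "$ROOT/index.php"
printf '<?php $cfg = "ok"; ?>\n' > "$ROOT/includes/config.php"
printf 'plain text\n' > "$ROOT/uploads/notes.txt"
# Marker strings only (not runnable scripts): enough for grep to flag them.
printf 'GIF89a eval(base64_decode(MARKER))\n' > "$ROOT/images/logo.php"
printf 'system(MARKER)\n' > "$ROOT/uploads/x7z.php"
chmod u+s "$ROOT/uploads/x7z.php"
# Backdate config.php to imitate the "twisted" mtime trick the post mentions.
touch -t 202001010000 "$ROOT/includes/config.php"

# 1. Files changed in the last 7 days ("changed last week").
recent_files() { find "$1" -type f -mtime -7 | sort; }

# 2. PHP-like scripts in directories that should only hold uploads or media.
#    '*.ph*' also catches .phtml/.php5; review every hit by hand.
scripts_in_upload_dirs() {
  for d in images uploads cache tmp backup; do
    [ -d "$1/$d" ] && find "$1/$d" -type f -name '*.ph*'
  done | sort
}

# 3. Script names containing the digits 3-9 that the post calls out.
odd_named_scripts() { find "$1" -type f -name '*[3-9]*.php' | sort; }

# 4. Recursive grep for the usual web-shell primitives.
suspicious_fragments() {
  grep -rlE 'eval\(|base64_decode\(|system\(|passthru\(|shell_exec\(' "$1" | sort
}

# 5. Files with the setuid/setgid bit set.
setuid_files() { find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort; }

# 6. Number of .php/.html files; thousands in one tree suggest a doorway.
script_count() {
  find "$1" -type f \( -name '*.php' -o -name '*.html' \) | wc -l | tr -d ' '
}

for check in recent_files scripts_in_upload_dirs odd_named_scripts \
             suspicious_fragments setuid_files script_count; do
  echo "== $check"; "$check" "$ROOT"
done
```

Point the functions at a real document root instead of $ROOT to reuse them; every hit is a lead to inspect by hand, not proof of compromise.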
 
To check for .suspected files on the server or account, you can run the script below:

    find /home -mindepth 1 -maxdepth 3 -type f -name "*.suspected" -print >> /root/audit_servers.txt
     
