Question

I'm encountering an issue on my webserver. Someone infected it with a leaked WordPress. The problem is the following: there is some malicious PHP script somewhere within a file. The malicious script is putting an iframe inside every file on the webserver (/home). But the thing is that I don't know where the script is, and I have thousands of web files in /home; it could be anywhere. I know how to erase all the iframes, but the idea is to delete the trigger. So I was wondering how I could fix it, and I may have a solution, but I would need your advice.

I noticed that the script is executed from time to time but completely randomly (approximately once a week). Now let's assume that I erased all the malicious iframes with the following shell command (which I currently run every 30 minutes):

find /home -type f -print0 | xargs -0 sed -i 's$<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>$ $g'

Now that none of my PHP files has an iframe, the idea would be to alert me when the iframe appears again. That way, if I have the approximate time when the iframe appears, I could have a look at the Apache log to see which web script was called.

So I created another bash script, and I would like your advice on whether it would be all right. I would run it every 30 minutes on the server until I receive a mail.

Then I would look in the Apache log to check the last 30 minutes.

So here is the bash script I was thinking about:

#!/bin/bash
# Pattern of the injected iframe (a basic regex, usable by both grep and sed).
PATTERN='<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>'

# List the infected files. -print0/-0 handle file names with spaces, and
# capturing the grep -l output avoids testing the exit status of xargs, which
# is 123 whenever any single grep batch found no match (so the original
# `find | xargs grep -q; if [ $? -eq 0 ]` test was unreliable).
infected=$(find /home -type f -print0 | xargs -0 grep -l "$PATTERN")

if [ -n "$infected" ]; then
        # Mail the time and the file list; the list narrows the apache log search.
        printf 'At the following time: %s\n%s\n' "$(date +%H-%M-%S)" "$infected" \
            | mail -s "[Serveur Leaked] Bad iframe has been found" me@mymail
        # Replace the iframe with a whitespace in the infected files only.
        printf '%s\n' "$infected" | while IFS= read -r f; do sed -i "s|$PATTERN| |g" "$f"; done
else
        exit 1
fi

exit 0

I really need to find a solution because right now, as I said, I'm running the find-and-replace shell command every 30 minutes and it takes a lot of processing.

But I cannot afford to leave iframes on my server for too long, as my websites would be blacklisted by Google, and I cannot afford that.

Thanks a lot in advance for your advice.

Anselme


Solution

Once you have found an iframe file you wish to monitor, perhaps the shell-scriptable version of inotify, inotifywait, would be the simplest solution. Use it in your script something like this:

#!/bin/sh
# inotifywait blocks until the watched file is modified, then exits, so the
# loop wakes up once per modification instead of polling.
while inotifywait -e modify /var/log/messages; do
    # Inspect the newest line and react if it mentions httpd.
    if tail -n1 /var/log/messages | grep httpd; then
        kdialog --msgbox "Apache needs love!"
    fi
done

In general, there are better file monitoring tools, such as auditd which includes prebuilt utilities and is specifically designed for security and auditing.

Also, there is fanotify, which provides user information and can monitor entire volumes efficiently. Check out the excellent sample tool: fatrace.

inotify suffers from several significant problems: it can't reliably monitor newly created folders, and it can't identify the source (PID) of file changes. Neither of these applies here, but using inotify directly would require some coding.
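Applying the inotifywait approach to the actual problem, as an added example rather than the answer's own code: a watcher over the webroot that, when a file is closed after writing and contains the injected iframe, logs and mails the time, the file, and the PHP POST targets seen in the tail of the access log (a dropped backdoor is normally triggered by such a request), then strips the iframe from that one file instead of rewriting all of /home every 30 minutes. The iframe pattern is the one from the question; /home, the Debian-style access log path, the watch log, the mail address and the sample log lines are assumptions or constructed for this example.

```shell
#!/bin/bash
# Added example (not the answer's own code): watch the webroot with inotifywait
# and react to the injected iframe the moment it is written, instead of
# sweeping /home every 30 minutes. Assumptions: Linux with inotify-tools and GNU
# grep/sed, sites under /home, a Debian-style access log path, a local `mail`.

IFRAME_RE='<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>'
WEBROOT="${WEBROOT:-/home}"
ACCESS_LOG="${ACCESS_LOG:-/var/log/apache2/access.log}"
WATCH_LOG="${WATCH_LOG:-/var/log/iframe-watch.log}"
MAILTO="${MAILTO:-me@mymail}"

# Exit 0 if FILE contains the injected iframe (the src varies, so a regex).
has_bad_iframe() {
    grep -q "$IFRAME_RE" "$1"
}

# Remove the iframe from FILE in place; exit 1 if there was nothing to remove.
strip_bad_iframe() {
    has_bad_iframe "$1" || return 1
    sed -i "s|$IFRAME_RE||g" "$1"
}

# From a combined-format access log on stdin, keep POST requests to PHP files:
# a dropped backdoor is normally triggered by exactly such a request. Normal
# logins (wp-login.php) show up too, which is why the next function counts
# targets so the odd path stands out.
php_posts() {
    grep -E '"POST [^" ]*\.php(\?[^" ]*)? HTTP/[0-9.]+"'
}

# Count the PHP POST targets, most frequent first ("  2 /path/x.php").
php_post_targets() {
    php_posts | awk '{print $7}' | sort | uniq -c | sort -rn
}

# Log the hit, mail it together with the PHP POST targets from the last 500
# access-log lines, then clean just this file.
report_and_clean() {
    local f="$1"
    {
        printf '%s injected iframe written to %s\n' "$(date '+%F %T')" "$f"
        printf 'PHP POST targets in the last 500 access-log lines:\n'
        tail -n 500 "$ACCESS_LOG" 2>/dev/null | php_post_targets
    } | tee -a "$WATCH_LOG" | mail -s "[Serveur Leaked] iframe written to $f" "$MAILTO"
    strip_bad_iframe "$f"
}

# close_write fires once the injector has finished writing; moved_to catches
# write-to-temp-then-rename. -r also adds watches for directories created
# later (with the small race the answer mentions for raw inotify).
watch_webroot() {
    inotifywait -m -r -q -e close_write -e moved_to --format '%w%f' "$WEBROOT" |
    while IFS= read -r f; do
        if [ -f "$f" ] && has_bad_iframe "$f"; then
            report_and_clean "$f"
        fi
    done
}

# Constructed sample log lines (not real traffic) used to exercise the filters.
SAMPLE_LOG='203.0.113.7 - - [12/May/2013:03:14:07 +0200] "POST /wp-content/uploads/2013/05/ctrl.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.2 - - [12/May/2013:03:14:09 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2013:03:14:11 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2013:03:15:02 +0200] "POST /wp-content/uploads/2013/05/ctrl.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"'

# `./iframe-watch.sh watch` runs the watcher (as root, in the background);
# without an argument it just shows the log filter on the sample lines.
if [ "${1:-}" = watch ]; then
    watch_webroot
else
    printf '%s\n' "$SAMPLE_LOG" | php_post_targets
fi
```

Run it as root under a process supervisor rather than from cron, since `inotifywait -m` never exits. The cleaning step is deliberately limited to the file that triggered the event, so the cost of the old 30-minute sweep disappears; the file name and the POST target counts in the mail are what you then match against the Apache log to locate the trigger script.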

OTHER TIPS

You could use inotify to get informed when your html files are changed and only run your script in that case.

When you know that your files get modified (e.g. by the above inotify), you can use the /proc filesystem of the processes (or something like lsof) to find out which process has the modified file open.
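As an added example of the /proc approach (not code from the tip above): a shell function that walks /proc/*/fd to list the processes holding a given file open, which is what lsof does underneath, plus a wrapper that runs it on every inotifywait event. It assumes Linux with /proc and GNU coreutils, and that the sites live under /home. The caveat a practitioner wants: the injector opens, writes and closes the file within milliseconds, so a scan started after the event will often find nothing; auditd (`auditctl -w /home -p wa -k iframe_write`, then `ausearch -k iframe_write`) records the writing PID and executable reliably, which is the tool the Solution above points to.

```shell
#!/bin/bash
# Added example, not code from the answer: find which processes have a file
# open by reading /proc/<pid>/fd, as lsof does. Linux only; reading other
# users' fd directories needs root, so run the watcher as root.

WEBROOT="${WEBROOT:-/home}"   # assumption: the sites live under /home

# Print "PID EXE" for every process that has FILE open, one per line.
# /proc/<pid>/fd/<n> is a symlink to the open file's canonical path, so the
# argument is canonicalised with readlink -f before comparing.
procs_with_file_open() {
    local target fd link pid
    target=$(readlink -f -- "$1") || return 1
    for fd in /proc/[0-9]*/fd/*; do
        link=$(readlink -- "$fd" 2>/dev/null) || continue
        [ "$link" = "$target" ] || continue
        pid=${fd#/proc/}
        pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(readlink -- "/proc/$pid/exe" 2>/dev/null || echo '?')"
    done | sort -u
}

# On every write under WEBROOT, record the time, the file and whoever still
# has it open. Because the injector usually closes the file within
# milliseconds, expect misses; auditd is the reliable way to get the PID.
attribute_writes() {
    inotifywait -m -r -q -e modify --format '%w%f' "$WEBROOT" |
    while IFS= read -r f; do
        printf '%s %s\n' "$(date '+%F %T')" "$f"
        procs_with_file_open "$f" | sed 's/^/    open by /'
    done
}

# `./attribute.sh watch` starts the watcher; otherwise only the functions are
# defined, so the file can be sourced and procs_with_file_open used by hand.
if [ "${1:-}" = watch ]; then
    attribute_writes
fi
```

Because a PHP backdoor runs inside the web server, a hit will show the apache/php-fpm worker as the executable, not the script; the PID is still useful because the worker's current request is visible in the access log (and in mod_status) at that moment, and that request is the trigger you are looking for.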

It may not be a PHP script that is causing this; hackers may have obtained passwords to your server. This site gives several resources that will guide you on what to check:

http://wordpress.org/support/topic/new-malware-code-injection-attack

Here's the WordPress documentation on how to harden the installation:

http://codex.wordpress.org/Hardening_WordPress

Changing the root password of your system would be a good place to start.

And to give you an idea of the level of malicious sophistication you may be up against:

http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html

My sympathy.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow