Fli
11-21-2013, 09:20 PM
I appreciate my clients and i wish to offer them superior service. This requires preventing abusers, scammers to register or abuse service.
No hosting, VPS provider wants to receive complaints from datacenter and is afraid his server to be banned by datacenter.
I got an idea when some of my VPS user hosted a PayPal phishing site.
The server admin has access to all the VPS files and all the hosting account files.
So we can prevent fraud by scanning hosting server regularly agains suspicious phrasses. Here is the list of phrasses:
header('Location: https://www.paypal.com/');
header(\"Location: http://www.google.com\");
skype_injection_path=
Paypal Spam Result
(above phrasses are taken from the scripts in reported fraud/phishing hosting accounts..
Please do you know any other fraud, spam phrasses which are common for various fraud, spam, phishing scripts? Please share it and lets create good list.
The linux command to find occurence for such a phrasses in files: http://internetlifeforum.com/linux-forums/452-linux-how-find-files-find-files-containing-certain-phrasse-content/
.. In near future i want to make bash script which will regularly find the files containing above phrasses + notiffy admin by email.
and here it is..!
The linux bash script to find malicious/infected files and mail result to an server admin
use on your own risk, in my case it works perfectly
# Script to search /home direcotry and subdirectories for varous malicious content and report it to admin email.
[email protected]
# Declare new array named "phrasses" containing various malicious phrasses to search for in files. if character " or $ is in the phrasse, you need to add \ before it
declare -a phrasses
phrasses[0]="Paypal Spam Result"
phrasses[1]="header('Location: https://www.paypal.com/');"
phrasses[2]="skype_injection_path="
# Set folder path where are your users websites data (search path)
wheretosearch=/home
outputfile=/tmp/find_malicious_output.txt
rm -rf $outputfile;touch $outputfile
# list path and filename
# command="ls -lah >> $outputfile"
# can add "-mtime 24" or "-mmin -1440" into "find" command below if i run this script daily to check only last 24 hours created/changes files, this will reduce load on server. Also can use "-iname .php" to search trhu php files only etc. "/bin/nice -n 19" gives below find process lowest priority to prevent server ovelroading
for (( i=0;i<${#phrasses
};i++ )); do
phrasse=${phrasses[$i]}
echo "$phrasse"
/bin/nice -n 19 find $wheretosearch -type f -size -800k -mmin -1440 -exec grep -l "$phrasse" {} \; >> $outputfile
done
countlinesinoutfile="$(grep . -c $outputfile)"
if [ "$countlinesinoutfile" == "0" ];then
# output file is empty, no malicious files found, exit
exit
else
output="Malicious files finder script finished. Malicious files found there:
$(cat $outputfile)
Was found on $(hostname)
The script is located in /etc/cron.."
echo "$output"
echo "$output" | mail -s "$(hostname) Malicious Scanner Result" $adminmail
fi
rm -rf $outputfile
update to the above script:
# can add "-mtime 24" or "-mmin -1440" into "find" command below if i run this script daily to check only last 24 hours created/changes files, this will reduce load on server.# Also can use "-iname .php" to search trhu php files only etc.
# "/bin/nice -n 19" gives below find process lowest priority to prevent server ovelroading
# can add: -iname "*.php*" -o -iname "*.htm*" -o -iname "*.sh" -o -iname "*.pl" to grep only those filetypes
# can add ! -path "*/tmp*" ! -path "*/backup*" ! -path "*/usr*" to exclude certain pathes
for (( i=0;i<${#phrasses
};i++ )); do
phrasse=${phrasses[$i]}
echo "$phrasse"
/bin/nice -n 19 /usr/bin/ionice -c2 -n7 find $wheretosearch -type f -size -800k -mmin -1440 ! -path "*backup*" ! -path "*/usr*" -exec grep -l "$phrasse" {} \; >> $outputfile
What does it do? It searches in files content in path you set (wheretosearch=/home), in our case path where our users websites data are stored. The command "find" is used for this purpose. The admin is emailed with the list of files which are infected (contains phrasses you set).
This script can be run atomatically when you add it into folder like /etc/cron.weekly
It can be handy to run it daily and then modiffy search script by adding "-mtime 24" so script only search files modiffied/created in last 24 hours to decrease searver load.
You have any idea on how to improve the script?
Do you know some list of common malicious phrasses? Please kindly share your phrasses
Thank You
No hosting, VPS provider wants to receive complaints from datacenter and is afraid his server to be banned by datacenter.
I got an idea when some of my VPS user hosted a PayPal phishing site.
The server admin has access to all the VPS files and all the hosting account files.
So we can prevent fraud by scanning hosting server regularly agains suspicious phrasses. Here is the list of phrasses:
header('Location: https://www.paypal.com/');
header(\"Location: http://www.google.com\");
skype_injection_path=
Paypal Spam Result
(above phrasses are taken from the scripts in reported fraud/phishing hosting accounts..
Please do you know any other fraud, spam phrasses which are common for various fraud, spam, phishing scripts? Please share it and lets create good list.
The linux command to find occurence for such a phrasses in files: http://internetlifeforum.com/linux-forums/452-linux-how-find-files-find-files-containing-certain-phrasse-content/
.. In near future i want to make bash script which will regularly find the files containing above phrasses + notiffy admin by email.
and here it is..!
The linux bash script to find malicious/infected files and mail result to an server admin
use on your own risk, in my case it works perfectly
# Script to search /home direcotry and subdirectories for varous malicious content and report it to admin email.
[email protected]
# Declare new array named "phrasses" containing various malicious phrasses to search for in files. if character " or $ is in the phrasse, you need to add \ before it
declare -a phrasses
phrasses[0]="Paypal Spam Result"
phrasses[1]="header('Location: https://www.paypal.com/');"
phrasses[2]="skype_injection_path="
# Set folder path where are your users websites data (search path)
wheretosearch=/home
outputfile=/tmp/find_malicious_output.txt
rm -rf $outputfile;touch $outputfile
# list path and filename
# command="ls -lah >> $outputfile"
# can add "-mtime 24" or "-mmin -1440" into "find" command below if i run this script daily to check only last 24 hours created/changes files, this will reduce load on server. Also can use "-iname .php" to search trhu php files only etc. "/bin/nice -n 19" gives below find process lowest priority to prevent server ovelroading
for (( i=0;i<${#phrasses
};i++ )); do
phrasse=${phrasses[$i]}
echo "$phrasse"
/bin/nice -n 19 find $wheretosearch -type f -size -800k -mmin -1440 -exec grep -l "$phrasse" {} \; >> $outputfile
done
countlinesinoutfile="$(grep . -c $outputfile)"
if [ "$countlinesinoutfile" == "0" ];then
# output file is empty, no malicious files found, exit
exit
else
output="Malicious files finder script finished. Malicious files found there:
$(cat $outputfile)
Was found on $(hostname)
The script is located in /etc/cron.."
echo "$output"
echo "$output" | mail -s "$(hostname) Malicious Scanner Result" $adminmail
fi
rm -rf $outputfile
update to the above script:
# can add "-mtime 24" or "-mmin -1440" into "find" command below if i run this script daily to check only last 24 hours created/changes files, this will reduce load on server.# Also can use "-iname .php" to search trhu php files only etc.
# "/bin/nice -n 19" gives below find process lowest priority to prevent server ovelroading
# can add: -iname "*.php*" -o -iname "*.htm*" -o -iname "*.sh" -o -iname "*.pl" to grep only those filetypes
# can add ! -path "*/tmp*" ! -path "*/backup*" ! -path "*/usr*" to exclude certain pathes
for (( i=0;i<${#phrasses
};i++ )); do
phrasse=${phrasses[$i]}
echo "$phrasse"
/bin/nice -n 19 /usr/bin/ionice -c2 -n7 find $wheretosearch -type f -size -800k -mmin -1440 ! -path "*backup*" ! -path "*/usr*" -exec grep -l "$phrasse" {} \; >> $outputfile
What does it do? It searches in files content in path you set (wheretosearch=/home), in our case path where our users websites data are stored. The command "find" is used for this purpose. The admin is emailed with the list of files which are infected (contains phrasses you set).
This script can be run atomatically when you add it into folder like /etc/cron.weekly
It can be handy to run it daily and then modiffy search script by adding "-mtime 24" so script only search files modiffied/created in last 24 hours to decrease searver load.
You have any idea on how to improve the script?
Do you know some list of common malicious phrasses? Please kindly share your phrasses
Thank You