Find malicious files/SPAM scripts in a hosting account using SSH shell

Fli
12-02-2016, 02:38 PM
What do you think is the best way to find malicious files on a hosting account?

I know one can go to the File Manager, sort according to modification date/time and then delete the malicious files that were modified last (backup first).

Here is the Linux command to list the last modified files:

find /home/userhere/public_html -type f -print0 | xargs -0 stat --format '%Y :%y %n' | sort -nr | grep -vE "cache|error_log|excludephrase2" | cut -d: -f2- | head -n 30 | cut -d' ' -f4- | while IFS= read -r i; do echo "$i"; done

It finds the last 30 modified/created files in /home/userhere/public_html and its subdirectories. It excludes the paths/files marked green, separated by |.

This command is nice because it can also be used to delete these files: just replace "echo $i" with "rm -f $i", but before removal exclude the files you do not want to be removed. And be sure to have a backup of all the files inside /home/userhere/public_html.

Here is the command to show the top mailing scripts/paths on a server with Exim (mail server):

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
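The same two checks as shell functions, added here as an example and not part of the original post: a space-safe version of the "last 30 modified files" listing and a single-pass version of the Exim cwd= count. It assumes GNU find/sort/awk (a typical Linux hosting box); the Exim log lines are constructed samples, not real data.

```shell
#!/bin/bash
# Added example, not the forum post's own commands. Assumes GNU find/sort/awk.

# Print the N newest regular files under DIR, newest first, one path per line.
# find -printf keeps "mtime<TAB>path" on one line, so paths containing spaces
# survive (a for-in-$(...) loop would split them into pieces). The grep -vE
# holds the same kind of exclusions as the original one-liner.
recent_files() {
    dir=$1; n=${2:-30}
    find "$dir" -type f -printf '%T@\t%p\n' \
        | grep -vE 'cache|error_log' \
        | sort -rn \
        | head -n "$n" \
        | cut -f2-
}

# Count which directories mail was sent from, using Exim's cwd= field.
# Reads a mainlog on stdin; cwd=/var/spool lines are Exim's own queue runs,
# not web scripts, so they are skipped. Busiest directory first.
top_mail_cwd() {
    awk '/cwd=/ && index($0, "cwd=/var/spool") == 0 {
             sub(/.*cwd=/, ""); print $1
         }' \
        | sort | uniq -c | sort -rn
}

# Constructed sample in the cwd= format that a cPanel-style Exim writes.
sample_exim_log() {
    cat <<'EOF'
2016-12-02 14:01:11 cwd=/home/userhere/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2016-12-02 14:01:12 cwd=/home/userhere/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2016-12-02 14:01:13 cwd=/home/userhere/public_html 3 args: /usr/sbin/sendmail -t -i
2016-12-02 14:01:14 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cCxyz-0001aa-Ab
2016-12-02 14:01:15 1cCxyz-0001ab-Cd <= user@example.com H=localhost [127.0.0.1] P=esmtpa S=1234
EOF
}

# On a real box:
#   recent_files /home/userhere/public_html 30
#   top_mail_cwd < /var/log/exim_mainlog
# Demo on the constructed sample (two uploads hits, one public_html hit):
sample_exim_log | top_mail_cwd
```

Review the listing before removing anything: a recently modified file is a lead, not proof of malware, and a spike of mail from an uploads directory is the usual sign of an injected mailer script.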