Thread: How to find malicious scripts on the server AKA ban clients before reports received

  #1  Fli (Administrator), joined Mar 2013

    I appreciate my clients and I wish to offer them superior service. This requires preventing abusers and scammers from registering or abusing the service.

    No hosting or VPS provider wants to receive complaints from the datacenter, and everyone is afraid of his server being banned by the datacenter.

    I got the idea when one of my VPS users hosted a PayPal phishing site.
    The server admin has access to all the VPS files and all the hosting account files.

    So we can prevent fraud by scanning the hosting server regularly for suspicious phrases. Here is the list of phrases:




    (The above phrases are taken from the scripts in reported fraud/phishing hosting accounts.)

    Please, do you know any other fraud or spam phrases which are common in various fraud, spam and phishing scripts? Please share them and let's create a good list.

    The Linux command to find occurrences of such phrases in files: http://internetlifeforum.com/linux-forums/452-linux-how-find-files-find-files-containing-certain-phrasse-content/

    .. In the near future I want to make a bash script which will regularly find the files containing the above phrases and notify the admin by email.

    and here it is..!

    The Linux bash script to find malicious/infected files and mail the result to the server admin

    Use at your own risk; in my case it works perfectly.

    #!/bin/bash
    # Script to search the /home directory and its subdirectories for various malicious content and report it to the admin email.

    # Admin address to notify (placeholder: the original address was removed by the forum's e-mail obfuscation; set your own)
    adminmail="admin@example.com"

    # Declare a new array named "phrasses" containing the malicious phrases to search for in files.
    # If the character " or $ is in the phrase, you need to add \ before it (shell quoting).
    # The phrases are matched as fixed strings (grep -F), so . ( ) and similar characters are taken literally.
    declare -a phrasses
    phrasses[0]="Paypal Spam Result"
    phrasses[1]="header('Location: https://www.paypal.com/');"
    phrasses[2]="skype_injection_path="

    # Set the folder path where your users' website data is (search path)
    wheretosearch=/home
    # Private temporary file for the results (mktemp avoids a fixed, predictable name in /tmp)
    outputfile=$(mktemp /tmp/find_malicious_output.XXXXXX)

    # list path and filename
    # command="ls -lah >> $outputfile"

    # "-mmin -1440" (or "-mtime -1") in the "find" command below limits the check to files created/changed in the last 24 hours when the script runs daily; this reduces load on the server. "-iname '*.php'" would search PHP files only, etc. "/bin/nice -n 19" gives the find process the lowest priority to prevent server overloading.

    for phrasse in "${phrasses[@]}"; do
        echo "$phrasse"
        /bin/nice -n 19 find "$wheretosearch" -type f -size -800k -mmin -1440 -exec grep -lF -- "$phrasse" {} \; >> "$outputfile"
    done

    countlinesinoutfile="$(grep -c . "$outputfile")"

    if [ "$countlinesinoutfile" -eq 0 ]; then
        # output file is empty, no malicious files found: clean up and exit
        rm -f "$outputfile"
        exit 0
    else
        output="Malicious files finder script finished. Malicious files found there:

    $(cat "$outputfile")

    Was found on $(hostname)
    The script is located in /etc/cron.."

        echo "$output"
        echo "$output" | mail -s "$(hostname) Malicious Scanner Result" "$adminmail"
    fi
    rm -f "$outputfile"
    update to the above script:

    # "-mmin -1440" (or "-mtime -1") in the "find" command below limits the check to files created/changed in the last 24 hours when the script runs daily; this reduces load on the server.
    # "-iname '*.php'" would search PHP files only, etc.
    # "/bin/nice -n 19" gives the find process the lowest priority to prevent server overloading; ionice does the same for disk I/O.
    # can add: \( -iname "*.php*" -o -iname "*.htm*" -o -iname "*.sh" -o -iname "*.pl" \) to grep only those filetypes (the parentheses are needed so the -o alternatives do not swallow the other tests)
    # can add ! -path "*/tmp*" ! -path "*/backup*" ! -path "*/usr*" to exclude certain paths

    for phrasse in "${phrasses[@]}"; do
        echo "$phrasse"
        /bin/nice -n 19 /usr/bin/ionice -c2 -n7 find "$wheretosearch" -type f -size -800k -mmin -1440 ! -path "*backup*" ! -path "*/usr*" -exec grep -lF -- "$phrasse" {} \; >> "$outputfile"
    done

    What does it do? It searches the content of files in the path you set (wheretosearch=/home), in our case the path where our users' website data is stored. The "find" command is used for this purpose. The admin is emailed the list of files which are infected (contain the phrases you set).

    This script can be run automatically when you add it into a folder like /etc/cron.weekly.
    It can be handy to run it daily and then modify the search script by adding "-mtime 24" so the script only searches files modified/created in the last 24 hours to decrease server load.
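    As an added example (not the script from the post above), the function below does the same job in a single directory traversal: grep reads all phrases from one file with -f and treats them as literal strings with -F, so the . ( ) and $ characters in a phrase such as header('Location: https://www.paypal.com/'); cannot be misread as a regular expression, and the file-type and path filters from the update are applied in the same find call. The sample tree, the phrase file and all paths are constructed here for the demo; the phrases themselves are the three from the post.

```bash
#!/usr/bin/env bash
# Added example, not the forum post's script. Single-pass fixed-string scan of a
# web-hosting tree for indicator phrases; sample data below is constructed.

# scan_tree DIR PATTERNFILE
# Prints the paths of files under DIR containing any phrase from PATTERNFILE, sorted.
scan_tree() {
    local dir="$1" patterns="$2"
    # -F: phrases are literal strings, not regexes
    # -f: read every phrase from the file, so find walks the tree only once
    # -l: print only file names; -s: silence errors on unreadable files
    # -exec ... {} + batches many files into one grep call
    find "$dir" -type f -size -800k \
        \( -iname '*.php*' -o -iname '*.htm*' -o -iname '*.js' \) \
        ! -path '*/backup/*' \
        -exec grep -lFsf "$patterns" {} + | sort
}

# make_sample_tree
# Builds a constructed hosting tree in a temp dir and prints its root.
make_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/user1/public_html" "$root/user2/public_html/backup"
    # a PHP file carrying the redirect phrase from the post: should be reported
    printf '%s\n' '<?php' "header('Location: https://www.paypal.com/');" '?>' \
        > "$root/user1/public_html/verify.php"
    # a benign PHP file: should not be reported
    printf '%s\n' '<?php echo "hello"; ?>' > "$root/user1/public_html/index.php"
    # same kind of indicator inside an excluded backup path: should not be reported
    printf '%s\n' 'Paypal Spam Result' > "$root/user2/public_html/backup/old.php"
    # indicator in a file type the scan does not cover: should not be reported
    printf '%s\n' 'skype_injection_path=' > "$root/user2/public_html/notes.txt"
    # the phrase list, one literal phrase per line (the three phrases from the post)
    printf '%s\n' 'Paypal Spam Result' \
        "header('Location: https://www.paypal.com/');" \
        'skype_injection_path=' > "$root/phrases.txt"
    echo "$root"
}

# demo: build the tree, scan it, print what an admin mail would list
demo() {
    local root
    root=$(make_sample_tree)
    echo "Scanning $root"
    scan_tree "$root" "$root/phrases.txt"
    rm -rf "$root"
}

demo
```

    Because grep reads the phrases from a file, new indicators are added by appending a line, and no shell escaping of the phrase is needed.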

    Do you have any idea on how to improve the script?

    Do you know some list of common malicious phrases? Please kindly share your phrases.

    Thank You