In Linux and some Unix-like systems, it is hard to find more useful commands for searching files than find and grep.
This command looks for all .php and .phtml files (anything matching *.ph*) that were modified in the past week.
find . -name '*.ph*' -mtime -7
Sometimes, attackers change file modification dates to avoid detection. In this case, you can use the following command to look for .php and .phtml files that have had their attributes changed.
find . -name '*.ph*' -ctime -7
If you need to look for file changes in a certain time frame, you can also use this find command.
find . -name '*.ph*' -newermt 2015-01-25 ! -newermt 2015-01-30 -ls
Let's not underestimate the grep command either. It can recursively search for certain patterns in the files, drilling down through all folders and files. Here is an example.
grep -ril 'example.com/google-analytics/jquery-1.6.5.min.js' *
When your web server is compromised, it is good practice to check for files with the SGID/SUID flag set, just to be safe.
sudo find / -perm -4000 -o -perm -2000
Finally, you can use a command like this to identify what PHP scripts are currently running in the background and possibly impacting website performance.
lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk '{ if(!str) { str=$1 } else { str=str","$1 }} END{print str}'` | grep vhosts | grep php
Now that we know how to search for possibly malicious files, let's dive a bit deeper and list what exactly we are looking for and where.
You need to check all directories that are used for file uploading. For example, with Joomla you should look for .php files in the ./images folder. There is a high chance that if you find something, it will be malicious. For WordPress it is worth checking the wp-content/uploads, backup and theme cache directories.
find ./images -name '*.ph*'
Here are examples of strange file names to look out for: php, fyi.php, n2fd2.php. You should also look for unusual patterns in file names. For example:
find ./ -xdev -type d -print0 | while IFS= read -d '' dir; do echo "$(find "$dir" -maxdepth 1 -print0 | grep -zc .) $dir"; done | sort -rn | head -50
(The command above lists the 50 directories that contain the most entries. Check this thread to find more details on the commands for checking directory file counts.)
It is much easier to analyze attack vectors and look for malware scripts on websites if some security precautions were taken beforehand. Integrity checks help to identify changes on the file system in a timely manner and to detect malicious activity quickly. The easiest and most effective way to perform such checks is by using version control systems such as git, SVN, or CVS. For example, with git, if you correctly configure the .gitignore file, the process of integrity checking comes down to executing two commands:
git status # check all changed files
git diff # find malicious code
This guarantees that you have a backup copy of your files, and allows you to quickly restore the website to a previous state. Experienced server administrators can also use inotify, tripwire, auditd and similar tools to track file and folder access and changes.
Unfortunately, it is not always possible to configure the version control system or any site integrity check services on a server. In the case of shared hosting, it is not possible to use a version control system or system services. To overcome this problem you can use CMS extensions, in the form of a plugin or a stand-alone script, to track file changes. Some CMSs (e.g. Bitrix or DLE) already have built-in integrity checks.
If the website is using custom scripts or is built with static HTML files, you can use the following shell command to make a snapshot of currently stored files:
ls -lahR > original_file.txt
If any malware threats occur, you can create another snapshot and then compare the two using any comparison software you like, for example WinDiff, Araxis Merge, Beyond Compare, the diff command (on Linux), or even an online snapshot comparison tool.
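A listing made with ls -lahR records names, permissions, owners, rounded sizes and modification times, not file contents, so a same-size edit with an altered timestamp can compare as unchanged. The following added example (not from the original article) snapshots content hashes instead and reports added, modified and removed files; the function names and the sample site are constructed for illustration, and GNU find, sort, xargs and sha256sum are assumed.

```shell
#!/bin/sh
# Added example (not from the original article): hash-based snapshots.
# Assumes GNU findutils/coreutils (find -print0, sort -z, xargs -0 -r, sha256sum).

# snapshot DIR: print "<sha256>  <relative path>" for every regular file in DIR.
snapshot() (
    cd "$1" || exit 1
    find . -xdev -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum
)

# compare_snapshots OLD NEW: report paths that were added, modified or removed.
compare_snapshots() {
    awk '
        { hash = $1; path = substr($0, length($1) + 3) }  # skip hash + 2 separator chars
        FILENAME == ARGV[1] { old[path] = hash; next }    # first file: the baseline
        !(path in old)      { print "ADDED", path; next }
        old[path] != hash   { print "MODIFIED", path }
                            { seen[path] = 1 }
        END { for (p in old) if (!(p in seen)) print "REMOVED", p }
    ' "$1" "$2" | LC_ALL=C sort
}

# demo: build a constructed site in a temp dir, change it, and show the report.
demo() (
    site=$(mktemp -d) && base=$(mktemp) && now=$(mktemp) || exit 1
    mkdir -p "$site/images" "$site/inc"
    echo '<?php echo "home";' > "$site/index.php"
    echo '<?php // helpers'   > "$site/inc/util.php"
    echo 'logo'               > "$site/images/logo.png"
    snapshot "$site" > "$base"                 # known-good baseline

    echo '<?php echo "edit";' > "$site/index.php"        # same size, new content
    echo '<?php // unknown'   > "$site/images/n2fd2.php" # script in an upload dir
    rm "$site/inc/util.php"
    snapshot "$site" > "$now"

    compare_snapshots "$base" "$now"
    rm -rf "$site" "$base" "$now"
)

demo
```

Keep the baseline snapshot somewhere the web server user cannot write, otherwise it can be changed along with the site files.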
In cases where antivirus solutions fail to clean a hacked website, it is useful to know how to do it yourself on the command line, with heuristics, and using built-in OS and CMS tools and features. Even with high-rate detection malware scanners such as ImunifyAV, being able to confirm the detection rates manually is an important, confidence-building skill.
ImunifyAV is the completely free antivirus and anti-malware scanner. Upgrade to ImunifyAV+ to access the built-in, one-click, fully automated cleanup feature, or get it as part of Imunify360's complete and comprehensive website security solution, which includes an intelligent WAF, IDS and IPS, Proactive Defense, automated kernel patch management and more.