How to find malicious code on a website

You can use a few shell commands together with the Maldet and ClamAV tools to find malicious code in your website content.

Here is a little bit of code that I run. It searches .cgi and .php files for strings commonly found in web shells, and appends the matching file names to a report file so that you can go through them. Expect false positives: "shell" and "base64" also appear in legitimate code, so treat every hit as something to review rather than as a confirmed compromise:

find /home/ \( -name "*.cgi" -o -name "*.php" \) -print0 | xargs -0 grep -E -l 'c99shell|r57shell|WebShell|phpshell|shell|c100|base64' >> /root/report

netstat -anp : Look for programs listening on ports that you did not install or authorize (on newer systems without netstat, ss -tulpn gives the same view).

find / -perm -o+w ! -type l >> world_writable.txt : Look at world_writable.txt to see all world-writable files and directories (symlinks are excluded because their mode is always 777). This will reveal places where an intruder can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not correctly coded will break them.

find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner.txt for all files that do not have a valid user or group associated with them. All files should be owned by a specific user or group to restrict access to them.
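The three manual checks above combined into one reusable audit script, with one addition the one-liners do not give you: for every string hit it prints the first few matching lines so you can tell a real web shell from an innocent use of the word "shell". This is an added example and not code from the original article; it assumes GNU findutils and GNU grep, and the directory tree and file contents it creates are constructed fixtures, not real site content.

```shell
#!/bin/sh
# Added example, not part of the original article: the three manual checks
# (web-shell string search, world-writable paths, unowned files) as
# reusable functions, exercised against a constructed sample tree so the
# script runs offline. Assumes GNU findutils and GNU grep; all paths and
# file contents below are made-up fixtures.

# Indicator strings taken from the article's command. "shell" and "base64"
# are broad and match legitimate code, so hits are review candidates only.
PATTERNS='c99shell|r57shell|WebShell|phpshell|shell|c100|base64'

# Print each .php/.cgi file under $1 whose content matches PATTERNS.
scan_webshell_strings() {
    find "$1" -type f \( -name '*.cgi' -o -name '*.php' \) -print0 \
        | xargs -0 -r grep -E -l "$PATTERNS" 2>/dev/null || true
}

# Print world-writable files and directories under $1 (symlinks excluded,
# as their mode is always 777 and says nothing about the target).
find_world_writable() {
    find "$1" -perm -o+w ! -type l 2>/dev/null || true
}

# Print files under $1 whose uid or gid has no matching account.
find_unowned() {
    find "$1" \( -nouser -o -nogroup \) 2>/dev/null || true
}

# Write a triage report for directory $1 to file $2. For every string hit
# the first three matching lines are included so a reviewer can judge
# quickly whether the match is a web shell or an innocent use of "shell".
run_audit() {
    dir="$1"; report="$2"
    {
        echo "== suspicious strings in .php/.cgi files under $dir =="
        scan_webshell_strings "$dir" | while IFS= read -r f; do
            echo "--- $f"
            grep -E -n -m 3 "$PATTERNS" "$f" || true
        done
        echo "== world-writable files and directories =="
        find_world_writable "$dir"
        echo "== files with no valid owner or group =="
        find_unowned "$dir"
    } > "$report"
}

# Build a constructed fixture tree under $1 (not real site content).
make_sample_tree() {
    d="$1"
    mkdir -p "$d/public_html/uploads" "$d/cgi-bin"
    printf '<?php echo "hello"; ?>\n' > "$d/public_html/index.php"
    # Contains an indicator string and is world-writable: reported twice.
    printf '<?php /* marker: c99shell */ ?>\n' > "$d/public_html/uploads/img.php"
    chmod 666 "$d/public_html/uploads/img.php"
    printf '#!/usr/bin/perl\n# marker: r57shell\n' > "$d/cgi-bin/test.cgi"
    # Matches the pattern but has the wrong extension: must be ignored.
    printf 'base64 appears in plain notes\n' > "$d/public_html/notes.txt"
    chmod 644 "$d/public_html/index.php" "$d/cgi-bin/test.cgi" "$d/public_html/notes.txt"
}

# Stand-alone demonstration: build the fixture, audit it, show the report.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
run_audit "$demo_dir" "$demo_dir/report.txt"
cat "$demo_dir/report.txt"
rm -rf "$demo_dir"
```

To use it on a real server, call run_audit with the account directory (for example /home) and a report path under /root, and run it inside a screen session, since walking a large home tree takes time. The unowned-files check only produces output when an account has been deleted while its files remain, so an empty section there is expected on a healthy server.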

Linux Malware Detect (LMD, also known as Maldet) is a malware scanner for Linux released under the GNU GPLv2 license that is designed around the threats faced in shared hosting environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. Use the following link to download and install Maldet.

http://www.rfxn.com/projects/linux-malware-detect/

Download Maldet:

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Extract the archive:

tar -zxvf maldetect-current.tar.gz

Change into the extracted directory (the version number may differ from the one shown here):

cd maldetect-1.4.2/

Run the installer:

./install.sh

Once the installation has completed, scan your files:

maldet -a /home/?/public_html

This will scan the public_html directory of every account on the server. Run it inside a screen session, since a full scan can take a long time and should survive your SSH session disconnecting.

To scan one particular directory, pass its path instead:

maldet -a /home/testuser

ClamAV

Simply log into WHM, go to the cPanel section and click "Plugins." Check the box next to "clamavconnector" and click Save at the bottom of the page. This will install ClamAV.

Update antivirus database:

freshclam

Scan a directory recursively and print out only infected files (the scanner binary is clamscan):

clamscan -ri /home

Scan a directory and remove infected files and emails (this deletes the files outright, so take a backup first if you want to examine them later):

clamscan -ri --remove /home
