Portal Home > Knowledgebase > Articles Database > How to find out hacked files on server?
How to find out hacked files on server?
Posted by KennyP, 07-10-2009, 12:03 AM |
My server was being hacked, I can find some HTML and PHP files which inserted the codes similar to the following by the hacker.
The inserted iframe src is not the same among the hacked files.
I am trying to find out all the hacked files on server, is there any way instead of checking the files manually?
|
Posted by mwatkins, 07-10-2009, 01:36 AM |
Search for iframe within html and php files. They may not all be hacks -- there are legitimate uses for iframe -- but its a good start.
However unless you stop the source, you will just end up with more. There have been many threads on this lately here.
|
Posted by KennyP, 07-10-2009, 01:43 AM |
Yes, you are right, but how can I search for the codes in all the files on my server? Can we have any shell command to do it?
|
Posted by linux-engineer, 07-10-2009, 01:55 AM |
This seems to iframe insertion attack.
I suggest you to upload files from backup as searching manually will not be possible.
And make sure you give 755 permissions to directories and 644 to files to avoid such issues in future.
|
Posted by KennyP, 07-10-2009, 01:58 AM |
I was trying to find the infected files with the following command.
find * | xargs grep 'http://a5g.ru:8080'
But the results are showing on screen and I am not able to read them all, can I have some refinement on the command?
|
Posted by Nelesh O, 07-10-2009, 03:05 AM |
Try the commands below to locate the infected files.
===================================================
find / -perm 766 -exec ls -al {} \; | grep "Aug 21" > files766.txtfind / -perm 666 -exec ls -al {} \; | grep "Aug 21" > files666.txtfind / -perm 777 -exec ls -al {} \; | grep "Aug 21" > files777.txt
Note : Replace the date " Jul 9" with the date your account was hacked.
OR
Try the command mentioned below :
============================
find /home -name '*.php' -o -name '*.htm*' | xargs grep -l iframe /dev/null
OR
Try the command mentioned below :
============================
#!/bin/bash
find / -type f -name *.php -exec replace '' '' -- {} > /dev/null \;echo "Removed Tag from PHP file"
find / -type f -name *.html -exec replace '' '' -- {} > /dev/null \;echo "Removed Tag from HTML file"
find / -type f -name *.htm -exec replace '' '' -- {} > /dev/null \;echo "Removed Tag from ALL files"
echo "Server Administrator"exit
|
Posted by timelead129, 07-10-2009, 04:41 AM |
First block the IP address 87.242.98.116 in firewall to reduce chaces of further infection. Change your FTP password, as well as that of other accounts that may be using the same password.
Search your webpages using grep for strings like "document.write(unescape(" OR other notable string that you can detect on the affected page.
Check whether there has been any uploads or changes in the account that you did not do by yourslef.
Run clamscan on the accounts home dir /home/username.
Last edited by timelead129; 07-10-2009 at 04:53 AM.
|
Posted by KennyP, 07-10-2009, 05:43 AM |
More files are infected now, can you show me how to block the IP? I have a cPanel server here.
|
Posted by KennyP, 07-10-2009, 05:45 AM |
The hacker is doing more on my server now, I have no idea on how to stop him, anyone can help me?
|
Posted by AttackerNET, 07-10-2009, 06:44 AM |
|
Posted by supportexpertz, 07-10-2009, 07:32 AM |
Hi ,
Please use the following script
===============
find /home \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "a5g.ru" {} \; -exec sed -i "/"a5g.ru"/d" {} \;
===============
The above command will remove the line which contains the word " a5g.ru " . The command will search all the files under /home
We are advising you to take necessary backups before running the above script.
The basic steps that is to be done to prevent this type of attack in future are
1) Scan your server periodically and check for rootkits and vulnerablilities.
2) Update all the 3rd party softwares to the latest version
3) Make sure your ftp paswords are updated
4) Ensure that appropriate file permissions are used for every file and directory on the web server
Last edited by supportexpertz; 07-10-2009 at 07:39 AM.
|
Posted by mnaumann, 07-10-2009, 08:16 AM |
This is, of course, a question that matters now. However, you seem to be doing the second step before the first.
Your server is compromised. At this time it is unclear whether the compromise is limited to an unpriviliged or not (i.e. whether the root account is compromised, too).
You state that the attacker (which is most likely not a real person but some script which is executed on many compromised servers such as yours at the same time) is still making modifications to your web pages. As such, the attacker is still having control over parts or all of your server.
The first thing you need to do now is to prevent this from continuing.
I recommend that you take notes of all actions you take, including time and date. This way you will be able to roll back any revertable changes you make now.
If you have remote access through a serial console to your server, then disable the network interface now and examine the situation through the serial console.
Alternatively, if you have KVM access, do the same.
If you have neither remote serial console nor KVM access then use either iptables firewalling or hosts.allow/hosts.deny to limit access to your server to incoming connections from another server you manage. Disabling the web and FTP servers is another option but may well be insufficient to lock the attacker out (they may have a backdoor installed which comes with its own server process and will still function after you took down the web and FTP server).
If this seems to complicated, contact your ISP/hosting provider, they will be able and want to help you out (it is in their interest, too).
Now notify your clients that an unplanned outage has occured and make an ETA based on how long you think it will take you to follow the steps outlined below.
Once this is done, you should investigate how the attacker was able to intrude the system and when. And once that is clear, you should revert to the most recent backup which was made before the attacker ganed access to your system.
If this is not an option, you can also try to find out which alterations the attacker has made and to try to revert them. This is, howeever, unsafe, since you can not be sure that there have not been additional alterations made which you are not aware of.
Only after you are completely convinced that you have both removed the vulnerability the attacker used to compromise your system and the alterations they made, reenable network access to your system and inform your clients/users what has happened and how you reacted to it.
|
Posted by KennyP, 07-10-2009, 08:43 AM |
By using the provided scripts, I think I have temporary removed the infected files on server.
I have to investigate the source and take necessary prevention now, the advices by mnaumann are great enough but I am not able to take down the server, as downtime mean a big loss to me.
I think I should hire a system admin to solve the problem, as mentioned by Sys Admin, this is not a time for tranning myself.
How can I find a reliable system admin on Internet? Is there any place to find the expert?
|
Posted by mnaumann, 07-12-2009, 06:27 AM |
Sure, just post a request in the Systems Management Requests forum.
Last edited by mnaumann; 07-12-2009 at 06:29 AM.
Reason: added URL
|
Posted by serveradminz, 07-12-2009, 08:51 AM |
You can use the following script for search and replace iframe
find /home \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "a5g.ru" {} \; -exec sed -i "/"a5g.ru"/d" {} \;
You can install mod_security and add sec2 rules from gotroot rules for avoiding further injection and malware attacks.
|
Posted by SA-ChrisM, 07-12-2009, 11:19 AM |
I see it touched on a bit, but no one in this thread really goes into finding the source of the attack moreso than trying to recover from the effects of it. Think about it as if you were trying to remove a branch from a thorn three and you keep getting stabbed by the thorns. Would you keep putting band aids on your hands to stop the bleeding and try again? No, you'd fix the problem at it's root and get a pair of gloves.
First and foremost, chances are you have 1. Insecure scripts that are being exploited. 2. Insecure FTP passwords that are being exploited.
Now if these iframe insertions are happening through different user accounts, we can probably rule out Upload/modification via FTP (possibly). Chances are you've got an old insecure php script somewhere that's being exploited.
If this is a cPanel machine, the first thing I'd do is run '/scripts/phpopenbasedirctl on' , More than likely this is a PHP script that's being exploited, and this will force the attacker/script owner to stay within the confines of the homedirectory that's being exploited. So you'll effectively limit this to one site.
Next up, if you're not running suPHP, you should be. You can fix this via Easyapache (once again, assuming cPanel here). This will further help mitigate the damage a single hacked site can do. It'll also leave a trail as any files this user creates, will be owned by the hacked site.
Now, you can either a: wait for it to happen again and run the permissions trail back down to the offending site and from there go through their access logs and look for very obviously suspect traffic. It should really jump out at you. or b: Apply a *proper* mod_security ruleset as mentioned above, however you should REALLY prune out all the unnecessary signatures as those rulesets are meant to block *everything* and add a ton of overhead to Apache. No point in filtering Windows only exploits when you're running a linux server, etc.
And as per the usual, if you keep running into this, you should look into hiring an admin to take a look through and sort this out for you. A good admin should be able to find the point of intrusion and kill it in about 30 minutes to an hour at most.
|
Posted by Crashus, 07-12-2009, 01:39 PM |
hello,
you can use something like this to check files:
grep -R a5g * |awk -F: '{print $1}'
this will print you a list of all affected files.
However it is better to use find script to replace that lines, and be sure to change all of your ftp passwords. 90% that they have been stolen from your total commander of far manager or etc. from your local computer via some virus. Better change all of your passwords and be sure not to check 'Save/Remember password' option in any program.
Injection also possible in old versions of CMSes like joomla and wordpress.
Hope this helps.
|
Add to Favourites Print this Article
Also Read