Search for Malicious Code on the Site without Scanners

Search for Malicious Code on the Site without Scanners
How To
17:02, 03 November 2020
4 867
0

Hacker scripts. Most often, when hacked, they download files that are web shells, backdoors, loaders, scripts for spam mailings, phishing pages + form handlers, doorways and hacking token files.

Injections in existing files. The second most popular type of placement of malicious and hacker code is injections. Mobile and search redirects can be injected into existing site files .htaccess, backdoors can be injected into php / perl scripts, viral jаvascript fragments or redirects to third-party resources can be embedded into .js and .html templates. Injections are also possible in media files, for example .jpg or. Malicious code often consists of several components: the malicious code itself is stored in the exif header of a jpg file, and is executed using a small control script, the code of which does not look suspicious to the scanner.

Injections in the database. The database is the third target for a hacker. Here, static inserts,,, are possible, which redirect visitors to third-party resources, “spy” on them, or infect the visitor's computer | mobile device as a result of a drive-by attack (attack using hidden download). In addition, in many modern CMS (IPB, vBulletin, modx, etc.), templating tools allow you to execute php code, and the templates themselves are stored in the database, so the php code of web shells and backdoors can be embedded directly into the database.

Injections in caching services

As a result of incorrect or unsafe configuration of caching services, for example, memcached, injections into cached data are possible on the fly. In some cases, a hacker can inject malicious code into website pages without directly breaking the latter. Injects / incited items in server system components.

If a hacker gains root access to the server, he can replace the elements of the web server or caching server with infected ones. Such a web server will, on the one hand, provide control over the server using control commands, and on the other hand, from time to time, it will inject dynamic redirects and malicious code into website pages. As in the case of an injection into the caching service, the site administrator will most likely not be able to detect the fact of a hacked site, since all files and the database will be original. This option is the most difficult to treat.

So, let's say that you have already checked the files on the hosting and the database dump with scanners, but they did not find anything, and the viral redirect is still on the page or the mobile redirect continues to work when the pages are opened. How to look further?

Manual search

On unix, it's hard to find a more valuable pair of commands for finding files and fragments than find / grep.

find. -name '* .ph *' -mtime -7
will find all files that have changed in the last week. Sometimes hackers "twist" the modified date of the scripts so as not to find new scripts. Then you can search for php / phtml files for which the find attributes have changed.
-name '* .ph *' -сtime -7

find. -name '* .ph *' -newermt 2015-01-25! -newermt 2015-01-30 -ls

To search in files, grep is irreplaceable. It can search recursively through the files the specified snippet
grep -ril 'stummann.net/steffen/google-analytics/jquery-1.6.5.min.js' *

When hacking the server, it is useful to analyze the files that have the guid / suid flag set
find / -perm -4000 -o -perm -2000

To determine which scripts are currently running and load the hosting CPU, you can call
lsof + r 1 -p `ps axww | grep httpd | grep -v grep | awk '{if (! str) {str =} else {str = str ","}} END {print str}' `| grep vhosts | grep php

Analyze files on hosting

  1. Go to the upload, cache, tmp, backup, log, images directories, into which something is written by scripts or uploaded by users, and scan the contents for new files with suspicious extensions. For example, for joomla, you can check the .php files in the images directory: find ./images -name '* .ph *' Most likely, if something is found, it will be malicious. For WordPress it makes sense to check the wp-content / uploads directory, backup and cache directories for scripts.
  2. We are looking for files with strange names For example, php, fyi.php, n2fd2.php. Files can be searched for - by non-standard combinations of characters - by the presence of numbers 3,4,5,6,7,8,9 in the file name
  3. We are looking for doorways by a large number of .html or .php files If there are several thousand .php files or .html, most likely a doorway.
  4. Logs of the web server, mail service and FTP. Correlation of the date and time the message was sent (which can be found from the mail server log or the service header of a spam message) with requests from the access_log helps to identify a way to send spam or to find a spam mailer script. Analysis of the FTP xferlog transfer log allows you to understand which files were uploaded at the time of the hack, which ones were changed and by whom. A properly configured mail server log or the service header of a spam message, if PHP is configured correctly, will contain the name or full path to the sender script, which helps to determine the source of spam. By the logs of proactive protection of modern CMS and plugins, you can determine what attacks were carried out on the site and whether the CMS was able to resist them. By access_log and error_log, you can analyze the actions of the hacker, if the names of the scripts that he called are known, IP address or User Agent. As a last resort, you can view POST requests on the day the site was hacked and infected. The analysis often allows you to find other hacker scripts that were downloaded or were already on the server at the time of the hacking.
 Ctrl 
Enter
Noticed a bug
Highlight text and press Ctrl+Enter
Comments (0)
Top in category
Guide Mod BIOS Mainboard ASUS H110M-K/D/CS/E/E.M2, B150M-K, H270-PLUS, Z170-PRO,.. running Intel CoffeeLake CPU Guide Mod BIOS Mainboard ASUS H110M-K/D/CS/E/E.M2, B150M-K, H270-PLUS, Z170-PRO,.. running Intel CoffeeLake CPU
The processors that are tested with stable operation include: i3-9100F, i3-8350K, i3-8300, i3-8100T, G4900T, G5500T, G4900, G4920, G5500 and G5400T..
10-03-2020, 18:47
143 647
5
Request your Mod BIOS Mainboard SkyLake, KabyLake running Intel CoffeeLake CPU Request your Mod BIOS Mainboard SkyLake, KabyLake running Intel CoffeeLake CPU
Please view this article to know how to update Mod BIOS for yoru mainboard before request your bios mainboard. Your Mod BIOS will be upload and post here as..
01-03-2020, 11:07
31 843
2
Site UG Viet Nam Open Reg Nick - Sell Nick Diễn Đàn UG Viet Nam 2021 Site UG Viet Nam Open Reg Nick - Sell Nick Diễn Đàn UG Viet Nam 2021
Có 1 cách kiếm tiền Online vô cùng lợi hại, ko phải gõ capcha, ko phải ptc mà cũng ko cần làm offer... Đó chính là UG, vậy UG là gì !? Vì sao nó lợi hại!?..
01-03-2020, 10:28
21 653
0
Hướng dẫn xóa 100% Vietnamese Keyboard trong máy tính Windows 10 Hướng dẫn xóa 100% Vietnamese Keyboard trong máy tính Windows 10
Trong bài viết này, mình sẽ hướng dẫn các bạn cách xóa Vietnamese Keyboard Win 10 khi không sử dụng đến và loại bỏ những rắc rối của nó. Ngoài ra, mình cũng sẽ..
11-10-2020, 20:15
5 132
0
Hướng dẫn cài đặt Microsoft Store cho Windows 10 Enterprise Hướng dẫn cài đặt Microsoft Store cho Windows 10 Enterprise
Windows 10 Enterprise LTSB 2016 / LTSC 2019 mặc định sẽ không có Store và các ứng dụng đi kèm bởi vì phiên bản này phục vụ cho doanh nghiệp. Bài viết này mình..
04-12-2020, 16:11
5 130
0
Hướng dẫn cách lấy mũi taro bị gãy khi đang gia công Hướng dẫn cách lấy mũi taro bị gãy khi đang gia công
Ngành cơ khí ngày càng được nhà nước quan tâm, hàng năm số doanh nghiệp được thành lập trong ngành cơ khí lên tới hàng chục nghìn. Với một thị trường rộng lớn..
24-03-2021, 13:45
5 029
0
Hướng dẫn cách cài đặt mới Windows 10 bằng USB Hướng dẫn cách cài đặt mới Windows 10 bằng USB
Trong bài viết này, mình muốn chia sẻ đến các bạn cách cài đặt Windows 10 từ USB đầy đủ nhất, đây là cách khá phổ biến mà bạn nên biết bởi nó sẽ giúp bạn tiết..
03-12-2020, 20:05
4 937
0
Hướng Dẫn Cài Đặt Phần Mềm Repack Hướng Dẫn Cài Đặt Phần Mềm Repack
Repack là dạng phần mềm được đóng gói lại với crack sẵn do các cracker đến từ Nga thực hiện. Người dùng chỉ cần tải xuống cài đặt và sử dụng bình thường với..
21-08-2021, 18:05
4 902
0