Web Server Malware Investigating

These snippets are based on this article

Starting points

Example of good check

[user@host home]$ wp checksum core --path=/home/user/public_html
 Success: WordPress install verifies against checksums.

Example of Issue

user@ubuntu-malware:~/public_html$ wp checksum core
 Warning: File should not exist: wp-admin/x.php
 Success: WordPress install verifies against checksums.

 

Search domlogs/accesslogs

 awk '$9 ~ 200 && $6 ~ /POST/ { print }' /path/to/logs

swap out post with method you want to search GET, POST, HEAD

swap out 200 with request you want to search by, 200, 301, 302, 401, 404, 500, 503

find /path/to/investigate -ctime (# of days you want to look back for modified files)
for x in $(find / -type f -name '*.php'); do fgrep -HF ($Malware Terms) $x; done 2> /dev/null

Malware Terms

base64_decode

sh_decrypt_phase

eval

rot13

gzinflate

preg_replace

 

Scanners

GravityScan: External service to scan the site for vulnerabilities and common malware.

 

Access

look for server logins:

last (command shows last ssh logins)