Check for malicious code in public_html

Posted: 2023 May 03, 22:31
by Mihai
Command

find /home/*/public_html/ -maxdepth 4 -type f -mtime -7 -exec egrep -q "eval\(|exec\(|gzinflate\(|base64_decode\(|str_rot13\(|gzuncompress\(|rawurldecode\(|strrev\(|ini_set\(chr|chr\(rand\(|shell_exec\(|fopen\(|curl_exec\(|popen\(|x..x.." {} \; -print > /tmp/suspected-malware.txt
Command breakdown
  • find – This is a Linux tool for searching for files, installed by default on most servers.
  • /home/*/public_html/ – This is the path in which find looks for files. The * is automatically replaced by all the directory names under /home.
  • -type f – This denotes that I’m looking only for files, and not directories, which makes find more efficient.
  • -mtime -7 – This denotes that the files should have a modification date within the last 7 days.
  • -maxdepth 4 – This denotes that I need only files within 4 layers of directories from public_html. This makes find execute faster.
  • -exec egrep "pattern" {} \; – This passes each file found by find to the command egrep, which will look for malicious code patterns in those files.
  • -print – This will output the file name if a malware pattern was found in a file.
  • > /tmp/suspected-malware.txt – This will store the output in /tmp/suspected-malware.txt, one file name per line.