Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
What would be good ways to scan for malicious php scripts?
Probably Linux Malware Detect (LMD), because it's got quite an extensive array of hashes and signatures. Be certain, though, that the intention should not be to maintain the situation and "fix" things by cleaning up, but to (have clients) migrate verified safe content to another, pristine, properly hardened machine using only current software.
Could also look at date/time stamps; I would treat any file with a new modify/create time stamp as malicious. There is probably a way to list these files using find/grep/sed etc.; you may be able to find an example online.
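The find/grep approach mentioned above, as an added example that is not code from the thread. It assumes GNU find, grep and touch (a normal Linux box) and builds its own constructed sample tree so it runs offline. It does two things: lists PHP files whose content changed in the last N days, and greps PHP files for a handful of common obfuscation and webshell indicators. Two caveats a practitioner will want: attackers routinely reset mtime with touch(1), so an old timestamp is not evidence of a clean file (ctime, via find -ctime, is harder to backdate but is also reset by any chmod or rename); and the grep patterns are heuristics that will both fire on legitimate code and miss well-obfuscated payloads, so treat hits as files to read, not as verdicts.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU find/grep/touch (Linux).
# Two cheap triage checks for a PHP tree: recently changed files, and
# files containing common obfuscation / webshell indicators.

# List PHP files under $1 whose content changed within the last $2 days.
# Note: mtime is trivially reset with touch(1); -ctime is harder to backdate.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" -print | sort
}

# Grep PHP files under $1 for indicator patterns (prints file:line:text).
# Heuristics only: expect false positives in legitimate code and misses
# on well-obfuscated payloads.
suspicious_php() {
    grep -rnE --include='*.php' \
        -e 'eval\(' \
        -e '(base64_decode|gzinflate|gzuncompress|str_rot13)\(' \
        -e 'preg_replace\(.*/e' \
        -e '(shell_exec|passthru|system|proc_open|popen)\(' \
        -e '\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\(' \
        "$1"
}

# Number of distinct PHP files under $1 with at least one indicator hit.
suspicious_count() {
    suspicious_php "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample tree so the script runs offline; prints its path.
# One benign old file and two dropped "webshell" style files.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf '<?php echo "hello";\n' > "$d/index.php"
    printf '<?php eval(base64_decode($_POST["c"]));\n' > "$d/wp-content/uploads/x.php"
    printf '<?php @$_GET["cmd"]($_GET["arg"]);\n' > "$d/wp-content/uploads/y.php"
    touch -d '30 days ago' "$d/index.php"    # pretend the benign file is old
    echo "$d"
}

# Usage on a real tree:  recent_php /var/www 7 ; suspicious_php /var/www
```

On a real WordPress tree, run recent_php against the document root with a window covering the suspected compromise, then read every hit from suspicious_php by hand; uploads directories containing any .php file at all deserve a look regardless of what the patterns say.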
Apparently my original comment didn't sit so well with the moderators, but ... if you don't have an authoritative copy, somewhere else, of what's supposed to be on this server, and especially if you are using outdated copies of WordPress, then you're absolutely going to need to find some source, outside of this machine, from which to begin to reconstruct it. You really can't trust anything that's here.
WordPress installations should all be brought to the most current versions of the software. Then, you must assume that all of the content has somehow been tampered with, injecting malicious script tags and so on. Any script that's not part of the WordPress gear that has now been replaced must also be suspect. But, really, it goes deeper than this. If a system has been hacked into, you should assume no less than "it has been root-kitted." Remote privilege escalation is much easier to do than you might imagine. It's not particularly difficult to replace "a tool that you trust" with a version of that tool which conceals text.
The bottom line is: you can't trust anything here. Everything must be replaced, and the replacement must come from somewhere else. Nothing less will do. Various "malware detectors" exist, but, like all anti-virus strategies, they are "too little, too late." (And they tacitly assume that the underlying system is actually reliable ... not a valid assumption.)
In far, far, far too many cases, people maintain systems simply by logging in to them, making changes directly, and keeping no backup copy (no authoritative image copy) anywhere. Someone hacks into the thing, often quite thoroughly, and you have nothing apart from the now-damaged content of the system to fall back on. You must maintain all production systems using version control and replicated, multi-version databases.
Last edited by sundialsvcs; 08-29-2014 at 12:54 PM.