LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-28-2014, 11:15 AM   #1
Train
Member
 
Registered: Mar 2014
Distribution: Crunchbang
Posts: 44

Rep: Reputation: Disabled
Question Hacked by Yunus-Incredibl


A company server that has lots of outdated installes of WordPress was hacked this week by Yunus-Incredibl.

This server has no complete backup.

What would be good ways to scan for malicious php scripts?

I attached one of the malicious scripts for review.
Attached Files
File Type: txt my-fucking-plugin.txt (64.3 KB, 57 views)

Last edited by Train; 09-02-2014 at 11:53 AM. Reason: Spelling error.
 
Old 08-28-2014, 01:19 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Quote:
Originally Posted by Train View Post
What would be good ways to scan for malicious php scripts?
Probably Linux Malware Detect (LMD) because it's got quite an extensive array of hashes and signatures. Be certain though the intention should not be to maintain the situation and "fix" things by cleaning up but to (have clients) migrate verified safe content to another, pristine, properly hardened machine using only current software.
 
Old 08-28-2014, 07:15 PM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
LMD is good start...

quick get 'er done recipe:
Code:
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
untar it
cd into it
sudo install.sh
maldet -d; maldet -u
maldet -b -r /path/to/scan
read log when it's done.

References:
Code:
maldet --help
HOWTO : Linux Malware Detect on Ubuntu 12.04 LTS 64-bit
Install Linux Malware Detect in RHEL, CentOS and Fedora"
 
Old 08-29-2014, 01:46 AM   #4
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 17.1 KDE on workstation, CentOS 6.x on servers
Posts: 1,145

Rep: Reputation: 47
Could also look at date time stamps, I would treat any file with a new modify/create time stamp as malicious. There is probably a way to list these files using find/grep/sed etc, may be able to find an example online.
 
Old 08-29-2014, 08:18 AM   #5
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Code:
malware detect scan report for my-kungfu:
SCAN ID: 082914-0736.31194
TIME: Aug 29 07:36:56 -0400
PATH: /home*/*/public_html
RANGE: 2 days
TOTAL FILES: 11
TOTAL HITS: 1
TOTAL CLEANED: 0

...
FILE HIT LIST:
{HEX}php.cmdshell.unclassed.352 : /tmp/my-fucking-plugin.txt
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >
 
Old 08-29-2014, 01:52 PM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177Reputation: 3177
Apparently my original comment didn't sit so well with the moderators, but ... if you don't have an authoritative copy, somewhere else, of what's supposed to be on this server, and especially if you are using outdated copies of WordPress, then you're absolutely going to need to find some source, outside of this machine, from which to begin to reconstruct it. You really can't trust anything that's here.

WordPress installations should all be brought to the most current versions of the software. Then, you must assume that all of the content has somehow been tampered-with, injecting malicious script-tags and so on. Any script that's not part of the WordPress gear that has now been replaced must also be suspect. But, really, it goes deeper than this. If a system has been hacked-into, you should assume no less than "it has been root-kitted." Remote privilege-escalation is much easier to do than you might imagine. It's not particularly difficult to replace "a tool that you trust" with a version of that tool which conceals text.

The bottom line is: you can't trust anything here. Everything must be replaced, and the replacement must come from [i]somewhere else.[/] Nothing less will do. Various "malware detectors" exist, but, like all anti-virus strategies, they are "too little, too late." (And, they tacitly assume that the underlying system is actually reliable ... not a valid assumption.

In far, far, far too many cases, people maintain systems simply by logging-in to them, making changes directly, and keeping no backup copy – no authoritative image copy – anywhere. Someone hacks into the thing, often quite thoroughly, and you have nothing apart from the now-damaged content of the system to fall back on. You must maintain all production systems using version-control and replicated, multi-version databases.

Last edited by sundialsvcs; 08-29-2014 at 01:54 PM.
 
Old 09-02-2014, 11:51 AM   #7
Train
Member
 
Registered: Mar 2014
Distribution: Crunchbang
Posts: 44

Original Poster
Rep: Reputation: Disabled
Thanks for your responses.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] My network is hacked for sure. I want to reinstall but it will be hacked again. MsRefusenik Linux - Security 19 10-18-2010 06:02 PM
I've been hacked hippocrat Linux - Security 3 09-07-2010 06:43 PM
I think I've been hacked :( suavecu Linux - Security 5 11-24-2006 12:51 AM
hacked? WRSpithead Linux - Security 2 08-30-2006 04:21 AM
Got Hacked! Why? hagen00 Linux - Security 13 08-20-2006 09:44 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:33 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration