In the wake of the recent SoakSoak WordPress vulnerability, among others, I have begun searching for a better way to keep tabs on malicious code that may get uploaded to clients' hosting accounts.
Maldet uses a constantly updated database of malware hashes to identify and quarantine (if required) malicious files. Maldet can be set to run automatically via cron, watch newly updated files, and more.
I had to deal with a malicious script that was inserted into a website today and was sending out spam. Typically I have a few tools I run, but I couldn't locate this particular infection. Time to take another angle: Exim logs. The following shows the most used script directories, which will help narrow down the suspects substantially.
A quick one-liner to purge the Exim mail queue:
For example, if you wanted to scan all files in the current directory, and all subdirectories, for any calls to base64_decode, you could do something like this:
This finds all files, then executes grep on them, printing matching lines with filenames and line numbers, and finally writes the output to resultb64.txt.
Another twist on this is to filter the filetypes a bit:
Lastly, if we wanted to find and replace (with nothing) a string:
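An added example (not from the original post) of the find/grep approach described above, with the file-type filter applied and a per-file hit count; it runs over a constructed sample tree whose file names and contents are made up:

```shell
#!/bin/sh
# Added example: hunt for base64_decode() calls in PHP/JS files under a tree.
set -eu

# Build a small constructed sample tree (hypothetical names, harmless contents)
make_sample() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-content/uploads" "$dir/wp-includes"
  printf '<?php echo "hello";\n' > "$dir/index.php"
  # constructed "suspicious" marker: decodes to the string foo
  printf '<?php eval(base64_decode("Zm9v"));\n' > "$dir/wp-content/uploads/cache.php"
  # legitimate-looking use, still worth a look
  printf '<?php // legit\n$x = base64_decode($y);\n' > "$dir/wp-includes/class-a.php"
  # not a script file: filtered out by the -name tests below
  printf 'base64_decode in a text file\n' > "$dir/readme.txt"
  echo "$dir"
}

# Search .php and .js files under $1 for base64_decode; print file:line:match
scan_b64() {
  find "$1" -type f \( -name '*.php' -o -name '*.js' \) \
    -exec grep -Hn 'base64_decode' {} + 2>/dev/null || true
}

# Tally hits per file, busiest first, to narrow down the suspects
scan_b64_counts() {
  scan_b64 "$1" | cut -d: -f1 | sort | uniq -c | sort -rn
}

# Stand-alone run: write the full report to resultb64.txt in the sample tree
if [ "${1:-}" = "--demo" ]; then
  d=$(make_sample)
  scan_b64 "$d" > "$d/resultb64.txt"
  scan_b64_counts "$d"
fi
```

Run with `--demo` to see the report on the constructed tree; point `scan_b64` at a real docroot to get the same `file:line:match` listing described above.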
To quickly and easily clone a table using T-SQL, the following is useful:
This will create the destination table and copy all source columns and data into it.
Needed to audit some apache logs, installed scalp, grabbed the XML, and it promptly puked:
Seems there is some issue with the regex in the XML file. I found this handy thread which outlines the fixes: code.google.com/p/apache-scalp/issues/de… and another person posted an XML with all the fixes: pastebin.com/uDziqcD5
Backup of the XML is below just in case pastebin goes down: default_filter (rename to .xml)