Scanning for web malware, back doors, spam scripts, etc on Linux based web servers

Posted by & filed under Security, Server Admin.

In the wake of the recent SoakSoak WordPress vulnerability, among others I have began searching for a better way to keep tabs on malicious code that may get uploaded to client’s hosting accounts.

Enter maldet.

Maldet uses a constantly updated database of malware hashes to identify and quarantine (if required) malicious files. Maldet can be set to run automatically via cron, watch newly updates files, and more.



Exim – Find a list of the most commonly used scripts

Posted by & filed under Server Admin.

I had to deal with a malicious script that was inserted into a website today and was sending out spam. Typically I have a few tools I run, but I couldn’t locate this particular infection. Time to take another angle, Exim logs. The following shows the most used script directories which will help narrow down the suspects substantially.

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Recursively finding strings in files

Posted by & filed under Linux, Server Admin.

For example, if you wanted to scan all files in the current directory, and all sub directories for any calls to base64_decode, you could do something like this:

find . -type f -exec grep -A 2 -B 2 -H -i -n "base64_decode" {} + > resultb64.txt

find all files, then execute grep on them, printing out matching lines, filenames and line numbers, finally write output to resultb64.txt

Another twist on this is to filter the filetypes a bit:

find . -name "*.html" -or -name "*.php" -or -name "*.js" -exec grep -A 2 -B 2 -H -i -n "base64_decode" {} + > resultb64.txt

Lastly, if we wanted to find and replace (with nothing) a string:

find ./ -name "*.html" -or -name "*.php" -exec sed -i 's#STRING TO FIND##g' '{}' \;

T-SQL: Quickly Clone a Table

Posted by & filed under Code Snippets, Programming.

To quickly and easily clone a table using T-SQL, the following is useful:

SELECT * INTO [Schema].[dbo].[destination_table] FROM [Schema].[dbo].[source_table]

This will create the destination table and copy all source columns and data into it.

Apache Scalp fixed XML file

Posted by & filed under Server Admin.

Needed to audit some apache logs, installed scalp, grabbed the XML, and it promptly puked:

web@web:~/apache-scalp$ python --log /var/log/apache2/access.log
Loading XML file 'default_filter.xml'...
The rule '(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]*\s*select)|(?:\w\s+like\s+\")|(?:like\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not |\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(]+\s*[(@"]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,"-]+from)|(?:find_in_set\s*\()' cannot be compiled properly

Seems there is some issue with the regex in the XML file. I found this handy thread which outlines the fixes:… and another person posted a XML will all the fixes:

Backup of the XML is below just in case pastebin goes down: default_filter (rename to .xml)