Scanning for web malware, back doors, spam scripts, etc. on Linux-based web servers

Filed under Security, Server Admin.

In the wake of the recent SoakSoak WordPress vulnerability, among others, I have begun searching for a better way to keep tabs on malicious code that may get uploaded to clients' hosting accounts.

Enter maldet.

Maldet uses a constantly updated database of malware hashes to identify and quarantine (if required) malicious files. Maldet can be set to run automatically via cron, watch newly updated files, and more.

Exim – Find a list of the most commonly used scripts

Filed under Server Admin.

I had to deal with a malicious script that was inserted into a website today and was sending out spam. Typically I have a few tools I run, but I couldn't locate this particular infection. Time to take another angle: Exim logs. The following shows the most used script directories, which will help narrow down the suspects substantially.

Exim – Purge Mail Queue

Filed under Server Admin.

A quick one-liner to purge the Exim mail queue:

Recursively finding strings in files

Filed under Linux, Server Admin.

For example, if you wanted to scan all files in the current directory and all subdirectories for any calls to base64_decode, you could do something like this:

Find all files, then run grep on each of them, printing the matching lines with file names and line numbers, and finally write the output to resultb64.txt.

Another twist on this is to filter the file types a bit:

Lastly, if we wanted to find and replace (with nothing) a string:
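One way to carry out the three steps above (scan every file, restrict the scan by file type, then strip the string), written here as an added example rather than the post's own commands. The web-root layout, file names and file contents are constructed for the demonstration, and the pattern is a basic regular expression as both grep and sed read it:

```shell
#!/bin/sh
# Added example for the recursive search described in the post; not the
# post's own command. The directory layout and file contents below are
# constructed so the script runs offline. PATTERN is a basic regular
# expression for both grep and sed and must not contain '|' (sed delimiter).

# scan_tree DIR PATTERN OUTFILE
# Find every regular file, grep each one with file names and line numbers,
# and write the hits to OUTFILE. OUTFILE must live outside DIR: with
# '-exec +' a later grep batch can read the growing results file and
# match its own output.
scan_tree() {
    find "$1" -type f -exec grep -n -H -- "$2" {} + > "$3" || true
}

# scan_tree_by_type DIR PATTERN GLOB OUTFILE
# Same search, but only for files whose name matches GLOB (e.g. '*.php').
scan_tree_by_type() {
    find "$1" -type f -name "$3" -exec grep -n -H -- "$2" {} + > "$4" || true
}

# strip_string DIR GLOB PATTERN
# Remove every occurrence of PATTERN from matching files. Only files that
# actually contain it are rewritten, through a temp copy rather than
# 'sed -i', whose syntax differs between GNU and BSD sed.
strip_string() {
    find "$1" -type f -name "$2" -exec grep -l -- "$3" {} + |
    while IFS= read -r f; do
        sed "s|$3||g" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# hit_count OUTFILE: number of matching lines recorded in a results file
hit_count() {
    grep -c '' "$1"
}

# make_sample_tree DIR: constructed web root with one suspicious PHP file,
# one harmless text mention of the function name, and a binary-ish image.
make_sample_tree() {
    mkdir -p "$1/wp-content/uploads" "$1/wp-content/themes/x"
    printf '<?php echo "hello"; ?>\n' > "$1/index.php"
    printf '<?php eval(base64_decode("aGk="));\n' > "$1/wp-content/uploads/cache.php"
    printf 'base64_decode is mentioned in these docs\n' > "$1/wp-content/themes/x/readme.txt"
    printf 'GIF89a\n' > "$1/wp-content/uploads/logo.gif"
}
```

Call it as `scan_tree /var/www/site base64_decode /root/resultb64.txt` and read the results file; `scan_tree_by_type /var/www/site base64_decode '*.php' /root/resultphp.txt` narrows the same search to PHP. Keep the results file outside the tree being scanned for the reason given in the comment, and take a copy of any file before running `strip_string` on it, since the search hits are the evidence of what was there.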

T-SQL: Quickly Clone a Table

Filed under Code Snippets, Programming.

To quickly and easily clone a table using T-SQL, the following is useful:

This will create the destination table and copy all source columns and data into it.

Apache Scalp fixed XML file

Filed under Server Admin.

I needed to audit some Apache logs, installed Scalp, grabbed the XML, and it promptly puked:

Seems there is some issue with the regex in the XML file. I found this handy thread, which outlines the fixes: code.google.com/p/apache-scalp/issues/de… and another person posted an XML file with all the fixes: pastebin.com/uDziqcD5

A backup of the XML is below, just in case Pastebin goes down: default_filter (rename to .xml)