I'm encountering an issue on my webserver. Someone infected it with a leaked WordPress. The problem is the following: there is some malicious PHP script somewhere within a file. The malicious script is putting an iframe inside every file on the webserver (/home). But the thing is that I don't know where the script is, and I have thousands of web files in /home; it could be anywhere. I know how to erase all the iframes, but the idea is to delete the trigger. So I was wondering how I could fix it, and I maybe have a solution, but I would need your advice.
I noticed that the script is executed from time to time but completely randomly (approximately once a week). Now let's assume that I erased all the malicious iframes with the following shell command (which I run every 30 minutes currently):
find /home -type f -print0 | xargs -0 sed -i 's$<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>$ $g'
Now that all my PHP files don't have an iframe, the idea would be to alert me when the iframe appears again. This way, if I have the approximate time when the iframe appears, then I could have a look at the Apache log to see which web script is called.
So I created another bash script, and I would like to have your advice to know if it would be all right. I would run it every 30 min on the server until I receive a mail.
Then I would look in the Apache log to check the log of the last 30 minutes.
So here is the bash script I was thinking about:
#!/bin/bash
# The injected iframe, in single quotes so nothing inside is expanded
iframe='<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>'
# List the files under /home that still contain it. -print0/-0 cope with odd
# filenames, -l prints only the file names, -s hides "permission denied" noise.
# (Testing $? after "xargs grep -q" was unreliable: xargs runs grep in several
# batches and returns 123 as soon as one batch has no match.)
infected=$(find /home -type f -print0 | xargs -0 grep -ls "$iframe")
if [ -n "$infected" ]   # at least one file contains the iframe
then
    # Mail the time and the list of infected files, to compare with the Apache log
    printf 'At the following time : %s\n\n%s\n' "$(date +%H-%M-%S)" "$infected" \
        | mail -s "[Serveur Leaked] Bad iframe has been found" me@mymail
    # Replace the iframe with a whitespace, only in the infected files (GNU xargs -d)
    printf '%s\n' "$infected" | xargs -d '\n' sed -i "s\$$iframe\$ \$g"
else
    exit 1
fi
exit 0
I really need to find a solution because right now, as I said, I'm running the find-and-replace shell command every 30 minutes and it's taking a lot of processing.
But I could not afford to leave iframes on my server for too long, as my websites would be blacklisted by Google, and I could not afford this.
Thanks a lot for your future advice.
Anselme
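The second half of the plan above is to take the time from the alert mail and look at the Apache log for the previous 30 minutes. The following is an added example of that step, not code from the post: it assumes the default Apache "combined" log format, and the log lines are constructed for the demonstration. It lists which PHP scripts were requested (and with which method) in the window before the alert, so the ones that are not part of the site stand out.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" access log line (assumed default format)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 10/Mar/2012:14:20:00 +0100


def php_hits_in_window(lines, alert_ts, minutes=30):
    """Count (method, php path) requests in the `minutes` before alert_ts.

    alert_ts uses the same timestamp format as the log, so the time from the
    alert mail can be pasted in directly. Query strings are stripped so
    /index.php?page=2 and /index.php count as the same script.
    """
    end = datetime.strptime(alert_ts, TS_FMT)
    start = end - timedelta(minutes=minutes)
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not access entries
        ts = datetime.strptime(m["ts"], TS_FMT)
        path = m["path"].split("?", 1)[0]
        if start <= ts <= end and path.endswith(".php"):
            hits[(m["method"], path)] += 1
    return hits


# Constructed sample log lines (not a real server log)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2012:13:55:36 +0100] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2012:14:02:11 +0100] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 14 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2012:14:10:40 +0100] "GET /style.css HTTP/1.1" 200 811 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2012:14:12:03 +0100] "GET /index.php?page=2 HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2012:15:30:00 +0100] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    # Alert mail said 14:20 on 10 March; show what ran in the 30 minutes before
    for (method, path), n in php_hits_in_window(
            SAMPLE_LOG.splitlines(), "10/Mar/2012:14:20:00 +0100").most_common():
        print(f"{n:4d}  {method:5s} {path}")
```

Run it against the real access_log with the time from the mail; a POST to a script under an uploads or cache directory is the kind of entry worth inspecting first.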