
I'm encountering an issue on my webserver. Someone infected it with a leaked WordPress. The problem is the following: there is some malicious PHP script somewhere within a file. The malicious script is putting an iframe inside every file on the webserver (/home). But the thing is that I don't know where the script is, and I have thousands of web files in /home; it could be anywhere. I know how to erase all the iframes, but the idea is to delete the trigger. So I was wondering how I could fix it. I have maybe a solution, but I would need your advice.

I noticed that the script is executed from time to time but completely randomly (approximately once a week). Now let's assume that I erased all the malicious iframes with the following shell command (which I run every 30 minutes currently):

find /home -type f -print0 | xargs -0 sed -i 's$<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>$ $g'   # -print0/-0 so file names with spaces are passed intact

Now that none of my PHP files have an iframe, the idea would be to alert me when the iframe appears again. That way, if I have the approximate time when the iframe appears, I could have a look at the Apache log to see which web script was called.

So I created another bash script and I would like to have your advice to know if it would be all right. I would run it every 30 min on the server until I receive a mail.

Then I would look in the Apache log to check the log of the last 30 minutes.

So here is the bash script I was thinking about:

#!/bin/bash
PATTERN='<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>'
# Search every file under /home for the string; -r recurses, -q only sets the exit status.
# (grep -r replaces "find | xargs grep -q", whose exit status was 123 whenever one xargs batch had no match, so the test below was unreliable.)
if grep -rq "$PATTERN" /home   # exit status 0 means the iframe was found
then
        echo "At the following time : $(date +%H-%M-%S)" | mail -s "[Serveur Leaked] Bad iframe has been found" me@mymail   # we send a mail with the date
        # we replace the iframe with a whitespace, only in the files that contain it (-l lists them, -Z NUL-terminates the names for xargs -0)
        grep -rlZ "$PATTERN" /home | xargs -0 sed -i "s\$$PATTERN\$ \$g"
else
        exit 1
fi

exit 0

I really need to find a solution because right now, as I said, I'm running the find-and-replace shell command every 30 minutes and it's taking a lot of processing.

But I could not afford to leave iframes on my server for too long, since my websites would be blacklisted by Google, and I could not afford this.

Thanks a lot for your future advice.

Anselme
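Once the alert mail gives the approximate time, the next step in the question is to narrow the Apache access log down to the requests in the window before it. The following is an added example, not the poster's script, that takes a combined-format access log and a start/end timestamp in the log's own format, converts the bracketed timestamps to sortable YYYYMMDDHHMMSS keys in awk (so it does not depend on GNU date), and counts the .php URLs requested inside the window. The sample log lines are constructed for the demo; the path /var/log/apache2/access.log mentioned in the comments is an assumption.

```shell
#!/bin/sh
# Added example: correlate an iframe alert time with the Apache access log.
# Assumes the combined log format, e.g.
#   1.2.3.4 - - [15/Jul/2013:10:21:28 +0000] "POST /x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"

# Constructed sample log lines (not from the poster's server)
SAMPLE_LOG='10.0.0.5 - - [15/Jul/2013:09:58:10 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Jul/2013:10:05:41 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 312 "-" "curl/7.29"
10.0.0.5 - - [15/Jul/2013:10:12:02 +0000] "GET /style.css HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Jul/2013:10:14:55 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 298 "-" "curl/7.29"
10.0.0.7 - - [15/Jul/2013:10:20:30 +0000] "GET /blog/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Jul/2013:10:45:00 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 300 "-" "curl/7.29"'

# ts_key "15/Jul/2013:10:21:28" -> 20130715102128 (a key that sorts chronologically)
ts_key() {
    printf '%s\n' "$1" | awk -F'[/:]' '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i) }
        { printf "%s%s%02d%02d%02d%02d\n", $3, mon[$2], $1, $4, $5, $6 }'
}

# php_requests_between LOGFILE START END
# Prints "count url" for every .php request whose timestamp lies in [START, END],
# most frequent first. START/END use the log's own format, e.g. 15/Jul/2013:10:00:00
php_requests_between() {
    start=$(ts_key "$2"); end=$(ts_key "$3")
    awk -v start="$start" -v end="$end" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i) }
        {
            # $4 is "[15/Jul/2013:10:21:28" (strip the bracket), $7 is the request path
            ts = substr($4, 2); split(ts, t, "[/:]")
            key = t[3] mon[t[2]] sprintf("%02d%02d%02d%02d", t[1], t[4], t[5], t[6])
            if (key >= start && key <= end && $7 ~ /\.php/) count[$7]++
        }
        END { for (u in count) print count[u], u }' "$1" | sort -rn
}

# Stand-alone demo on the constructed sample. On a real server, point this at
# /var/log/apache2/access.log (assumed path) and use the 30 minutes before the alert mail.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
php_requests_between "$demo_log" "15/Jul/2013:10:00:00" "15/Jul/2013:10:30:00"
rm -f "$demo_log"
```

The sort puts the most-requested PHP file first; a script that is called repeatedly by a non-browser user agent just before every injection is the one worth inspecting, and the same function can be pointed at several consecutive alert windows to see whether the same URL shows up each time.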


3 Answers

This may not be caused by a PHP script at all; the attacker may already have obtained a password for your server. This thread provides some resources that will guide you through what to check:

http://wordpress.org/support/topic/new-malware-code-injection-attack

Here is the WordPress documentation on how to harden your installation:

http://codex.wordpress.org/Hardening_WordPress

Changing the system's root password would be a good starting point.

To give you an idea of the level of sophistication you may be facing:

http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html

My sympathies.

Answered 2013-07-17T03:26:44.547

You can use inotify to get notified when your HTML files change, and run your script only in that case.

When you know that your files have been modified (e.g. via inotify as above), you can use the process's proc filesystem (or something similar such as lsof) to find out which process has the modified file open.

Answered 2013-07-15T10:21:28.893

Once you have found the iframe files you want to monitor, perhaps the shell-script version of inotify, inotifywait, would be the simplest solution. Use it in your script like this:

#!/bin/sh
while inotifywait -e modify /var/log/messages; do
    if tail -n1 /var/log/messages | grep httpd; then
        kdialog --msgbox "Apache needs love!"
    fi
done

Generally speaking, there are better file-monitoring tools, such as auditd, which includes prebuilt utilities designed for security and auditing.

There is also fanotify, which provides user information and can efficiently monitor entire volumes. See the excellent example tool: fatrace

inotify has a few significant problems: it cannot reliably watch newly created folders, and it cannot identify the source (PID) of a file change. Neither of these matters here, but using inotify directly requires some coding.

Answered 2013-07-17T02:24:37.603
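The two answers above both suggest reacting to file modifications (with inotify) and then asking which process has the file open (with lsof or /proc). The following is an added example, not code from either answer, that combines them for the situation in the question: inotifywait watches the web root recursively, every modified or created file is checked for the injected iframe, and a hit is appended to a log together with the PIDs that lsof still sees holding the file open, which is the detail the cron-based script cannot give. It assumes inotify-tools and lsof are installed; the watch root /home, the log path /var/log/iframe-hits.log and the script name watch_iframe.sh are assumptions.

```shell
#!/bin/sh
# Added example (not from any of the answers): react to file modifications under a
# web root with inotifywait and record which file received the iframe, when, and by whom.
# Assumes inotify-tools (inotifywait) and lsof are installed.

PATTERN='<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>'

# check_file PATH -> prints "<timestamp> <path>" and returns 0 if the file contains the
# injected iframe; prints nothing and returns 1 otherwise
check_file() {
    if grep -q "$PATTERN" "$1" 2>/dev/null; then
        printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1"
        return 0
    fi
    return 1
}

# writers_of PATH -> PIDs that currently have PATH open (the proc/lsof step from the
# second answer). Empty when the writer has already closed the file, which is why this
# has to run immediately from the inotify event rather than from a cron job.
writers_of() {
    command -v lsof >/dev/null 2>&1 || return 1
    lsof -t -- "$1" 2>/dev/null
}

# watch_tree WEBROOT LOGFILE -> blocks; appends a line to LOGFILE each time a file under
# WEBROOT is modified, created or moved in and contains the iframe.
# -m keeps inotifywait running, -r sets up watches on the whole tree, -q silences chatter,
# --format '%w%f' prints the full path of the affected file.
watch_tree() {
    inotifywait -m -r -q -e modify -e create -e moved_to --format '%w%f' "$1" |
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        if hit=$(check_file "$path"); then
            printf '%s writers=[%s]\n' "$hit" "$(writers_of "$path" | tr '\n' ' ')" >> "$2"
        fi
    done
}

# Usage (assumed script name): ./watch_iframe.sh --watch /home /var/log/iframe-hits.log
if [ "${1:-}" = "--watch" ]; then
    watch_tree "${2:-/home}" "${3:-/var/log/iframe-hits.log}"
fi
```

Running this under a process supervisor (or from a screen session) instead of cron removes the 30-minute full scan of /home that the question complains about, since grep only runs on the file that just changed. The PID list is empty for a writer that opens, writes and closes the file quickly; the third answer's point about auditd and fanotify applies there, because those record the writing process in the event itself rather than requiring a lookup after the fact.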