How to find shell / injected PHP hacking files on a web server – CentOS

This time I will share how to find shell / injected PHP hacking files on a (cPanel) web server running CentOS. The shell file injected into a site is usually a .php file that contains base64_decode.

Here is how to do it:

1. Install Linux Malware Detect (LMD)
--- Install ---
yum -y update
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar xfz maldetect-current.tar.gz
cd maldetect-*
./install.sh

--- Config LMD ---
nano /usr/local/maldetect/conf.maldet

Default:

    # Enable Email Alerting
    email_alert="1"
    # Email Address in which you want to receive scan reports
    email_addr="igeek.web@gmail.com"
    # Use with ClamAV
    scan_clamscan="1"
    # Enable scanning for root owned files. Set 1 to disable.
    scan_ignore_root="0"
    # Move threats to quarantine
    quarantine_hits="1"
    # Clean string based malware injections
    quarantine_clean="1"
    # Suspend user if malware found.
    quarantine_suspend_user="1"
    # Minimum userid value that can be suspended
    quarantine_suspend_user_minuid="500"

Change:

email_alert=1 – If you want to receive email alerts

email_addr="user@yourdomain.tld" – The address where you want to receive the malware email alerts

quar_hits=1 – Quarantine action for malware hits

quar_clean=1 – Cleans the detected malware injections

(In the conf.maldet shown above these two keys appear as quarantine_hits and quarantine_clean.)

Command:
 /usr/local/maldetect/maldet -b -a /home/yuby/public_html/*

2. Using the command line (grep) to find the files:

# grep -RPn "(base64_decode) *\(" /home/yuby/* >> /home/yuby/text.txt

# grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" ./

# grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /home/*public_html/* >> hasil.txt
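The grep commands above print every matching line; on a big document root that is a lot of noise. As an added example (not from the original post, and not part of LMD), here is a small POSIX sh scanner that applies the same function list per file, lists the files with the most hits first, and separately flags long base64 runs like the payload described at the top. The function names are hypothetical and the sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: a POSIX sh scanner that walks a
# document root, counts lines with the suspicious PHP calls grep'ed above
# (plus eval), lists the worst files first, and flags long base64 payloads.
# Function names are hypothetical; the sample tree is constructed for the demo.

# Same function list as the grep commands above, plus eval; the leading group
# avoids matching e.g. "filesystem(" while staying pure ERE.
SUSPECT_RE='(^|[^A-Za-z0-9_])(passthru|shell_exec|system|phpinfo|base64_decode|eval|chmod|mkdir|fopen|fclose|readfile) *\('

# scan_php_tree DIR -> lines "hits<TAB>path", most suspicious file first
scan_php_tree() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null |
    while IFS= read -r f; do
        # grep -c prints the number of matching lines and exits 1 when it is 0
        n=$(grep -E -c "$SUSPECT_RE" "$f" 2>/dev/null) || true
        if [ "${n:-0}" -gt 0 ]; then
            printf '%s\t%s\n' "$n" "$f"
        fi
    done | sort -rn
}

# has_long_base64 FILE -> exit 0 if the file holds a base64 run of 200+ chars,
# the usual shape of an injected base64_decode("...") payload
has_long_base64() {
    grep -E -q '[A-Za-z0-9+/]{200,}={0,2}' "$1"
}

# make_sample_tree DIR: constructed sample with one clean page and one file
# shaped like an injected shell (the payload is just padding, not real code)
make_sample_tree() {
    mkdir -p "$1/public_html/wp-content/uploads"
    cat > "$1/public_html/index.php" <<'EOF'
<?php
// clean page: "system" appears only inside a string, never as a call
echo "Welcome to the file system overview";
EOF
    pad=$(printf '%240s' '' | tr ' ' 'A')
    cat > "$1/public_html/wp-content/uploads/shell.php" <<EOF
<?php
eval(base64_decode("$pad"));
shell_exec(\$cmd);
EOF
}

# Usage on a real host:  sh scan.sh /home/USER/public_html
if [ "$#" -gt 0 ]; then
    scan_php_tree "$1"
fi
```

Review the top of the list by hand before quarantining anything: legitimate plugins also call fopen, mkdir and chmod, so a hit count is a triage order, not a verdict.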