This time I will share how to find shell files / injected PHP files left behind by a web hack on a cPanel server running CentOS. The shell files injected into a website are usually .php files and contain base64_decode.
Straight to the steps:
--- Install ---
yum -y update
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar xfz maldetect-current.tar.gz
cd maldetect-*
./install.sh
--- Config LMD ---
nano /usr/local/maldetect/conf.maldet
Default:
# Enable Email Alerting
email_alert="1"
# Email Address in which you want to receive scan reports
email_addr="igeek.web@gmail.com"
# Use with ClamAV
scan_clamscan="1"
# Enable scanning for root owned files. Set 1 to disable.
scan_ignore_root="0"
# Move threats to quarantine
quarantine_hits="1"
# Clean string based malware injections
quarantine_clean="1"
# Suspend user if malware found.
quarantine_suspend_user="1"
# Minimum userid value that be suspended
quarantine_suspend_user_minuid="500"
Change to:
email_alert=1 – If you want to receive email alerts
email_addr="user@yourdomain.tld" – Type the address where you want to receive the malware email alerts
quar_hits=1 – Move malware hits to quarantine (this option is named quarantine_hits in newer LMD releases, as in the default block above)
quar_clean=1 – Clears the detected malware injections (quarantine_clean in newer LMD releases)
Command:
/usr/local/maldetect/maldet -b -a /home/yuby/public_html/*
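Before scheduling maldet it is worth confirming that conf.maldet really has the settings listed above, because a scan with quarantine_hits left at 0 only reports and the address placeholder silently drops the mail. The script below is an added example, not part of the original post or of LMD itself: it audits a conf.maldet, accepting both the older option names (quar_hits, quar_clean) and the newer ones (quarantine_hits, quarantine_clean), and runs against a constructed sample file rather than a live install.

```shell
#!/bin/sh
# Added example, not from the original post: audit a conf.maldet for the
# settings recommended above. Both the older option names (quar_hits,
# quar_clean) and the newer ones (quarantine_hits, quarantine_clean) are
# accepted. The config file checked here is a constructed sample.

# conf_get FILE KEY -> value of the last KEY= line in FILE, quotes removed
# (empty when the key is absent or commented out)
conf_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# first_set FILE NEWKEY OLDKEY -> value of NEWKEY, or of OLDKEY if NEWKEY is absent
first_set() {
    v=$(conf_get "$1" "$2")
    [ -n "$v" ] || v=$(conf_get "$1" "$3")
    printf '%s' "$v"
}

# audit_maldet_conf FILE -> one WARN line per setting that differs from the
# recommended value; exit status 0 only when nothing needs changing
audit_maldet_conf() {
    f=$1
    rc=0
    [ "$(conf_get "$f" email_alert)" = "1" ] \
        || { echo "WARN: email_alert is not 1, no scan reports will be mailed"; rc=1; }
    addr=$(conf_get "$f" email_addr)
    case "$addr" in
        ""|*yourdomain.tld*)
            echo "WARN: email_addr is unset or still the placeholder ($addr)"; rc=1 ;;
    esac
    [ "$(first_set "$f" quarantine_hits quar_hits)" = "1" ] \
        || { echo "WARN: quarantine_hits/quar_hits is not 1, hits are reported but left in place"; rc=1; }
    [ "$(first_set "$f" quarantine_clean quar_clean)" = "1" ] \
        || { echo "WARN: quarantine_clean/quar_clean is not 1, string injections are not cleaned"; rc=1; }
    [ "$(conf_get "$f" scan_ignore_root)" != "1" ] \
        || { echo "WARN: scan_ignore_root=1 skips root-owned files"; rc=1; }
    return "$rc"
}

# Constructed sample: alerts on, but the address is the placeholder and
# quarantine_hits is off (a real file lives at /usr/local/maldetect/conf.maldet)
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# Enable Email Alerting
email_alert="1"
email_addr="user@yourdomain.tld"
scan_clamscan="1"
scan_ignore_root="0"
quarantine_hits="0"
quarantine_clean="1"
EOF

audit_maldet_conf "$SAMPLE_CONF" || echo "conf.maldet needs changes before relying on maldet"
```

On a real server run `audit_maldet_conf /usr/local/maldetect/conf.maldet` after editing; the two WARN lines the sample produces (placeholder address, quarantine off) are exactly the two mistakes that make a scan look successful while doing nothing.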
2. Using grep from the command line:
The first command lists every base64_decode( call under one account and appends the results to a file; the other two search for the functions an injected shell typically calls, in the current directory and across every account's public_html.
grep -RPn "(base64_decode) *\(" /home/yuby/* >> /home/yuby/text.txt
grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" ./
grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /home/*/public_html/ >> hasil.txt
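The raw grep output is long and noisy on a shared host, so a per-file count is more useful for deciding what to open first. The script below is an added example, not code from the original post: it wraps the same search in functions, tolerates any whitespace between the function name and the opening parenthesis, ignores longer identifiers that merely start with a listed name (such as a helper called fopen_logfile), adds eval, gzinflate and str_rot13 to the list, and also looks for long quoted base64-looking strings, which is how obfuscated payloads are usually stored. The web root it scans is a constructed sample created in a temporary directory; on a real server pass /home/yuby/public_html instead.

```shell
#!/bin/sh
# Added example, not from the original post: the grep search above, wrapped
# in functions with three fixes, run over a constructed sample web root.
#  - the name and "(" are joined by [[:space:]]* so both "base64_decode("
#    and "base64_decode (" are caught;
#  - (^|[^[:alnum:]_]) avoids hits on longer names such as fopen_logfile;
#  - results are written by the caller, outside the scanned tree, so a
#    re-run does not scan its own output file.
# eval, gzinflate and str_rot13 are added to the list; they are common in
# obfuscated injects.

PATTERN='(^|[^[:alnum:]_])(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|eval|gzinflate|str_rot13)[[:space:]]*\('

# scan_php_suspects DIR -> "hits<TAB>file" for every .php file under DIR with
# at least one matching line, most hits first
scan_php_suspects() {
    grep -rIcE --include='*.php' "$PATTERN" "$1" 2>/dev/null \
        | awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, "", $0); printf "%s\t%s\n", n, $0 }' \
        | sort -rn
}

# show_hits FILE -> "line:text" for each matching line, for manual review
show_hits() {
    grep -nE "$PATTERN" "$1"
}

# scan_long_blobs DIR MINLEN -> .php files holding a quoted base64-looking
# string of MINLEN or more characters
scan_long_blobs() {
    grep -rIlE --include='*.php' "['\"][A-Za-z0-9+/=]{$2,}['\"]" "$1" 2>/dev/null
}

# Constructed sample web root (harmless files, not real injects)
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/public_html/wp-content/uploads"
cat > "$DEMO/public_html/index.php" <<'EOF'
<?php
// a helper whose name merely starts with a listed function is not a hit
function fopen_logfile() { return true; }
echo "hello";
EOF
cat > "$DEMO/public_html/wp-content/uploads/img.php" <<'EOF'
<?php
echo base64_decode("aGVsbG8=");   // "hello"
echo base64_decode ("d29ybGQ=");  // "world"; note the space before "("
phpinfo();
EOF
# a 240-character quoted string with no function call at all
BLOB=$(head -c 240 /dev/zero | tr '\0' 'A')
printf '<?php\n$cache = "%s";\n' "$BLOB" > "$DEMO/public_html/cache.php"

echo "== suspicious calls (hits, file) =="
scan_php_suspects "$DEMO/public_html"
echo "== long encoded strings (>= 200 chars) =="
scan_long_blobs "$DEMO/public_html" 200
```

Typical use is `scan_php_suspects /home/yuby/public_html > /root/suspects.txt` followed by `show_hits` on each listed file. A hit is a lead, not proof: legitimate plugins call fopen or chmod too, so the file's location (an uploads or cache directory that should hold no PHP at all) and its modification time count for more than the raw number, while the `2>/dev/null` hides permission errors that you may want to see when running as a non-root user.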