How to find webshell / injected PHP hacking files on a web server – CentOS


This time I will share how to find webshell / injected PHP hacking files on a cPanel web server running CentOS. The shell files injected into a site are usually .php files that contain base64_decode.

Here is how to do it:

1. Install Linux Malware Detect (LMD)
--- Install ---
yum -y update
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar xfz maldetect-current.tar.gz
cd maldetect-*
sh ./install.sh

--- Config LMD ---
nano /usr/local/maldetect/conf.maldet

Default values:

    # Enable Email Alerting
    email_alert=0
    # Email Address in which you want to receive scan reports
    email_addr="you@domain.com"
    # Use with ClamAV
    # Enable scanning for root owned files. Set 1 to disable.
    # Move threats to quarantine
    quar_hits=0
    # Clean string based malware injections
    quar_clean=0
    # Suspend user if malware found.
    # Minimum userid value that can be suspended

Change to:

email_alert=1 – if you want to receive email alerts

email_addr="admin@example.com" – the address that should receive the malware alerts (placeholder, use your own)

quar_hits=1 – move files flagged as malware hits to quarantine

quar_clean=1 – clean the detected string-based malware injections

Scan command:
 /usr/local/maldetect/maldet -b -a /home/yuby/public_html/*

-b runs the scan in the background and -a scans everything under the given path; read the result afterwards with maldet --report.

2. Using grep to find suspicious function calls:

Run as root. Only base64_decode calls, results appended to a text file:

grep -RPn "(base64_decode) *\(" /home/yuby/* >> /home/yuby/text.txt

Note that text.txt is written inside the directory being searched, so a second run will also match its own previous output; write the results outside the web tree if you repeat the scan.

A wider list of functions, searched from the current directory:

grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" ./

The same list across every account's public_html, results appended to hasil.txt:

grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" /home/*/public_html/* >> hasil.txt

fopen, fclose, mkdir and chmod are common in legitimate PHP, so expect many hits; review them by hand and look first at files in upload directories, files with recent modification times, and files where the function call is fed by a long encoded string.
