How to find malicious code on website
We can use malicious commands and Maldet tool, ClamAV to find malicious code on your website content.
Here is a little piece of code that I run. It searches within cgi and php files for certain strings, and then places the file name within another file so that you can go through them:
find /home/ \( -name “*.cgi” -o -name “*.php” \) -print0 | xargs -0 egrep -l ‘c99shell|r57shell|WebShell|phpshell|shell|c100|base64′ >> /root/report
netstat -anp : Look for programs attached to ports that you did not install / authorize
find / ( -perm -a+w ) ! -type l >> world_writable.txt : Look at world_writable.txt to see all world writable files and directories. This will reveal locations where an attacker can store files on your system. NOTE: Fixing permissions on some PHP/CGI scripts that are not properly coded will break them.
find / -nouser -o -nogroup >> no_owner.txt : Look at no_owner for all files that do not have a user or group associated with them. All files should be owned by a specific user or group to restrict access to them.
Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. Please use the following link to download and install Maldet.
Download malware detect
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz tar -zxvf maldetect-current.tar.gz cd maldetect-1.4.2/ ./install.sh
Once installation completed.
try to scan your files.
maldet -a /home/?/public_html
This will scan all your account files… This should preferred with screen.
To scan one particular folder, use this option.
maldet -a /home/testuser
Simply log into WHM, go to the cPanel section and click “Plugins.” Check the box next to “clamavconnector” and click save at the bottom of the page. This will install ClamAV.
Update antivirus database:
Scan a directory and print out infected files:
clamav -ri /home
Scan a directly and remove infected files and emails:
clamav -ri –remove /home