Find modified and hacked files

Finding files uploaded and left behind by attackers, as well as legitimate files they have modified, is rarely a single action. One of the following steps may be enough, or you may need all of them (and more):

  1. finding files modified within the last several days;
  2. finding files with specific content;
  3. reviewing and cleaning the files found;
  4. deleting files that do not belong.

All of this is easy to do from a shell console.

# go to the website's document root
cd ~username/public_html

# find files modified within the last 24 hours (-mtime 0)
find . -type f -mtime 0 -ls

# find files modified within the last 5 days
find . -type f -mtime -5 -ls

# find only PHP files modified within the last 10 days
find . -type f -name '*.php' -mtime -10 -ls

# sometimes you also need modified directories; dropping -type f
# includes them, e.g. for the last 30 days
find . -mtime -30 -ls
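
The searches above rely on mtime, which an attacker can reset with touch. As an added example (my own script, not part of the original post), the same search extended to check ctime as well, which the kernel updates on every write, rename or permission change and which cannot be set from user space; it also prunes directories that change legitimately. The pruned names `cache` and `logs`, the fixture layout and the sample files are assumptions constructed for the demo:

```shell
#!/bin/sh
# Added example (not from the original post): list recently changed files by
# modification time (mtime) AND inode change time (ctime). Back-dating mtime
# with touch does not touch ctime, so checking both catches reset timestamps.

# recent_files DIR DAYS: print regular files under DIR whose mtime or ctime
# is less than DAYS days old. The pruned directory names (cache, logs) are
# an assumption; adjust them to the directories that churn on your site.
recent_files() {
    dir=$1
    days=$2
    find "$dir" \( -path "$dir/cache" -o -path "$dir/logs" \) -prune -o \
        -type f \( -mtime "-$days" -o -ctime "-$days" \) -print
}

# count_lines: count lines on stdin without the leading blanks some wc print.
count_lines() {
    n=0
    while IFS= read -r _line; do n=$((n + 1)); done
    echo "$n"
}

# build_fixture: create a constructed sample web root in a temp dir and print
# its path. old.php gets its mtime reset to 2020, the way a back-dated upload
# would look, so a plain -mtime search misses it while -ctime still finds it.
build_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/cache" "$fx/logs" "$fx/wp-content/uploads"
    printf '<?php echo "index";\n' > "$fx/index.php"
    printf '<?php echo "old";\n'   > "$fx/wp-content/uploads/old.php"
    touch -t 202001010000 "$fx/wp-content/uploads/old.php"   # back-date mtime
    printf 'cache junk\n' > "$fx/cache/page.html"
    printf 'log line\n'   > "$fx/logs/access.log"
    echo "$fx"
}

# Demo: cache and logs entries are pruned; index.php (fresh mtime) and
# old.php (old mtime, fresh ctime) are both reported, while an mtime-only
# search of the PHP files reports index.php alone.
fx=$(build_fixture)
echo "Changed in the last day under $fx (mtime or ctime):"
recent_files "$fx" 1
echo "mtime-only search of PHP files reports only:"
find "$fx" -type f -name '*.php' -mtime -1 -print
rm -rf "$fx"
```

Run it against a real site as `recent_files /path/to/public_html 5`. ctime also changes on chmod and chown, so a deployment or a permissions fix will show up too; that is noise you can explain, whereas a file with an old mtime and a fresh ctime is exactly the discrepancy worth a closer look.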

Now let's look at how to find files with bad content, and which content might be considered bad. PHP has an enormous number of functions, and some of them are more dangerous than others when they end up in the wrong hands. Those include eval(), system() and exec(). Therefore I usually search for them in all of the website's files and then go through the hits manually. Here is a very helpful Linux shell command.

# look for content inside a file (-H prefixes each hit with the file name)
grep -H "content to find" filename.txt

# combine it with the find command
find . -type f -exec grep -H "eval(" {} +

# even better: restrict to PHP files and write the output to a file
# outside the web root for later review and analysis
find . -type f -name '*.php' -exec grep -H "eval(" {} + > /root/hacked_files.txt
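
Searching for a single string at a time gets tedious, and "eval(" also turns up in text files and comments. As an added example (my own script, not from the original post), the same idea generalised to a small set of functions commonly seen in web shells and obfuscated droppers, restricted to PHP files, with a sorted report you can diff between runs. The function list, the fixture files and the sample contents are constructed assumptions, and every hit is a lead for manual review, not proof: frameworks and plugins use some of these functions legitimately.

```shell
#!/bin/sh
# Added example (not from the original post): scan a web root for PHP files
# calling functions commonly found in web shells and obfuscated droppers.

# A starting set of functions worth reviewing (extend it for your stack).
# base64_decode/gzinflate/str_rot13 are the usual obfuscation wrappers around
# eval; system/exec/shell_exec/passthru run OS commands. The leading group
# avoids matching these names inside longer identifiers.
SUSPICIOUS='(^|[^[:alnum:]_])(eval|system|exec|shell_exec|passthru|base64_decode|gzinflate|str_rot13|assert)[[:space:]]*\('

# suspicious_php_files DIR: list .php files under DIR containing any pattern.
# Only .php files are searched; "eval(" in a text or log file is noise.
suspicious_php_files() {
    find "$1" -type f -name '*.php' -exec grep -lE "$SUSPICIOUS" {} +
}

# report DIR OUTFILE: write file:line:match to OUTFILE (keep it outside the
# web root) for later review, sorted so repeated runs can be diffed.
report() {
    find "$1" -type f -name '*.php' -exec grep -HnE "$SUSPICIOUS" {} + | sort > "$2"
    echo "$2"
}

# build_fixture: constructed sample web root in a temp dir; prints its path.
# One clean file, one obfuscated eval chain (the base64 decodes to the word
# "constructed"), one command execution that deserves a look, and a .txt decoy.
build_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/wp-content/uploads" "$fx/lib"
    printf '<?php echo htmlspecialchars($title);\n' > "$fx/index.php"
    printf '<?php eval(base64_decode("Y29uc3RydWN0ZWQ="));\n' > "$fx/wp-content/uploads/image.php"
    printf '<?php $out = shell_exec("ls");\n' > "$fx/lib/tools.php"
    printf 'eval( is mentioned in this note\n' > "$fx/notes.txt"
    echo "$fx"
}

# Demo: image.php and tools.php are reported; index.php and notes.txt are not.
fx=$(build_fixture)
echo "Files to review:"
suspicious_php_files "$fx"
out=$(report "$fx" "$fx/review.txt")
echo "Report written to $out:"
cat "$out"
rm -rf "$fx"
```

Against a real site, run `report /path/to/public_html /root/review-$(date +%F).txt` after each cleanup; a diff of two reports shows what reappeared, which is a strong sign the entry point was not closed.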

I hope these commands help you keep your websites clean and safe. If you have more questions or need help, please don't hesitate to contact me.

Please do not forget to upgrade your scripts once you have cleaned your website! If the website cannot be upgraded right away, it is a good idea to put it into read-only mode until it can be.