  1. #1
    Member
    Join Date
    Sep 2003
    Posts
    5

    cron script to search for <IFRAME> and other words

    Last month my accounts were hacked possibly due to Gumblar hack/virus.


    Can somebody write a simple cron script to search for "iframe" on the Cpanel accounts..

    Is this possible?

    I want to stop any future attempts by quickly fixing the problem.


    Thanks,
    Mike

  2. #2
    Member
    Join Date
    Jun 2007
    Posts
    138


    Hello Mike,


    Please use the following script
    ===============
    find /home \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "abced" {} \; -exec sed -i '/abced/d' {} \;
    ===============
    The above command will remove every line which contains the word "abced". The command will search all the files under /home.

    You need to set up a cron using the above script.

    We are advising you to take the necessary backups before running the above script.
    LogicSupport.com - Support That Makes Sense!
    Quality Server Management & Web Hosting Support

  3. #3
    Member
    Join Date
    Sep 2003
    Posts
    5


    Hi logicsupport,

    thanks for your response. I was looking for a cron script that will alert me if there are any <IFRAME> text in the accounts.

    I can then manually investigate and take action. I guess the codes will be similar to what you just provided..

    Thanks

  4. #4
    Member
    Join Date
    Jun 2007
    Posts
    138


    Hi,


    find /home/*/public_html/ -type f -exec grep -Eil "iframe" {} \; >> result
    The above script will check all files for the content "iframe" and list the matching file names in the file "result".

    Please note that there are genuine iframes also, so please be careful while removing them.
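An added example, not code from the thread or from LogicSupport: a cron-friendly version of the find/grep idea above that reports only the indicators this thread associates with the injections (zero-size or hidden iframes, and iframe/script sources containing ":8080" or ".ru", the markers Spiral raises further down), and only hits that were not present at the previous run, so a daily mail stays short enough to actually read. The /home/<user>/public_html layout is the cPanel convention from the post; the baseline file path, the mail recipient and the demo files are assumptions/constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: report only new, suspicious iframe hits.
# Assumed cPanel layout: site document roots under /home/<user>/public_html.
# Baseline path, mail recipient and the demo files are hypothetical/constructed.

# Indicators discussed in the thread, as one extended regex (grep -E):
#  - an <iframe> whose width or height is 0 (hidden injection)
#  - an <iframe> styled visibility:hidden
#  - an <iframe>/<script> src containing ":8080" or ".ru"
PATTERNS="<iframe[^>]*(width|height) *= *[\"']?0[\"' >]|<iframe[^>]*visibility: *hidden|<(iframe|script)[^>]*src=[^>]*(:8080|\.ru)"

# scan_dir DIR -> sorted "path:line" for every matching line under DIR
scan_dir() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -iname '*.htm' \) \
        -exec grep -EinH "$PATTERNS" {} + 2>/dev/null | cut -d: -f1,2 | sort
}

# report_new DIR BASELINE -> print hits absent from BASELINE, then refresh it
report_new() {
    dir=$1 baseline=$2
    [ -f "$baseline" ] || : > "$baseline"
    scan_dir "$dir" > "$baseline.new"
    comm -13 "$baseline" "$baseline.new"   # lines present only in the new scan
    mv "$baseline.new" "$baseline"
}

# Self-contained demo on constructed files (no real customer data):
# one legitimate embed that must stay quiet, one hidden :8080 iframe that
# must be reported on the first run and not again on the second.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/public_html"
    printf '%s\n' '<iframe src="https://example.com/embed" width="640" height="360"></iframe>' \
        > "$tmp/site/public_html/ok.html"
    printf '%s\n' '<?php echo "hello"; ?>' \
        '<iframe src="http://198.51.100.7:8080/in.php" width="0" height="0"></iframe>' \
        > "$tmp/site/public_html/index.php"
    report_new "$tmp/site" "$tmp/baseline" | sed "s|^$tmp/||"
    echo "new_on_second_run=$(report_new "$tmp/site" "$tmp/baseline" | wc -l | tr -d ' ')"
    rm -rf "$tmp"
}

# Hypothetical cron entry (paths and address are assumptions):
#   0 * * * * /usr/local/bin/iframe-scan.sh scan | mail -s "new iframe hits" admin@example.com
case "${1:-}" in
    scan) report_new /home /var/lib/iframe-scan.baseline ;;
    demo) demo ;;
esac
```

Running the script with `demo` prints `site/public_html/index.php:2` and then `new_on_second_run=0`; the legitimate embed in ok.html is never listed. Because the baseline keeps every hit already reviewed, a genuine iframe only has to be looked at once, which is what makes the report usable as a daily alert rather than a full-server listing.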

  5. #5
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025


    Logicsupport and gariben, scanning for just "iframe" is a bad idea as you'll probably get a huge number of hits to sort through which have nothing to do with the attacks!

    I wrote a basic cron script for this posted in one of my other posts somewhere on here if anyone wants to go back through my posts and post the link.

    Basically in a nutshell though, you should be searching for ":8080" or ".ru" as those are the things that seem to be pretty consistent in the hacked iframe insertions calling to a remote proxy out of several Russian based URLs.

    I have also been prototyping another script where I've basically indexed all my client's normal incoming FTP connection IPs to a database and I check the CIDR ranges of all new FTP connections against that database of their previously known connections when they connect and notify administrators if a connection is made for that client different from their normal known connections. This won't help with a stage I attack as they proxy off of the infected victim but it will more quickly identify possible follow up attacks as we are alerted immediately if anyone that is potentially someone other than the client connects to the client's FTP account.

    For those clients who have dedicated IPs at home, we have taken things a step further and have set up Cpanel and FTP to drop and ban the connections of anyone who logs in to our client's accounts that doesn't originate from their known IP address. This is done by way of a cron job that monitors log files and issues an IPTABLES drop when a connection is made to login to a specific user's account that doesn't originate from that user's known home dedicated IP address.

    These are a few ideas that you could do as well which might help this situation.
    Last edited by Spiral; 07-25-2009 at 06:23 PM.
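An added example, not Spiral's script and not code from the thread: a minimal version of the FTP-login baseline described above, in plain sh so it can run from cron on a cPanel box. It keeps a file of "user CIDR" ranges previously seen for each account, reads login records on stdin, and prints an ALERT line for every successful login that falls outside all of that user's known ranges. The log line format ("timestamp user ip OK|FAIL") and the sample ranges are constructed for the demo; a real deployment would feed it from the FTP daemon's own log.

```shell
#!/bin/sh
# Added example, not from the thread: flag FTP logins from IPs outside the
# ranges previously seen for that account (the idea in Spiral's post).
# Log format and the known-ranges file are constructed for the demo.

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 if IP falls inside the range
in_cidr() {
    _ip=$(ip2int "$1"); _net=$(ip2int "${2%/*}"); _bits=${2#*/}
    _mask=$(( _bits == 0 ? 0 : (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# check_logins KNOWN < LOG
# KNOWN: lines "user CIDR" (repeat a user on several lines for several ranges)
# LOG:   lines "timestamp user ip OK|FAIL" (constructed format for this demo)
# Prints "ALERT user ip" for each successful login outside every known range.
check_logins() {
    while read -r _ts user ip status; do
        [ "$status" = OK ] || continue      # failed logins are not connections
        known=0
        while read -r kuser cidr; do
            [ "$kuser" = "$user" ] || continue
            in_cidr "$ip" "$cidr" && { known=1; break; }
        done < "$1"
        [ "$known" -eq 1 ] || echo "ALERT $user $ip"
    done
}

# Self-contained demo with constructed ranges and log lines (RFC 5737 addresses):
# alice's second login comes from a range never seen for her and must be flagged;
# bob's logins are inside his /26, and the FAIL line is ignored.
demo_ftp() {
    kfile=$(mktemp)
    printf '%s\n' 'alice 203.0.113.0/24' 'bob 192.0.2.64/26' > "$kfile"
    printf '%s\n' \
        '2009-07-25T18:23:01 alice 203.0.113.9 OK' \
        '2009-07-25T18:25:44 alice 198.51.100.22 OK' \
        '2009-07-25T18:30:02 bob 192.0.2.77 OK' \
        '2009-07-25T18:31:10 bob 192.0.2.200 FAIL' \
        | check_logins "$kfile"
    rm -f "$kfile"
}

# Hypothetical cron use (paths are assumptions): tail the last hour of the FTP
# log, normalise it to "timestamp user ip status", then
#   ... | check_logins /var/lib/ftp-known-ranges | mail -s "FTP login outside known ranges" admin@example.com
case "${1:-}" in
    demo) demo_ftp ;;
esac
```

Run with `demo` it prints exactly `ALERT alice 198.51.100.22`. Piping the ALERT lines to `mail` covers the notification case Spiral describes for ordinary clients; the automated `iptables ... -j DROP` reaction for fixed-IP clients could hang off the same ALERT line, but only for accounts whose known ranges really are static, otherwise a legitimate user on a new connection locks themselves out. As Spiral notes, none of this catches the first-stage compromise, which arrives over the victim's own stolen credentials from the victim's own machine; it shortens the time to notice the follow-up logins.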

  6. #6
    Registered User
    Join Date
    Jun 2010
    Posts
    1

    Are these scripts you mentioned available?

    Quote Originally Posted by Spiral (post #5 above, quoted in full)
    I wanted to know if you have these scripts available? I am transferring a site that I believe was compromised and would like to know exactly what is going on with it.
