Search for files & directories

[crazyaboutlinux]

Hi,

How do i search for particular pattern files & directories in entire server

an account is compromised, here is the details

Code:

/home/example/public_html/mailers/1.php
/home/example/public_html/mailers/2.php
/home/example/public_html/mailers/3.php
/home/example/public_html/mailers/4.php
/home/example/public_html/mailers/Mailer2.php
/home/example/public_html/mailers/Mailer3.php
/home/example/public_html/mailers/mailer4.php
/home/example/public_html/mailers/mailerinbox.php

So i ran below commands to search for directory "mailers" for other existing accounts & entire server & i got result as below

Code:

root@server [~]# find /home -name mailers
/home/example/public_html/mailers
root@server [~]# find /home -name mailer
root@sever [~]#
root@server [~]# find / -name 'mailers' -type d
/home/example/public_html/mailers

i didn't find "mailers" directory in other accounts now i want to search for files
1.php, 2.php, 3.php, 4.php, Mailer2.php, Mailer3.php, mailer4.php, mailerinbox.php

in entire server or other in other accounts

how can i do this ???

[crazyaboutlinux]

Is there any update on this ??

[k-planethost]

use maldet and clamav to see if it gets any results if there are viruses on this domain.
maldet is an excellent free choise you can set it t monitor users as well

also chirpys exploit scanner is a good solution.
try also the grep command did you receive any email from the DC that your server is spamming or ddos another box?

[crazyaboutlinux]

use maldet and clamav to see if it gets any results if there are viruses on this domain.
maldet is an excellent free choise you can set it t monitor users as well

also chirpys exploit scanner is a good solution.
try also the grep command did you receive any email from the DC that your server is spamming or ddos another box?

yes, i know maldet and clamav these are very good tool, i have already scanned entire system by these tools, but nothing is there. i just visited the website & came to know that it is hacked & then i checked manually pages & found mailers pages, we have not received any email from DC regarding spamming or ddos another box? actually it is not doing spamming.

[k-planethost]

use the grep command
grep -i -r 1.php /home
or
grep -i -r 4.php /home etc

[cPanelJeff]

If your slocate/mlocate database is up to date, another method would be to use the "locate" utility.

Here's an example:

Code:

[user@host ~]$ touch mailer
[user@host ~]$ ls mailer
mailer

[root@host ~]# locate -i mailer | grep ^/home
[root@host ~]#

[root@host ~]# updatedb
[root@host ~]# locate -i mailer | grep ^/home
/home/user/mailer

A few things to note:

1. Running "updatedb" can take a while. The more files that exist on your machine, the longer it'll take
2. You may already have a cron job that updates the mlocate database already. This is the cron job:

Code:

[root@host ~]# ls -l /etc/cron.daily/mlocate.cron
-rw-r--r-- 1 root root 137 Sep  3  2009 /etc/cron.daily/mlocate.cron

This is the mlocate db that contains the list of files and directories on your machine:

Code:

[root@host ~]# ls -l /var/lib/mlocate/mlocate.db 
-rw-r----- 1 root slocate 5602047 Mar 19 09:50 /var/lib/mlocate/mlocate.db

When "updatedb" is run, that's the file that gets updated. Again, you may already have a cron job in place which does this every day anyway.

You may also find the "locate" utility to be a bit quicker than running "find" when dealing with large amounts of data.