cron script to search for <IFRAME> and other words

Discussion in 'Security' started by gariben, Jul 23, 2009.

  1. gariben

    gariben Member

    Joined:
    Sep 27, 2003
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Last month my accounts were hacked possibly due to Gumblar hack/virus.


    Can somebody write a simple cron script to search for "iframe" on the cPanel accounts?

    Is this possible?

    I want to stop any future attempts by quickly fixing the problem.


    Thanks,
    Mike
     
  2. logicsupport

    logicsupport Well-Known Member

    Joined:
    Jun 5, 2007
    Messages:
    138
    Likes Received:
    0
    Trophy Points:
    16
    Hello Mike,


    Please use the following script
    ===============
    find /home \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "abced" {} \; -exec sed -i '/abced/d' {} \;
    ===============
    The above command will remove the line which contains the word "abced". The command will search all the files under /home.

    You need to set up a cron using the above script.

    We are advising you to take necessary backups before running the above script
     
  3. gariben

    gariben Member

    Joined:
    Sep 27, 2003
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Hi logicsupport,

    thanks for your response. I was looking for a cron script that will alert me if there are any <IFRAME> text in the accounts.

    I can then manually investigate and take action. I guess the code will be similar to what you just provided.

    Thanks
     
  4. logicsupport

    logicsupport Well-Known Member

    Joined:
    Jun 5, 2007
    Messages:
    138
    Likes Received:
    0
    Trophy Points:
    16
    Hi,

    The above script will check for all files with the content iframe and list those file names in the file "result".

    Please note that there are genuine iframes also, so please be careful while removing them.
     
  5. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Logicsupport and gariben, scanning for just "iframe" is a bad idea as you'll probably get a huge number of hits to sort through which have nothing to do with the attacks!

    I wrote a basic cron script for this posted in one of my other posts somewhere on here if anyone wants to go back through my posts and post the link.

    Basically in a nutshell though, you should be searching for ":8080" or ".ru" as those are the things that seem to be pretty consistent in the hacked iframe insertions calling to a remote proxy out of several Russian based URLs.

    I have also been prototyping another script where I've basically indexed all my clients' normal incoming FTP connection IPs to a database and I check the CIDR ranges of all new FTP connections against that database of their previously known connections when they connect and notify administrators if a connection is made for that client different from their normal known connections. This won't help with a stage I attack as they proxy off of the infected victim but it will more quickly identify possible follow-up attacks as we are alerted immediately if anyone that is potentially someone other than the client connects to the client's FTP account.

    For those clients who have dedicated IPs at home, we have taken things a step further and have set up cPanel and FTP to drop and ban the connections of anyone who logs in to our clients' accounts that doesn't originate from their known IP address. This is done by way of a cron job that monitors log files and issues an IPTABLES drop when a connection is made to log in to a specific user's account that doesn't originate from that user's known home dedicated IP address.

    These are a few ideas that you could do as well which might help this situation.
     
    #5 Spiral, Jul 25, 2009
    Last edited: Jul 25, 2009
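The report-only scan gariben asked for in #1 and #3, narrowed the way Spiral suggests in #5, written up here as an added example (it is not the script any poster in this thread mentions). It assumes a cPanel-style tree of <root>/<user>/public_html and looks only for iframe tags whose src carries a :8080 port or a .ru host; the trailing character class in the pattern keeps ".ru" from matching hosts like ".run.example", which a plain grep for ".ru" would hit. Nothing is deleted: matches are listed with file and line number so they can be checked by hand, which also avoids the genuine-iframe problem logicsupport raised in #4.

```bash
#!/usr/bin/env bash
# Report-only scan for injected <iframe> tags, meant to run from cron.
# Added example (not from the thread). Assumed layout: every account's site
# lives under <root>/<user>/public_html, as on a cPanel server. Nothing is
# deleted; hits are only listed so a human can review them.
set -u

# Indicators from the thread: an iframe whose src carries a :8080 port or a .ru
# host. The trailing character class stops ".ru" from matching ".run.example".
IFRAME_RE="<iframe[^>]*src=[\"']?[^\"' >]*(:8080|\\.ru)[/\"' >]"

# scan_dir ROOT: print "file:line:text" for every line matching IFRAME_RE in
# web files under ROOT. Case-insensitive, so <IFRAME> is caught too.
scan_dir() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.html' -o -iname '*.htm' -o -iname '*.js' \) \
        -exec grep -inHE "$IFRAME_RE" {} + 2>/dev/null
    return 0
}

# count_hits ROOT: number of suspicious lines found under ROOT.
count_hits() {
    scan_dir "$1" | wc -l | tr -d '[:space:]'
}

# cron_scan ROOT REPORT: append hits to REPORT with a timestamp and return 1
# when there are any, so a cron mail step only fires on findings.
cron_scan() {
    local root="$1" report="$2" hits
    hits="$(scan_dir "$root")"
    [ -n "$hits" ] || return 0
    printf '%s scan of %s found suspicious iframes:\n%s\n' \
        "$(date '+%F %T')" "$root" "$hits" >> "$report"
    printf '%s\n' "$hits"
    return 1
}

# make_sample: build a throw-away tree with constructed content so the scan
# can be exercised offline; prints the directory.
make_sample() {
    local d
    d="$(mktemp -d)"
    mkdir -p "$d/alice/public_html" "$d/bob/public_html"
    # legitimate embed: must not be reported
    printf '<html><body><iframe src="https://www.youtube.com/embed/abc"></iframe></body></html>\n' \
        > "$d/alice/public_html/index.html"
    # injected tag of the kind described above (constructed host name, not a real indicator)
    printf '<?php echo "hello"; ?>\n<IFRAME src="http://badhost.example.ru:8080/x.php" width=1 height=1></IFRAME>\n' \
        > "$d/bob/public_html/index.php"
    printf 'var x = 1;\n' > "$d/bob/public_html/app.js"
    echo "$d"
}
```

For a nightly run, a crontab line such as `0 3 * * * /usr/local/bin/iframe-scan.sh` whose script body ends with `cron_scan /home /var/log/iframe-scan.log` is enough: cron mails whatever the scan prints, and the log keeps a dated history of findings. Tune IFRAME_RE to whatever indicators you are actually seeing rather than grepping for a bare "iframe".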
  6. tekbomb

    tekbomb Registered

    Joined:
    Jun 25, 2010
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    Are these scripts you mentioned available?

    I wanted to know if you have these scripts available? I am transferring a site that I believe was compromised and would like to know exactly what is going on with it.
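Spiral's FTP check from #5 (compare each new login's address with the ranges that client normally connects from, alert on anything else, and for fixed-address clients drop the source with iptables), as an added example rather than Spiral's own script. It assumes the known ranges are kept in the KNOWN_CONNECTIONS list (a file or database in practice) and that the log lines have the pure-ftpd "(?@IP) [INFO] USER is now logged in" shape; the sample log below is constructed from documentation addresses, and LOGIN_RE would need adjusting for another FTP daemon.

```bash
#!/usr/bin/env bash
# Flag FTP logins that come from an address outside the client's known ranges.
# Added example (not the script described in the thread). Assumptions: known
# ranges live in KNOWN_CONNECTIONS (a file or database in practice), and log
# lines follow the pure-ftpd "(?@IP) [INFO] USER is now logged in" shape.
set -u

# user, then a CIDR range (or a single address) that user normally connects from
KNOWN_CONNECTIONS='alice 198.51.100.0/24
bob 203.0.113.42
bob 203.0.113.128/25'

# pull "USER IP" out of a successful-login line
LOGIN_RE='s/.*(\([^@)]*\)@\([0-9.]*\)) \[INFO\] \([^ ]*\) is now logged in.*/\3 \2/p'

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> success when IP falls inside the range (bare IP = /32)
in_cidr() {
    local ip="$1" net bits mask
    case "$2" in
        */*) net="${2%/*}"; bits="${2#*/}" ;;
        *)   net="$2"; bits=32 ;;
    esac
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# is_known USER IP -> success when IP is inside one of USER's known ranges
is_known() {
    local user="$1" ip="$2" u cidr
    while read -r u cidr; do
        [ "$u" = "$user" ] || continue
        in_cidr "$ip" "$cidr" && return 0
    done <<EOF
$KNOWN_CONNECTIONS
EOF
    return 1
}

# check_ftp_log FILE: print "ALERT USER IP" for each login from an unknown address
check_ftp_log() {
    sed -n "$LOGIN_RE" "$1" | while read -r user ip; do
        is_known "$user" "$ip" || echo "ALERT $user $ip"
    done
}

# For clients with a fixed home address: drop the offending source, as the
# thread's cron job does. Dry run unless BAN=1, since the real call needs root.
ban_ip() {
    if [ "${BAN:-0}" = "1" ]; then
        iptables -I INPUT -s "$1" -j DROP
    else
        echo "would run: iptables -I INPUT -s $1 -j DROP"
    fi
}

# Constructed sample log (documentation addresses only) for an offline run;
# only alice's third login comes from outside her known range.
SAMPLE_LOG='Jul 25 10:01:02 host pure-ftpd: (?@198.51.100.7) [INFO] alice is now logged in
Jul 25 10:05:44 host pure-ftpd: (?@203.0.113.42) [INFO] bob is now logged in
Jul 25 10:07:13 host pure-ftpd: (?@192.0.2.99) [INFO] alice is now logged in
Jul 25 10:09:00 host pure-ftpd: (?@203.0.113.200) [INFO] bob is now logged in'
```

Run from cron as `check_ftp_log /var/log/messages` (or wherever the FTP daemon logs) and pipe the ALERT lines to mail; feeding them to ban_ip only makes sense for accounts whose owner really does have a fixed address, otherwise a client on a dynamic connection locks themselves out.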
     