The Community Forums


grep taking load on server

Discussion in 'General Discussion' started by its_joe, Feb 22, 2007.

  1. its_joe (Well-Known Member)

    Hello,

    I am trying to find the files on the server which contain the word r57shell. I am using the following command to find it:

    grep r57shell /home/*/public_html/ -r > /backup/r57.txt

    But it is taking too much load on the server. So I decided to go with an alphabetical search. So I tried the following:

    grep r57shell /home/a*/public_html/ -r > /backup/r57.txt
    grep r57shell /home/b*/public_html/ -r > /backup/r57.txt

    But the above commands also put load on the server and server performance decreases. So please suggest to me how to search without putting load on the server.

    Thank You for your suggestion.

    its_joe
     
  2. Daniel15 (Well-Known Member, Melbourne, Australia; cPanel Access Level: Root Administrator)

    Does this command work any better?:
    Code:
    find /home/*/public_html -name r57shell > /backup/r57.txt
    
     
  3. chirpy (Well-Known Member)

    That last one doesn't do the same thing because it only looks for a file name of r57shell and doesn't search within the file for that string, which is what the OP is doing.

    There's probably little that you can do about the overheads - searching the contents of all the files in a partition will consume huge amounts of IO, the bottleneck being your disk subsystem speed.
     
  4. its_joe (Well-Known Member)

    Hello,

    The find command is not getting me any help. Can you please suggest to me any other command so that I can get the result instead of using the grep command.


    Thank You.
     
  5. picoleto (Member)

    Try using the locate command. If your updatedb is up to date you might have better results.

    Code:
    locate r57.txt
     
  6. its_joe (Well-Known Member)

    I want to search for the word "r57shell" within the file. The locate command will not work as it just searches for the file name or the directory name.

    Is there any other command than grep which will search within the file for the word r57shell and will not put load on the server?

    Thanks for your replies.

    its_joe
     
  7. yapluka (Well-Known Member, France; cPanel Access Level: Root Administrator)

    You may want to try this one:

    Code:
    # -print0 / xargs -0 keep the pipeline safe for file names containing spaces
    find /home/ \( -name "*.cgi" -o -name "*.php" \) -print0 | xargs -0 grep -E -l 'c99shell|r57shell|WebShell|phpshell' >> /root/report.txt
    It's searching for php and cgi files containing the words c99shell, r57shell, webshell and phpshell.
    Run it as a cronjob during off-peak hours and the load shouldn't be a problem :)
     
  8. bmcpanel (Well-Known Member)

    Good suggestion yapluka. I also have a need to read the contents of all files in my server's home directory in order to identify common hacker script keywords.

    To achieve this, I do the following.

    1. Create the script that will check files on the server to see if they contain certain keywords such as "c99shell", r57shell, etc....

    cd /bin
    vi shellsearch.php
    (or whatever you wish to name it)

    Now, insert the following code into the file you just opened with vi

    Now, save the file
    :wq

    This will leave you with the following file named
    /bin/shellsearch.pl

    Now, give it execute permissions...
    chmod 755 shellsearch.pl

    NOTE: you may edit the keywords to search for c99shell|r57shell|webshell|phpshell to whatever you wish. The search is case InSensItiVe so it will find C99SHELL and c99shell. You may also edit the directory to search through. The script above will search every .php file in the /home directory.

    NOTE2: A file will be saved in the web directory you specify in the script. The file will be named "results.txt". You can then view the file in a web browser by going to http://www.yoursite.com/results.txt. An option is to point the file to another directory such as /home/yoursite/www/search/results.txt so you can password protect it. Regardless, by making the file able to be viewed in a web browser, I can check the results quickly and easily anytime I wish.

    NOW, MAKE IT EXECUTE VIA CRON
    Because the load average goes up during the running of this file (load goes to about 4.00 on average), I choose to run it 3 times per day (once every 8 hours)...

    crontab -e

    40 */8 * * * cd /bin; ./shellsearch.pl


    This means it will run every 8 hours at the 40 minute mark.

    Test it for yourself. Create a dummy file anywhere on your server that is within the path you have specified and place one of the keywords in the dummy file (such as "c99shell"). Make sure you save the dummy file with the .php extension unless you have chosen to search files with a different extension. Run the file and see if it finds your dummy file. If you have set it up correctly, it should find it every time!

    The file "results.txt" should look like this when viewed if it finds something...

    ---------------------------------------------
    Sat Mar 17 21:59:38 EDT 2007
    ---- Scanning for c99shell and r57shell -----
    ---------------------------------------------
    /home/whatever/public_html/testitc.php
    /home/somethingelse/public_html/calendar.php
    ... end check.


    Or it will look like this if it finds nothing...

    ---------------------------------------------
    Sun Mar 18 00:59:38 EDT 2007
    ---- Scanning for c99shell and r57shell -----
    ---------------------------------------------
    ... end check.


    Disclaimer: Use the above info at your own risk. I make no guarantee that the code above will work on your server without harming your server. With that said, I have been running it via cron for some time now without incident on multiple servers. My load average does spike to about 4.00 with a single CPU when the script runs, for about 6-8 minutes.
     
    #8 bmcpanel, Mar 18, 2007
    Last edited: Mar 18, 2007
  9. yapluka (Well-Known Member, France; cPanel Access Level: Root Administrator)

  10. bmcpanel (Well-Known Member)

    Good tip, yapluka.

    To search .php and .cgi files at the same time, use this code....

     
  11. bmcpanel (Well-Known Member)

    yapluka, I'm not versed in email from a bash script. Can you edit the script above to send email results to someone@theirdomain.com ? That might be helpful.
     
  12. yapluka (Well-Known Member, France; cPanel Access Level: Root Administrator)

    You would do this:

    Code:
    #!/bin/sh
    date=`date`
    
    ######## Search server files for hacker keywords ############
    ######## Searches only files with .php or .cgi extension ####
    echo "---------------------------------------------" >> /home/yoursite/www/results.txt
    echo " $date " >> /home/yoursite/www/results.txt
    echo "---- Scanning for c99shell and r57shell -----" >> /home/yoursite/www/results.txt
    echo "---------------------------------------------" >> /home/yoursite/www/results.txt
    
    ### NOTE: There should be a trailing slash "/" after the directory name below.
    ### -print0 / xargs -0 keep the pipeline safe for file names containing spaces.
    find /home/ \( -name "*.cgi" -o -name "*.php" \) -print0 | xargs -0 grep -E -l 'c99shell|r57shell|webshell|phpshell' >> /home/yoursite/www/results.txt
    
    finishtime=`date`
    echo "... $finishtime -- end check. " >> /home/yoursite/www/results.txt
    mail -s "Search Result from `hostname`" someone@theirdomain.com < /home/yoursite/www/results.txt
    This will email the content of your /home/yoursite/www/results.txt to someone@theirdomain.com with the subject "Search Result from <<your server hostname>>"
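    The find / xargs / grep one-liner from posts 7 and 12 reworked as a lower-impact scan function, added here as an example and not code posted in the thread: it runs the readers under nice (and ionice's idle class where that works), survives file names with spaces, only reads regular .php/.cgi files, and writes the same style of report. The names shell_scan, count_hits and PATTERN are this example's own; it assumes find -print0, xargs -0 and grep -E are available.

```shell
#!/bin/sh
# Added example (not the thread's code): lower-impact version of the
# find | xargs | grep web-shell keyword scan from posts 7 and 12.
# Assumes find -print0, xargs -0 and grep -E (GNU or BSD userland);
# ionice(1) is optional and only used when present and working.

# Keyword pattern from the thread; grep -i makes it case-insensitive.
PATTERN='c99shell|r57shell|webshell|phpshell'

# shell_scan DIR REPORT: append a timestamped scan of DIR to REPORT.
# Only regular files ending in .php or .cgi are read; each hit is one
# path per line, as with grep -l in the thread's one-liner.
shell_scan() {
    dir=$1
    report=$2
    # Run the readers at the lowest CPU priority and, where supported,
    # in the idle I/O class so the scan yields to real web traffic.
    runner="nice -n 19"
    if command -v ionice >/dev/null 2>&1 && ionice -c 3 true 2>/dev/null; then
        runner="$runner ionice -c 3"
    fi
    {
        echo "---------------------------------------------"
        echo " $(date) "
        echo "---- Scanning $dir for $PATTERN -----"
        echo "---------------------------------------------"
        # -print0/-0 survive spaces in names; -n 200 bounds each grep batch
        # so the job stays interruptible between batches. grep -l exits 1
        # when a batch has no hits, which is not an error here.
        find "$dir" -type f \( -name '*.php' -o -name '*.cgi' \) -print0 \
            | $runner xargs -0 -n 200 grep -E -i -l "$PATTERN" 2>/dev/null \
            || true
        echo "... $(date) -- end check."
    } >> "$report"
}

# count_hits REPORT: number of matched paths (lines beginning with '/').
count_hits() {
    grep -c '^/' "$1" || true
}
```

    Schedule shell_scan from cron at a quiet hour, as the thread suggests, and mail or publish the report file the same way post 12 does.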
     
  13. bmcpanel (Well-Known Member)

    Thank you, yapluka. That works perfectly.
     
  14. yapluka (Well-Known Member, France; cPanel Access Level: Root Administrator)

    You're very welcome :)
     
  15. nxds (Well-Known Member)

  16. its_joe (Well-Known Member)

    Thanks a lot for your suggestion and help.

    I am getting result using the find command you provided.


    Thanks again

    its_joe
     