In 95% of the cases a hacker would deface the index.htm, index.php or index.html file in public_html and also "brag" about that by adding "Hacked by" somewhere.
You can run the following script via cron on daily base to find out whether a index file in any user public_html directory was hacked or not.
Simply copy this code into a file, save it somewhere as hackers.sh, chmod 755 and run via cron daily.
Script originally supplied by the good guys at webhostingtalk.com but I tweaked the final output to be more suitable for my needs.
You can run the following script via cron on daily base to find out whether a index file in any user public_html directory was hacked or not.
Simply copy this code into a file, save it somewhere as hackers.sh, chmod 755 and run via cron daily.
Code:
#!/bin/sh
for i in `cat /etc/trueuserdomains| awk {'print $2'}`;
do grep -rl "Hacked" /home/$i/public_html/index.htm;
done | mail -s "Infected Files" [email protected]
for i in `cat /etc/trueuserdomains| awk {'print $2'}`;
do grep -rl "Hacked" /home/$i/public_html/index.html;
done | mail -s "Infected Files" [email protected]
for i in `cat /etc/trueuserdomains| awk {'print $2'}`;
do grep -rl "Hacked" /home/$i/public_html/index.php;
done | mail -s "Infected Files" [email protected]