The Community Forums

Interact with an entire community of cPanel & WHM users!

Search for files & directories

Discussion in 'Security' started by crazyaboutlinux, Mar 5, 2011.

  1. crazyaboutlinux

    Hi,

    How do I search for files & directories matching a particular pattern on the entire server?

    An account is compromised; here are the details:

    Code:
    /home/example/public_html/mailers/1.php
    /home/example/public_html/mailers/2.php
    /home/example/public_html/mailers/3.php
    /home/example/public_html/mailers/4.php
    /home/example/public_html/mailers/Mailer2.php
    /home/example/public_html/mailers/Mailer3.php
    /home/example/public_html/mailers/mailer4.php
    /home/example/public_html/mailers/mailerinbox.php
    So I ran the commands below to search for the directory "mailers" in other existing accounts & on the entire server, & I got the result below:
    Code:
    root@server [~]# find /home -name mailers
    /home/example/public_html/mailers
    root@server [~]# find /home -name mailer
    root@sever [~]#
    root@server [~]# find / -name 'mailers' -type d
    /home/example/public_html/mailers
    
    I didn't find a "mailers" directory in other accounts. Now I want to search for the files
    1.php, 2.php, 3.php, 4.php, Mailer2.php, Mailer3.php, mailer4.php, mailerinbox.php

    on the entire server or in other accounts.

    How can I do this?
     
  2. crazyaboutlinux

    Is there any update on this?
     
  3. k-planethost

    Use maldet and clamav to see if they get any results, if there are viruses on this domain.
    maldet is an excellent free choice; you can set it to monitor users as well.

    Also, chirpy's exploit scanner is a good solution.
    Also try the grep command. Did you receive any email from the DC that your server is spamming or DDoSing another box?
     
  4. crazyaboutlinux

    Yes, I know maldet and clamav; these are very good tools. I have already scanned the entire system with these tools, but nothing is there. I just visited the website & came to know that it is hacked, & then I manually checked the pages & found the mailers pages. We have not received any email from the DC regarding spamming or DDoSing another box. Actually, it is not doing spamming.
     
  5. k-planethost

    Use the grep command:
    Code:
    grep -i -r 1.php /home
    or
    Code:
    grep -i -r 4.php /home
    etc.
     
  6. JeffP.

    If your slocate/mlocate database is up to date, another method would be to use the "locate" utility.

    Here's an example:

    Code:
    [user@host ~]$ touch mailer
    [user@host ~]$ ls mailer
    mailer
    
    [root@host ~]# locate -i mailer | grep ^/home
    [root@host ~]#
    
    [root@host ~]# updatedb
    [root@host ~]# locate -i mailer | grep ^/home
    /home/user/mailer
    
    A few things to note:

    1. Running "updatedb" can take a while. The more files that exist on your machine, the longer it'll take.
    2. You may already have a cron job that updates the mlocate database. This is the cron job:

    Code:
    [root@host ~]# ls -l /etc/cron.daily/mlocate.cron
    -rw-r--r-- 1 root root 137 Sep  3  2009 /etc/cron.daily/mlocate.cron
    
    This is the mlocate db that contains the list of files and directories on your machine:

    Code:
    [root@host ~]# ls -l /var/lib/mlocate/mlocate.db 
    -rw-r----- 1 root slocate 5602047 Mar 19 09:50 /var/lib/mlocate/mlocate.db
    
    When "updatedb" is run, that's the file that gets updated. Again, you may already have a cron job in place which does this every day anyway.

    You may also find the "locate" utility to be a bit quicker than running "find" when dealing with large amounts of data.
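
Added example, not written by any poster in this thread: `grep -r` matches text inside files and `locate` depends on a fresh database, while `find -iname` matches file names directly on disk, so the name list from the first post can be searched in one pass as below. The function name `find_suspects` and the variable `SUSPECT_NAMES` are made up for this illustration; `-iname` is an extension available in GNU find.

```shell
#!/bin/sh
# Added example: locate regular files whose *names* match a list,
# case-insensitively. The default list is the set of file names
# reported in the first post of the thread.
SUSPECT_NAMES="1.php 2.php 3.php 4.php Mailer2.php Mailer3.php mailer4.php mailerinbox.php"

# find_suspects ROOT [NAME...]
#   ROOT  directory to search (for example /home)
#   NAME  file names to look for; defaults to $SUSPECT_NAMES
# Prints one matching path per line, sorted.
find_suspects() {
    fs_root=$1
    shift
    # No names given on the command line: fall back to the default list.
    [ $# -gt 0 ] || set -- $SUSPECT_NAMES

    # Rewrite the positional parameters into a find expression:
    #   -iname n1 -o -iname n2 -o ...
    # The for-loop word list is expanded once, so resetting "$@" inside
    # the loop does not disturb the iteration.
    fs_first=1
    for fs_name in "$@"; do
        if [ "$fs_first" -eq 1 ]; then
            set -- -iname "$fs_name"
            fs_first=0
        else
            set -- "$@" -o -iname "$fs_name"
        fi
    done

    # -type f skips directories; -iname takes a glob, so "1.php" matches
    # only that exact name (in any letter case), not "11.php".
    find "$fs_root" -type f \( "$@" \) -print | sort
}

# Typical use as root on the server:
#   find_suspects /home
#   find_suspects /home mailerinbox.php
```

Piping the result to `xargs ls -l` shows owner and modification time for each hit, which helps tell a dropped script from a legitimate file that happens to share a name such as `1.php`.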
     