Search for files & directories

Discussion in 'Security' started by crazyaboutlinux, Mar 5, 2011.

  1. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Joined:
    Nov 3, 2007
    Messages:
    941
    Likes Received:
    0
    Trophy Points:
    66
    Hi,

    How do I search for particular pattern files & directories in the entire server?

    An account is compromised; here are the details:

    Code:
    /home/example/public_html/mailers/1.php
    /home/example/public_html/mailers/2.php
    /home/example/public_html/mailers/3.php
    /home/example/public_html/mailers/4.php
    /home/example/public_html/mailers/Mailer2.php
    /home/example/public_html/mailers/Mailer3.php
    /home/example/public_html/mailers/mailer4.php
    /home/example/public_html/mailers/mailerinbox.php
    So I ran the commands below to search for the directory "mailers" in other existing accounts & the entire server, & I got the result below:
    Code:
    root@server [~]# find /home -name mailers
    /home/example/public_html/mailers
    root@server [~]# find /home -name mailer
    root@sever [~]#
    root@server [~]# find / -name 'mailers' -type d
    /home/example/public_html/mailers
    
    I didn't find a "mailers" directory in other accounts. Now I want to search for the files
    1.php, 2.php, 3.php, 4.php, Mailer2.php, Mailer3.php, mailer4.php, mailerinbox.php

    in the entire server or in other accounts.

    How can I do this?
     
  2. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Joined:
    Nov 3, 2007
    Messages:
    941
    Likes Received:
    0
    Trophy Points:
    66
    Is there any update on this?
     
  3. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    8
    Trophy Points:
    68
    Location:
    Athens Greece
    Use maldet and clamav to see if they get any results, in case there are viruses on this domain.
    maldet is an excellent free choice; you can set it to monitor users as well.

    Also, chirpy's exploit scanner is a good solution.
    Try the grep command as well. Did you receive any email from the DC saying that your server is spamming or DDoSing another box?
     
  4. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Joined:
    Nov 3, 2007
    Messages:
    941
    Likes Received:
    0
    Trophy Points:
    66
    Yes, I know maldet and clamav; these are very good tools. I have already scanned the entire system with these tools, but nothing is there. I just visited the website & came to know that it is hacked, & then I manually checked the pages & found the mailers pages. We have not received any email from the DC regarding spamming or DDoSing another box. Actually, it is not doing spamming.
     
  5. k-planethost

    k-planethost Well-Known Member

    Joined:
    Sep 22, 2009
    Messages:
    199
    Likes Received:
    8
    Trophy Points:
    68
    Location:
    Athens Greece
    use the grep command
    grep -i -r 1.php /home
    or
    grep -i -r 4.php /home etc
     
  6. JeffP.

    JeffP. Well-Known Member

    Joined:
    Sep 28, 2010
    Messages:
    164
    Likes Received:
    14
    Trophy Points:
    68
    If your slocate/mlocate database is up to date, another method would be to use the "locate" utility.

    Here's an example:

    Code:
    [user@host ~]$ touch mailer
    [user@host ~]$ ls mailer
    mailer
    
    [root@host ~]# locate -i mailer | grep ^/home
    [root@host ~]#
    
    [root@host ~]# updatedb
    [root@host ~]# locate -i mailer | grep ^/home
    /home/user/mailer
    
    A few things to note:

    1. Running "updatedb" can take a while. The more files that exist on your machine, the longer it'll take.
    2. You may already have a cron job that updates the mlocate database already. This is the cron job:

    Code:
    [root@host ~]# ls -l /etc/cron.daily/mlocate.cron
    -rw-r--r-- 1 root root 137 Sep  3  2009 /etc/cron.daily/mlocate.cron
    
    This is the mlocate db that contains the list of files and directories on your machine:

    Code:
    [root@host ~]# ls -l /var/lib/mlocate/mlocate.db 
    -rw-r----- 1 root slocate 5602047 Mar 19 09:50 /var/lib/mlocate/mlocate.db
    
    When "updatedb" is run, that's the file that gets updated. Again, you may already have a cron job in place which does this every day anyway.

    You may also find the "locate" utility to be a bit quicker than running "find" when dealing with large amounts of data.
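
Added example (not part of any post in this thread): a POSIX shell sketch that searches by file name rather than file contents, using `find` with one case-insensitive `-iname` test per suspect name from the original question. The function names `find_by_names` and `accounts_with_hits` and the variable `SUSPECT_NAMES` are made up for this example; it assumes a `find` that supports `-iname` (GNU or BSD).

```sh
#!/bin/sh
# Added example: locate files by NAME across a tree such as /home.

# File names reported in the compromised account (from the first post).
SUSPECT_NAMES="1.php 2.php 3.php 4.php Mailer2.php Mailer3.php mailer4.php mailerinbox.php"

# find_by_names ROOT NAME...
# Prints every regular file under ROOT whose basename equals one of NAME,
# ignoring case (so Mailer2.php and mailer2.php both match). Directories
# with a matching name are skipped by -type f.
find_by_names() {
    fb_root=$1; shift
    [ "$#" -gt 0 ] || return 1
    fb_first=1
    # Rebuild the positional parameters as: -iname n1 -o -iname n2 ...
    for fb_name in "$@"; do
        if [ "$fb_first" -eq 1 ]; then
            set --
            fb_first=0
        else
            set -- "$@" -o
        fi
        set -- "$@" -iname "$fb_name"
    done
    # -xdev keeps the search on one filesystem; errors from unreadable
    # directories are discarded.
    find "$fb_root" -xdev -type f \( "$@" \) -print 2>/dev/null | sort
}

# accounts_with_hits ROOT NAME...
# Reduces the hit list to the first path component below ROOT, which is
# the account directory when ROOT is /home.
accounts_with_hits() {
    ah_root=${1%/}
    find_by_names "$@" | sed -e "s|^$ah_root/||" -e 's|/.*||' | sort -u
}

# Typical use as root (left commented out so sourcing this file is inert):
#   find_by_names /home $SUSPECT_NAMES
#   accounts_with_hits /home $SUSPECT_NAMES
```

Generic names such as `1.php` can also belong to legitimate applications, so each hit needs a manual look at its contents, owner and modification time before it is treated as part of the compromise.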
     