I am facing a problem on my web server. Someone infected him with a leaked dictionary. The problem is this: there is some malicious phpscript in the file. A malicious script puts an iframe inside each file on the web server (/ home) But the thing is, I donβt know where the script is located, and I have thousands of web files in / home, it can be anywhere. I know how to erase all frames, but the idea is to remove the trigger. So I wandered how I could fix it, and I may have a solution, but I need your advice
I noticed that the script is executed from time to time, but completely randomly (about once a week) Now suppose I removed all the malicious iframes with the following shell command (which I run every 30 minutes now)
find /home -type f | xargs sed -i 's$<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>$ $g'
Now that my entire php file does not have an iframe, the idea would be to warn me when the iframe appears again. Similarly, if I have an approximate time at which the iframe appears, I could look in the apache log to see which web script is being called.
So, I created another bash shell, and I would like your advice to know if everything will be alright. I will run it every 30 minutes on the server until I receive mail.
Then I would look in the apache log to check the log in the last 30 minutes.
So here is the bash I was thinking about:
#!/bin/bash find /home -type f | xargs grep -q '<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>' #Find the string in all file on my all directory if [ $? -eq 0 ] #if the result is not equal to zero then echo "At the following time : " $(date +%H-%M-%S) | mail -s "[Serveur Leaked] Bad iframe has been found " me@mymail #we send a mail with the date find /home -type f | xargs sed -i 's$<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>$ $g' #we replace the iframe with a whitespace else exit 1 fi exit 0
I really need to find a solution because I know, as I said, that I run the find and replace shell command every 30 minutes, and that takes a lot of process.
But I could not afford to overlay iframes on my server for too long, that my sites would be blacklisted by Google, and I could not allow it.
Thanks so much for your future tips.
Anselm