
I'm encountering an issue on my webserver. Someone infected it with a leaked WordPress. The problem is the following: there is some malicious PHP script somewhere within a file. The malicious script is putting an iframe inside every file on the webserver (/home). But the thing is that I don't know where the script is, and I have thousands of web files in /home; it could be anywhere. I know how to erase all the iframes, but the idea is to delete the trigger. So I was wondering how I could fix it. I have maybe a solution, but I would need your advice.

I noticed that the script is executed from time to time but completely randomly (approximately once a week). Now let's assume that I erased all the malicious iframes with the following shell command (which I currently run every 30 minutes):

find /home -type f -print0 | xargs -0 sed -i 's$<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>$ $g'   # -print0 / -0 keep file names containing spaces intact

Now that none of my PHP files have an iframe, the idea would be to alert me when the iframe appears again. This way, if I have the approximate time at which the iframe appears, I could look at the Apache log to see which web script was called.

So I created another bash script, and I would like your advice on whether it would be all right. I would run it every 30 minutes on the server until I receive a mail.

Then I would look in the Apache log to check the log for the last 30 minutes.

So here is the bash script I was thinking about:

#!/bin/bash
IFRAME='<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>'
LIST=$(mktemp)
# List the files under /home that contain the iframe (NUL-separated, so odd file names survive).
# "xargs grep -q" cannot be used as the test: xargs returns 123 as soon as one batch has no match,
# so $? would only be 0 if every batch of files matched.
find /home -type f -print0 | xargs -0 grep -lZ "$IFRAME" > "$LIST" 2>/dev/null
if [ -s "$LIST" ]            # non-empty list: at least one file carries the iframe
then
        echo "At the following time : $(date +%H-%M-%S)" | mail -s "[Serveur Leaked] Bad iframe has been found " me@mymail   # we send a mail with the date
        # replace the iframe with a whitespace, only in the files that have it
        # (sed -i rewrites, and so touches the mtime of, every file it is given, clean or not)
        xargs -0 sed -i "s|$IFRAME| |g" < "$LIST"
        rm -f "$LIST"
else
        rm -f "$LIST"
        exit 1
fi

exit 0

I really need to find a solution because right now, as I said, I'm running the find-and-replace shell command every 30 minutes and it's taking a lot of processing power.

But I could not afford to leave iframes on my server for too long, as my websites would be blacklisted by Google, and I could not afford this.

Thanks a lot for your future advice.

Anselme

  • I found something that can help you: http://unix.stackexchange.com/a/13462/40596 – fedorqui Jul 16 '13 at 10:35
  • Perhaps post this question to [security.stackexchange.com](http://security.stackexchange.com/) as well. – gtrig Jul 22 '13 at 06:17
  • If you are the only one that is supposed to modify these files, then you could perhaps make use of filemtime() to test the last-modified time of the files against the last time your script ran. – John Faulkner Jul 22 '13 at 09:00
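The detection step the question describes (find the files that carry the iframe, note when they were written, then read the Apache log around that time) can be done in one script. The following is an added example, not code from the question or its answers. It assumes GNU find/stat/date/grep, the Apache "combined" log format, and the /home tree and log path from the question; the file names and log lines in the usage below are constructed for illustration.

```shell
#!/bin/bash
# Added example, not code from the question: list the files under a tree that carry the
# injected iframe, take each file's mtime, and pull the Apache requests logged around that
# time, so the script that wrote the iframe can be identified without waiting for the next poll.
# Assumptions: GNU find/stat/date/grep, Apache "combined" log format, C locale for month names.
export LC_ALL=C

IFRAME_RE='<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>'

# Print "<mtime epoch> <path>" for every regular file under $1 that contains the iframe.
# NUL separators (-print0 / -0 / -Z) keep file names with spaces or newlines intact, and
# only the matching files are listed, so nothing else is touched or rewritten.
find_infected() {
    local root=$1
    find "$root" -type f -print0 \
        | xargs -0 grep -lZ "$IFRAME_RE" 2>/dev/null \
        | xargs -0 -r stat -c '%Y %n'
}

# Convert an Apache timestamp ("16/Jul/2013:10:35:12 +0200") to epoch seconds (GNU date).
apache_ts_to_epoch() {
    local ts=$1
    local day rest
    day=$(printf '%s' "${ts:0:11}" | tr / ' ')    # "16 Jul 2013"
    rest=${ts:12}                                  # "10:35:12 +0200"
    date -d "$day $rest" +%s
}

# Print the PHP requests in access log $1 logged within +/- $3 seconds (default 1800)
# of epoch $2. The injected script has to be hit through Apache to rewrite the files,
# so the request that triggered the write is among these lines.
suspect_requests() {
    local log=$1 center=$2 window=${3:-1800}
    local line ts epoch
    while IFS= read -r line; do
        ts=${line#*\[}; ts=${ts%%\]*}              # text between the first [ and ]
        epoch=$(apache_ts_to_epoch "$ts" 2>/dev/null) || continue   # skip unparsable lines
        if (( epoch >= center - window && epoch <= center + window )); then
            case $line in *.php*) printf '%s\n' "$line" ;; esac
        fi
    done < "$log"
}

# One report block per infected file: the path, when it was written, and the candidate requests.
report() {
    local root=$1 log=$2 epoch path
    find_infected "$root" | while read -r epoch path; do
        printf '== %s modified %s\n' "$path" "$(date -d "@$epoch" '+%F %T')"
        suspect_requests "$log" "$epoch"
    done
}

# Usage: ./iframe-report.sh /home /var/log/apache2/access.log
if [ $# -eq 2 ]; then
    report "$1" "$2"
fi
```

Because the file list comes from the files that actually contain the iframe, the same list can be fed to the cleanup `sed -i` instead of rewriting all of /home every 30 minutes. The window is centred on the file's mtime, so the cleanup must not have touched the file in between (the `sed -i` in the question resets the mtime of every file it rewrites).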

3 Answers


You could use inotify to get informed when your html files are changed and only run your script in that case.

When you know that your files get modified (e.g. by the above inotify), you can use the /proc filesystem of the processes (or something like lsof) to find out which process has opened the modified file.

flolo
  • Thank you for your answer. But the problem is that, as the server is used by several people, there are often people changing their files on the server... – Anselme Jul 15 '13 at 20:03

Once you have found an iframe file you wish to monitor, perhaps the shell scriptable version of inotify, inotifywait, would be the simplest solution. Use it in your script something like this:

#!/bin/sh
# Block until /var/log/messages is modified, then look at the line that was just appended.
while inotifywait -e modify /var/log/messages; do
    if tail -n1 /var/log/messages | grep httpd; then
        kdialog --msgbox "Apache needs love!"
    fi
done

In general, there are better file monitoring tools, such as auditd which includes prebuilt utilities and is specifically designed for security and auditing.

Also, there is fanotify, which provides user information and can monitor entire volumes efficiently. Check out the excellent sample tool: fatrace.

inotify suffers from several significant problems: it can't reliably monitor newly created folders, and can't identify the source (PID) of file changes. Neither of these matters here, but using inotify directly would require some coding.

Peter Krnjevic
  • The idea of the inotify suggestion was to have a hook to run his script when the files are changed, and not in 30 min intervals. – flolo Jul 17 '13 at 07:10
  • Good point, in which case the command line utilities built around inotify will likely do the job fine. I've edited my answer accordingly. – Peter Krnjevic Jul 17 '13 at 18:40
  • Thank you very much for your two answers. flolo, even if inotify seems to be very interesting, I don't think my coding skills are good enough to use it... but I will try. Anyway, your answers gave me new tracks for my research. Thanks again and I'll keep you in touch when I succeed. – Anselme Jul 18 '13 at 11:09
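Putting flolo's inotify hook and Peter Krnjevic's inotifywait/auditd pointers together: instead of polling every 30 minutes, react to each write under /home as it happens, check only the file that was written, and record which process did the writing. The following is an added example, not code from either answer. It assumes inotify-tools (inotifywait), auditd (auditctl/ausearch) and lsof are installed, that it runs as root, and it reuses the mail address and iframe pattern from the question.

```shell
#!/bin/bash
# Added example, not code from either answer: event-driven check of files written under a
# tree, with process attribution from lsof (writer still alive) and the audit log (writer gone).
# Assumptions: inotify-tools, auditd and lsof installed; run as root; GNU grep/date.
export LC_ALL=C

IFRAME_RE='<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>'

# Check one file that was just written. Returns 0 and prints a report line if it now
# carries the iframe, 1 if it is clean or is not a regular file (e.g. it was deleted).
check_written_file() {
    local path=$1
    [ -f "$path" ] || return 1
    grep -q "$IFRAME_RE" "$path" || return 1
    printf '%s INJECTED %s\n' "$(date '+%F %T')" "$path"
}

# Kernel-side record of every write under $1: the audit log stores PID, exe, uid and cwd
# of the writer, which survives even if the process exited before we looked. Run once.
install_audit_rule() {
    local root=$1
    auditctl -w "$root" -p w -k iframe-write
}

# Event loop: one line per close-after-write event, recursively under $1.
# close_write fires when the writer closes the file, so its content is complete when we look
# (a plain "modify" event can arrive while the file is still half written).
watch_tree() {
    local root=$1 path
    inotifywait -m -r -q -e close_write --format '%w%f' "$root" |
    while IFS= read -r path; do
        if check_written_file "$path"; then
            # whoever still has the file open (the injecting PHP worker, if it is still running)
            lsof "$path" 2>/dev/null
            # the audit events for the last few minutes, keyed by the rule above
            ausearch -k iframe-write -ts recent 2>/dev/null | tail -n 20
            printf 'iframe reappeared in %s\n' "$path" \
                | mail -s "[Serveur Leaked] Bad iframe has been found" me@mymail
        fi
    done
}

# Usage (as root): ./watch-iframe.sh /home
if [ $# -eq 1 ]; then
    install_audit_rule "$1"
    watch_tree "$1"
fi
```

With thousands of files, `inotifywait -r` needs one watch per directory, so raise `fs.inotify.max_user_watches` with sysctl if it reports that the limit was reached. The audit entries name the writing executable and its PID; for a PHP-FPM or mod_php worker that is the web server itself, and the request it was serving is the one to look up in the Apache log at that second.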

It may not be a PHP script that is causing this; hackers may have obtained passwords to your server. This site gives several resources that will guide you on what to check:

http://wordpress.org/support/topic/new-malware-code-injection-attack

Here's the WordPress documentation on how to harden the installation:

http://codex.wordpress.org/Hardening_WordPress

Changing the root password of your system would be a good place to start.

And to give you an idea of the level of malicious sophistication you may be up against:

http://blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html

My sympathy.

amdn
  • Thank you for all your useful links. However, I still believe it's a web injection, because I have already changed all my passwords and checked the logs (root SSH account and all FTP accounts) and it's still on. But I'm pretty sure I will find some new track with your links. – Anselme Jul 18 '13 at 11:01