Command Line Love: Searching cPanel for Malicious Code


December 18, 2014 / Updated: May 7, 2015 / Lena Shore
Filed under:

Terminal-iconIf you don’t run servers, you will most likely think this article is boring and can skip it. However, if you DO run servers, you will encounter times where you think something fishy is going on and will want to know what.

Here I have compiled some useful commands that will help you find problems. Variations on these commands can be used as simple server maintenance. You can see if any malicious scripts are being accessed via POST to send spam emails, you can see if any files have been uploaded or modified in the last xx days without authorization, and if you find one suspect script, you can view that script, find a phrase within it, and see if any other files on your server contain the same phrase and then inspect those other files for validity.

Find all files from current location and all sub-directories,
that have been created or altered in last 5 days

find . -ctime -5

Get all lines in access_log that contain the word POST.

In cPanel the access_log is located in /www/logs/. In order to “cat” any file, you need to either be in the same directory as the file, or specify the full directory with the file name

cat access_log | grep POST

Find all files from current location and all sub-directories, that contain the phrase “@error_reporting”.

The space and period are required. Basically it says for the command to run on all files.

grep -HREln "(@error_reporting)" .

View the contents of a file.

- strings

See who is logged in with SHELL:

grep ssh /var/log/secure|grep Accepted

See last 20 people who have logged in:

last -n 20

Try to find out which user is sending the mails through scripts.

grep cwd /var/log/exim_mainlog | awk '/public_html/ {print $3}' | sort | uniq -c

Dump spammy emails from server

When you are done cleaning out the malicious code, you may need to empty the mail que. If there is a ton of stuff stuck out there, you might want to do this from the command line:

exim -bpru|awk {'print $3'}|xargs exim -Mrm

To give the server a chance to process legitimate emails, you can have it remove emails that are older, than say 5 minutes:

exiqgrep -o 300 -i | xargs exim -Mrm

This will remove mails older than 5 mins (300 seconds). Adjust your time accordingly.

Find malicious code inside image files. Yeah. That can happen. Surprise!

find -name '*.gif' -o -name '*.jpg' -o -name '*.png' -exec file {} \; \
| grep -v 'GIF image data' \
| grep -v 'PNG image data' \
| grep -v 'JPEG image data' \
| grep -v _vti_cnf