Need advice to mitigate malware

roboticpuppies

New member
Registered
Joined
Apr 25, 2018
Messages
11
Points
3
Hello,

I need some advice to mitigate and remove malware from my server. Mostly I found encoded scripts using base_64. But recently, it's really hard to find the files. I'm using cPanel and the ClamAV plugin. I've updated the ClamAV signatures, but the malware is still there. I've tried to run a scheduled scan, but it made the server load high. I read that adding some Apache module like mod_clamav will help, but has anyone tried that? Thank you.
 

VirtuBox

Well-known member
Registered
Joined
May 3, 2016
Messages
1,622
Points
83
Hello,

Here are some useful commands to find infected files:

Bash:
# If the hack was recent, check recently modified files (-mtime 0 = changed in the last 24 hours)
$ find . -type f -mtime 0

# Some hacks are nice enough to include a comment for when a block starts/ends (ex: //istart)
# -print0 / xargs -0 keep file names containing spaces or newlines intact
$ find . -type f -name "*.php" -print0 | xargs -0 grep -H "istart"

# Normally files with hacks use base64 encoded data in an attempt to hide code
$ find . -type f -name "*.php" -print0 | xargs -0 grep -H "base64_decode"

# Eval-ing of code is usually a sign of something naughty (although lots of plugins etc. use this)
$ find . -type f -name "*.php" -print0 | xargs -0 grep -H "eval("

# Sometimes php files are "hidden" inside the javascript assets folder
$ find wp-includes/js -type f -name "*.php"
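To run these heuristics in one pass rather than one grep at a time, here is an added example (not from VirtuBox's post) that scores each PHP file on several indicators at once and reports it only when they co-occur, which cuts down on false positives from plugins that legitimately use eval() or base64_decode() once. The weights, the threshold and the two sample files are assumptions constructed for this example.

```python
import os
import re
import tempfile
import time

# (pattern, weight). A lone eval() or base64_decode() is common in legitimate
# plugins, so each scores low; several together push a file over the threshold.
INDICATORS = [
    (re.compile(r"\beval\s*\("), 2),
    (re.compile(r"\bbase64_decode\s*\("), 2),
    (re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"), 3),  # long base64-looking blob
    (re.compile(r"//\s*istart"), 4),                 # marker quoted in the post above
]
RECENT_SECONDS = 24 * 3600  # same window as `find . -mtime 0`

def score_file(path):
    """Return (score, matched indicator names) for one PHP file."""
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    score, hits = 0, []
    for pat, weight in INDICATORS:
        if pat.search(text):
            score, hits = score + weight, hits + [pat.pattern]
    if time.time() - os.path.getmtime(path) < RECENT_SECONDS:
        score, hits = score + 1, hits + ["recently-modified"]
    if "js" in path.split(os.sep):  # PHP sitting in a javascript assets folder
        score, hits = score + 3, hits + ["php-in-js-dir"]
    return score, hits

def scan(root, threshold=5):
    # Walk root; return [(path, score, hits)] for .php files at or above threshold
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                score, hits = score_file(path)
                if score >= threshold:
                    findings.append((path, score, hits))
    return sorted(findings, key=lambda f: -f[1])

def make_sample_dir():
    """Constructed sample: one harmless plugin-style file and one obfuscated one."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "clean.php"), "w") as f:
        f.write("<?php eval('return 1;'); ?>\n")
    with open(os.path.join(d, "bad.php"), "w") as f:
        f.write("<?php eval(base64_decode('" + "QUJD" * 40 + "')); ?>\n")
    return d
```

Run `scan("/home")` (or a single account's docroot) and review the highest scores first; the threshold only decides what is listed, so lower it if you want to see near-misses.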
 

roboticpuppies

New member
Registered
Joined
Apr 25, 2018
Messages
11
Points
3
Hello,

Thank you for the info. I'll try it out. I want to automate it and minimize the use of commands. Do you have any advice, sir? Like using an antivirus or something else? I heard that Imunify360 will help a lot, but I don't really know about it yet. And by using commands, I'm afraid that this will cause false positives since I want to automate it :)
 

mobin

Well-known member
Registered
Joined
Jun 22, 2017
Messages
234
Points
28
What do you mean by "the malware is still there"? Do you mean you found some bad files, cleaned them up, but they're re-appearing? If so, you should really look into the app running under those accounts, generally some CMS [like WordPress, Joomla, Drupal, etc.]. If you really cannot find the bad files under each account, then you need a better scanner. If you want a free solution, try MalDet with the Malware.Experts rule set; it can help you. Do not forget to schedule scans based on your demand.
 

roboticpuppies

New member
Registered
Joined
Apr 25, 2018
Messages
11
Points
3
Hello,
Yes, I thought the malware was still there. But now I think that after I cleaned the malware, the attacker can re-upload the malware via a website vulnerability again.
I think you're right, maybe the CMS or the plugins are outdated.
Thanks for the info about malware.expert though :)
 