On to some meat! Today I'll cover some of the basics. I use these commands EVERY SINGLE DAY.
I use the standard commands to move around the filesystem. Very quickly, these are ls (list), cd (change directory), pwd (print working directory). Use the man command to find out more uses of these and flesh them out a bit.
I rely on find and grep to turn up most malware on the server. Using find, you have a large number of options. You can search for files created, modified, or accessed at a certain time, owned by certain users, with certain permissions, etc. Find is great for getting an initial file list to check further for malware. One of my most useful find tricks is:
===============================
find . -newer datefile -type f
===============================
This finds all files (-type f) newer than datefile (-newer datefile). On it's own, this command is quite useful. I combine it with:
============================================
touch -d "HH:MM:SS Day Month Year" datefile
============================================
I fill in the date using information I've gotten from the client who's site I'm investigating or from files already on the system. Usually this finds the majority of bad things on the account, but not all. Many times malware or phish sites will come zipped and tarred, and the attackers will extract them and preserve their timestamps. This makes using atime|mtime|ctime|newer difficult. For these cases (and several others) I use grep. If you're in this business and you don't know grep, you've got some learning to do. This tool is invaluable. Grep uses very powerful math (Regular Expressions http://en.wikipedia.org/wiki/Regular_expressions) to search files for patterns. Since this I work for a web hosting business, I'm usually looking for iframe injections (
<iframe src=
), evil eval statements (eval\(
), encoded scripts (base64_decode\(|function\(p,a,c,k,e,(r|d)
), javascript that shouldn't be there in general (<script src =|<script langauge=\"JavaScript\"
). The strings in the parentheses in the last sentence are regular expressions grep will search for in the path I specify. See man grep for more info on the neat tricks you can do as far as specifying patterns and paths in alternate ways and output formatting, because this command is VERY versatile. Here's an example (the blog wrapped it):======================================================
grep -i -H -R -E "<iframe src=|<script src =|<script langauge=\"JavaScript\"|eval\(base64_decode\(|function\(p,a,c,k,e,(r|d)" ./
======================================================
Don't freak, I'll explain :). We'll start with the switches:
======================================================
-i: This tells grep to treat the patterns as case-insensitive.
-H: This tells grep to output the filename the match was found in. Useful if you need to actually track down the abuse instead of just seeing it.
-R: This one's important, it tells grep to look recursively. If the path you choose is a directory grep will normally just search the files in that directory. this option makes grep search subdirectories as well.
-E: This one enables egrep-style regular expressions. It's basically a different way to describe the patterns than the standard way grep does. It's no less or more powerful, it's mostly here for versatility and compatibility. There are other switches like this, check the man page (PLEASE don't get tired of hearing me say this....).
"<sub-pattern>|<sub-pattern>|<sub-pattern>|<sub-pattern>|<sub-pattern>": This is the pattern to search for. The "|" (pipe) characters represent directives grep interprets, not actual characters to search for. Read the man to find out when and what you have to escape when sending grep directives like this, it can be confusing. The "|" directive means "or", so grep will look for any of those sub-patterns connected by the pipe. The last pattern has a pipe inside parentheses. This only applies to this sub-pattern, so it will find function(p,a,c,k,e,r or function(p,a,c,k,e,d.
./: This is the path to search. I choose the current directory via it's alias "./". This is true on most unix systems.
======================================================
Wow, what a lot to digest at once! I hope you aren't sweating yet, there's even more to learn in the man pages. We have barely scratched the surface of the uses of these two commands. The find command can run commands on every file it finds, so it can be used with grep directly! That will have to be left for another post though. Enjoy your MLKJ day!
ich1 out.