
Help needed to nab the malware viral activity using awk

I am facing issues with my server as sometimes malware adds its code at the end or start of the files. I have fixed the security loopholes to the extent of my knowledge. My hosting provider has informed me that the security is adequate now, but I have become paranoid about the viral/malware activity on my site. I have a plan, but I am not well versed with Linux editors like sed, awk or gawk, so help is needed from your side. I can do this using my PHP knowledge, but that would be very resource intensive.

Since malware/viruses add code at the start or end of the file (so that the website does not show any error), can you please let me know how to write a command which would recursively look into all .php files (I will use the help to make changes in other types of files) in the parent and all sub-directories and add a particular tag at the start and end of the file, say, XXXXXX_START and YYYYYY_END.

Then I need a script which would read all the .php files and check if the first line of the code is XXXXX_START and the last line is YYYYYYY_END, and create a report if any file is found to be different.

I will set up a cron job to check all the files and email the report to me if any discrepancy is found.

I know this is not 100% foolproof as a virus may add the data after the commented lines, but this is the best option I could think of.


I have tried the following command to add data at the start:

sed -i -r  '1i add here' *.txt

but this isn't recursive; it only adds the line to files in the parent directory.

Then I found this - BEGIN and END are special patterns. They are not used to match input records. Rather, they are used for supplying start-up or clean-up information to your awk script. A BEGIN rule is executed, once, before the first input record has been read. An END rule is executed, once, after all the input has been read. For example:

awk 'BEGIN { print "Analysis of `foo'" }
     /foo/ { ++foobar }
     END   { print "`foo' appears " foobar " times." }' BBS-list

But unfortunately, I could not decipher anything.

Any help on above mentioned details is highly appreciated. Any other suggestions are welcomed.

Regards,

Nitin


You can use the following to modify the files (it also creates backup files with a .bak suffix). The -print0 / -0 pair keeps file names containing spaces intact:

find . -name "*.php" -print0 | xargs -0 sed -i.bak '1iSTART_XXXX
$aEND_YYYY'

You could use the following shell script for checking the files:

# -print0 and read -d '' handle file names containing spaces or newlines,
# which a plain `for f in $(find ...)` loop would split apart.
find . -name "*.php" -print0 | while IFS= read -r -d '' f
do
    START_LINE=$(head -n 1 "$f")   # first line of the file
    END_LINE=$(tail -n 1 "$f")     # last line of the file

    if [[ $START_LINE != "START_XXXX" ]]
    then
        echo "$f: Mismatched header!"
    fi

    if [[ $END_LINE != "END_YYYY" ]]
    then
        echo "$f: Mismatched footer!"
    fi
done
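A portable variant of the check above, added here as an example that is not part of the original answer: it reports marker mismatches the same way, and additionally keeps a SHA-256 baseline of every .php file so that code inserted between the markers (which the marker check alone cannot see, as the question notes) is reported too. The marker strings are assumed to be the START_XXXX / END_YYYY placeholders from the sed command above, and sha256sum is assumed to be GNU coreutils.

```shell
#!/bin/sh
# Assumed marker strings (placeholders from the answer); change to whatever you inserted.
START_TAG="START_XXXX"
END_TAG="END_YYYY"

# check_markers DIR
# Prints one line per .php file whose first or last line is not the expected marker.
# find -exec ... {} + passes the paths as arguments, so names with spaces are safe.
check_markers() {
    find "$1" -type f -name '*.php' -exec sh -c '
        start_tag=$1; end_tag=$2; shift 2
        for f do
            first=$(head -n 1 "$f")
            last=$(tail -n 1 "$f")
            [ "$first" = "$start_tag" ] || printf "%s: mismatched header\n" "$f"
            [ "$last" = "$end_tag" ]    || printf "%s: mismatched footer\n" "$f"
        done' sh "$START_TAG" "$END_TAG" {} +
}

# make_baseline DIR OUTFILE
# Records the SHA-256 of every .php file; run this right after a known-clean deploy.
make_baseline() {
    find "$1" -type f -name '*.php' -exec sha256sum {} + | sort -k 2 > "$2"
}

# check_baseline BASELINE
# Exits 0 when every file still matches its recorded hash; otherwise prints the
# changed files (one "FAILED" line each) and exits non-zero, so cron can mail it.
check_baseline() {
    sha256sum --quiet -c "$1"
}
```

In a cron job, run check_markers and check_baseline and mail any output; regenerate the baseline only after you have deployed a change yourself.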


Use version control and/or backups; in the event of suspicious activity, zap the live site and reinstall from backups or your version control source.


$ find . -type f | grep "txt$" | xargs sed -i -r  '1i add here'

This will apply that command to all files in or under the current directory. You could probably fold the grep logic into find, but I like simple incantations.
