Check if there are files with non-standard extensions
Let's assume that you are using WordPress. It does not ship files with extensions such as .py, .pl, .cgi, .so, .c, .phtml or .php3. If you find such files, there is a high probability that they were planted by an attacker. This may be a false positive, but most often such files contain malicious code.
Analyze files for strange attributes or suspicious creation dates
Pay attention to files with attributes that are not typical for this server. For example, all .php scripts were uploaded via FTP/SFTP by the site's own user, and only a few files are owned by www-data: those few should be rechecked. Scripts whose creation date is older than the creation date of the web resource itself should also raise suspicion. To find such files quickly, use the unix command "find".
Identify a doorway by a huge number of .html or .php files
A doorway may be indicated by a large number (up to several thousand) of .php or .html files in a single directory.
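The three file-system checks above (unexpected extensions, unexpected owner or dates, and directories stuffed with pages) can all be done with find. The script below is an added example, not part of the original post; the allow list of extensions, the 2020-01-01 site creation date, the threshold of 50 pages and the sample tree it builds under a temporary directory are all assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post): file-system triage of a WordPress document
# root with find(1). The extension allow list and the sample tree are assumptions.

# 1. Files whose extension WordPress does not use (.py, .pl, .cgi, .so, .c,
#    .phtml, .php3 and anything else not on the allow list are reported).
find_odd_extensions() {
    find "$1" -type f \
        ! -name '*.php'  ! -name '*.html'  ! -name '*.htm'  ! -name '*.css' \
        ! -name '*.js'   ! -name '*.json'  ! -name '*.txt'  ! -name '*.svg' \
        ! -name '*.png'  ! -name '*.jpg'   ! -name '*.jpeg' ! -name '*.gif' \
        ! -name '*.woff' ! -name '*.woff2' ! -name '.htaccess' | sort
}

# 2. Files not owned by the account that deploys the site (e.g. written by the
#    PHP process as www-data). $2 is the expected owner, by name or numeric uid.
find_foreign_owner() {
    find "$1" -type f ! -user "$2" | sort
}

# 3. Files whose modification time predates the site itself. $2 is the site's
#    creation date in touch -t form (CCYYMMDDhhmm); a reference file outside the
#    document root carries that timestamp for find's "! -newer" test.
find_older_than() {
    ref=$(mktemp)
    touch -t "$2" "$ref"
    find "$1" -type f ! -newer "$ref" | sort
    rm -f "$ref"
}

# 4. Doorway candidates: directories holding more than $2 .php/.html files.
find_doorways() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' \) \
        | sed 's|/[^/]*$||' | sort | uniq -c \
        | awk -v t="$2" '$1 > t { n = $1; sub(/^ *[0-9]+ /, ""); print $0 " (" n " files)" }'
}

# Constructed sample site with a few planted anomalies, for the demo run.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/themes/x/cache"
    for f in index.php wp-config.php .htaccess wp-content/uploads/logo.png; do
        : > "$root/$f"
    done
    : > "$root/wp-content/uploads/image.php3"          # legacy PHP extension
    : > "$root/wp-content/themes/x/helper.phtml"       # another one
    : > "$root/wp-content/uploads/old.php"
    touch -t 201501010000 "$root/wp-content/uploads/old.php"   # "older" than the site
    i=0
    while [ "$i" -lt 60 ]; do                          # doorway-style page dump
        : > "$root/wp-content/themes/x/cache/page$i.html"
        i=$((i + 1))
    done
    printf '%s\n' "$root"
}

# Stand-alone run: pass a real document root as $1, otherwise use the sample.
WEBROOT=${1:-$(make_sample_site)}
echo "== non-standard extensions";             find_odd_extensions "$WEBROOT"
echo "== files not owned by uid $(id -u)";      find_foreign_owner "$WEBROOT" "$(id -u)"
echo "== files older than 2020-01-01";         find_older_than "$WEBROOT" 202001010000
echo "== directories with more than 50 pages"; find_doorways "$WEBROOT" 50
if [ -z "${1:-}" ]; then rm -rf "$WEBROOT"; fi
```

Each function prints paths only, so the output can be fed straight into a review list or into the checksum comparison described under integrity control. The owner check only finds something on a real host where the web server user differs from the deploying user; on the constructed sample every file belongs to the current user.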
Use logs
Malicious code and infected scripts can be found using the logs of the web server, the FTP service and the mail service. Take the date and time the spam was sent from the mail server log or from the headers of a message from the mailing, and compare them with the requests in access_log. This will show how the mailing was carried out and which script performed it.
To understand which files were uploaded at the time of the hack and which were modified, analyze the FTP transfer log (xferlog). It also shows where these actions were performed from. If the mail server log is configured correctly, it will contain the name of the script that sends the spam mailing, or the path to it. The same information can be found in the technical headers of a message from the mailing, if PHP was configured correctly.
If you check the proactive protection logs of the CMS and its plugins, you can see which attacks were made on the web resource and which of them succeeded. By analyzing access_log and error_log you can trace the attacker's actions once you know the names of the scripts they used, their User-Agent or their IP address. Failing that, study the POST requests made on the day of the attack. Such analysis sometimes turns up other malicious scripts that were placed on the server before the latest hack.
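The correlation described above, taking the time a message entered the mail queue, pulling the POST requests from the same minute of access_log, and then pivoting on the client address, looks like this in practice. This is an added example and not from the post; the mail log lines (Postfix syslog format), the access_log lines (Apache combined format), the addresses and the assumption that uid 33 is the web server user are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post): correlate a spam mailing seen in the mail
# log with the web server's access_log to find the script that sent it.
# All log lines below are constructed; uid=33 as www-data is an assumption.

make_sample_logs() {
    dir=$(mktemp -d)
    cat > "$dir/mail.log" <<'EOF'
Mar 10 14:32:04 web1 postfix/pickup[2211]: 7A1B2C3D4E: uid=33 from=<www-data>
Mar 10 14:32:04 web1 postfix/cleanup[2215]: 7A1B2C3D4E: message-id=<20250310143204.7A1B2C3D4E@web1>
Mar 10 14:32:05 web1 postfix/qmgr[1007]: 7A1B2C3D4E: from=<www-data@web1>, size=2210, nrcpt=250 (queue active)
EOF
    cat > "$dir/access_log" <<'EOF'
203.0.113.5 - - [10/Mar/2025:14:31:58 +0000] "GET /wp-content/uploads/2025/03/img.php HTTP/1.1" 200 532 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:14:32:03 +0000] "POST /wp-content/uploads/2025/03/img.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:14:32:05 +0000] "GET /index.php HTTP/1.1" 200 9100 "-" "Mozilla/5.0 (X11)"
192.0.2.9 - - [10/Mar/2025:14:32:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4302 "-" "Mozilla/5.0 (Windows)"
198.51.100.7 - - [10/Mar/2025:14:40:12 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11)"
EOF
    printf '%s\n' "$dir"
}

# Syslog timestamp ("Mar 10 14:32:04") of the first message the web server
# user handed to the local mail queue.
spam_pickup_time() {
    grep 'postfix/pickup' "$1" | grep 'uid=33' | head -n 1 | cut -c1-15
}

# POST requests logged in the same minute as a syslog timestamp. Syslog lines
# carry no year, so the caller supplies it ($3).
posts_in_minute() {
    access_log=$1; year=$3
    set -- $2                          # split "Mar 10 14:32:04" into month, day, time
    day=$(printf '%02d' "$2"); hm=${3%:*}
    grep -F "[$day/$1/$year:$hm:" "$access_log" | grep '"POST '
}

# Tally the scripts that received POSTs (reads access_log lines on stdin).
posted_scripts() {
    awk '{ print $7 }' | sort | uniq -c | sort -rn
}

# Everything one client did, to see what preceded and followed the POST.
requests_from() {
    awk -v ip="$2" '$1 == ip' "$1"
}

# Stand-alone run against the constructed logs.
d=$(make_sample_logs)
ts=$(spam_pickup_time "$d/mail.log")
echo "mail queued by the web user at: $ts"
echo "== POST requests in that minute";  posts_in_minute "$d/access_log" "$ts" 2025
echo "== scripts hit by those POSTs";    posts_in_minute "$d/access_log" "$ts" 2025 | posted_scripts
echo "== full history of 203.0.113.5";   requests_from "$d/access_log" 203.0.113.5
rm -rf "$d"
```

On the sample the minute of the mailing holds two POSTs, so the script name alone does not settle it; the pivot on the client address shows that 203.0.113.5 fetched a .php file inside wp-content/uploads, where WordPress itself never writes executable files, seconds before posting to it, which is the pattern the post describes. On a busy server, widen the window to a few minutes and filter on the User-Agent as well.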
Integrity control
Preventive measures make it easy to detect a program containing malicious code on the site later. This is the main task of integrity control, which lets you determine in time that the web resource has been hacked. The most effective method is to put the site under a version control system (git, cvs, svn). With a correctly configured .gitignore, you can track any change with git status and find infected scripts and altered files with git diff.
In addition, you will have a backup copy of the site, so it can be quickly restored. To monitor access to directories and files and changes to the file system, experienced webmasters and administrators can use auditd, inotify, tripwire and other monitoring mechanisms.
It is not always possible to install an integrity control system and third-party services on a server: on shared hosting you cannot configure system services or a version control system. Fortunately, there are many good tools for content management systems.
One option is to install a plugin or script on the site that monitors changes to files. Some CMSs, such as Bitrix and DLE, already have change-tracking and integrity-check functionality. If you have SSH access to your hosting, you can create a snapshot of the file system using the command
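Where git is not available, a checksum snapshot gives the same two answers as git status and git diff: which files appeared, disappeared or changed since the last known-good state. The script below is an added example, not the post's command or any project's tool; it uses sha256sum, and the sample document root and the tampering it simulates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post): a checksum snapshot of the document root
# that stands in for "git status"/"git diff" on hosts without a VCS.
# The sample tree and the simulated changes are constructed.

# Record a baseline: SHA-256 and relative path of every regular file under $1,
# sorted by path, written to $2. Store $2 outside the document root.
snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# Compare the current tree under $1 with the baseline $2 and report
# added, removed and modified files. (sha256sum -c $2 would catch modified
# and missing files, but never files that were added.)
compare() {
    current=$(mktemp)
    snapshot "$1" "$current"
    awk 'NR == FNR { old[$2] = $1; next }
         {
             if (!($2 in old))        print "added    " $2
             else if (old[$2] != $1)  print "modified " $2
             delete old[$2]
         }
         END { for (p in old) print "removed  " p }' "$2" "$current" | sort -k 2
    rm -f "$current"
}

# Constructed sample site in a temporary directory.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-includes"
    printf '<?php // front controller\n'        > "$root/index.php"
    printf '<?php define("DB_NAME", "wp");\n'   > "$root/wp-config.php"
    printf '<?php // core loader\n'             > "$root/wp-includes/load.php"
    printf 'image bytes\n'                      > "$root/wp-content/uploads/logo.png"
    printf '%s\n' "$root"
}

# Simulate what a later scan sees after a compromise (constructed placeholders,
# not real payloads): one core file altered, one file dropped into uploads,
# one file gone.
tamper() {
    printf '<?php // line appended later\n' >> "$1/wp-includes/load.php"
    printf '<?php // new file in uploads\n'  > "$1/wp-content/uploads/x.php"
    rm -f "$1/wp-config.php"
}

# Stand-alone run: take a baseline, change the tree, show the diff.
root=$(make_sample_site); base=$(mktemp)
snapshot "$root" "$base"
echo "baseline: $(wc -l < "$base") files recorded"
tamper "$root"
echo "== changes since baseline"; compare "$root" "$base"
rm -rf "$root" "$base"
```

Run snapshot once on a tree you trust (ideally a fresh deployment) and compare from cron; every line it prints is something to explain. Excluding volatile directories such as caches cuts the noise, the way .gitignore does, but it also blinds the check there, and cache and upload directories are exactly where foreign .php files tend to appear, so exclude by file type rather than by directory where you can. Paths containing spaces are not handled by the awk field split above.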