Remove Malware from PHP Scripts
Hi all,
I was approached by an old friend yesterday and he wants me to migrate his 5 sites to my servers. The problem is, his shared server had been hacked 5 times in last 6 months and every time there is some code injection in his PHP scripts.
I'm afraid if I just migrate his sites to my server, any injected malware may "open" backdoors and compromise the whole server.
I know the solutions to clean WordPress sites, but I seek guidance in cleaning static HTML & Core PHP scripts which (may) have been injected with malware. One of the sites is a full suite with front-end & backend coded in Core PHP (6-7 years back), with around 90-95 .php files; is there a practical solution to get these scanned & cleaned?
I've done Clamscan which reported nothing, but I can't rely on it alone.
I found this on a quick search http://sourceforge.net/projects/smscanner/
Can you point me to some more reliable and trusted ones please?
Thanks a lot...
Comments
A backdoor can be as simple as this:
And it can be like this:
Can those scanners detect that code? If not, then you have to check the code manually.
From another point of view, if you have your server properly configured then you don't have to care much about backdoor.
Care to explain the steps I can check, though, to define if my server is properly configured or not?
I don't agree with this. It could be used to send spam or dos another server.
It's custom PHP code, right? Hire somebody who knows PHP to go through the code line by line. There is no other way.
If it was an opensource project you could simply do a diff with a fresh copy of the script from the project's site.
Normally, when a file is injected, the code stands at the bottom or head.
diff and sha1sum are going to be your friends.
Best approach.
If you use CSF Firewall, you can include /path/to/your/friend's/script in the filesystem integrity check - which is done automatically.
@Abdussamad
Of course the last and absolute resort would be to get all files checked by a PHP dev... but I was trying to see, as a sysadmin, what best preliminary steps I can perform for the same.
@black
diff and sha1sum could be a good option; unfortunately I don't have the values from the original files against which I can compare.
@Blanoz
I use Debian... I don't think CSF is available on Debian? Or can I install it?
Didn't know CSF can do integrity checks too... can you point me to some good guide?
However, to compare and evaluate a file's integrity, you need to have a differential analysis, which is not possible in my case. Valuable pointer though; I can ask him to get me some old backups, if he has any, to check against (very skeptical).
Oh...
For checking against malicious eval code, check this out.
Shouldn't the infected files with injected code have a different modified date than the rest of the files of the website?
That could be a start to narrow down the possibly injected files.
I would also search for those in all the files... And then check if anything is suspicious.
And grep -R "eval(" .
And grep -R "mail(" .
If he has the original files on an offline/localhost copy... you can then compare them with the original files...
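As an added example (my own script, not code posted in this thread), here is a small Python 3 triage tool that combines the suggestions above: it greps every .php/.html file for eval(, mail( and a few other patterns common in injected code, lists hits newest-modified first, and writes a sha1sum baseline you can check against after the migration. The pattern list and file extensions are my own assumptions and are heuristics for manual review, not proof of infection.

```python
import hashlib
import os
import re
import sys

# Heuristic patterns common in injected PHP: eval of (often decoded) strings,
# the deprecated preg_replace /e modifier, shells fed straight from request
# data, spam mailing and long base64 blobs. Constructed list, not exhaustive.
SUSPICIOUS = [
    ("eval", re.compile(r"\beval\s*\(", re.I)),
    ("preg_replace_e", re.compile(
        r"preg_replace\s*\(\s*(['\"])[^'\"]*/[a-z]*e[a-z]*\1", re.I)),
    ("request_to_exec", re.compile(
        r"(system|exec|shell_exec|passthru|popen|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    ("mail", re.compile(r"\bmail\s*\(", re.I)),
    ("long_base64", re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
]

def scan_text(text):
    """Return sorted [(rule, line_no), ...] for every suspicious match in one file."""
    hits = []
    for name, rx in SUSPICIOUS:
        for m in rx.finditer(text):
            hits.append((name, text.count("\n", 0, m.start()) + 1))
    return sorted(hits, key=lambda h: (h[1], h[0]))

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a site tree; return {relpath: {"sha1": ..., "mtime": ..., "hits": [...]}}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    data = fh.read()
                report[os.path.relpath(path, root)] = {
                    "sha1": hashlib.sha1(data).hexdigest(),
                    "mtime": int(os.path.getmtime(path)),
                    "hits": scan_text(data.decode("utf-8", "replace"))}
    return report

if __name__ == "__main__":  # usage: python scan_php.py /path/to/site
    rep = scan_tree(sys.argv[1])
    # Baseline for the next check after migration: sha1sum -c baseline.sha1
    with open("baseline.sha1", "w") as fh:
        fh.writelines(f"{i['sha1']}  {r}\n" for r, i in sorted(rep.items()))
    # Newest-modified files first: injected files often stand out by mtime.
    for rel, info in sorted(rep.items(), key=lambda kv: -kv[1]["mtime"]):
        for rule, ln in info["hits"]:
            print(f"mtime={info['mtime']} {rel}:{ln} {rule}")
```

Every hit still needs a human to read the surrounding lines; legitimate code uses mail() and eval() too.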
Easiest way:
apt-get purge php5
…no need to thank me.
Maybe try scanning with maldet daily? You can set maldet to detect certain lengths of code.