Nov 18, 2013

Detecting And Removing Malicious Scripts

Sooner or later most of us will have a site hacked, whether through unsanitized input, a CMS bug or a bug in the hosting platform.
The real problem afterwards is finding out what the attacker injected into the site.
The most common form is the iframe injection: an iframe with zero width and height (so it is invisible to visitors) that pulls in a malicious file from another host, for example <iframe src="site/a.jar" width="0" height="0"></iframe>
In the example above a jar file is included; it can be a Java drive-by download or even a Java 0day.
How to detect them
On Linux we can use a simple grep command.

Searching in a single file (-F treats the pattern as a fixed string, so the dot does not match any character)
grep -F ".jar" filename

Searching in multiple files (-r recurses into directories, -n prints the line number of each hit)
grep -rn "string" /path/to/webroot

Case insensitive search
grep -i "string" FILE


What else to check for:
system, eval, passthru, popen, shell_exec, base64_decode, mail (used for sending stolen data or spam)
It is also worth checking the server logs: the web server access and error logs, and the PHP error log configured by error_log in php.ini (php.ini itself is only the configuration file, it keeps no log), record the requests made to the server (note! an attacker with write access can modify them).
There are also other types of injection, such as webshells that read attacker input from $_GET/$_POST/$_REQUEST and pass it to eval or system, but a simple grep search for the dangerous functions above finds most of them.

some useful resources on the web
