How to perform a primary check on a hacked site to find suspicious files

From PheonixSolutions

Primary check on a hacked site to find suspicious files


1. Maldet scan

2. Nikto scan

3. Rkhunter scan

4. Chkrootkit scan

5. Verify the site in https://sitecheck.sucuri.net/

https://transparencyreport.google.com/safe-browsing/search?hl=en

6. Identify the hacked files inside the server (steps (i) to (iv) below)

7. Google webmaster tools check

8. Imunify scan (after approval)

9. Clamscan

(i) Identify the POST requests using the command below. The log path varies between servers, so adjust it to the location of the site's access log.

  grep POST /etc/httpd/logs/access_log* |awk '{print $7}' |sort |uniq -c |sort -n

(ii) Review the paths with the largest request counts and locate the corresponding file on disk

 find <path> -iname filename.php


(iii) Review the file content; if it is base64 or otherwise encoded, confirm with the client and remove it

  1. Identify the origin of the file

 stat filename.php

  2. Review the logs around the infected time and try to track the file. Identify the IP address and block it if it is suspicious

 grep "

  3. Identify the IP address and block it in the firewall

(iv) Review the /tmp directory and run clamscan and a maldet scan

Note:

For SSH attacks, list the source IPs of failed and accepted password logins:
grep -i "Failed password" /var/log/auth.log | awk -F "from" '{print $2}'|awk '{print $1}' |sort |uniq -c |sort -n

grep -i "Accepted password" /var/log/auth.log | awk -F "from" '{print $2}'|awk '{print $1}' |sort |uniq -c |sort -n
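The POST-counting check from step (i), the source-IP lookup from step (iii), and the SSH failed/accepted login counts above, as an added example that is not part of the original page. It writes constructed sample log lines (hypothetical IPs from the documentation ranges, a hypothetical upload path) to a temporary directory so it runs offline; on a real server point the functions at the actual access log and /var/log/auth.log (or /var/log/secure on RHEL-family systems).

```shell
#!/bin/sh
# Added example (not from the PheonixSolutions page): triage helpers for
# the POST and SSH login checks, run over constructed sample logs.

WORK="${TMPDIR:-/tmp}/hacked-site-triage.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed Apache combined-format access log. Field 7 is the request path.
SAMPLE_ACCESS_LOG="$WORK/access_log"
cat > "$SAMPLE_ACCESS_LOG" <<'EOF'
203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:01:05 +0000] "POST /wp-content/uploads/2024/03/shell.php HTTP/1.1" 200 88 "-" "curl/7.88"
198.51.100.9 - - [10/Mar/2024:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:02:30 +0000] "POST /wp-content/uploads/2024/03/shell.php HTTP/1.1" 200 90 "-" "curl/7.88"
203.0.113.5 - - [10/Mar/2024:10:03:44 +0000] "POST /wp-content/uploads/2024/03/shell.php HTTP/1.1" 200 91 "-" "curl/7.88"
EOF

# Constructed sshd lines in the /var/log/auth.log format.
SAMPLE_AUTH_LOG="$WORK/auth.log"
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Mar 10 10:00:01 web1 sshd[1201]: Failed password for root from 192.0.2.77 port 51000 ssh2
Mar 10 10:00:02 web1 sshd[1202]: Failed password for root from 192.0.2.77 port 51001 ssh2
Mar 10 10:00:03 web1 sshd[1203]: Failed password for invalid user admin from 192.0.2.77 port 51002 ssh2
Mar 10 10:05:00 web1 sshd[1210]: Accepted password for deploy from 198.51.100.20 port 40000 ssh2
EOF

# Step (i): POST requests per path, least to most hit (the page's pipeline).
post_counts() {
  grep POST "$1" | awk '{print $7}' | sort | uniq -c | sort -n
}

# The most-hit POST path, i.e. the file to locate and inspect first.
top_post_path() {
  post_counts "$1" | tail -n 1 | awk '{print $2}'
}

# Step (iii): the client IP that sent the most POST requests to a given path,
# for the firewall review.
top_poster_ip() {
  grep POST "$1" | awk -v p="$2" '$7 == p {print $1}' \
    | sort | uniq -c | sort -n | tail -n 1 | awk '{print $2}'
}

# SSH check: source IPs per outcome; $2 is "Failed" or "Accepted".
ssh_ip_counts() {
  grep -i "$2 password" "$1" | awk -F "from" '{print $2}' \
    | awk '{print $1}' | sort | uniq -c | sort -n
}

# Number of "$2 password" events from one IP, as a plain integer.
ssh_count_for_ip() {
  ssh_ip_counts "$1" "$2" | awk -v ip="$3" '$2 == ip {print $1}'
}

# Run the triage over the samples when executed directly.
echo "POST requests per path:"
post_counts "$SAMPLE_ACCESS_LOG"
path=$(top_post_path "$SAMPLE_ACCESS_LOG")
echo "Most-hit POST path: $path (top client $(top_poster_ip "$SAMPLE_ACCESS_LOG" "$path"))"
echo "Failed SSH logins by source IP:"
ssh_ip_counts "$SAMPLE_AUTH_LOG" Failed
echo "Accepted SSH logins by source IP:"
ssh_ip_counts "$SAMPLE_AUTH_LOG" Accepted
```

When grep is given several rotated files (access_log*), it prefixes each line with the file name, which becomes part of field 1; the request path stays in field 7, so the same pipeline works unchanged across rotations.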

Safety measures we need to perform after client approval


1. DDoS Deflate

2. ModSecurity

3. mod_evasive

4. Malware scan

5. Rootkit scan

Note: the client needs to verify the functionality of the site after this setup.