How to uncover malicious malware files tfdusr1 - Tue, 03/22/2016 - 06:35

An unfortunate side-effect of being online is the fact that you are continually being probed for weaknesses by ne’er do wells. Be it your computer, your internet provider, or your website, someone is almost always trying to find a way in to further their illicit goals, and give you a pretty massive headache as a result. While this article will not be able to teach you everything, it will serve to give you a solid base of skills to use when troubleshooting your own sites.

Find, Grep & Stat These three commands can easily uncover most kinds of malicious code and can often help point you towards the source of the attack, if they’re used properly. I will break down how to use each command separately, and then later how they can be used in concert.

Find The Linux manual defines this command as a utility that “recursively descends the directory tree for each path listed, evaluating an expression in terms of each file in the tree.” Simply put, the Find utility lets you search an area to look for files or folders as defined by a number of variables, such as by name, by owner, by time modified, etc. For example, to search the directory “/home/mywebsite” for a file called foobar.txt, you can run the following command:

find /home/mywebsite -type f -name "foobar.txt"

This should return the following:

/home/mywebsite/folder/another-folder/foobar.txt

If you want to find a list of files in that same “/home/mywebsite” directory that have been changed in the last 7 days, you can run the following command:

find /home/mywebsite -type f -ctime -7

The (-7) after ctime means files changed within 7 days or less. if that was changed to a plus (+) symbol, it would mean any files changed a minimum or 7 days or longer. Here is a more complex example: To find a list of all files inside “/home/mywebsite” with the extension .php that have been changed within 30 days, you can run the following command:

find /home/mywebsite -type f -name "*.php" -ctime -30

There are more commands that ‘find’ can handle. If you want to know more, see the manual page by typing “man find” in SSH.

Grep The Linux manual defines this command as a utility that “searches the named input FILEs (or standard input if no files are named, or the file name - is given) for lines containing a match to the given PATTERN. By default, grep prints the matching lines.” Essentially, the grep utility lets you search files for a matching text pattern. ‘Grep’ is one of the greatest commands for finding malicious files, but it can also turn up a lot of false-positives. The following are the very basics of the command. These examples will be searching in the “/home/mywebsite” directory. For example, to find the phrase “hello world”, located in a file somewhere inside that directory, you can run the following command:

grep -r "hello world" /home/mywebsite

If there was a file that contains that phrase, ‘grep’ will post the path to the file, and the line containing the matching text:

/home/mywebsite/foo/bar/hello.txt: hello world!

Please note that grep searches are case-sensitive. To ignore case-sensitivity, use the ‘-i’ flag For more information, see the manual page for grep by typing ‘man grep’ in SSH.

Stat The Linux manual defines this command as a utility that is used to “display file or filesystem status.” To expand on this, the stat utility is used to display permissions, ownership and various timestamps of a file. To see an example of the ‘stat’ command output, let’s take a look at that file we found earlier via the ‘find’ command, “/home/mywebsite/folder/another-folder/foobar.txt”:

stat /home/mywebsite/folder/another-folder/foobar.txt File: `home/mywebsite/folder/another-folder/foobar.txt’ Size: 19043 Blocks: 39 IO Block: 32768 regular file Device: 17h/23d Inode: 140209072 Links: 1 Access: (0644/-rw-r–r–) Uid: (841608/mywebsite-user) Gid: (88432/mywebsite- user)Access: 2011-10-22 21:10:09.106667057 -0700 Modify: 2011-11-14 15:14:19.493663971 -0800 Change: 2011-11-14 15:14:19.494043373 -0800

The line with “Access/Uid/Gid” simply lays out the read/write/execute permissions of the file, and who owns it in user and group. The last three lines deal with the time-stamp of the file. “Access” normally refers to when it was first created, or last written to. “Modify” refers to the last time the file changed permissions, or was renamed (among other things). “Change” refers to the last time the actual contents of the file were modified. Many malicious scripts are able to keep the access and modify time-stamps unchanged, but the change time-stamp will always reflect that someone has been inside the file. If a file has been modified via FTP, all three time-stamps will be changed to the same date.


This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.

Tags:

maliciuscode linux malware