Remove Malware from PHP Scripts

mehargags Member
edited March 2015 in Help

Hi all,

I was approached by an old friend yesterday and he wants me to migrate his 5 sites to my servers. The problem is, his shared server had been hacked 5 times in last 6 months and every time there is some code injection in his PHP scripts.

I'm afraid if I just migrate his sites to my server, any injected malware may "open" backdoors and compromise the whole server.

I know the solutions to clean Wordpress sites, but I seek guidance in cleaning static HTML & Core PHP Scripts which (May) have been injected with malware. One of the sites is a full suite with front-end & Backend coded in Core PHP (6-7 years back), with around 90-95 .php files; is there a practical solution to get these scanned & cleaned?

I've done Clamscan which reported nothing, but I can't rely on it alone.

I found this on a quick search http://sourceforge.net/projects/smscanner/

Can you point me to some more Reliable and Trusted ones please?

Thanks a lot...

Comments

  • edited March 2015

    A backdoor can be as simple as this:

    eval(@$_POST['abc']);

    And it can be like this:

    eval(base64_decode('ZXZhbChAJF9QT1NUWydhYmMnXSk7'));

    Can those scanners detect that code? If not then you have to check the code manually.

    From another point of view, if you have your server properly configured then you don't have to care much about backdoor.

    Thanked by 1 Mark_R
  • @khuongcomputer said:
    if you have your server properly configured then you don't have to care much about backdoor.

    Care to explain the steps I can check, though, to define if my server is properly configured or not?

  • Abdussamad Member
    edited March 2015

    khuongcomputer said: From another point of view, if you have your server properly configured then you don't have to care much about backdoor.

    I don't agree with this. It could be used to send spam or DoS another server.

    mehargags said: Care to explain the steps I can check, though, to define if my server is properly configured or not?

    It's custom PHP code, right? Hire somebody who knows PHP to go through the code line by line. There is no other way.

    If it was an open-source project you could simply do a diff with a fresh copy of the script from the project's site.

    Thanked by 1 mehargags
  • Normally when a file is injected the code stands at the bottom or head.

  • black Member

    diff and sha1sum is going to be your friend.

    Thanked by 1 Blanoz
  • @black said:
    diff and sha1sum is going to be your friend.

    Best approach.

    If you use CSF Firewall, you can include /path/to/your/friend's/script in the filesystem integrity check - which is done automatically.

  • @Abdussamad
    Of course the last and absolute resort would be to get all files checked by a PHP Dev... but I was trying to see, as a sysadmin, what best preliminary steps I can perform for the same.

    @black
    diff and sha1sum could be a good option, unfortunately I don't have the values from the original files against which I can compare :(

    @Blanoz
    I use Debian... don't think CSF is there on Debian? Or I can install?
    Didn't know CSF can do integrity checks too... can you point me to some good guide?

    However, to compare and evaluate a file's integrity, you need to have a differential analysis, which is not possible in my case. Valuable pointer though, I can ask him to get me some old backups if he has... to check against (very skeptical)

  • black Member
    edited March 2015

    Oh...

  • Nomad Member

    For checking against malicious eval codes
    check this out.

  • Shouldn't the infected files with injected code have a different modified date than the rest of the files of the website?

    That could be a start to narrow down the possibly injected files.

    I would also search for those in all the files... And then check if anything is suspicious.

    And grep -R "eval(" .

    And grep -R "mail(" .

    If he has the original files on an offline/localhost... you can then compare them with the original files...

  • Easiest way:

    apt-get purge php5

    …no need to thank me.

  • sin Member
    edited March 2015

    Maybe try scanning with maldet daily? You can set maldet to detect certain lengths of code

    Thanked by 2 mehargags Cipriano
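The thread's advice boils down to three checks: grep for eval(/mail( and friends (khuongcomputer's two one-liners, the grep suggestions), diff a sha1sum manifest against a known-good copy (black, Blanoz), and look at files whose modification time stands out from the rest of a 6-7 year old code base. The script below is an added example written for this page, not code from any poster or tool mentioned in the thread; it combines the three checks as a triage helper and, for the base64 case, decodes long base64 literals and rescans the decoded text so that the second one-liner is reported with the same "eval + user input" reason as the first. The file names and file contents in demo() are constructed, and the indicator list and the 30-day mtime window are my own choices.

```python
"""Triage helper for a PHP tree: indicator grep, sha1 manifest diff, mtime outliers.
Added example for this thread; file names, contents and thresholds are constructed."""
import base64
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path
import re

# Functions a reviewer greps for: the thread's eval( and mail( plus common
# obfuscation/execution helpers. A hit is a prompt for manual review, not proof.
SUSPICIOUS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|str_rot13|create_function|"
    r"preg_replace|system|shell_exec|passthru|mail)\s*\(",
    re.IGNORECASE,
)
# Request data flowing into the above is the classic one-line backdoor shape.
INPUT_VARS = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")
# Quoted base64-looking runs of 24+ chars; the thread's encoded example is 28.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=]{24,})['\"]")


def decoded_literals(text):
    """Base64 literals in text that decode to readable text (possible hidden code)."""
    out = []
    for m in B64_LITERAL.finditer(text):
        try:
            s = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\r\n\t" for ch in s):
            out.append(s)
    return out


def scan_text(text):
    """Findings for one file: (layer, line, reasons, snippet), plain text first,
    then each decoded base64 literal rescanned as its own layer."""
    findings = []
    layers = [("plain", text)] + [("base64", s) for s in decoded_literals(text)]
    for layer, body in layers:
        for lineno, line in enumerate(body.splitlines(), 1):
            names = {n.lower() for n in SUSPICIOUS.findall(line)}
            if not names:
                continue
            reasons = "+".join(sorted(names))
            if INPUT_VARS.search(line):
                reasons += "+user-input"
            findings.append((layer, lineno, reasons, line.strip()[:80]))
    return findings


def scan_tree(root):
    """Map of relative path -> findings for every .php file with at least one hit."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*.php")):
        hits = scan_text(p.read_text(errors="replace"))
        if hits:
            result[str(p.relative_to(root))] = hits
    return result


def manifest(root):
    """sha1 and mtime per file, keyed by relative path (what sha1sum -r would give)."""
    root = Path(root)
    return {
        str(p.relative_to(root)): (hashlib.sha1(p.read_bytes()).hexdigest(), int(p.stat().st_mtime))
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """diff of two manifests: files added, removed, or changed by sha1."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in both if baseline[f][0] != current[f][0]),
    }


def mtime_outliers(current, window=30 * 86400):
    """Files modified more than `window` seconds after the (lower) median mtime:
    the 'different modified date' heuristic for a code base nobody has touched."""
    times = sorted(m for _, m in current.values())
    if not times:
        return []
    median = times[(len(times) - 1) // 2]
    return sorted(f for f, (_, m) in current.items() if m > median + window)


def _write(path, body, mtime):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body)
    os.utime(path, (mtime, mtime))


def demo():
    """Constructed sample: snapshot a clean tree, simulate an injection, run all checks."""
    root = Path(tempfile.mkdtemp(prefix="phpscan-"))
    old = time.time() - 400 * 86400
    files = {
        "index.php": "<?php require 'inc/footer.php'; echo 'hello'; ?>\n",
        "inc/footer.php": "<?php echo '</body></html>'; ?>\n",
        "inc/db.php": "<?php $dsn = 'mysql:host=localhost'; ?>\n",
    }
    for rel, body in files.items():
        _write(root / rel, body, old)
    baseline = manifest(root)  # the "original files" the OP wishes he had
    # Simulated injection: code appended at the bottom of an existing file, plus a dropped file.
    _write(root / "inc/footer.php", files["inc/footer.php"]
           + "<?php eval(base64_decode('ZXZhbChAJF9QT1NUWydhYmMnXSk7')); ?>\n", time.time())
    _write(root / "cache/sess.php", "<?php eval(@$_POST['abc']); ?>\n", time.time())
    current = manifest(root)
    out = (compare(baseline, current), mtime_outliers(current), scan_tree(root))
    shutil.rmtree(root)
    return out


if __name__ == "__main__":
    diff, outliers, hits = demo()
    print("manifest diff:", diff)
    print("mtime outliers:", outliers)
    for path, findings in hits.items():
        for layer, line, reasons, snippet in findings:
            print(f"{path}:{line} [{layer}] {reasons}: {snippet}")
```

Without a baseline, as in the OP's case, only scan_tree and mtime_outliers apply; saving manifest() output right after the manual review gives the baseline for every later migration or re-check.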