Yesterday, a WordPress server that I look after for a friend had been broken into. Instead of trashing the site, the script-kiddy hooked the server into a spam bot-net, and proceeded to send thousands of emails from the host. In addition, the script-kiddy added in some extra ‘hidden’ content onto the server, and then got Google to scan for that content. In essence, the server was still serving and ‘working’, but was also being used for other purposes.
One of the things that my first UNIX instructor, Harry Eleftheriou, showed me was the power of ‘pipes’. Pipelining commands together was THE way to use simple yet finely crafted programs to make life easier. Today, that came to the fore.
I wanted to find all successful requests (HTTP Response 200) from the logs. From that I wanted to extract the script names (the 7th field in the log entry) that were being executed, and find which scripts were being called most regularly. The command that I came up with looked like the following:
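An added example of the kind of pipeline the paragraph describes (this is not the author's own command): it assumes the Apache/nginx combined log format, where the request path is field 7 and the status code is field 9, and runs over constructed sample log lines.

```shell
#!/bin/sh
# Added example, not the author's command. Assumes combined log format:
#   $1 client  $4 [timestamp  $6 "METHOD  $7 path  $8 protocol"  $9 status  $10 bytes
# Constructed sample lines; hosts and paths are illustrative, not real indicators.
LOGFILE=$(mktemp)
cat > "$LOGFILE" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/uploads/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 200 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /wp-login.php HTTP/1.1" 404 200 "-" "curl/7.68.0"
192.0.2.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-content/uploads/cache.php?v=3 HTTP/1.1" 200 200 "-" "Mozilla/5.0"
EOF

# top_scripts LOGFILE [N]: paths that returned 200, most frequent first.
# Matching on $9 (the status field) rather than grepping for "200" avoids
# false hits when 200 appears as a byte count or inside a timestamp.
# The query string is stripped so variants of one script collapse together.
top_scripts() {
    awk '$9 == 200 { sub(/\?.*/, "", $7); print $7 }' "$1" \
      | sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# strict_count LOGFILE: number of requests whose status field is 200.
strict_count() {
    awk '$9 == 200 { n++ } END { print n + 0 }' "$1"
}

# naive_count LOGFILE: what a plain grep for " 200 " would count. On the
# sample it is one too high, because the 404 line has a 200-byte body.
naive_count() {
    grep -c ' 200 ' "$1"
}

top_scripts "$LOGFILE"
echo "strict: $(strict_count "$LOGFILE")  naive grep: $(naive_count "$LOGFILE")"
```

Run the same function over each rotated logfile in turn (for example with a `for f in access.log*` loop) to get the per-file ranking the post describes.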
That command quickly highlighted what scripts were being run. And a few of them didn’t look right; a quick look at those files told me that two of them were infected/fake files and could be removed. After running that on all the logfiles, I had found all the infected files. Now, off to install Tripwire.