Difference between revisions of "Get status of MalDet hits"

From James Dooley's Wiki

Latest revision as of 14:27, 25 March 2014

Overview

Get the status of files found in maldet scans. There are several different functions that can then be run.

Script

There are two main versions:

1) Look at only the last scan

2) Look at the entire log

Last Scan Version

cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | xargs -r ls -lah 2>/dev/null

All Scans Version

grep "malware hit" /usr/local/maldetect/event_log | grep "{hexstring}\|{md5hash}" | awk '{print $11}' | xargs -r ls -lah 2>/dev/null
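As an added example (not from the wiki page), the same session-file parsing as the two one-liners above, written as shell functions that report each hit explicitly instead of hiding missing files behind 2>/dev/null. The session file and its hit lines are constructed to match the {HEX}/{MD5} third-field layout the one-liners rely on, and everything lives in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the wiki page. Reads a maldet session file the way
# the one-liners do ({HEX}/{MD5} lines, third field is the path) and reports
# each hit's status, so a file that was already quarantined or removed shows
# up as MISSING instead of being silently skipped.

# Constructed sample data; real session files live under /usr/local/maldetect/sess/.
WORK=$(mktemp -d)
mkdir -p "$WORK/site/images" "$WORK/site/uploads"
printf 'constructed hit\n' > "$WORK/site/uploads/shell.php"
printf 'constructed hit\n' > "$WORK/site/images/pic.gif.php"
chmod 644 "$WORK/site/uploads/shell.php" "$WORK/site/images/pic.gif.php"
SESSION="$WORK/session.constructed"
cat > "$SESSION" <<EOF
{HEX}php.cmdshell.unclassed.1 : $WORK/site/uploads/shell.php
{MD5}php.backdoor.example.2 : $WORK/site/images/pic.gif.php
{HEX}php.cmdshell.unclassed.3 : $WORK/site/uploads/gone.php
scan completed: 3 hits
EOF

# Hit paths from a session file: the same selection the one-liners above make.
hit_paths() {
    grep -E '\{HEX\}|\{MD5\}' "$1" | awk '{print $3}'
}

# One line per hit: "PRESENT <mode> <owner> <path>" or "MISSING <path>".
hit_status() {
    hit_paths "$1" | while IFS= read -r f; do
        if [ -e "$f" ]; then
            printf 'PRESENT %s %s\n' "$(ls -ld "$f" | awk '{print $1, $3}')" "$f"
        else
            printf 'MISSING %s\n' "$f"
        fi
    done
}

# Number of hits whose file is already gone (cleaned, quarantined or deleted).
missing_count() {
    hit_status "$1" | grep -c '^MISSING'
}

cleanup() { rm -rf "$WORK"; }

hit_status "$SESSION"
```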

What to change

Replace the command after xargs at the end of the pipeline with whatever action you want to take on the hits; the sections below show a few.

Read Files

vim $(cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}')

Chmod 000

cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | xargs -r chmod 000 2>/dev/null

Remove

cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | xargs -r rm -f 2>/dev/null

Other uses

Check Directory Permissions

cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | sort -u | xargs -r ls -ldh 2>/dev/null

Chmod 644 (images)

cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | sort -u | grep "image" | xargs -r chmod 0644

Chmod 755 (other)

cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | sort -u | grep -v "image" | xargs -r chmod 0755

Stop Script Execution (images)

Careful with this one, they may have legitimate scripts in these directories that this .htaccess will stop from running too =_=

for i in $(cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | sort -u | grep -v "image"); \
do if [ ! -e "$i/.htaccess" ]; then echo -e "Options None\nAddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi\n" > "$i/.htaccess"; else echo "$i already has .htaccess"; fi; done
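As an added example (not from the wiki page), the .htaccess step above as shell functions: hit directories are deduplicated with sort -u, paths are quoted, an existing .htaccess is reported and left alone rather than overwritten, and every action is printed so the run can be reviewed. The session file is constructed to match the third-field layout the one-liners use, and all paths live in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the wiki page. Writes the page's no-execution
# .htaccess into each non-image directory that contained a hit, once per
# directory, and skips directories that already have one.

# Constructed sample data; real session files live under /usr/local/maldetect/sess/.
WORK=$(mktemp -d)
mkdir -p "$WORK/site/uploads" "$WORK/site/images" "$WORK/site/cache"
printf 'keep me\n' > "$WORK/site/cache/.htaccess"
SESSION="$WORK/session.constructed"
cat > "$SESSION" <<EOF
{HEX}php.cmdshell.unclassed.1 : $WORK/site/uploads/a.php
{HEX}php.cmdshell.unclassed.2 : $WORK/site/uploads/b.php
{MD5}php.backdoor.example.3 : $WORK/site/images/pic.gif.php
{MD5}php.backdoor.example.4 : $WORK/site/cache/c.php
EOF

# Directories that contained hits, each listed once (sort -u also merges
# duplicates that are not adjacent, which uniq alone would miss).
hit_dirs() {
    grep -E '\{HEX\}|\{MD5\}' "$1" | awk '{print $3}' |
        while IFS= read -r f; do printf '%s\n' "${f%/*}"; done | sort -u
}

# Write the page's .htaccess into one directory. Prints what it did and
# returns 1 without touching anything if a .htaccess is already there.
protect_dir() {
    if [ -e "$1/.htaccess" ]; then
        echo "SKIPPED $1 (already has .htaccess)"
        return 1
    fi
    printf 'Options None\nAddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi\n' > "$1/.htaccess" \
        && echo "PROTECTED $1"
}

# Apply protect_dir to every hit directory except image directories,
# mirroring the grep -v "image" filter in the one-liner above.
protect_hit_dirs() {
    hit_dirs "$1" | grep -v image | while IFS= read -r d; do
        protect_dir "$d" || :
    done
}

cleanup() { rm -rf "$WORK"; }

RESULT=$(protect_hit_dirs "$SESSION")
echo "$RESULT"
```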

Scan Types

Scan All Users Full Home Directories

maldet --update-ver; maldet --update; maldet -a /home?/?/

Scan All Users Public_HTML Directories

maldet --update-ver; maldet --update; maldet -a /home?/?/public_html