Difference between revisions of "Get status of MalDet hits"

From James Dooley's Wiki
Jump to: navigation, search
 
Line 11: Line 11:
  
 
===Last Scan Version===
 
===Last Scan Version===
<code>[bash,n]
+
<source lang='bash'>
 
cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | xargs ls -lah $i 2>/dev/null
 
cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | xargs ls -lah $i 2>/dev/null
</code>
+
</source>
  
 
===All Scans Version===
 
===All Scans Version===
<code>[bash,n]
+
<source lang='bash'>
 
grep "malware hit" /usr/local/maldetect/event_log | grep "{hexstring}\|{md5hash}" | awk '{print $11}' | xargs ls -lah $i 2>/dev/null
 
grep "malware hit" /usr/local/maldetect/event_log | grep "{hexstring}\|{md5hash}" | awk '{print $11}' | xargs ls -lah $i 2>/dev/null
</code>
+
</source>
  
 
==What to change==
 
==What to change==
Line 24: Line 24:
  
 
===Read Files===
 
===Read Files===
<code>[bash,n]
+
<source lang='bash'>
 
cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | xargs vim 2>/dev/null
 
cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | xargs vim 2>/dev/null
</code>
+
</source>
  
 
===Chmod 000===
 
===Chmod 000===
<code>[bash,n]
+
<source lang='bash'>
 
cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | xargs chmod 000 2>/dev/null
 
cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | xargs chmod 000 2>/dev/null
</code>
+
</source>
  
 
===Remove===
 
===Remove===
<code>[bash,n]
+
<source lang='bash'>
 
cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | xargs rm -f 2>/dev/null
 
cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | xargs rm -f 2>/dev/null
</code>
+
</source>
  
 
==Other uses==
 
==Other uses==
 
===Check Directory Permissions===
 
===Check Directory Permissions===
<code>[bash,n]
+
<source lang='bash'>
 
cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq | xargs ls -ldh 2>/dev/null
 
cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq | xargs ls -ldh 2>/dev/null
</code>
+
</source>
  
 
===Chmod 644 (images)===
 
===Chmod 644 (images)===
<code>[bash,n]
+
<source lang='bash'>
 
cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq | grep "image" | xargs chmod 0644
 
cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq | grep "image" | xargs chmod 0644
</code>
+
</source>
  
 
===Chmod 755 (other)===
 
===Chmod 755 (other)===
<code>[bash,n]
+
<source lang='bash'>
 
cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq | grep -v "image" | xargs chmod 0755
 
cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq | grep -v "image" | xargs chmod 0755
</code>
+
</source>
  
 
===Stop Script Execution (images)===
 
===Stop Script Execution (images)===
 
Careful with this one, they may have legitimate scripts in these directories =_=
 
Careful with this one, they may have legitimate scripts in these directories =_=
<code>[bash,n]
+
<source lang='bash'>
 
for i in $(cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq | grep -v "image"); \
 
for i in $(cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq | grep -v "image"); \
 
do if [ ! -e $i/.htaccess] then; echo -e "Options None\nAddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi\n" > $i/.htaccess; else; echo "$i already has .htaccess"; fi; done
 
do if [ ! -e $i/.htaccess] then; echo -e "Options None\nAddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi\n" > $i/.htaccess; else; echo "$i already has .htaccess"; fi; done
</code>
+
</source>
  
 
==Scan Types==
 
==Scan Types==
 
===Scan All Users Full Home Directories===
 
===Scan All Users Full Home Directories===
<code>[bash,n]
+
<source lang='bash'>
 
maldet --update-ver; maldet --update; maldet -a /home?/?/
 
maldet --update-ver; maldet --update; maldet -a /home?/?/
</code>
+
</source>
 
===Scan All Users Public_HTML Directories===
 
===Scan All Users Public_HTML Directories===
<code>[bash,n]
+
<source lang='bash'>
 
maldet --update-ver; maldet --update; maldet -a /home?/?/public_html
 
maldet --update-ver; maldet --update; maldet -a /home?/?/public_html
</code>
+
</source>

Latest revision as of 14:27, 25 March 2014

Overview

Get the status of files found in maldet scans. There are several different functions that can then be run.

Script

There are two main versions:

1) Look at only the last scan

2) Look at the entire log

Last Scan Version

cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | xargs ls -lah $i 2>/dev/null

All Scans Version

grep "malware hit" /usr/local/maldetect/event_log | grep "{hexstring}\|{md5hash}" | awk '{print $11}' | xargs ls -lah $i 2>/dev/null

What to change

Remove everything between the do and done

Read Files

cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | xargs vim 2>/dev/null

Chmod 000

cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | xargs chmod 000 2>/dev/null

Remove

cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | xargs rm -f 2>/dev/null

Other uses

Check Directory Permissions

cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq | xargs ls -ldh 2>/dev/null

Chmod 644 (images)

cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq | grep "image" | xargs chmod 0644

Chmod 755 (other)

cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq | grep -v "image" | xargs chmod 0755

Stop Script Execution (images)

Careful with this one, they may have legitimate scripts in these directories =_= 

for i in $(cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq | grep -v "image"); \
do if [ ! -e $i/.htaccess] then; echo -e "Options None\nAddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi\n" > $i/.htaccess; else; echo "$i already has .htaccess"; fi; done

Scan Types

Scan All Users Full Home Directories

maldet --update-ver; maldet --update; maldet -a /home?/?/

Scan All Users Public_HTML Directories

maldet --update-ver; maldet --update; maldet -a /home?/?/public_html
Retrieved from "http://wiki.jamesdooley.us/index.php?title=Get_status_of_MalDet_hits&oldid=566"