Difference between revisions of "Get status of MalDet hits"

From James Dooley's Wiki
Jump to: navigation, search
(All Scans Version)
(Check Directory Permissions)
Line 39: Line 39:
 
==Other uses==
 
==Other uses==
 
===Check Directory Permissions===
 
===Check Directory Permissions===
<code>[bash,n]for i in $(cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq); do ls -ldh $i 2>/dev/null; done</code>
+
<code>[bash,n]
 +
cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq | xargs ls -ldh $i 2>/dev/null
 +
</code>
  
 
===Chmod 644 (images)===
 
===Chmod 644 (images)===

Revision as of 12:37, 29 June 2011

Overview

Get the status of files found in maldet scans. There are several different functions that can then be run.

Script

There are two main versions:

1) Look at only the last scan

2) Look at the entire log

Last Scan Version

[bash,n] cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}') | xargs ls -lah $i 2>/dev/null

All Scans Version

[bash,n] grep "malware hit" /usr/local/maldetect/event_log | grep "{hexstring}\|{md5hash}" | awk '{print $11}') | xargs ls -lah $i 2>/dev/null

What to change

Remove everything between the do and done

Read Files

[bash,n] cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}') | xargs vim $i 2>/dev/null

Chmod 000

[bash,n] cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}') | xargs chmod 000 $i 2>/dev/null

Remove

[bash,n] cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}') | xargs rm -f $i 2>/dev/null

Other uses

Check Directory Permissions

[bash,n] cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq | xargs ls -ldh $i 2>/dev/null

Chmod 644 (images)

[bash,n]for i in $(cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq | grep "image"); do chmod 0744 $i; done

Chmod 755 (other)

[bash,n]for i in $(cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}' | rev | cut -d "/" -f2- | rev | uniq | grep -v "image"); do chmod 0755 $i; done

Retrieved from "http://wiki.jamesdooley.us/index.php?title=Get_status_of_MalDet_hits&oldid=142"