Difference between revisions of "Get status of MalDet hits"

From James Dooley's Wiki

Revision as of 17:39, 17 February 2012

Overview

Get the status of files found in maldet scans. There are several different functions that can then be run.

Script

There are two main versions:

1) Look at only the last scan

2) Look at the entire log

Last Scan Version

grep "{HEX}\|{MD5}" /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last) | awk '{print $3}' | xargs ls -lah 2>/dev/null

All Scans Version

grep "malware hit" /usr/local/maldetect/event_log | grep "{hexstring}\|{md5hash}" | awk '{print $11}' | xargs ls -lah 2>/dev/null

What to change

Swap the command that runs on each hit: in the xargs form it is the command after xargs; in the for-loop form (as in the .htaccess script further down) it is everything between do and done.

Read Files

vim $(grep "{HEX}\|{MD5}" /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last) | awk '{print $3}')

Chmod 000

grep "{HEX}\|{MD5}" /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last) | awk '{print $3}' | xargs chmod 000 2>/dev/null

Remove

grep "{HEX}\|{MD5}" /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last) | awk '{print $3}' | xargs rm -f 2>/dev/null
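An added example (not from the wiki page) that parses the same "{HEX}sig : /path" hit lines the Last Scan one-liner greps for, but reads them safely and reports which hits are still on disk before any of the follow-up actions above (read, chmod 000, remove) are taken. The function names, the helper that builds a temp-dir sample, and the sample session content are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the wiki page: parse a maldet session report and show the
# status of every hit. Only the "{HEX}sig : /path" hit-line format is taken from the
# page's one-liners; the function names and the sample data below are assumptions.

# Print one hit path per line. Splitting on the first " : " keeps paths that contain
# spaces intact, which "awk '{print $3}'" does not.
maldet_hit_paths() {
    grep -e '{HEX}' -e '{MD5}' "$1" | sed 's/^[^ ]* : //'
}

# For each hit print "<path> present <mode> <owner>" or "<path> missing", so you can
# see what is still on disk before choosing a follow-up action (ls -ld avoids GNU stat).
maldet_hit_status() {
    maldet_hit_paths "$1" | while IFS= read -r p; do
        if [ -e "$p" ]; then
            printf '%s present %s\n' "$p" "$(ls -ld "$p" | awk '{print $1, $3}')"
        else
            printf '%s missing\n' "$p"
        fi
    done
}

# Run a command (e.g. chmod 000) on each hit that still exists, one path per call,
# instead of handing the whole list to a single xargs invocation.
maldet_hits_do() {
    sess=$1; shift
    maldet_hit_paths "$sess" | while IFS= read -r p; do
        if [ -e "$p" ]; then "$@" "$p"; fi
    done
}

# Constructed sample in a temp dir: one hit still present (in a directory with a space
# in its name) and one already removed. Prints the temp dir so callers can find it.
make_sample_session() {
    dir=$(mktemp -d)
    mkdir -p "$dir/public_html/upload dir"
    printf 'constructed sample, not malware\n' > "$dir/public_html/upload dir/shell.php"
    cat > "$dir/session.sample" <<EOF
TOTAL HITS: 2
FILE HIT LIST:
{HEX}php.cmdshell.unclassed.344 : $dir/public_html/upload dir/shell.php
{MD5}base64.inject.unclassed.32 : $dir/public_html/gone.php
EOF
    echo "$dir"
}

sample=$(make_sample_session)
maldet_hit_status "$sample/session.sample"
```

On a real host, point the functions at /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last) instead of the sample file.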

Other uses

Check Directory Permissions

grep "{HEX}\|{MD5}" /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last) | awk '{print $3}' | rev | cut -d "/" -f2- | rev | sort -u | xargs ls -ldh 2>/dev/null

Chmod 644 (images)

grep "{HEX}\|{MD5}" /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last) | awk '{print $3}' | rev | cut -d "/" -f2- | rev | sort -u | grep "image" | xargs chmod 0644

Chmod 755 (other)

grep "{HEX}\|{MD5}" /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last) | awk '{print $3}' | rev | cut -d "/" -f2- | rev | sort -u | grep -v "image" | xargs chmod 0755

Stop Script Execution (images)

Careful with this one, they may have legitimate scripts in these directories =_=

for i in $(grep "{HEX}\|{MD5}" /usr/local/maldetect/sess/session.$(cat /usr/local/maldetect/sess/session.last) | awk '{print $3}' | rev | cut -d "/" -f2- | rev | sort -u | grep -v "image"); do
    if [ ! -e "$i/.htaccess" ]; then
        # Serve scripts in this directory as plain text instead of executing them
        printf 'Options None\nAddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi\n' > "$i/.htaccess"
    else
        echo "$i already has .htaccess"
    fi
done

Scan Types

Scan All Users Full Home Directories

maldet --update-ver; maldet --update; maldet -a /home?/?/

Scan All Users Public_HTML Directories

maldet --update-ver; maldet --update; maldet -a /home?/?/public_html