Get status of MalDet hits

From James Dooley's Wiki
Revision as of 19:33, 8 April 2011 by Smsldoo (talk | contribs) (Created page with "==Overview== Get the status of files found in maldet scans. There are several different functions that can then be run. ==Script== There are two main versions: 1) Look at only...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Overview

Get the status of files found in maldet scans. There are several different functions that can then be run.

Script

There are two main versions:

1) Look at only the last scan

2) Look at the entire log

Last Scan Version

[bash,n]for i in $(cat /usr/local/maldetect/sess/session.`cat /usr/local/maldetect/sess/session.last` | grep "{HEX}\|{MD5}" | awk '{print $3}'); do ls -lah $i 2>/dev/null; done

All Scans Version

[bash,n]for i in $(grep "malware hit" /usr/local/maldetect/event_log | grep "{hexstring}\|{md5hash}" | awk '{print $11}'); do ls -lah $i 2>/dev/null; done

What to change

Remove everything between the do and done

Read Files

[bash,n]vim $i;

Chmod 000

[bash,n]chmod 000 $i;

Remove

[bash,n]rm -f $i;

Other uses

Check Directory Permissions

[bash,n]for i in $(grep "malware hit" /usr/local/maldetect/event_log | grep "{hexstring}\|{md5hash}" | awk '{print $11}' | rev | cut -d "/" -f2- | rev | uniq); do ls -ldh $i ; done

Retrieved from "http://wiki.jamesdooley.us/index.php?title=Get_status_of_MalDet_hits&oldid=22"