
Script to delete specified files 2

Status
Not open for further replies.

nerbonne

Technical User
Dec 11, 2006
99
US
Hi all. After getting hit with phishing attacks left and right, we need to implement some kind of script to search the servers for specific files and notify admin via email of their existence.

I'm sure that someone must have done this already, and I don't want to re-invent the wheel.

If it hasn't been done, can anyone point me in the right direction.

I thought of using the find command, and then outputting the results to a text file which would then get emailed. The only problem is that I would need to exclude certain directories and I'm not sure how to do that.
 
If you suspect your system of being infected by "foreign" elements, shouldn't you be searching every folder on your system(s)?

Anyway, I don't think you can exclude certain folders from the find command. If you don't have many folders to exclude, the best you can hope for is to pipe the results from find through multiple grep -v [exclude_pattern] commands.

--== Anything can go wrong. It's just a matter of how far wrong it will go till people think it's right. ==--
 
If you think your machines are infected, they should be taken off of the Internet/network. Then you use professional forensics tools like chkrootkit to figure out how bad the damage is. Then you look for scripts and unused services to further identify your risk of going back online. THEN you evaluate whether you are safe to proceed or whether you're taking on too much risk to return to the network.

Unless I've really missed the point of your post, I think our collective advice would be to take more progressive steps in stopping the infection... If you run the risk of re-infection worthy of scripting then it would seem fixing the holes is more important?!

We're here to help.

D.E.R. Management - IT Project Management Consulting
 
They aren't infected. I want an automated script that will notify me of an infection. The problem I am having is that when someone gets a phishing site onto a server, the NOC shuts our server down if we don't respond quick enough. I need to know about the sites before the NOC finds out.
 
Assuming that you want to find the file called phishing.html and that you want to exclude the directory /var/spool/mail

find / -name phishing.html > results.txt                        # list every match on the whole filesystem
sed -i '/\/var\/spool\/mail/d' results.txt                       # drop the lines that fall under the excluded directory
mail -s "Phishing Check" youremail@yourco.com < results.txt      # mail whatever is left

That should do it. You can add in multiple sed lines to exclude more directories where need be. There is also a way to use a different delimiter in sed, but I can never remember it, so I always use the \ in front of any / that are meant to be literal.

Haven't tested this, but should get you going in the right direction.
 
No need to reach for sed or grep when find has a -prune command.
 
Ok, thank you for that tip on -prune. That got me headed in the right direction as I was reading the man page and I saw -user which gave me the idea to search for files saved by the web server user. Which, if you think about it, makes sense. Most viruses/phishing scripts are uploaded by insecure php scripts which would save them using the apache username.

So, this command output the desired result:

find /var/ \( -name '*.exe' -user apache -fprintf /root/suid.txt '%#m %u %p\n' \)

of:

0644 apache /var/0644 apache /var/

Great!, but, I want to search for other files at the same time. Following the directions in the man page, I tried this command:

find /var/ \( -name '*.exe' -user apache -fprintf /root/suid.txt '%#m %u %p\n' \) , \( -name 'test_virus.php' -user apache -fprintf /root/suid.txt '%#m %u %p\n' \)

Which produced the same output in my suid.txt file as before...

So how can I search for multiple strings or filenames at the same time?

Also, since I have your attention, can anyone tell me the command to email the file if the file size is greater than 0?

Thanks!
 
Use [tt]-o[/tt] to perform multiple alternate actions in a find command; replace the comma with [tt]-o[/tt] in the command you tried above. And the parentheses are probably unnecessary, but won't hurt.

Use [tt]! -empty[/tt] to find non-empty files.

Use [tt]-exec <command>[/tt] to execute a command. The string [tt]{}[/tt] in the command will be replaced by the name of the file found; the string [tt];[/tt] (which will need to be backslash-escaped) will signify the end of the command.

[tt]sh -c "mail <address> -s<subject> < <file>"[/tt] should be sufficient to mail the file if your system is set up properly for mail.

Also, be sure to Read The Find Manual. That's the manual for GNU find, which you're probably using if you're using Linux; it's a bit more readable than the man page.
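The pieces discussed in this thread (excluding a directory with -prune, several name patterns joined by -o, restricting to the web server's user, and mailing the report only when it is non-empty) combined into one script. This is an added example, not code posted in the thread; it assumes GNU find (for -fprintf), and the web user, excluded directory and file names are parameters or constructed values rather than anything from a real server.

```shell
#!/bin/sh
# find_suspect_files ROOT WEBUSER EXCLUDE_DIR REPORT
# Writes "mode owner path" for every matching file under ROOT to REPORT,
# never descending into EXCLUDE_DIR. Returns 0 only if something matched.
find_suspect_files() {
    root=$1; webuser=$2; exclude=$3; report=$4
    # "-path X -prune" is true for the excluded tree and stops descent there;
    # everything else falls through the -o to the real tests. -a binds tighter
    # than -o, so -type, -user, the name group and -fprintf are one chain.
    find "$root" -path "$exclude" -prune -o \
        -type f -user "$webuser" \
        \( -name '*.exe' -o -name 'phishing.html' -o -name 'test_virus.php' \) \
        -fprintf "$report" '%#m %u %p\n'
    # -fprintf creates the file even with no hits, so size > 0 is the signal.
    [ -s "$report" ]
}

# mail_if_nonempty REPORT ADDRESS: the "email only when size > 0" step.
mail_if_nonempty() {
    [ -s "$1" ] || return 1
    mail -s "Phishing Check" "$2" < "$1"
}

# Constructed demo tree (not real server data) so the scan runs anywhere.
# The current user stands in for the apache account.
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/www/html" "$tmp/spool/mail"
    : > "$tmp/www/html/phishing.html"        # should be reported
    : > "$tmp/www/html/index.php"            # benign name, must not match
    : > "$tmp/spool/mail/phishing.html"      # inside excluded dir, must not match
    find_suspect_files "$tmp" "$(id -un)" "$tmp/spool/mail" "$tmp/report.txt"
    cat "$tmp/report.txt"
    rm -rf "$tmp"
}
```

In production, replace demo_scan with something like find_suspect_files /var apache /var/spool/mail /root/suid.txt followed by mail_if_nonempty /root/suid.txt youremail@yourco.com from cron.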
 