
Iframe tracking

One day I got tired of customer complaints along the lines of "I've got a virus on my site, do something!". Explaining to people yet again how dangerous it is to save FTP passwords on an insecure machine had also worn thin. The brilliant idea turned out to be right under my nose: it is almost always the index.* and default.* files that get modified, so why not watch for changes to exactly those files? No sooner said than done.
UPD: the code has been rewritten; there is no more SQL or PHP, just plain parsing of xferlog in bash.

#!/bin/bash
#### CONFIG ####
XFERLOG="/opt/psa/var/log/xferlog"      # FTP transfer log (Plesk path)
MATCH_FILES="index default defaults"    # file name stems to inspect
EXCLUDE_LIST=""                         # full paths to ignore

# Select completed uploads only: field 12 is the direction ('i' = incoming),
# the last field is the completion status ('c' = complete). Print the file
# path, size, user name, remote host and the five date fields.
awk '($12 ~ /^i$/ && $NF ~ /^c$/) {print $9, $8, $14, $7, $1, $2, $3, $4, $5}' "$XFERLOG" | while read -r logLine
do
    lineArr=( $logLine )
    fileNameWithPath=${lineArr[0]}
    fileName=$(basename "$fileNameWithPath")
    extension=${fileName##*.}       # not used below, kept from the original
    fileName=${fileName%.*}         # stem without the extension
    fileSize=${lineArr[1]}
    userName=${lineArr[2]}
    ip=${lineArr[3]}
    date="${lineArr[4]} ${lineArr[5]} ${lineArr[6]} ${lineArr[7]} ${lineArr[8]}"

    # Only files whose stem is listed in MATCH_FILES are inspected
    matched=0
    for match in $MATCH_FILES
    do
        if [ "$match" = "$fileName" ]
        then
            matched=1
            break
        fi
    done
    if [ $matched = 0 ]
    then
        continue
    fi

    # Paths listed in EXCLUDE_LIST are skipped
    exclude=0
    for match in $EXCLUDE_LIST
    do
        if [ "$match" = "$fileNameWithPath" ]
        then
            exclude=1
            break
        fi
    done
    if [ $exclude = 1 ]
    then
        continue
    fi

    # Flag the file if it contains an <iframe>, or a document.write() other
    # than the one from the legacy Google Analytics snippet (its line contains
    # "gaJsHost", so that is what the first grep filters out first).
    if grep -qiF '<iframe' "$fileNameWithPath" 2>/dev/null || \
       grep -viF 'gaJsHost' "$fileNameWithPath" 2>/dev/null | grep -qiF 'document.write'
    then
        echo "File $fileNameWithPath, uploaded by $userName (ip: $ip) @ $date - potentially infected"
    fi
done

Options:
XFERLOG - path to the xferlog file on your system (vsftpd does not write it by default: set xferlog_enable=YES and xferlog_std_format=YES in vsftpd.conf; in proftpd it is the TransferLog directive)
MATCH_FILES - the list of file names to inspect (stems only, without extensions)
EXCLUDE_LIST - the list of full paths to ignore
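As an added example (not code from the original post), the same xferlog-based check packaged as functions and run over a constructed site tree and a constructed xferlog, so the behaviour can be exercised offline: the host names, users, IP addresses, paths and page contents below are all made up. The fixture contains a clean index.html carrying the legacy Google Analytics snippet, an index.php with a hidden iframe appended after the closing tag, a default.htm that writes the iframe through an obfuscated document.write(), an unrelated contact.html that is never inspected, and a download ('o') entry that must be ignored.

```shell
#!/bin/bash
# Added example: constructed data, not a real infection or a real server log.

# Build a throwaway site tree plus an xferlog and print the directory name.
make_fixture() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/site1/httpdocs" "$dir/site2/httpdocs"

    # Clean page: legacy Google Analytics snippet, the one legitimate
    # document.write the check must tolerate (its line contains "gaJsHost").
    cat > "$dir/site1/httpdocs/index.html" <<'EOF'
<html><body>Hello
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
</body></html>
EOF

    # Injected page: hidden 1x1 iframe appended after </html> (constructed).
    cat > "$dir/site2/httpdocs/index.php" <<'EOF'
<?php echo "welcome"; ?>
</html>
<iframe src="http://example.invalid/x.html" width="1" height="1" style="visibility:hidden"></iframe>
EOF

    # Injected page: no literal "<iframe", written via document.write instead.
    cat > "$dir/site2/httpdocs/default.htm" <<'EOF'
<html><script>document.write(unescape('%3Ciframe src=http://example.invalid/%3E'))</script></html>
EOF

    # Unrelated upload: stem "contact" is not in the watch list, so never read.
    echo '<iframe src="x"></iframe>' > "$dir/site1/httpdocs/contact.html"

    # Constructed xferlog in the wu-ftpd/proftpd layout:
    # date(5 fields) xfer-time host size path type action direction mode user service auth uid status
    cat > "$dir/xferlog" <<EOF
Mon Jun 1 10:00:01 2009 1 10.0.0.5 612 $dir/site1/httpdocs/index.html a _ i r site1 ftp 0 * c
Mon Jun 1 10:05:12 2009 1 10.0.0.9 140 $dir/site2/httpdocs/index.php a _ i r site2 ftp 0 * c
Mon Jun 1 10:06:40 2009 1 10.0.0.9 80 $dir/site2/httpdocs/default.htm a _ i r site2 ftp 0 * c
Mon Jun 1 10:07:00 2009 1 10.0.0.9 30 $dir/site1/httpdocs/contact.html a _ i r site1 ftp 0 * c
Mon Jun 1 10:08:00 2009 1 10.0.0.9 140 $dir/site2/httpdocs/index.php a _ o r site2 ftp 0 * c
EOF
    echo "$dir"
}

# Print "path user ip" for every completed upload ('i' + 'c') of a watched
# file that contains <iframe, or a document.write outside the GA snippet.
scan_xferlog() {
    local xferlog="$1"
    local match_files="${2:-index default defaults}"
    awk '($12 ~ /^i$/ && $NF ~ /^c$/) {print $9, $14, $7}' "$xferlog" |
    while read -r path user ip; do          # paths with spaces would split here, as in the original
        local stem
        stem=$(basename "$path"); stem=${stem%.*}
        case " $match_files " in
            *" $stem "*) ;;
            *) continue ;;
        esac
        if grep -qiF '<iframe' "$path" 2>/dev/null ||
           grep -viF 'gaJsHost' "$path" 2>/dev/null | grep -qiF 'document.write'; then
            echo "$path $user $ip"
        fi
    done
}

# Run the scan over the fixture and report paths relative to it, then clean up.
run_demo() {
    local dir
    dir=$(make_fixture)
    scan_xferlog "$dir/xferlog" | sed "s|^$dir/||"
    rm -rf "$dir"
}

run_demo
```

Only index.php and default.htm are reported: the clean page passes because its single document.write sits on the gaJsHost line, contact.html is never opened, and the download entry for index.php is dropped by the awk filter so the same upload is not reported twice. Two limits carry over from the original approach: the check is a fixed-string heuristic, so an injection that assembles "<iframe" at runtime (string concatenation, String.fromCharCode, eval of an encoded blob) without a literal document.write slips past it, and only files that arrive through FTP appear in xferlog at all, so changes made over SSH/SFTP, a web shell or a vulnerable upload form are invisible to it.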

Save the script, make it executable and add it to cron.
Thank you all for your attention; I hope it is useful to someone.

Source: https://habr.com/ru/post/69883/
