201601.23

Virus pirate cleaning

Find files changed on a given date (ls needs an ISO time style for the date grep to match):

ls -alR --time-style=long-iso | grep '2013-06-22'

find -iname "index_backup*.php"

Lock down all file permissions

find . -type d -exec chmod 505 {} \;

find . -type f -exec chmod 404 {} \;

Checking for mail viruses etc.:

Find all eval files:
* ispConfig : grep -lr --include=*.php "eval(base64_decode" /var/www
* ispConfig : grep -lr --include=*.php "base64_decode" /var/www

* web1 : grep -lr --include=*.php "eval(base64_decode" /home/Datas/Webs
* grep -lr --include=*.php "eval(strip" /home/Datas/Webs/
* find /var/www/clients/client10/web24 -type f -mtime -3
Find all eval files (Joomla):
* Text to find in mail: "Originating-Script" (next time, try: cd /var/spool/postfix/deferred THEN grep -lr "Originating-Script" . >/home/thomas/temp1.txt. NOTE: phpmailer is good.)
* grep -lr --include=*.php "eval (" /var/www/joomla3.procarist.com/web --- with a space
* grep -lr --include=*.php "eval(" /var/www/joomla3.procarist.com/web
* grep -lr "aude-parisladefense.org" . >/home/thomas/temp1.txt
* chown thomas:thomas /home/thomas/*
* cd /var/spool/postfix/deferred
* grep -lr "procarist.com" . >/home/thomas/temp1.txt
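The greps above each cover one signature and one web root. The script below is an added example, not part of the original notes: it runs the same eval() signatures over one web root and also lists PHP files modified in the last N days, as one report. The web root and day count are whatever you pass in; the sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): combine the eval() signature
# greps and the "recently modified" find from the notes into one report.

# scan_webroot <dir> [days] -> one line per hit:
#   "pattern:<signature><TAB><file>"  or  "recent<TAB><file>"
scan_webroot() {
    root="$1"
    days="${2:-3}"
    # Signatures taken from the notes, matched as fixed strings (-F)
    for sig in 'eval(base64_decode' 'eval (' 'eval(strip'; do
        grep -lr --include='*.php' -F -- "$sig" "$root" 2>/dev/null |
        while IFS= read -r f; do
            printf 'pattern:%s\t%s\n' "$sig" "$f"
        done
    done
    # PHP files touched in the last N days (-mtime -N = fewer than N days ago)
    find "$root" -type f -name '*.php' -mtime "-$days" |
    while IFS= read -r f; do
        printf 'recent\t%s\n' "$f"
    done
}

# make_sample_tree -> prints the path of a constructed web root (demo only)
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/site/includes"
    printf '<?php echo "hello"; ?>\n' > "$dir/site/index.php"
    printf '<?php eval(base64_decode("aGVsbG8="));\n' > "$dir/site/includes/option.php"
    printf '<?php eval ($x);\n' > "$dir/site/includes/index_backup.php"
    # Same signature in a non-PHP file: must not be reported by the grep
    printf 'eval(base64_decode\n' > "$dir/site/notes.txt"
    echo "$dir/site"
}

# Stand-alone run: scan the constructed tree and print the report
scan_webroot "$(make_sample_tree)" 3
```

Every hit is tagged with the signature that produced it, so a file that appears under both a signature and "recent" is the first one to inspect; the non-PHP file is deliberately excluded because the notes only grep `*.php`.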
Clean mail queue:

postsuper -d ALL

http://www.cyberciti.biz/tips/howto-postfix-flush-mail-queue.html

* To see the mail queue, enter: # mailq
* To remove all mail from the queue, enter: # postsuper -d ALL
* To remove all mail in the deferred queue, enter: # postsuper -d ALL deferred

Find the culprit in the mail queue:

* List all deferred mail: /var/spool/postfix/deferred/0
* Look for "Originating-Script", example: X-PHP-Originating-Script: 5040:option.php(238)
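Grepping the deferred queue for "Originating-Script" by hand works, but on a large queue it helps to count the headers and to delete only the messages one script produced instead of `postsuper -d ALL`. The script below is an added example, not part of the original notes: it ranks the X-PHP-Originating-Script tags across a queue directory and lists the queue IDs for one tag. It assumes the Postfix layout where the queue file name is the queue ID and that the header is readable as text in the queue file; the queue tree and queue IDs it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original notes): triage a Postfix queue
# directory by the X-PHP-Originating-Script header.

# rank_originating_scripts <queue_dir>
#   -> "<count> <uid>:<script>(<line>)" lines, most frequent first
rank_originating_scripts() {
    # -a: queue files contain binary records; -h: drop file names
    grep -rah 'X-PHP-Originating-Script:' "$1" 2>/dev/null |
    sed 's/.*X-PHP-Originating-Script:[[:space:]]*//' |
    sort | uniq -c | sort -rn
}

# top_originating_script <queue_dir> -> just the most frequent script tag
top_originating_script() {
    rank_originating_scripts "$1" | head -n 1 | awk '{print $2}'
}

# queue_ids_for_script <queue_dir> <script_tag> -> queue IDs, one per line
#   (assumption: file name == queue ID; feed them to "postsuper -d -" to
#   delete only those messages)
queue_ids_for_script() {
    grep -ral -F -- "X-PHP-Originating-Script: $2" "$1" 2>/dev/null |
    while IFS= read -r f; do basename "$f"; done | sort
}

# make_sample_queue -> constructed deferred/ tree with four queued messages
# (queue IDs below are made up for the demo)
make_sample_queue() {
    q=$(mktemp -d)
    mkdir -p "$q/0" "$q/1" "$q/A"
    for id in 0/0AF12B9E3C 1/1C0FF33D41 A/A77B21E905; do
        printf 'Received: from localhost\nX-PHP-Originating-Script: 5040:option.php(238)\nSubject: hi\n\nbody\n' > "$q/$id"
    done
    printf 'X-PHP-Originating-Script: 1002:contact.php(17)\n\nbody\n' > "$q/A/A00C0DE777"
    echo "$q"
}

# Stand-alone run: rank the constructed queue and list IDs for the top script
q=$(make_sample_queue)
rank_originating_scripts "$q"
queue_ids_for_script "$q" "$(top_originating_script "$q")"
```

On a real server point it at /var/spool/postfix/deferred; the uid in the tag (5040 above) maps to the web user whose site is sending, which is the next place to run the eval() greps.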

Clean mail queue - find all mails containing a given text:

* grep -rnw . -e "f.cordier@fondationface.org" > /home/thomas/face2.txt
* chown thomas:thomas /home/thomas/*
* rm -fr <filename>

Check for cron jobs (every user in /etc/passwd)

for user in $(cut -f1 -d: /etc/passwd); do crontab -u "$user" -l; done