Monthly Archives: July 2018

Scan your server for PHP malware with findcrack0r.pl

The tool presented here is a regex-based PHP malware scanner written in Perl. It scans your server for malicious PHP files and complements cxs and maldet (links at the end of this post) as a regular check on a web server. Being signature-based, it reports suspects for you to review; it does not decide for you.

1. First, download the latest version of the script from https://repo.coydogsoftware.net/coydog/rxtools/blob/master/findcrack0r.pl and save it on your server.

2. Once the script is on your server, run it with:

perl findcrack0r.pl -po /home -t $(date +%Y-%m-%d)

This command scans the /home directory (including all subdirectories) for *.php files only: -p restricts the scan to PHP files, -o /home adds /home as a directory to search, and -t sets the name of the output directory (here the current date). The script creates that directory under /home/root/support/ (for example /home/root/support/2018-07-18) and writes two files into it, one listing suspicious PHP files and the other listing the symlinks it found:

root@www [~/support/2018-07-18]# ls
./  ../  scan-20180718234534.txt  symlinks-20180718234534.txt
root@www [~/support/2018-07-18]#

Adjust the command line to your needs; the script's options are listed below. You may also need to give the full path to the Perl binary.

root@www [/]# perl findcrack0r.pl -h
Usage:
  -t    ticket number for output dir
  -a  account list, comma-delimited. Will search only public_html
  -b     Number of bytes per file to scan. Default is 500000
  -p    restrict searches to *.php (faster but may miss stuff)
  -S    Skip checking symlinks
  -d    grep for defacements
  -o    other directories to search, independently of -a docroots. May be needed for addon/subdomains
  -u    user homedir prefix (default /home)
  -D    Debug mode. Output a more detailed log which identifies signature matches.
  -N    Show files which do NOT match on stderr (debug feature only)
  -e       exclude files with names ending in . Workaround if scan hangs on js
  -r    regex debugging
  -c    use cache
  -q    quiet
  -h    print this help message and quit
root@www [/]#
Note that the script will report many ionCube-encoded PHP files. Double-check them (and every other reported file) before taking any action, as they may well be legitimate. Review the symlinks file too: on a shared host, a link from one account's document root into another account's files is a classic way to read those files through the web server, so check where each link points. Make backups before deleting anything!
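The following triage helper is an added example, not part of findcrack0r.pl or the developer's tooling. It takes a scan report, separates ionCube stubs (for manual review) from the remaining suspects (annotated with owner, size and mtime), records paths that have already disappeared, and archives every file still present before anyone deletes it. Two assumptions are made that the tool's help output does not confirm: that the report lists one suspect path per line, and that an ionCube-encoded file contains the text "ionCube Loader" in its PHP stub. The sample tree built by build_fixture is constructed for this example.

```shell
#!/bin/sh
# Added example (not part of findcrack0r.pl): triage a scan report before
# deleting anything. Assumptions, not taken from the tool's documentation:
#   - the report lists one suspect path per line;
#   - an ionCube-encoded file carries the text "ionCube Loader" in its PHP stub.
set -u

# triage_report REPORT OUTDIR
# Splits the report into ionCube stubs (manual review), other suspects
# (with owner, size and mtime), and paths that no longer exist, then
# archives every file still present so nothing is lost if a cleanup is wrong.
triage_report() {
    report=$1
    outdir=$2
    mkdir -p "$outdir"
    : > "$outdir/ioncube-review.txt"
    : > "$outdir/suspects.txt"
    : > "$outdir/missing.txt"
    : > "$outdir/backup.list"
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            printf '%s\n' "$path" >> "$outdir/missing.txt"
            continue
        fi
        printf '%s\n' "$path" >> "$outdir/backup.list"
        if head -c 4096 "$path" | grep -q 'ionCube Loader'; then
            # frequent false positive: encoded, not necessarily malicious
            printf '%s\n' "$path" >> "$outdir/ioncube-review.txt"
        else
            # owner, size and mtime help spot a file that does not belong
            meta=$(ls -ld "$path" | awk '{print $3, $5, $6, $7, $8}')
            printf '%s\t%s\n' "$path" "$meta" >> "$outdir/suspects.txt"
        fi
    done < "$report"
    # Back up everything the report named that still exists.
    if [ -s "$outdir/backup.list" ]; then
        tar -czf "$outdir/backup.tgz" -T "$outdir/backup.list" 2>/dev/null
    fi
}

# count_lines FILE: number of entries in one of the output lists (0 if absent)
count_lines() {
    if [ -f "$1" ]; then wc -l < "$1" | tr -d ' '; else echo 0; fi
}

# build_fixture: a constructed sample tree and report for trying the helper
# offline; the file contents are made up for this example.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/home/acct1/public_html" "$root/home/acct2/public_html"
    printf '<?php //0046a\nif(!extension_loaded("ionCube Loader")){die("No Loader");}\n' \
        > "$root/home/acct1/public_html/license.php"
    printf '<?php eval(base64_decode($_POST["c"]));\n' \
        > "$root/home/acct2/public_html/wp-conf.php"
    printf '%s\n' "$root/home/acct1/public_html/license.php" \
                  "$root/home/acct2/public_html/wp-conf.php" \
                  "$root/home/acct2/public_html/gone.php" > "$root/scan.txt"
    echo "$root"
}

# Real use on the run shown above:
#   triage_report /home/root/support/2018-07-18/scan-20180718234534.txt \
#                 /home/root/support/2018-07-18/triage
```

Run it against the scan-*.txt file, then work from suspects.txt; ioncube-review.txt is a separate pile so encoded licence files do not get swept up with webshells, and backup.tgz is what you restore from if a deletion turns out to be wrong.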
For reference, the script as of July 19, 2018 is attached as findcrack0r.txt; download the current version from the developer's site rather than using this copy.

Other security tools for your server:
https://configserver.com/cp/cxs.html
https://www.rfxn.com/projects/linux-malware-detect/

Related post: Disable dangerous PHP functions on your web hosting server


Where to find forwarders/autoresponders on a cPanel server

While troubleshooting a client's mail problems you will often need to see which forwarders and autoresponders are configured for their domain.

On a cPanel server this information is kept in one file per domain (and subdomain) in the /etc/valiases/ directory, for example /etc/valiases/domain123.com or /etc/valiases/homedomain.net.

After logging in as root, open the file for the domain in question:

root@www [~]# cd /etc/valiases/
root@www [/etc/valiases]# cat phdomain123.com
contact@plothost123.com: "|/home/phdomain123/pipe.php"
autoresponder@phdomain123.com: "|/usr/local/cpanel/bin/autorespond autoresponder@phdomain123.com /home/phdomain123/.autorespond"
postmaster@phdomain123.com: admin@phdomain123.com
*: ":fail: No such person at this address"
root@web [/etc/valiases]#

In this example:
– the first line is a pipe: every message for that address is handed to a program (here a PHP script), which is why pipe aliases deserve a closer look than plain forwarders
– the second line is the autoresponder for autoresponder@phdomain123.com
– the third line forwards mail to another email address
– the fourth line is the default address, applied to recipients that do not exist; here the message is bounced with "No such person at this address"
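As an added example (not cPanel code), the function below classifies each line of an /etc/valiases file so that pipe aliases, which run a program on every incoming message, stand out from plain forwarders, autoresponders and the default address. It assumes the "address: target" line format shown in the listing above, plus the cPanel/Exim conventions ":fail:" and ":blackhole:" for bounce and discard targets; the sample file in the usage note is the listing above, reproduced as constructed input.

```shell
#!/bin/sh
# Added example (not from cPanel): classify the entries of an /etc/valiases
# file. Format assumed: "address: target" per line, as in the listing above.
set -u

# classify_valias_line LINE -> "<kind>\t<address>\t<target>"
classify_valias_line() {
    line=$1
    addr=${line%%:*}
    target=${line#*: }
    case $target in
        '"|/usr/local/cpanel/bin/autorespond '*) kind=autoresponder ;;
        '"|'*)           kind=pipe ;;        # message is piped to a program
        '":fail:'*)      kind=fail ;;        # bounced with the given message
        '":blackhole:'*) kind=blackhole ;;   # silently discarded
        *@*)             kind=forwarder ;;   # delivered to another address
        *)               kind=local ;;       # delivered to a local user/mailbox
    esac
    # "*" is the domain's default address, used for unrouted recipients
    [ "$addr" = '*' ] && kind="default-$kind"
    printf '%s\t%s\t%s\n' "$kind" "$addr" "$target"
}

# audit_valiases FILE: classify every non-empty, non-comment line
audit_valiases() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        classify_valias_line "$line"
    done < "$1"
}

# count_pipes FILE: how many addresses hand mail to a program. Each one is
# worth checking, because that program runs on every delivery to the address.
count_pipes() {
    audit_valiases "$1" | awk -F '\t' '$1 == "pipe" || $1 == "default-pipe" { n++ } END { print n + 0 }'
}

# Usage on a live server:
#   audit_valiases /etc/valiases/phdomain123.com
#   for f in /etc/valiases/*; do printf '%s\t%s\n' "$f" "$(count_pipes "$f")"; done
```

The second usage line gives a quick per-domain count of pipe aliases across the server, which is the list to go through when you suspect a compromised account is receiving commands or spam by mail.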

If you prefer not to use the command line, install the ConfigServer Mail Manage plugin for WHM. After installation, open WHM->Plugins->ConfigServer Mail Manage, choose the domain from the list and click the Manage Mail Forwarders button to see the same entries in a table.

You can also check forwarders/autoresponders by accessing the client’s cPanel account.

Related post: How to setup an Email Forwarder in cPanel
