The tool that we will present here is a regex-based PHP malware scanner (written in Perl). It will scan your server for PHP malicious files. In addition to cxs and maldet (links at the end of this post), this tool is very useful for ensuring your server security.
1. So, first of all, download the latest script version from https://repo.coydogsoftware.net/coydog/rxtools/blob/master/findcrack0r.pl and save it to your server.
2. Now, that you saved the script to your server, just run it with:
perl findcrack0r.pl -po /home -t $(date +%Y-%m-%d)
The command we use will scan the /home directory (including all subdirectories) only for *.php file. The script will create a directory with the current date in /home/root/support/ (like /home/root/support/2018-07-18). In this directory, the script will create two files – one for suspicious malware PHP files, the other one for the symlinks founded:
root@www [~/support/2018-07-18]# ls ./ ../ scan-20180718234534.txt symlinks-20180718234534.txt root@www [~/support/2018-07-18]#
You should adjust the command line per your needs. See below the script’s input options. You might also need to enter the full Perl path.
root@www [/]# perl findcrack0r.pl -h Usage: -t ticket number for output dir -a account list, comma-delimited. Will search only public_html -b Number of bytes per file to scan. Default is 500000 -p restrict searches to *.php (faster but may miss stuff) -S Skip checking symlinks -d grep for defacements -o other directories to search, independently of -a docroots. May be needed for addon/subdomains -u user homedir prefix (default /home) -D Debug mode. Output a more detailed log which identifies signature matches. -N Show files which do NOT match on stderr (debug feature only) -e exclude files wth names ending in . Workaround if scan hangs on js -r regex debugging -c use cache -q quiet -h print this help message and quit root@www [/]#
Please notice that the script will report many ionCube PHP encrypted files. Double-check them (and all other files) before taking any action, as they might be legit files. Make backups before deleting any files!
The script file as of July 19, 2018 – just for information – findcrack0r.txt – download the latest version from the developer site!
Other security tools for your server: