DEV Community

maximilian feldthusen
maximilian feldthusen

Posted on • Edited on

How to uncover malicious malware files

An unfortunate side-effect of being online is the fact that you are continually being probed for weaknesses by ne'er do wells. Be it your computer, your internet provider, or your website,
someone is almost always trying to find a way in to further their illicit goals, and give you a pretty massive headache as a result. While this article will not be able to teach you everything, it will serve to give you some hints to use when troubleshooting your own sites.

Find, Grep & Stat
These three commands can easily uncover some kinds of malicious code and can often help point you towards the source of the attack, if they're used properly. I will break down how to use each command separately, and then later how they can be used in concert.

Find
The Linux manual defines this command as a utility that "recursively descends the directory tree for each path listed, evaluating an expression in terms of each file in the tree."
Simply put, the Find utility lets you search an area to look for files or folders as defined by a number of variables, such as by name, by owner, by time modified, etc.
For example, to search the directory "/home/mywebsite" for a file called foobar.txt, you can run the following command:

find /home/mywebsite -type f -name "foobar.txt" 
Enter fullscreen mode Exit fullscreen mode

This should return the following:

/home/mywebsite/folder/another-folder/foobar.txt
Enter fullscreen mode Exit fullscreen mode

If you want to find a list of files in that same "/home/mywebsite" directory that have been changed in the last 7 days, you can run the following command:

find /home/mywebsite -type f -ctime -7  
Enter fullscreen mode Exit fullscreen mode

The (-7) after ctime means files changed within 7 days or less. if that was changed to a plus (+) symbol, it would mean any files changed a minimum or 7 days or longer.
Here is a more complex example: To find a list of all files inside "/home/mywebsite" with the extension .php that have been changed within 30 days, you can run the following command:

find /home/mywebsite -type f -name "*.php" -ctime -30  
Enter fullscreen mode Exit fullscreen mode

There are more commands that 'find' can handle. If you want to know more, see the manual page by
typing "man find" in SSH.

Grep
The Linux manual defines this command as a utility that "searches the named input FILEs (or standard input if no files are named, or the file name - is given) for lines containing a match to the
given PATTERN. By default, grep prints the matching lines."
Essentially, the grep utility lets you search files for a matching text pattern.
'Grep' is one of the greatest commands for finding malicious files, but it can also turn up a lot of false-positives. The following are the very basics of the command. These examples will be searching in the "/home/mywebsite" directory.
For example, to find the phrase "hello world", located in a file somewhere inside that directory, you can run the following command:

grep -r "hello world" /home/mywebsite  
Enter fullscreen mode Exit fullscreen mode

If there was a file that contains that phrase, 'grep' will post the path to the file, and the line containing the matching text:

/home/mywebsite/foo/bar/hello.txt: hello world!  
Enter fullscreen mode Exit fullscreen mode

Please note that grep searches are case-sensitive. To ignore case-sensitivity, use the '-i' flag
For more information, see the manual page for grep by typing 'man grep' in SSH.

Stat
The Linux manual defines this command as a utility that is used to "display file or filesystem status."
To expand on this, the stat utility is used to display permissions, ownership and various timestamps of a file.
To see an example of the 'stat' command output, let's take a look at that file we found earlier via the 'find' command, "/home/mywebsite/folder/another-folder/foobar.txt":

stat /home/mywebsite/folder/another-folder/foobar.txt 
Enter fullscreen mode Exit fullscreen mode

File: `home/mywebsite/folder/another-folder/foobar.txt'
Size: 19043
Blocks: 39
IO Block: 32768 regular file
Device: 17h/23d Inode: 140209072
Links: 1
Access: (0644/-rw-r--r--) Uid: (841608/mywebsite-user)
Gid: (88432/mywebsite-
user)Access: 2011-10-22 21:10:09.106667057 -0700
Modify: 2011-11-14 15:14:19.493663971 -0800
Change: 2011-11-14 15:14:19.494043373 -0800

The line with "Access/Uid/Gid" simply lays out the read/write/execute permissions of the file, and who owns it in user and group. The last three lines deal with the time-stamp of the file. "Access" normally refers to when it was first created, or last written to. "Modify" refers to the last time the file changed permissions, or was renamed (among other things). "Change" refers to the last time the actual contents of the file were modified.
Many malicious scripts are able to keep the access and modify time-stamps unchanged, but the change time-stamp will always reflect that someone has been inside the file. If a file has been
modified via FTP, all three time-stamps will be changed to the same date.

Top comments (0)