使用 awk 捕获恶意软件病毒活动所需的帮助
我的服务器面临问题,因为有时恶意软件会在文件的末尾或开头添加代码。我已在我所知的范围内修复了安全漏洞。我的托管提供商已告知现在安全性足够,但我对网站上的病毒/恶意软件活动变得偏执。我有一个计划,但我不太熟悉 sed 或 awk 或 gawk 等 Linux 编辑器,因此需要您的帮助。我可以使用我的 PHP 知识来完成此操作,但这将非常耗费资源。
由于恶意软件/病毒在文件的开头或结尾添加代码(以便网站不会显示任何错误),您能否让我知道如何编写一个命令来递归地查看所有 .php 文件(我将使用帮助对父目录和所有子目录中的其他类型的文件进行更改,并在文件的开头和结尾添加特定标记,例如 XXXXXX_START 和 YYYYYY_END。
然后我需要一个脚本来读取所有 .php 文件并检查代码的第一行是否为 XXXXX_START,最后一行是否为 YYYYYYY_END,并在发现任何文件不同时创建报告。
我将设置一个 cron 来检查所有文件,并在发现任何差异时通过电子邮件将报告发送给我。
我知道这并不是 100% 万无一失,因为病毒可能会在注释行后添加数据,但这是我能想到的最佳选择。
我已尝试使用以下命令在开始时添加数据 -
sed -i -r '1i add here' *.txt
但这不是递归的,它仅向父目录文件添加行。
然后我发现了这个—— BEGIN 和 END 是特殊模式。它们不用于匹配输入记录。相反,它们用于向 awk 脚本提供启动或清理信息。 BEGIN 规则在读取第一个输入记录之前执行一次。读取所有输入后,执行一次 END 规则。例如:
awk 'BEGIN { print "Analysis of `foo'" }
/foo/ { ++foobar }
END { print "`foo' appears " foobar " times." }' BBS-list
但不幸的是,我无法破译任何东西。
非常感谢对上述细节的任何帮助。欢迎任何其他建议。
问候,
尼丁
I am facing issues with my server as sometimes the malwares are adding their code at the end or start of the files. I have fixed the security loopholes to the extent of my knowledge. My hosting provider has informed that the security is adequate now, but I have become paranoid with the viral/malware activity on my site. I have a plan, but I am not well versed with Linux editors like sed or awk or gawk so help needed from your side. I can do this using my PHP knowledge but that would be very resource intensive.
Since malwares/virus add code at the start or end of the file (so that the website does not show any error), can you please let me know how to write a command which would recursively look into all .php files (I will use the help to make changes in other type of files) in parent and all sub-directories and add a particular tag at the start and end of the file, say, XXXXXX_START, and YYYYYY_END.
Then I need a script which would read all the .php files and check if the first line of the code is XXXXX_START and last line is YYYYYYY_END and create a report if any file is found to be different.
I will setup a cron to check all the files and email the report to me if any discrepancy found.
I know this is not 100% foolproof as virus may add the data after the commented lines, but this is the best option I could think of.
I have tried the following commands to add data at the start -
sed -i -r '1i add here' *.txt
but this isn't recursive and it adds line to only the parent directory files.
Then I found this -
BEGIN and END are special patterns. They are not used to match input records. Rather, they are used for supplying start-up or clean-up information to your awk script. A BEGIN rule is executed, once, before the first input record has been read. An END rule is executed, once, after all the input has been read. For example:
awk 'BEGIN { print "Analysis of `foo'" }
/foo/ { ++foobar }
END { print "`foo' appears " foobar " times." }' BBS-list
But unfortunately, I could not decipher anything.
Any help on above mentioned details is highly appreciated. Any other suggestions are welcomed.
Regards,
Nitin
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您可以使用以下命令来修改文件(还创建名为 .bak 的备份文件):
您可以使用以下 shell 脚本来检查文件:
You can use the following to modify the files (also creates backup files called .bak):
You could use the following shell script for checking the files:
使用版本控制和/或备份;如果出现可疑活动,请关闭实时站点并从备份或版本控制源重新安装。
Use version control and/or backups; in the event of suspicious activity, zap the live site and reinstall from backups or your version control source.
将该命令应用于当前目录中或当前目录下的所有文件。您可能可以将 grep 逻辑折叠到 find 中,但我喜欢简单的咒语。
Will apply that command to all files in or under the current directory. You could probably fold the grep logic into find, but I like simple incantations.