Scan for Any Malware or PHP Shell

Here is a simple command you can use to scan for malware or PHP shell scripts that an attacker has uploaded:

$ grep '((eval.*(base64_decode|gzinflate))|\$[0O]{4,}|(\\x[0-9a-fA-F]{2}){8,}|cgitelnet|webadmin|PHPShell|tryag|r57shell|c99shell|noexecshell|revengans|myshellexec|FilesMan|JGF1dGhfc|document\.write\("\\u00|sh(3(ll|11)))' . -roE --include='*.php*'

The command recursively (-r) scans the current directory and its subdirectories, restricted by --include to files whose name contains .php (so .php, .php5 and renamed copies such as .php.bak are covered, but .phtml is not). -E enables extended regular expressions so the | alternation and {n,} repetition work, and -o prints only the matching fragment next to each file name. Use straight quotes rather than the curly quotes some blog software substitutes, and quote the --include glob so the shell does not expand it before grep sees it. The pattern looks for eval() applied to base64_decode() or gzinflate() output, variable names made of four or more 0/O characters, runs of eight or more \xNN escapes, known shell names such as r57shell, c99shell and FilesMan, JGF1dGhfc (the base64 encoding of the string $auth_, which shows up when a shell is shipped as one base64 blob), and sh3ll/sh311 spellings.

If the scan flags many files that are actually safe because they legitimately contain sequences such as \x0..., tune the command so it drops the generic obfuscation patterns and keeps only the shell-specific strings:

$ grep '((eval.*(base64_decode|gzinflate))|cgitelnet|webadmin|ircd|PHPShell|tryag|r57shell|c99shell|noexecshell|revengans|myshellexec|FilesMan|JGF1dGhfc)' . -roE --include='*.php*'

This narrower version only looks for the eval/decode combination and identifiers commonly used in PHP shell scripts. Both versions are signature scans: a shell that avoids these strings is not found, and a hit is a lead to inspect by hand, not proof. For a file that belongs to WordPress core or a known plugin, diff it against a fresh copy of the same version before deleting anything.
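To see what the two patterns do and do not catch, the script below (an added example, not from the original page) builds a small constructed webroot with benign and suspicious PHP files and runs both grep commands over it. The file names and contents are made up for the example; the patterns are the ones above, copied with straight quotes. It assumes GNU grep, since --include is a GNU extension.

```shell
#!/bin/sh
# Added example: run the page's PHP-shell signature scan over constructed
# sample files. Nothing here is real malware; the samples only contain the
# marker strings the patterns look for. Requires GNU grep (--include).

# Narrow pattern: eval on decoded data plus known shell identifiers.
SHELL_SIG='((eval.*(base64_decode|gzinflate))|cgitelnet|webadmin|ircd|PHPShell|tryag|r57shell|c99shell|noexecshell|revengans|myshellexec|FilesMan|JGF1dGhfc)'

# Broad pattern: additionally flags $0000/$OOOO-style variable names, long
# runs of \xNN escapes and sh3ll spellings; noisier on legitimate code.
BROAD_SIG='((eval.*(base64_decode|gzinflate))|\$[0O]{4,}|(\\x[0-9a-fA-F]{2}){8,}|cgitelnet|webadmin|PHPShell|tryag|r57shell|c99shell|noexecshell|revengans|myshellexec|FilesMan|JGF1dGhfc|document\.write\("\\u00|sh(3(ll|11)))'

# make_samples DIR: create a constructed webroot with benign and suspicious files.
make_samples() {
  dir=$1
  mkdir -p "$dir/wp-content/uploads" "$dir/wp-includes"
  # benign: decodes base64 but never eval()s the result, so no hit
  printf '<?php\n$img = base64_decode($_POST["img"]);\nfile_put_contents("x.png", $img);\n' \
    > "$dir/wp-includes/img.php"
  # suspicious: classic eval(base64_decode(...)) loader (payload is echo "hi";)
  printf '<?php\neval(base64_decode("ZWNobyAiaGkiOw=="));\n' \
    > "$dir/wp-content/uploads/loader.php"
  # suspicious: obfuscated $OOOO-style variable names; only the broad pattern
  # catches this, and the .php.bak name still matches --include='*.php*'
  printf '<?php\n$OOOO0OOO = "a"; $O0O0O0O0 = "b";\n' \
    > "$dir/wp-content/uploads/ob.php.bak"
  # suspicious: FilesMan marker (WSO-style shells)
  printf '<?php\n// FilesMan\n' > "$dir/wp-content/uploads/wso.php"
  # same marker in a non-PHP file: skipped because of --include
  printf 'FilesMan\n' > "$dir/wp-content/uploads/notes.txt"
}

# scan DIR PATTERN: print the files under DIR that match PATTERN, one per
# line, relative to DIR and sorted. -l lists file names instead of the
# matched text; swap it for -o to see the matching fragment as on the page.
scan() {
  dir=$1
  pat=$2
  # the glob is quoted so the shell does not expand it before grep runs
  (cd "$dir" && grep -rlE --include='*.php*' "$pat" . | sort)
}

# Usage: sh scan.sh /var/www/html   (scans a real webroot with the narrow pattern)
if [ "$#" -gt 0 ]; then
  scan "$1" "$SHELL_SIG"
fi
```

Run against the constructed tree, the narrow pattern reports loader.php and wso.php; the broad pattern adds ob.php.bak, and notes.txt is never reported because --include filters it out before the regex is applied.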

What does WordPress wp-cron do?

WordPress
———-
– Scheduled publishing of posts
– Scheduled auto-draft cleanup
– Scheduled trash collection

wp-includes
————
ms-functions.php
– wp_schedule_update_network_counts()

update.php
– wp_schedule_update_checks()

Plugins
——-
admin-menu-editor-pro
– check for updates

live-blogging
– live_blogging_check_twitter

wp-super-cache
– schedule_wp_gc
– wp_cache_gc_watcher

WordPress ships three built-in schedules (hourly, twicedaily and daily); the core update checks listed above run on the twicedaily schedule. Plugins and themes can register their own schedules and events, which is where the extra entries in the list come from. Note that wp-cron is not a real cron daemon: wp-cron.php is triggered by page requests, so on a low-traffic site scheduled events run late. WP-CLI's wp cron event list shows every registered event with its next run time, which is a quick way to spot an event that a plugin, or an attacker using it for persistence, has added.

HowTo: Nginx Block User Agent

How do I block an HTTP user agent or a software agent using the Nginx web server under Linux or Unix-like operating systems?

You can block HTTP user agents that send GET / POST requests to scrape your content or to probe for software vulnerabilities. Use the following syntax. Edit /usr/local/nginx/conf/nginx.conf and place the if block inside the server (or location) block it should apply to:
# vi /usr/local/nginx/conf/nginx.conf
In this example, any request whose User-Agent header contains Wget (matched case-insensitively because of ~*) is refused with 403:

## Block http user agent - wget ##
if ($http_user_agent ~* (Wget) ) {
return 403;
}


Source: http://www.cyberciti.biz/faq/unix-linux-appleosx-bsd-nginx-block-user-agent/

## Block Software download user agents ##
if ($http_user_agent ~* "(LWP::Simple|BBBike|wget)") {
return 403;
}

Save and close the file. Check the configuration for syntax errors, then reload nginx:
# /usr/local/nginx/sbin/nginx -t
# service nginx reload
OR
# /usr/local/nginx/sbin/nginx -s reload
How do I block multiple http user agents?

Use the following syntax. A regex that contains a space, such as Catall Spider, must be quoted; otherwise nginx splits it into two arguments and rejects the if condition at startup:

if ($http_user_agent ~ "(agent1|agent2|Foo|Wget|Catall Spider|AcoiRobot)") {
return 403;
}

Case insensitive blocking: ~* vs ~

Please note that ~* makes the match case insensitive, as opposed to just ~, which is case sensitive:

### case sensitive http user agent blocking  ###
if ($http_user_agent ~ "(Catall Spider|AcoiRobot)") {
return 403;
}
### case insensitive http user agent blocking  ###
if ($http_user_agent ~* (foo|bar) ) {
return 403;
}
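The same blocking expressed with nginx's map directive, as an added example that is not from the page or the cyberciti article. map lives in the http context, keeps the whole agent list in one place, and is only evaluated when $block_ua is read, so the if block shrinks to a single return. The server_name, root and the agent names are placeholders chosen for the example:

```nginx
http {
    # Added example: map the User-Agent to 0/1 once, then act on it.
    # Keys starting with ~ are regexes; ~* makes the regex case-insensitive.
    map $http_user_agent $block_ua {
        default 0;
        ""                            1;   # empty User-Agent header
        "~*^wget"                     1;   # Wget/1.x, case-insensitive, anchored at start
        "~*(LWP::Simple|BBBike)"      1;   # case-insensitive, anywhere in the header
        "~(Catall Spider|AcoiRobot)"  1;   # case-sensitive; quoted because of the space
    }

    server {
        listen 80;
        server_name example.com;   # placeholder

        # if with return in server context is the safe form of if in nginx
        if ($block_ua) {
            return 403;
        }

        location / {
            root /usr/local/nginx/html;   # placeholder
        }
    }
}
```

Check it after nginx -t and a reload with curl -A 'Wget/1.21' -s -o /dev/null -w '%{http_code}\n' http://example.com/ (expect 403) and the same request with -A 'Mozilla/5.0' (expect 200). Keep in mind that the User-Agent header is chosen by the client, so this filters lazy scrapers and default tool banners; anything that sets its own User-Agent walks straight past it, and it is no substitute for authentication or rate limiting.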