This lesson shows how to search for the clues an intruder leaves inside a server, working from an SSH shell: how to look for malicious files and web shells (backdoor scripts) that an attacker has placed on the server, and how to check the server for them. Follow the steps below to scan the server. First you should know that attackers often hide obfuscated code (for example base64-encoded payloads) inside files, and such code can run on the server without the administrator noticing. We will start looking for it step by step.
Steps to check the server
Type this command:
find /home/*/public_html -name "*.php" -print0 | xargs -0 grep -lE 'base64_' >> /root/shell-result.txt
This command appends the path of every PHP file under a public_html directory that contains the string base64_ (a common marker of obfuscated payloads) to the file /root/shell-result.txt.
Now that you have collected the files that potentially contain obfuscated code, open the result file to see them. Keep in mind that legitimate applications also call the base64_ functions, so review each hit before deciding it is malicious.
cat /root/shell-result.txt
Second, detect web shells through the PHP functions attackers use to run commands on the server and create backdoors in web sites. When a script calls a function that the server has disabled (through PHP's disable_functions setting), PHP writes a warning of the form "... has been disabled for security reasons" to the site's error_log file, so search those logs for that message:
find /home/*/public_html -name 'error_log' -print0 | xargs -0 grep -il 'has been disabled for security reasons'
Search for Perl files:
find /home/*/public_html -name "*.pl"
Perl scripts are among the most common files attackers place on compromised servers, so review each one that appears.
Next we look for places where an attacker could have dropped files. For that we search for directories with permission 777 (world-writable).
Type this command:
find /home/*/ -type d -perm 0777
You will see a list of the 777 directories; inspect each one yourself and check whether it contains files with a .php extension.
It is recommended that you change the permissions to 744 or 755. If a directory really has to be 777, you need to add an .htaccess file to it that prevents any malicious file or shell uploaded there from being executed.
Scan the server for php.ini files. Attackers place their own php.ini in a directory to bypass the server's protection (for example to re-enable disabled functions for the scripts in that directory).
Type this command and you will see every file named php.ini. Check each one to make sure it was not placed by an attacker; if it was, a web site on the server has probably already been hacked.
Note: not all php.ini files come from attackers; server users also create them to run their web applications. A php.ini is likely the attacker's when there are suspicious files in the same folder.
find /home/*/public_html -name "php.ini"
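The five checks above as one script, added here as an example and not part of the original lesson. It wraps each check in a function that takes the root to scan as an argument (the default /home mirrors the lesson's /home/*/public_html layout), writes all findings to a report file, and includes a constructed sample tree (hypothetical users "alice" and "bob", with fabricated file contents) so the checks can be exercised in a temporary directory before being run against a real server. It assumes a POSIX sh with find and grep.

```shell
#!/bin/sh
# Added example, not code from the original lesson: the lesson's five checks
# (base64_ in PHP files, "disabled for security reasons" in error_log, Perl
# files, 0777 directories, stray php.ini) as shell functions over a
# configurable root, plus a report writer. Assumes POSIX sh, find and grep.

# 1. PHP files under any public_html that reference base64_ (obfuscation hint).
find_base64_php() {
    find "$1" -path '*/public_html/*' -type f -name '*.php' \
        -exec grep -lE 'base64_(decode|encode)' {} + 2>/dev/null || true
}

# 2. error_log files recording calls to functions listed in disable_functions:
#    PHP logs "<fn>() has been disabled for security reasons" when a script
#    (often a web shell) tries to call one of them.
find_disabled_function_hits() {
    find "$1" -path '*/public_html/*' -type f -name error_log \
        -exec grep -il 'has been disabled for security reasons' {} + 2>/dev/null || true
}

# 3. Perl scripts inside web roots.
find_perl_files() {
    find "$1" -path '*/public_html/*' -type f -name '*.pl' 2>/dev/null || true
}

# 4. Directories whose mode is exactly 0777 (world-writable upload targets).
find_world_writable_dirs() {
    find "$1" -type d -perm 0777 2>/dev/null || true
}

# 5. Per-directory php.ini files that may override server hardening.
find_php_ini() {
    find "$1" -path '*/public_html/*' -type f -name php.ini 2>/dev/null || true
}

# Write all findings for root $1 to report file $2; section headers start with "==".
scan_server() {
    {
        echo "== PHP files referencing base64_ =="; find_base64_php "$1"
        echo "== error_log hits for disabled functions =="; find_disabled_function_hits "$1"
        echo "== Perl files in web roots =="; find_perl_files "$1"
        echo "== Directories with mode 0777 =="; find_world_writable_dirs "$1"
        echo "== php.ini files in web roots =="; find_php_ini "$1"
    } > "$2"
}

# Number of finding lines in a report (every line that is not a header).
count_findings() {
    grep -vc '^==' "$1" || true
}

# Constructed sample tree (hypothetical users alice and bob, fabricated
# contents) so the checks can be tried without touching a real /home.
make_demo_tree() {
    mkdir -p "$1/alice/public_html/uploads" "$1/bob/public_html"
    printf '<?php eval(base64_decode("Y29uc3RydWN0ZWQ="));\n' > "$1/alice/public_html/uploads/x.php"
    printf '<?php echo "hello";\n' > "$1/alice/public_html/index.php"
    printf 'PHP Warning:  system() has been disabled for security reasons in x.php on line 1\n' \
        > "$1/alice/public_html/error_log"
    printf '#!/usr/bin/perl\nprint "hi";\n' > "$1/bob/public_html/c.pl"
    printf 'disable_functions =\n' > "$1/bob/public_html/php.ini"
    chmod 777 "$1/alice/public_html/uploads"
}

# Usage: sh scan.sh --demo                         (scan a constructed tree in a temp dir)
#        sh scan.sh /home /root/shell-result.txt   (scan a real root, write the report)
case "${1:-}" in
    --demo) d=$(mktemp -d); make_demo_tree "$d"; scan_server "$d" "$d/report.txt"
            cat "$d/report.txt"; echo "findings: $(count_findings "$d/report.txt")" ;;
    "")     ;;
    *)      r=${2:-/root/shell-result.txt}; scan_server "$1" "$r"; cat "$r" ;;
esac
```

The functions use find's -exec ... {} + instead of piping -print into xargs so that paths containing spaces or newlines are handled and nothing runs when there are no matches; each function ends with || true because grep -l returns a non-zero status when it finds nothing, which would otherwise abort a script run under set -e.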
These are just a few steps for checking a server; there are many tools and other ways to do it. As a server owner, to keep your server and the sites or systems on it from being hacked, you should check your server weekly, or at least once a month. That keeps the risk lower.