@andrey-yantsen
Created April 9, 2013 13:56
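#!/bin/bash
# Scan the Plesk/ProFTPD transfer log for completed incoming FTP uploads of
# web entry files (base name index/default/defaults, any extension) and report
# those whose content contains an '<iframe ' tag or a document.write() call
# outside the stock Google Analytics snippet -- a cheap heuristic for injected
# content after an FTP account compromise.
#
# Usage: scan-xferlog.sh [XFERLOG]
#   Without an argument the configured XFERLOG path is read.
# Outputs: one "potentially infected" line per flagged upload on stdout.
# Exit status: 1 if the log cannot be read, 0 otherwise.

#### CONFIG ####
readonly XFERLOG="/opt/psa/var/log/xferlog"
# Base names (extension stripped) worth inspecting; space separated.
readonly MATCH_FILES="index default defaults"
# Full upload paths to skip even when the base name matches; space separated.
readonly EXCLUDE_LIST=""

#######################################
# Test whether a value equals one of the remaining arguments.
# Arguments: $1 - needle; $2.. - candidates (may be none)
# Returns:   0 if found, 1 otherwise
#######################################
in_list() {
  local needle=$1 candidate
  shift
  for candidate in "$@"; do
    if [ "$candidate" = "$needle" ]; then
      return 0
    fi
  done
  return 1
}

#######################################
# Content heuristic for an uploaded file.
# Arguments: $1 - path of the uploaded file (attacker-chosen name: always
#                 quoted and passed after '--')
# Returns:   0 when the file contains '<iframe ' or a document.write() on a
#            line other than the Google Analytics bootstrap; 1 otherwise,
#            including when the file is unreadable or already gone
#######################################
looks_infected() {
  local file=$1
  if grep -qiF -- '<iframe ' "$file" 2>/dev/null; then
    return 0
  fi
  # The GA bootstrap line legitimately uses document.write; drop it before
  # looking for the call anywhere else.
  grep -viF -- '" + gaJsHost + "google-analytics.com/ga.js' "$file" 2>/dev/null \
    | grep -qiF -- 'document.write'
}

#######################################
# Walk the transfer log and report suspicious uploads.
# Arguments: $1 - path of the xferlog to read
# Outputs:   one line per flagged upload on stdout; diagnostics on stderr
# Returns:   1 if the log is not readable, 0 otherwise
#######################################
scan_xferlog() {
  local xferlog=$1
  local -a fields
  local path name user ip stamp
  if [ ! -r "$xferlog" ]; then
    printf 'cannot read %s\n' "$xferlog" >&2
    return 1
  fi
  # xferlog columns: $1-$5 timestamp, $7 remote host, $8 size, $9 file name,
  # $12 direction (i = incoming), $14 user name, $NF completion status
  # (c = complete). Keep only completed uploads and put the path first.
  # Field $8 (size) is emitted for index stability but not used.
  awk '($12 ~ /^i$/ && $NF ~ /^c$/){print $9, $8, $14, $7, $1, $2, $3, $4, $5}' "$xferlog" \
    | while read -r -a fields; do
        path=${fields[0]}
        name=${path##*/}   # basename without forking
        name=${name%.*}    # drop the extension, if any
        user=${fields[2]}
        ip=${fields[3]}
        stamp="${fields[4]} ${fields[5]} ${fields[6]} ${fields[7]} ${fields[8]}"
        # shellcheck disable=SC2086 -- MATCH_FILES is a space-separated list
        in_list "$name" $MATCH_FILES || continue
        # shellcheck disable=SC2086 -- EXCLUDE_LIST is a space-separated list
        in_list "$path" $EXCLUDE_LIST && continue
        if looks_infected "$path"; then
          printf 'File %s, uploaded by %s (ip: %s) @ %s - potentially infected\n' \
            "$path" "$user" "$ip" "$stamp"
        fi
      done
}

#######################################
# Entry point.
# Arguments: $1 - optional log path overriding XFERLOG
#######################################
main() {
  scan_xferlog "${1:-$XFERLOG}"
}

main "$@"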