# NOTE(review): the leading "# " on the command lines below appears to be the
# root shell prompt of a pasted session, not a comment marker.
# cd /usr/local/src
# NOTE(review): the archive is fetched over plain HTTP and its install.sh is
# then executed (presumably as root, given the prompt). Nothing here checks the
# download's integrity; compare it against a checksum or signature obtained
# from a trusted channel before running the installer.
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar -zxvf maldetect-current.tar.gz
# NOTE(review): the download is named "current" but the directory is pinned to
# 1.4.1, presumably the release current when this was written; use the
# directory name the tar listing above actually prints.
# cd maldetect-1.4.1
# ./install.sh
Ayrıntılı inceleyebilirsin.

http://forum.directadmin.com/showthread.php?t=42393

http://www.rootkit.nl/projects/rootkit_hunter.html

rkhunter'ı da kur.


Ayrıca,

#!/usr/bin/perl -w
# findshell v1.0 == code taken/modified from traps.darkmindz.com
#usage: ./findshell.pl <sensitivity 1-50> <directory to scan>
use strict;
use File::Find;
# Command-line arguments: the sensitivity threshold comes first, then the
# directory to scan. A missing or false value (including 0) falls back to the
# default on the right of ||.
my $sens   = shift(@ARGV) || 10;
my $folder = shift(@ARGV) || './';

# Walk $folder recursively; File::Find calls backdoor() once per entry found.
find(\&backdoor, $folder);
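# File::Find callback: score the current entry ($_ is its name inside the
# directory File::Find has changed into, $File::Find::name its full path) and
# print a line when it looks like a PHP backdoor.
#
# .php/.txt files get 1 point per line matching a "maybe" pattern and 50 points
# per line matching a "probably" pattern; the file is reported when the total
# reaches the file-level $sens threshold. Image, archive and PDF names are
# reported with a fixed score of 5000 when any line contains PHP-looking text.
#
# The patterns are unanchored, case-insensitive substrings (for example "oRb",
# "c99", "S4T"), so ordinary text can match them: a reported file is a
# candidate for manual review, not a confirmed backdoor.
sub backdoor {
    # Read regular files only. The scanned tree may hold attacker-created
    # entries, and opening a FIFO or device node would stall or derail the scan.
    return unless -f $_;

    # Lines that are merely suspicious (1 point each). "getgrgid\s*\(" also
    # accepts the two-space form the original pattern required, which looks
    # like a paste artefact.
    my $maybe_evil = qr/function_exists\(|phpinfo\(|safe_?mode|shell_exec\(|popen\(|passthru\(|system\(|myshellexec\(|exec\(|getpwuid\(|getgrgid\s*\(|fileperms\(/i;

    # Lines that are probably hostile (50 points each).
    my $probably_evil = qr/\`\$\_(post|request|get).{0,20}\`|(include|require|eval|system|passthru|shell_exec).{0,10}\$\_(post|request|get)|eval.{0,10}base64_decode|back_connect|backdoor|r57|PHPJackal|PhpSpy|GiX|Fx29SheLL|w4ck1ng|milw0rm|PhpShell|k1r4|FeeLCoMz|FaTaLisTiCz|Ve_cENxShell|UnixOn|C99madShell|Spamfordz|Locus7s|c100|c99|x2300|cgitelnet|webadmin|cybershell|STUNSHELL|Pr!v8|PHPShell|KaMeLeOn|S4T|oRb|tryag|sniper|noexecshell|\/etc\/passwd|revengans/i;

    # The extension tests are case-insensitive so that names such as
    # "shell.PHP" are scanned as well.
    if (/\.(php|txt)/i) {
        # Three-argument open: the file name is taken literally, so a name
        # starting with mode characters or carrying surrounding whitespace is
        # not reinterpreted by open.
        my $IN;
        unless (open($IN, '<', $_)) {
            # One unreadable file must not end the scan of the whole tree.
            warn "can not open datei $File::Find::name: $!";
            return;
        }

        # Count matching lines while streaming, so large files are not held
        # in memory; the counts equal what grep over the slurped file gives.
        my $score     = 0;
        my $tempscore = 0;
        while (my $line = <$IN>) {
            $score++     if $line =~ $maybe_evil;
            $tempscore++ if $line =~ $probably_evil;
        }
        close $IN;

        $score += 50 * $tempscore;
        print "$score - Possible backdoor : $File::Find::name\n"
            if $score > $sens - 1;
    }
    elsif (/\.(jpg|jpeg|gif|png|tar|zip|gz|rar|pdf)/i) {
        my $IN;
        unless (open($IN, '<', $_)) {
            # The original "print ... && next" ran next before printing, so
            # the message was never shown; report on STDERR and move on.
            warn "can not open datei $File::Find::name: $!";
            return;
        }

        # Stop at the first line carrying a PHP open tag or an include call.
        my $has_php = 0;
        while (my $line = <$IN>) {
            if ($line =~ /(\<\?php|include(\ |\())/i) {
                $has_php = 1;
                last;
            }
        }
        close $IN;

        print "5000 - Possible backdoor (php in non-php file): $File::Find::name\n"
            if $has_php;
    }

    return;
}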

Usage

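# Scan the web root with sensitivity 10 and collect the findings in a file.
perl findshell.pl 10 /srv/www/htdocs > scanout.txt
# Every finding starts with its numeric score, so sort numerically; a plain
# lexical sort would place "5000" before "60".
sort -n scanout.txt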

If you hit the memory limit, use the following:

# Run the scanner once per listed path and append the findings to scanout.txt.
# NOTE(review): the list holds a single path, so this runs one scan over the
# same tree as the single command; presumably a per-subdirectory glob was
# intended. If one is added, make sure hidden (dot) directories are still
# covered, since a plain * does not match them.
for dir in /srv/www/htdocs/
do
    perl findshell.pl 10 $dir >> scanout.txt
done

da deneyebilirsin.

Hariçlerinde

ClamAV de etkilidir.

ekstra

# Name-based sweep: ask locate for paths containing any of the listed web-shell
# and bot names, and mail the list to the address given (a placeholder).
# locate answers from its prebuilt database, so files created since the last
# database update are not listed, and only names are matched: a renamed shell
# is missed and an innocent file with a matching name is listed. Treat the
# mail as a list of leads to review.
echo -e "Please check \n" "$(locate SnIpEr_SA sniper_sa c99shell r57shell crazy.pl tryag myshell msshell phpshell vbspy JaheeM mpownz ManTiLa indoirc.net NOGROD Bhlynx rfiScan x2300 g00nshell Bigdoz Indoserv Faskalis Indohacker pLuR HacKed AnakDompu cHApoenk Shellbot r3v3ng4ns MaXiMiZeR milw0rm n3oom3 rohitab w4ck1ng PHP-Proxy Locus7s cgitelnet.pl ccteam UNITX_TEAM soqor SpIdEr dark.cgi)" \
    | mail -s "scaning shell hack at $(hostname -s) date $(date)" yourmail@domain.tld
pratiktir