Finding a malicious script on my webserver with bash


Staff member
I'm encountering an issue on my webserver.
Someone infected it with a leaked wordpress .
The problem is the following, there is some malicious phpscript somewhere within a file.
The malicious script is putting an iframe inside every files on the webserver (/home)
But the thing is that I don't know where is the script and I have thousands of web files in /home, it could be anywhere.
I know how to erase all the iframes but the idea is to delete the trigger.
So I was wandering how i could fix it and i have maybe a solution, but i would need your advices

I noticed that the script is executed from time to time but completely randomly (approxmatively once time a week)
Now let's assume that I erased all the malicious iframe with the following shell command (which I run every 30 minutes currently)

find /home -type f | xargs sed -i 's$<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>$ $g'

Now that all my php file don't have a iframe, the idea would be to alert me when the iframe appears again.
Like this, if I have the approximative time where the iframe appears, then I could have a look on the apache log to see which webscript is called.

So I created another bash shell and I would like to have your advices to know if it would be allright.
I would run it every 30 min on the server until I received a mail.

Then I would look in the apache log to check the log on the last 30 minutes.

So here is the bash I was thinking about :

find /home -type f | xargs grep -q '<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>'     #Find the string in all file on my all directory
if [ $? -eq 0 ] #if the result is not equal to zero
        echo "At the following time : " $(date +%H-%M-%S) | mail -s "[Serveur Leaked] Bad iframe has been found " [email protected] #we send a mail with the date
        find /home -type f | xargs sed -i 's$<iframe src="[^"]*" width="2" height="2" frameborder="0"></iframe>$ $g' #we replace the iframe with a whitespace
        exit 1  

exit 0

I really need to find a solution because right know as I said Im running the find and replace shell command every 30 minutes and it's taking a lot of process.

But i could not afford to let iframes too long on my server, that my websites would be blacklisted by google and i could not afford this.

Thanks a lot for your future advice.