May 14, 2025

How to Find Malicious Script in File (Linux Command) - Slot Gacor

 grep -r -i "thailand" /var/www/html

 grep -r -i "gacor" /var/www/html

grep -r -i --exclude-dir=mysql --exclude-dir=db "thailand" /var/www

grep "?" /var/log/nginx/access.log

grep -Ei "cmd=|exec=|bash|sh" /var/log/nginx/access.log

awk '{print $1}' /var/log/apache2/access.log | sort | uniq -c | sort -nr

_______________________

Check for malicious shell commands

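# Classic obfuscated-PHP-backdoor signature: eval() over a base64 blob.
grep -r "eval(base64_decode" /var/www/html/

# Same, but skip log files. The glob must be quoted; unquoted, the shell may
# expand *.log against the current directory before grep ever sees it.
grep -r --exclude='*.log' "eval(base64_decode" /var/www/html/

# World-writable files and directories under /home (anyone can plant code there).
find /home -perm 0777 -exec ls -ld {} \;

# Open files of one suspicious process: PHP/shell scripts, or anything under the
# usual drop locations /tmp and /dev/shm. Set pid to the process found in
# ps/top/netstat output; 217 is only an example value.
pid=217
lsof -p "$pid" | grep -E '\.php|\.sh|/tmp|/dev/shm'

# Scheduled persistence. `crontab -l` alone shows only the invoking user's
# crontab; persistence is commonly placed in another account's crontab
# (e.g. the web server user) or in the system cron locations, so enumerate
# every account and those directories as well (per-user listing needs root).
crontab -l
for u in $(cut -d: -f1 /etc/passwd); do
    crontab -l -u "$u" 2>/dev/null | sed "s/^/$u: /"
done
cat /etc/crontab 2>/dev/null
ls -la /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly 2>/dev/null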

---------------------------
Check for malicious users
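# Accounts with an interactive login shell (service accounts normally get
# nologin/false). Printed as "user::shell" so the shell is visible too; this
# supersedes the plain name-only variant of the same awk filter.
awk -F: '$7 ~ /(bash|sh|zsh)/ {print $1 "::" $7}' /etc/passwd

# Every account name, to compare against what the server is supposed to have.
cut -d: -f1 /etc/passwd

# Members of the privilege-granting groups and explicit sudoers grants.
getent group sudo
getent group admin  # on older systems
grep 'ALL' /etc/sudoers /etc/sudoers.d/* 2>/dev/null

# Any account other than root with UID 0 is highly suspicious.
awk -F: '($3==0){print}' /etc/passwd

# Accounts with an empty password field can log in without a password
# (reading /etc/shadow needs root).
awk -F: '($2==""){print $1}' /etc/shadow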



---------------
# Sample of PHP files using eval()/base64_decode(), the usual obfuscation markers.
# Only the first five hits are shown, to get a quick feel before a full sweep.
grep -r --include='*.php' 'eval(' /var/www | head -n 5
grep -r --include='*.php' 'base64_decode' /var/www | head -n 5

# PHP files touched within the last 30 days, with ls-style details.
find /var/www/ -mtime -30 -name '*.php' -ls

_____________________________

Scan for folders and files with mode 0777

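# World-writable files, then world-writable directories, under /var. These were
# originally on one line, which made the second `find` an argument of the first
# ("paths must precede expression") instead of a separate command.
find /var -type f -perm 0777
find /var -type d -perm 0777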





Jika terjadi spam user yang masuk ke database

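-- Orientation: which databases and tables exist. Take a backup (mysqldump)
-- before any of the destructive statements below; none of them can be undone.
SHOW DATABASES;

USE db;

SHOW TABLES;

-- Only for a database the attacker created. "xxx" is a placeholder; the
-- statement is irreversible, so double-check the name first.
DROP DATABASE xxx;

-- Know how many rows are about to go before deleting them.
SELECT COUNT(*) FROM users WHERE url LIKE '%slotgacor%';

-- The transaction lets you ROLLBACK if the affected-row count the client
-- reports does not match the COUNT above (InnoDB; MyISAM ignores it).
START TRANSACTION;
DELETE FROM users WHERE url LIKE '%slotgacor%';
COMMIT;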

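-- Users with e-mail domains seen in the spam registrations.
-- (These statements originally shared one line with this comment, so the
-- leading "--" turned the whole line into a comment and nothing executed.)
DELETE FROM users WHERE email LIKE '%@yahoo.it%' OR email LIKE '%@yandex.ru%';

-- Users from country codes that are unusual for this site. This is a blunt
-- heuristic (IS is Iceland; real users live there), so run the matching
-- SELECT from the verification section first and review the rows.
DELETE FROM users WHERE country IN ('HM', 'MP', 'IS');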

Verification

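-- Verification: what is left after the clean-up. Each SELECT mirrors one of
-- the DELETE predicates and should return no rows. The first one is wider
-- than the DELETE ('%gacor%' vs '%slotgacor%') so it also surfaces variants.
SELECT user_id, username, url FROM users WHERE url LIKE '%gacor%';

-- Other suspicious patterns. (The comment and the statement originally shared
-- one line, which commented the statement out.)
SELECT user_id, username, email FROM users WHERE email LIKE '%@yahoo.it%' OR email LIKE '%@yandex.ru%';

SELECT user_id, username, country FROM users WHERE country IN ('HM', 'MP', 'IS');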

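-- Reclaim space after the mass delete.
OPTIMIZE TABLE user_settings;

-- Column layout of author_settings (to see which column carries the injected text).
DESCRIBE author_settings;

-- Before: how many rows carry the spam keyword, and what they look like.
-- SELECT * is kept only because the table's columns are not known here;
-- replace it with an explicit column list once DESCRIBE has shown them.
SELECT COUNT(*) FROM author_settings WHERE setting_value LIKE '%gacor%';
SELECT * FROM author_settings WHERE setting_value LIKE '%gacor%';

DELETE FROM author_settings
WHERE setting_value LIKE '%gacor%';

-- After: expected to return no rows.
SELECT * FROM author_settings WHERE setting_value LIKE '%gacor%';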


Prevention

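-- Indexes on the columns used for spam look-ups. (The two ALTERs were on the
-- same line as this comment, so they were commented out.)
-- NOTE: a B-tree (prefix) index only helps predicates anchored at the start of
-- the value (equality, LIKE 'prefix%'); the LIKE '%gacor%' searches above still
-- scan the whole table. The (col(255)) prefix syntax is MySQL/MariaDB-specific.
ALTER TABLE users ADD INDEX idx_url (url(255));
ALTER TABLE users ADD INDEX idx_email (email(255));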


------------------------










-----------------
Konfigurasi Apache untuk mengetahui IP yang mengakses ke server yang menggunakan Reverse Proxy

# Make Apache report the real client address instead of the reverse proxy's.
# Only connections coming from a listed proxy have their X-Forwarded-For
# honoured; a connection from anywhere else keeps its own peer address, so a
# client cannot forge the header unless it sits in the trusted list.
<IfModule mod_remoteip.c>
    RemoteIPHeader X-Forwarded-For
    # Every proxy in front of this server must be listed here. Note that
    # RemoteIPTrustedProxy discards private-range addresses found in the
    # header; if clients legitimately arrive from private networks,
    # RemoteIPInternalProxy is the directive to use instead.
    RemoteIPTrustedProxy 127.0.0.1
</IfModule>
# The default "combined" LogFormat logs %h (the connection peer, i.e. the proxy);
# switch it to %a for the forwarded client address to show up in the access log.

"ganti 127.0.0.1 dengan alamat reverse proxy"
----------------------------

# World-writable regular files under /var (same check as in the 0777 section above).
find /var -perm 0777 -type f