My server has been hacked. The server administrator says the hacker used a 0day CentOS kernel exploit to hack it. The administrator has now updated the kernel and rebooted the server, but he is unable to catch the hacker or work out how he initiated the process.
So I need your help with the following matters:
1) The hacker uploads index.html or index.php files to deface websites. To restore these pages we should keep a backup of these index pages. So I want to use a bash script to back up only the index files to somewhere on the server on a weekly basis.
2) How do I catch the hacker? How did he get access? Which account did he use to run the exploit?
Simple. Modify the funky sample below to your actual environment and run it from cron.
#!/bin/ksh
# Weekly backup of every index.html under $webhome into $backupdir,
# one flat copy per site directory, with a log of what was copied.
log=/var/backup/log
webhome=/home/web
backupdir=/var/backup

mkdir -p "$backupdir"
echo "Web index.html backups started $(date)" > "$log"
# read the paths line by line so a name containing spaces stays one item
find "$webhome" -type f -name "index.html" | while IFS= read -r file
do
    ifile=$(basename "$file")          # index.html
    domaindir=$(dirname "$file")       # directory that holds it
    domain=$(basename "$domaindir")    # last component of that directory, used as a prefix
    cp -p "$file" "$backupdir/$domain.$ifile"
    ls -l "$backupdir/$domain.$ifile"
done >> "$log"
echo "Web index.html backups ended $(date)" >> "$log"
exit 0
If the hacker was an expert, you will only catch him with a whole lot of work and much, much more luck. You would be better off hardening your system and keeping up to date on all patches and upgrades, as that would be much easier, unless your company just happens to have its own intrusion detection team or you yourself have expert hacker skills.
The account used to run the exploit does not matter; all that matters is that the hacker got root access to your server and did some damage. As for how he got access, google the exploit your admin told you about and you should get your answer.
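As an added example (not the answer's script above and not from anyone in this thread), here is a version of the same weekly job that also covers index.php, flattens each file's path relative to the web root into the backup name so two sites' index files cannot collide, and writes a sha256 manifest so a defacement can be detected and the saved copy put back automatically. The paths are assumptions, the site tree in the self-check is constructed, and it needs sha256sum from GNU coreutils plus a POSIX sh.

```shell
#!/bin/sh
# Added example, not the thread's own script. Paths (/home/web, /var/backup)
# are assumptions; sha256sum is GNU coreutils, present on CentOS.
set -u

# Copy every index.html / index.php under the web root ($1) into a dated
# directory below $2, flattening the path relative to the web root into the
# file name (example.com/public_html/index.html -> example.com_public_html_index.html),
# and write a sha256 manifest keyed by the original path. Prints the manifest path.
backup_index_files() {
    webhome=$1
    backupdir=$2
    dest="$backupdir/$(date +%Y%m%d)"
    manifest="$dest/MANIFEST.sha256"
    mkdir -p "$dest" || return 1
    : > "$manifest"
    # read the paths line by line so a name with spaces is one item, not several
    find "$webhome" -type f \( -name index.html -o -name index.php \) -print |
    while IFS= read -r file; do
        rel=${file#"$webhome"/}
        cp -p "$file" "$dest/$(printf '%s' "$rel" | tr '/' '_')" || exit 1
        sha256sum "$file" >> "$manifest"
    done || return 1
    printf '%s\n' "$manifest"
}

# Print the path of every file in the manifest ($1) whose current sha256
# differs from the recorded one, or which is now missing.
changed_files() {
    while read -r sum file; do
        current=$(sha256sum "$file" 2>/dev/null | cut -d' ' -f1)
        [ "$current" = "$sum" ] || printf '%s\n' "$file"
    done < "$1"
}

# Exit 0 when every index file still matches the manifest ($1), 1 otherwise.
verify_index_files() {
    [ -z "$(changed_files "$1")" ]
}

# Put the saved copy back over every changed file listed in the manifest ($1),
# given the web root ($2). Prints how many files were restored.
restore_defaced() {
    manifest=$1
    webhome=$2
    dest=$(dirname "$manifest")
    n=0
    while IFS= read -r file; do
        [ -n "$file" ] || continue
        rel=${file#"$webhome"/}
        cp -p "$dest/$(printf '%s' "$rel" | tr '/' '_')" "$file" && n=$((n + 1))
    done <<EOF
$(changed_files "$manifest")
EOF
    printf '%s\n' "$n"
}

# Self-check against a constructed site tree in a temp directory:
# back up, verify clean, deface one page, detect it, restore, verify again.
demo() {
    tmp=$(mktemp -d) || return 1
    webhome="$tmp/home/web"
    mkdir -p "$webhome/example.com/public_html" "$webhome/other site/htdocs"
    printf '<html>original</html>\n' > "$webhome/example.com/public_html/index.html"
    printf '<?php echo "original"; ?>\n' > "$webhome/other site/htdocs/index.php"
    manifest=$(backup_index_files "$webhome" "$tmp/backup") || return 1
    verify_index_files "$manifest" || return 1
    printf 'HACKED\n' > "$webhome/example.com/public_html/index.html"
    verify_index_files "$manifest" && return 1
    [ "$(restore_defaced "$manifest" "$webhome")" = 1 ] || return 1
    verify_index_files "$manifest" || return 1
    rm -rf "$tmp"
}

demo && echo "backup / verify / restore self-check passed"
```

Run backup_index_files weekly from cron and verify_index_files far more often (hourly is cheap), so a defaced page is noticed in minutes rather than at the next visit. One caveat that follows from the answer above: if the attacker had root, a backup directory on the same box is writable by him too, so copy each dated directory and its manifest to another host before trusting it for a restore.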
I have one question.
Let me give an example based on your script.
There is one file "index.html" in the directory "/home/web/aaa/bbb".
What the script does is:
assign "index.html" to the variable "ifile". So $ifile=="index.html"
assign "/home/web/aaa/bbb" to the variable "domaindir". So $domaindir=="/home/web/aaa/bbb"
assign "/home/web/aaa" to the variable "domain". So $domain=="/home/web/aaa"
copy the file "/home/web/aaa/bbb/index.html" to the backup dir and rename it like this: "/var/backup/home/web/aaa.index.html"
So my question is: why is the name of the backup file, "aaa.index.html", kind of weird? What do you mean by it?
Thanks