Michel_72 Posted December 29, 2012

We are one of many IP.Board owners victimised by the latest IP.Board security issue. Can anyone advise a scanner for finding the suspicious files that are possibly still located in our webroot? We are running Linux (Centos) and IPS support was unable to give us any further advice :sad:

Cheers, Michel

Gianpiero L. Posted December 29, 2012

FileZilla is the first option: search for " *.pHp " and set the search to case sensitive. On this occasion the infected file has this file extension (pHp with a capital H). The date of the file is 21 December or later (in every situation I read about).

http://community.invisionpower.com/topic/375899-suspicious-file-in-cache/

gp

jackflash Posted December 29, 2012

My hosting company does it for me upon request, or they will eventually catch it and send me a list of where the bad files are at. You might want to also ask your host. I have found that all of mine were in cache for this last breach. Previous to that, they were in public and cache.

Here's another tool that might help: http://sitecheck.sucuri.net/scanner/

Michel_72 (Author) Posted December 29, 2012

Thanks. This scan, as well as many others, doesn't work in this case. I need something I can run locally. I do not have a hosting provider, since we host our own site on our own servers. Anyone else any tips?

Michel

Gianpiero L. Posted December 29, 2012

The problem is: what are you looking for? Why are you searching for malicious code? Is it only for prevention? When your site is working and you patched in November and 2 days ago, you are fine.

Michel_72 (Author) Posted December 29, 2012

We did get infected just before applying the patch. I want to make sure all infected files have been removed.

Gianpiero L. Posted December 29, 2012

Do you have a local copy of the forum files? A file backup, not the db. I usually run Beyond Compare every week to investigate if there are new files or modifications: http://www.scootersoftware.com

Anyway, the ticket assistance replied to me that the infected files are in cache, probably. Download them and check them all. There are not too many.

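A local check that combines the two suggestions in the replies above (a case-sensitive search for odd-cased extensions such as `.pHp` dated 21 December or later, and a comparison against a clean file backup), as an added example that is not part of any poster's message. It assumes GNU find (for `-iname` and `-newermt`); the function names and the sample tree in `demo` are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and the cutoff date are arguments;
# the sample tree built in demo() is constructed for illustration.

# Files whose extension is "php" in any case other than all-lowercase (e.g. ".pHp").
odd_case_php() {
    find "$1" -type f -iname '*.php' ! -name '*.php' -print
}

# Files modified after midnight on the given date (YYYY-MM-DD).
modified_since() {
    find "$1" -type f -newermt "$2" -print
}

# Compare the live tree ($1) with a clean file backup ($2): report files that
# exist only in the live tree or whose content differs from the backup copy.
new_or_changed() {
    ( cd "$1" && find . -type f -print ) | while IFS= read -r f; do
        if [ ! -f "$2/$f" ]; then
            printf 'NEW %s\n' "$f"
        elif ! cmp -s "$1/$f" "$2/$f"; then
            printf 'CHANGED %s\n' "$f"
        fi
    done
}

# Build a small constructed tree and run all three checks against it.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/live/cache" "$d/backup/cache"
    echo '<?php // index' > "$d/backup/index.php"
    cp "$d/backup/index.php" "$d/live/index.php"
    echo 'placeholder' > "$d/live/cache/unknown.pHp"   # file absent from backup
    touch -t 201211010000 "$d/live/index.php"
    touch -t 201212220000 "$d/live/cache/unknown.pHp"
    echo "== odd-case extensions"; odd_case_php "$d/live"
    echo "== modified since 2012-12-21"; modified_since "$d/live" 2012-12-21
    echo "== new or changed vs backup"; new_or_changed "$d/live" "$d/backup"
    rm -rf "$d"
}

# Usage: script.sh WEBROOT BACKUP [DATE]; with no arguments, run the demo.
if [ "$#" -ge 2 ]; then
    odd_case_php "$1"
    modified_since "$1" "${3:-2012-12-21}"
    new_or_changed "$1" "$2"
else
    demo
fi
```

Files reported by more than one check are the first ones to open and read; a file that is only `CHANGED` may simply be a legitimate edit made after the backup was taken.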
This topic is now archived and is closed to further replies.