Find all possible root symlinks (leftover from attempted exploits) and save them as a list ‘symlinks.txt’. ls /var/cpanel/users | grep -v “\`\|\.\|cpanel\|root\|mysql\|nobody” | \ while read CPUSER; do find /home/$CPUSER -type l -not \( -lname “/home/$CPUSER/*” \ -o -lname “*rvsitebuilder*” -o -lname “[^/]*” -o -lname “/usr/local/apache/domlogs/*” \ -o -lname “/usr/local/urchin/*” \) ; done \ > [...]
If LFD reports a /tmp/.tmp folder on your server you have been hit with the latest timthumb.php hack, which is circulating among wordpress sites which dodged the first mass infection last August for unknown reasons. The /tmp/.tmp folder contains a list of firefox visitor IP’s who have visited your site and were exposed to malicious [...]
Recursively find many PHP shell scripts and PHP exploits with these simple one-liners.
When you’ve got dozens or more CentOS boxes to install Ksplice Uptrack on, this single cut-and-paste method lets you do it in one click. Remember to replace ACTUAL_KEY with your Ksplice access key.