Scan FTP xferlog for virus-like activity

I often see viruses spread through usually-legit sites (see more in my related post about malware one-liners). The typical trace in the FTP transfer log is a page being downloaded and then uploaded again a moment later: stolen credentials are used to pull a file down, inject an iframe or script tag, and push it straight back. Finding which files were touched this way is usually a pain, though Paul hacked me up this script to spot that download-then-upload pattern in the xferlog and pinpoint the files to inspect:

[code lang="perl"]#!/usr/bin/perl
# virus-parse.pl - list files that appear in the xferlog as both a
# download ("o") and an upload ("i"): the trace left by an attacker who
# fetches a page, injects an iframe, and pushes it back.

use strict;
use warnings;

my $file = $ARGV[0] or die "usage: $0 /var/log/xferlog\n";

my %uploaded;     # filename => 1 for every inbound transfer
my @downloaded;   # filenames of outbound transfers, in log order

open my $log, '<', $file or die "Can't open $file: $!";
while (my $row = <$log>) {
    # xferlog(5) fields are whitespace separated. split(' ') also swallows
    # the doubled space ctime() puts before single-digit days ("Mar  5"),
    # which split(/ /) would not, shifting every field by one.
    my @line = split ' ', $row;
    next unless @line > 11;            # skip truncated lines
    my ($name, $direction) = ($line[8], $line[11]);   # filename, direction
    if ($direction eq 'o') {
        push @downloaded, $name;
    }
    elsif ($direction eq 'i') {
        $uploaded{$name} = 1;
    }
}
close $log;

# Report each file once, in the order it was first downloaded.
my %seen;
foreach my $entry (@downloaded) {
    next if $seen{$entry}++;
    print "$entry\n" if $uploaded{$entry};
}[/code]

Usage:

Download virus-parse.pl to the server and run it against the xferlog. The path below is the traditional one; depending on the FTP daemon and distribution it may live elsewhere, and rotated copies (xferlog.1 and so on) are worth checking too if the infection is more than a few days old.

[code lang="bash"]wget http://tech.superhappykittymeow.com/src/virus-parse.pl
chmod +x virus-parse.pl
./virus-parse.pl /var/log/xferlog
[/code]

This prints the files that were downloaded and then uploaded again: the footprint of an attacker who pulled a page down, added a malicious iframe or JavaScript, and pushed it back. Treat the list as a shortlist rather than a verdict, since a site owner editing pages over FTP leaves the same trace; inspect each file for injected code and clean it up. Because the uploads came in over a valid login, assume the FTP credentials are compromised and rotate them as well, or the files will simply be reinfected.
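As an added example (not part of the original post or Paul's script), the same check in Python, tightened a bit: it parses the full xferlog(5) record layout, skips incomplete transfers, and only reports a path when an upload follows an earlier download of that same path, along with the uploading host and how much the file grew. That is stricter than the Perl script, which flags any file seen in both directions regardless of order. The log lines are constructed for the example, not taken from a real server.

```python
"""Find files that were downloaded over FTP and later uploaded again.

In the xferlog that pattern shows up as an outbound ('o') transfer of a
path followed by an inbound ('i') transfer of the same path.
"""
from collections import namedtuple
from datetime import datetime

# Layout from xferlog(5): five whitespace-separated ctime() tokens, then
# transfer-time, remote-host, file-size, filename, transfer-type,
# special-action-flag, direction, access-mode, username, service-name,
# authentication-method, authenticated-user-id, completion-status.
Record = namedtuple("Record", "time remote_host size path direction user status")

# Constructed sample xferlog lines (not real traffic).
SAMPLE_LOG = """\
Mon Mar  5 09:12:31 2012 1 203.0.113.7 4096 /var/www/html/index.php b _ o r siteuser ftp 0 * c
Mon Mar  5 09:13:02 2012 1 203.0.113.7 4210 /var/www/html/index.php b _ i r siteuser ftp 0 * c
Mon Mar  5 10:40:10 2012 2 198.51.100.23 18233 /var/www/html/images/logo.png b _ o r siteuser ftp 0 * c
Tue Mar  6 14:01:55 2012 1 198.51.100.23 2048 /var/www/html/new.html a _ i r siteuser ftp 0 * c
Wed Mar  7 03:22:08 2012 1 203.0.113.7 5120 /var/www/html/about.php b _ i r siteuser ftp 0 * c
Wed Mar  7 03:25:00 2012 1 203.0.113.7 5120 /var/www/html/about.php b _ o r siteuser ftp 0 * c
"""


def parse_line(line):
    """Parse one xferlog line; return a Record, or None for malformed lines."""
    parts = line.split()  # str.split() collapses the padded day ("Mar  5")
    if len(parts) != 18:
        return None
    when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
    return Record(time=when, remote_host=parts[6], size=int(parts[7]),
                  path=parts[8], direction=parts[11], user=parts[13],
                  status=parts[17])


def find_modified_files(log_text):
    """Return (path, download_time, upload_time, upload_host, size_delta)
    for every path whose upload follows an earlier download of that path."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r is not None]
    records.sort(key=lambda r: r.time)
    last_download = {}  # path -> most recent outbound transfer
    findings = []
    for r in records:
        if r.status != "c":  # 'i' marks an incomplete transfer; ignore it
            continue
        if r.direction == "o":
            last_download[r.path] = r
        elif r.direction == "i" and r.path in last_download:
            d = last_download.pop(r.path)
            findings.append((r.path, d.time, r.time, r.remote_host, r.size - d.size))
    return findings


if __name__ == "__main__":
    for path, dl, ul, host, delta in find_modified_files(SAMPLE_LOG):
        print(f"{path}: downloaded {dl:%Y-%m-%d %H:%M:%S}, re-uploaded "
              f"{ul:%Y-%m-%d %H:%M:%S} from {host} ({delta:+d} bytes)")
```

Run it against a real log with `find_modified_files(open("/var/log/xferlog").read())`; on the sample only index.php is reported, because about.php was uploaded before it was downloaded and the other two paths moved in one direction only. The size delta is a useful second signal: an injected iframe adds a few hundred bytes, while a legitimate edit is usually larger and less uniform across files.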