Scan FTP xferlog for virus-like activity

I often see viruses spread through usually-legit sites — see more in my related post about malware one-liners. Finding which files are infected is usually a pain, though Paul hacked me up this script to identify virus-like behavior and pinpoint infected files:

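[code lang="perl"]#!/usr/bin/perl

use strict;
use warnings;

my $file = $ARGV[0];

my @iArray;
my @oArray;

open LOGFILE, "<", $file or die "Can't open $file: $!";
while (<LOGFILE>) {
    # Split on runs of whitespace so a space-padded single-digit day
    # ("Mar  2") does not shift the field positions.
    my @line = split(' ');
    next unless @line > 11;    # skip short or malformed lines

    # Field 11 is the transfer direction, field 8 is the filename.
    if ($line[11] eq "o") {    # o = outgoing (downloaded from the server)
        push(@oArray, $line[8]);
    }
    if ($line[11] eq "i") {    # i = incoming (uploaded to the server)
        push(@iArray, $line[8]);
    }
}
close LOGFILE;

# Print every filename that was both downloaded and uploaded.
foreach (@oArray) {
    my $entry = $_;
    foreach (@iArray) {
        my $entry2 = $_;
        if ($entry2 eq $entry) {
            print "$entry\n";
        }
    }
}
[/code]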


Download the script to the server and run it against the xferlog.

[code lang="bash"]wget
chmod +x
./ /var/log/xferlog
[/code]

This prints every file that was both downloaded and uploaded over FTP. These are the files suspected of containing malicious iframes or JavaScript, and the list to work from when cleaning up.
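
A narrower variant of the same check, as an added example (not Paul's script): it flags a file only when the same host and user downloaded it and then re-uploaded it within a short window, and reports how much the file grew. It assumes the standard xferlog field layout used above; the sample lines and the 10-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample xferlog lines (hosts, users and paths are made up).
SAMPLE_LOG = """\
Mon Mar  2 03:14:07 2009 1 203.0.113.9 4211 /home/site/public_html/index.php a _ o r siteuser ftp 0 * c
Mon Mar  2 03:14:09 2009 1 203.0.113.9 4398 /home/site/public_html/index.php a _ i r siteuser ftp 0 * c
Mon Mar  2 09:30:00 2009 2 198.51.100.4 88120 /home/site/public_html/logo.png b _ i r siteuser ftp 0 * c
Tue Mar 10 11:00:00 2009 1 198.51.100.4 900 /home/site/public_html/about.html a _ o r siteuser ftp 0 * c
Thu Mar 12 16:45:00 2009 1 198.51.100.4 950 /home/site/public_html/about.html a _ i r siteuser ftp 0 * c
garbage line
"""

def parse(line):
    """Return (time, host, size, path, direction, user), or None if malformed."""
    f = line.split()  # any run of whitespace, so "Mar  2" does not shift fields
    if len(f) < 14 or f[11] not in ("i", "o"):
        return None
    try:
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        return when, f[6], int(f[7]), f[8], f[11], f[13]
    except ValueError:
        return None

def suspicious_reuploads(lines, window=timedelta(minutes=10)):
    """Files downloaded, then re-uploaded by the same host and user within `window`.

    Assumes the log is in chronological order, as an append-only xferlog is.
    """
    last_download = {}  # (path, host, user) -> (time, size)
    hits = []
    for when, host, size, path, direction, user in filter(None, map(parse, lines)):
        key = (path, host, user)
        if direction == "o":
            last_download[key] = (when, size)
        elif key in last_download:
            got_at, got_size = last_download[key]
            if timedelta(0) <= when - got_at <= window:
                hits.append({"path": path, "host": host, "user": user,
                             "seconds": int((when - got_at).total_seconds()),
                             "size_delta": size - got_size})
    return hits

if __name__ == "__main__":
    for hit in suspicious_reuploads(SAMPLE_LOG.splitlines()):
        print(hit)
```

A small positive `size_delta` seconds after a download is what an injected iframe or script tag looks like in the log; an edit by the site owner usually shows a much longer gap.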