Better way to scan for – and clean up – virus activity

**NOTE** The following only works with FTP daemons that log full paths in xferlog – i.e., not vsftpd with its default configuration. Works like a charm on Plesk, fails terribly on non-Plesk. For non-Plesk, please scroll to the bottom of this post.

I made an earlier post about this subject, but there are too many holes in the script provided. Instead, I’ve found this simple awk recipe to do the trick quite well.

[code lang="bash"]awk '$12 != prev {print $9; prev=$12}' xferlog | egrep "\.php|\.htm|\.shtm|\.js" | sort | uniq > ftp_modified.out[/code]

Note that the output it prints is not definitive, but it certainly gives you something to start with. Now, roll a grep:

[code lang="bash"]cat ftp_modified.out | while read -r line; do grep -H iframe "$line" >> iframe.out ; done[/code]

**You will need to review this output to find the actual string and distinguish between legitimate iframes and the baddies.** The following sed will usually take care of about 80% of them:

[code lang="bash"]cat iframe.out | awk -F: '{print $1}' | while read -r line ; do sed -i 's/
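As an added example (not the post's own commands), here are the first two steps as a small bash script you can run against a constructed xferlog: it selects uploads by xferlog's direction flag (i) rather than the change-detecting awk above, anchors the extension match to the end of the path, and quotes file names before grepping. The sandbox directory, sample files and log lines are all constructed inside the script.

```bash
#!/usr/bin/env bash
# Added example, not the post's own commands: list web files uploaded over FTP
# according to xferlog, then grep them for <iframe> for manual review.
# Assumes the classic xferlog layout (wu-ftpd/proftpd/Plesk): field 9 is the full
# path and field 12 the direction flag, where "i" means an incoming upload.
set -u

# Unique paths of web files that were uploaded (direction "i") in the given xferlog.
# Filtering on the direction flag avoids listing files that were only downloaded.
ftp_uploaded_web_files() {
    awk '$12 == "i" {print $9}' "$1" | grep -E '\.(php|s?html?|js)$' | sort -u
}

# Read file paths on stdin and print file:line:content for every <iframe> hit.
# Paths are quoted so odd names survive; files no longer present are skipped.
scan_for_iframes() {
    local f
    while IFS= read -r f; do
        if [ -f "$f" ]; then
            grep -Hn -i '<iframe' "$f" || true   # no match is not an error here
        fi
    done
}

# Build a throwaway sandbox with constructed files and a constructed xferlog,
# run the two steps against it, and clean up.
run_demo() {
    local root docroot
    root=$(mktemp -d)
    docroot="$root/httpdocs"
    mkdir -p "$docroot/js"
    printf '<?php echo "hi"; ?>\n<iframe src="http://invalid.example/x" width=0 height=0></iframe>\n' \
        > "$docroot/index.php"
    printf 'function menu() {}\n' > "$docroot/js/menu.js"
    printf 'PNG\n' > "$docroot/logo.png"
    cat > "$root/xferlog" <<EOF
Mon Mar  3 10:01:02 2014 1 203.0.113.5 60 $docroot/index.php b _ i r siteuser ftp 0 * c
Mon Mar  3 10:01:05 2014 1 203.0.113.5 4 $docroot/logo.png b _ i r siteuser ftp 0 * c
Mon Mar  3 10:02:00 2014 1 198.51.100.7 60 $docroot/index.php b _ o r siteuser ftp 0 * c
Mon Mar  3 10:03:11 2014 1 203.0.113.5 19 $docroot/js/menu.js b _ i r siteuser ftp 0 * c
EOF
    ftp_uploaded_web_files "$root/xferlog" | scan_for_iframes
    rm -rf "$root"
}

run_demo
```

Point `ftp_uploaded_web_files` at the real xferlog and review the `file:line:content` output by hand before any sed, exactly as the post warns.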