SoftLink Scan on the Servers:

A hacker creates softlinks under one account that link to other users' accounts. This way he can hack other accounts. So how do you find the compromised account under which the hacker has created softlinks?

The following command scans the server and writes the result to the file:

/root/found_links.txt

1. Log in to the server as the root user.

2. Run the following command and press Enter.

  screen -A -a -d -m -L -t 'Beach-Head Finder' -S 'bhfinder' /bin/bash -c "find /home* -type d \( -path '/home*/virtfs' -or -path '/home*/.cpan' -or -path '/home*/.cpanm' -or -path '/home*/cpeasyapache' -or -path '/home*/cpapachebuild' -or -path '/home*/cpphpbuild' -or -path '/home*/cpzendinstall' \) -prune -false -or -type l -not -lname 'public_html' -not -lname '/usr/local/apache/domlogs/*' -not -path '/home*/*/mail/.*' -not -lname '/home*/*/.rvsitebuilder/projects/*' -not -lname '/var/cpanel/rvglobalsoft/rvsitebuilder/*' -not -lname '/var/netenberg/click_be/*' -not -lname '*/.click_be/database/' -not -lname '*/.click_be/advertisements/' -not -lname '*/.click_be/click_be/' -not -lname '*/.click_be/backup/' -not -lname '/usr/local/urchin/*' -not \( -path '/home*/*/wp-content/advanced-cache.php' -and -lname '/home*/wp-content/plugins/*' \) -not \( -path '/home*/rvadmin/public_html/rvadmin/themeimages/tran' -and -lname '/usr/local/cpanel/base/frontend/*/themeimages/tran' \) -printf '%p => %l\n\c' -fprintf '/dev/stderr' '%p => %l\n\c' 2>> /root/found_links.txt"

3. This command will automatically open a screen session and may take approximately 2/3 hours to complete the scan.

4. Once the scan is complete, open the file /root/found_links.txt
(The scan logs are written to this file.)

5. Based on the result, delete the directories under which you see softlinks created by the hacker.

6. After deleting those directories, reset that user's cPanel password and send it to that client.
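
To help with reading the result file in steps 4 and 5, here is an added example (not part of the original post) that sorts the "LINK => TARGET" lines written by the scan and keeps only links that leave the owning account's home directory. The function names and the sample accounts alice, bob and carol are assumptions made up for this illustration.

```shell
#!/bin/bash
# Added example: triage of the scan output.
# Each line of /root/found_links.txt has the form "LINK => TARGET".

# Constructed sample lines (hypothetical accounts alice, bob, carol).
sample_scan_output() {
    cat <<'EOF'
/home/alice/public_html/img => /home/alice/media/img
/home/bob/public_html/a/1.txt => /home/carol/public_html/wp-config.php
/home/bob/public_html/a/root => /
/home2/carol/www/up => ../../alice/public_html
/home/alice/current => releases/42
EOF
}

# triage_links [FILE]   (reads stdin when FILE is omitted)
# Prints "ACCOUNT<TAB>REASON<TAB>LINK => TARGET" for every link whose
# target is not inside the home directory of the account that owns it.
triage_links() {
    awk -F ' => ' '
    NF == 2 {
        n = split($1, p, "/")          # "", "home", "ACCOUNT", ...
        if (n < 4) next                # not a path below /home*/ACCOUNT/
        home = "/" p[2] "/" p[3] "/"
        t = $2
        if (substr(t, 1, 1) == "/") {  # absolute target
            if (index(t "/", home) == 1) next        # stays in own home
            if (t ~ "^/home[^/]*/[^/]+") reason = "cross-account"
            else                         reason = "system-path"
        } else if (t ~ "(^|/)[.][.](/|$)") {
            reason = "relative-up"     # may climb out of the home: review
        } else next                    # relative target below the link
        printf "%s\t%s\t%s => %s\n", p[3], reason, $1, t
    }' "$@"
}

# Demo on the constructed sample; on a server: triage_links /root/found_links.txt
sample_scan_output | triage_links
```

Accounts that appear in the first column are the ones to review in step 5; a "relative-up" entry still has to be resolved by hand, since the script does not follow the ".." components.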