FileScout

Filescout is a utility created to determine the origin of a malicious file based on the modified or change time (whichever is more recent) of a given file. It was developed exclusively for a cPanel environment, running on CentOS/CloudLinux/RHEL 6 and 7.

Filescout solves a number of potential problems, and can save time when investigating the source of a malicious file.

Installation:

Create the /root/bin directory, if it doesn't already exist:

 mkdir -p /root/bin

And grab the script:

wget -O /root/bin/filescout https://mattjung.net/filescout  

And give it execute permissions:

chmod +x /root/bin/filescout  

Usage:

Usage is pretty simple, You just call filescout, and give it a file that you want to to investigate.

filescout somefile.php  
Usage with flags

Filescout also supports a number of flags:

-h Displays the help menu.

-v Displays the version of Filescout

-m Force use of the Modified timestamp.

-c Force use of the Change timestamp.

-b Force use of the file's creation time. (EXT4 filesystems only)

-r [Experimental] Enables recursive searching. Lets you investigate a file that uploaded a file that uploaded a file....and so on.

-t 'STAT TIMESTAMP' USER Allows you to specify a timestamp and user, rather than a file. For example:

filescout -t '2017-08-05 15:48:45.763000000 -0400' mattjung  

What it does:

  • When given an input file, filescout will get a stat of the absolute path of the file.
  • It then searches the apache domlogs (daily and archived) for signs of an HTTP POST request based off either the modified or change time (whichever is more recent) of your input file, which indicates a possible point of entry for your original input file.
  • It then checks for a possible FTP upload, based off the timestamp of the modified or change time.
  • It then converts the timestamp to UTC and searches for a possible cPanel file manager upload from the cPanel user.
  • The last thing it checks is for a SSH/SFTP login from that user on the day of modification or change of the original input file. This last search is very broad, only because uploads via SFTP aren't explicitly logged in /var/log/secure.

What do I do with all of this information?

While filescout can take out much of the brain-numbing thinking required to investigate malware, it is specifically designed so the administrator using it still needs to take action to review its findings and disable anything deemed malicious.

The output of filescout gives a few recommend actions based on its findings. A few things to keep in mind while using it:

  • If running filescout on a number of files, keep a running list on files you need to look over or disable. It can be easy to lose track of what you've done.
  • You can glean a wealth of information from any log entries found. Based on the offending IP address, you can review other logs to see what actions they took. From apache log entries, you can sometimes get clues based on the http referrer, user-agent, etc.

Example output:

============================================
          Stats and timestamps            
============================================

Filescout will be using the change timestamp of malicious_shell.php going forward. If you wish to use the modified time, use the -m flag.


  File: ‘/home/mattjung/public_html/script-test.mattjung.net/malicious_shell.php’
  Size: 25            Blocks: 8          IO Block: 4096   regular file
Device: fd03h/64771d    Inode: 397171      Links: 1  
Access: (0644/-rw-r--r--)  Uid: ( 1003/mattjung)   Gid: ( 1003/mattjung)  
Access: 2017-08-05 15:48:45.763000000 -0400  
Modify: 2017-08-05 15:48:45.763000000 -0400  
Change: 2017-08-05 15:48:45.763000000 -0400

============================================
               Log diving                 
============================================

Found HTTP POST entry when searching when grepping for a 10 second window near the change time in the Apache domlogs for the following domain(s):

/home/mattjung/logs/script-test.mattjung.net-Aug-2017.gz:10.30.4.31 - - [05/Aug/2017:15:48:45 -0400] "POST /upload.php HTTP/1.1" 200 214 "http://script-test.mattjung.net/upload.php" "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0"

The above POST request was directed at this file: /home/mattjung/public_html/script-test.mattjung.net/upload.php  
You should review the above file if you have not already done so.

You can also review the log for any other actions taken by that same IP:  
zgrep 10.30.4.31 /home/mattjung/logs/script-test.mattjung.net-Aug-2017.gz

Don't forget to    chmod 000 /home/mattjung/public_html/script-test.mattjung.net/malicious_shell.php    if it's malicious!