After a website is hacked, one of the next steps is to clean up the compromised files.

The hackers may have uploaded new files through the security vulnerability, or modified existing files to insert code (usually at the top or bottom of the file).

 

If you want to check by hand which files have been changed, you can use md5sum to compare the original files with the current ones.

 

Prerequisites: Assume that you have a testing website and a production website.

 

Step 1: Generate the checksum list on the production website

# cd your_website_path
# find -exec md5sum "{}" \; > chksum_files.chk

On a Mac, you may get the following errors:

# find: illegal option -- e
# -bash: md5sum: command not found

In that case, use the following command instead:

# find . -exec md5 "{}" \; > chksum_files.chk

 

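Advanced usage of md5sum:

The following command will

  • checksum regular files only
  • ignore any path, directory or file whose name contains “cache” or “tmp”
  • skip the checksum list itself, which is still being written while the command runs
  • sort the list by name before running md5sum
  • pass file names NUL-separated (-print0, sort -z, xargs -0) so that names containing spaces are handled correctly

# find . -type f \( -not -path "*cache*" -not -path "*tmp*" -not -name "chksum_files.chk" \) -print0 | sort -z | xargs -0 md5sum > chksum_files.chk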

 

Step 2: Upload the md5sum file to the testing website

 

Step 3: Compare the checksums against the original files

(Assume that the file chksum_files.chk is uploaded to your_testing_website_path)

# cd your_testing_website_path
# md5sum -c chksum_files.chk

Usually I only want to see the files that differ, so I use the following command.

# md5sum -c chksum_files.chk | grep FAILED

 

On a Mac, the md5 command has no “-c” option. 🙁

You may be interested in this article: http://blog.eexit.net/sh-md5sum-c-like-for-mac-osx/

 

There are three main types of output:

The file has NO changes

./path/path/path/file.php: OK

 

The file is changed

./path/path/path/file.php: FAILED

 

The file does not exist in the original website

md5sum: ./path/path/path/file.php: No such file or directory
./path/path/path/file.php: FAILED open or read

Then you can focus on the uploaded and modified files to see what the hackers did. You may be able to identify the security vulnerability as well.
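The Step 3 comparison can also be done without `md5sum -c`, so that it runs on a Mac and separates changed files from files that exist only on production. The following is an added example, not code from the original post. The function names `hash_file` and `compare_manifest` are chosen for this example, and it assumes the list is in md5sum format (digest, two separator characters, path), as written by the md5sum commands in Step 1.

```shell
# Added example: a portable stand-in for `md5sum -c chksum_files.chk | grep FAILED`.

# hash_file FILE: print only the MD5 digest of FILE (helper named for this example).
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | cut -c1-32     # GNU coreutils (Linux)
    else
        md5 -q "$1"                    # macOS/BSD: -q prints the digest only
    fi
}

# compare_manifest MANIFEST [ROOT]
# Reads md5sum-format lines from MANIFEST and checks them against the tree
# under ROOT (default: current directory). Unchanged files print nothing.
#   MODIFIED <path>   file exists under ROOT but its digest differs
#   NEW <path>        file is listed in MANIFEST but does not exist under ROOT
compare_manifest() {
    manifest=$1
    root=${2:-.}
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        expected=${line%% *}           # digest: everything before the first space
        rest=${line#"$expected"}       # strip the digest ...
        path=${rest#??}                # ... and the two separator characters
        if [ ! -f "$root/$path" ]; then
            printf 'NEW %s\n' "$path"
        elif [ "$(hash_file "$root/$path")" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$path"
        fi
    done < "$manifest"
}
```

Run it as `compare_manifest chksum_files.chk your_testing_website_path`. Because the path is taken by position rather than by splitting on whitespace, file names containing spaces are reported correctly.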

 

 

Reference: http://askubuntu.com/questions/318530/generate-md5-checksum-for-all-files-in-a-directory