Regex that matches this list of files?
I had a user on our shared host who let their WordPress install fall victim to an exploit that allowed for arbitrary file creation as the apache user. The files generated are obviously generated with a random generator, but fall under some sort of pattern. I was also thinking about just matching the group, but a find of that nature hits too many files that are legitimate. How can I match all of these example malicious files?
8twcoasx.php
hjoeksdp.php
nzpsmujc.php
oiczdqkp.php
wpebruwi.php
wuclgsvz.php
tie9txh5.php
vza6pn12.php
nwfthzli.php
1wovcnq6.php
1fwevaol.php
zscy86d8.php
ikz45skj.php
n70x0aul.php
nwk34bs0.php
ugdnncmz.php
wdcq2zzi.php
8f4w3dmt1z.php
uqv4e2cm2a.php
55zf4u1dp7.php
szfc8v129e.php
oihfoe09fposf.php (occurred more often)
Jwlsjd_baaqifg.php (occurred more often)
I'll obviously be working with the user to update their WordPress install and plugins, but I would appreciate a regex I can toss into find and quickly verify whether the issue persists afterward, etc.
Patterns I can see:
- Always 8, 10, or 13 characters.
- Always *.php
find regular-expression
asked 2 hours ago by Aaron Chamberlain
edited 5 mins ago by Evan Carroll
1 Answer
You'll have to determine precisely what the "pattern" is first (to create the regex). I can't see anything very clear. It always ends in .php, preceded by 8, 10, or 13 characters, which are upper- or lower-case letters, numbers, or _. Apart from that, it's unclear, e.g. there's not always a number. If you were to match this general "pattern", e.g. with ^[a-zA-Z0-9_]{8}\.php$ and for 10 or 13 characters too, then you'd likely get many false positives.
Instead, are the new files created with a current modification date? If so, you could search for newer suspicious files modified after, say, your new config.
find /path/to/directory -newer /path/to/new_config -regextype egrep -regex '.*/([a-zA-Z0-9_]{8}|[a-zA-Z0-9_]{10}|[a-zA-Z0-9_]{13})\.php'
One caveat is that it's possible to change the modification date using touch. If your malware does that, it might be possible to filter on access time (-anewer), status-change time (-cnewer), or -newerXY.
If all the files are owned by a particular user, you could also use that information to filter, i.e. add the option -user apache.
answered 2 hours ago by Sparhawk, edited 2 mins ago
Also, testing apache file ownership might help. – Hagen von Eitzen, 1 hour ago
@HagenvonEitzen Good idea. I've added that information in. – Sparhawk, 9 mins ago
Note this regex doesn't have an underscore, and some of his examples do. This also doesn't match the 8,10,12 limit the author specifies. – Evan Carroll, 5 mins ago
@EvanCarroll Fixed. The question was edited after I posted my original answer. – Sparhawk, 2 mins ago