hacked by tugr

[johncesta]

Is there a way to search for files by checksum? I have a few files that have been copied to my computer by a hack and I would like to see if I can find the source of those files.

Here's the hack:

Has anyone heard fo this one? What they do is to copy:

index.php .cfm .htm .html .asp
default.php .cfm .htm .html .asp

to the root folder of every web site.

I can't find much on it on the web. I thought I had figured it to be an old servu ftp server hack so I upgraded about 3 weeks ago but today upon reboot it happened again.


Thanks

[nikos]

why do you need to search by checksum and not by name? Or perhaps name+size?

[johncesta]

why do you need to search by checksum and not by name? Or perhaps name+size?

Because if they renamed the file I won't be able to search by name but the checksum should still be the same.

Thanks,

John

[nikos]

in such a case you can search for a specific checksum adding a rule that has both min/max values set to the checksum you are after. It may be quicker to search for a given size first and then examine the checksum column though

[johncesta]

in such a case you can search for a specific checksum adding a rule that has both min/max values set to the checksum you are after. It may be quicker to search for a given size first and then examine the checksum column though

I've searched by size. I think that may work.

BTW when I create a rule to search the checksum the min and max values won't allow letters.

My checksum is:  0003c0d8

[nikos]

right, the number rule must be in decimal but the checksum column is formatted as hex

the workaround is to put your hex number in your windows calculator (calc.exe). In "scientific" mode it can convert hex numbers to decimal. For instance 0003c0d8==245976. That's the number you need for the checksum rule