Find and delete fake .ico files

The war against attempts to hack the sites I host continues.
Recently I have noticed a lot of hidden .ico files whose names match the pattern /^\.[0-9a-z]{8}\.ico$/ (a dot, eight lowercase hex-style characters, then .ico). They are not icons at all: Maldet flags them as base64-obfuscated PHP, dropped into WordPress directories where a stray icon file does not look out of place.
So I decided to search & kill these files myself instead of waiting for the daily anti-malware pass.
Here is an example Maldet report; note the .ico hits, which are the target of our script:


malware detect scan report for server01.net:
SCAN ID: 043018-0400.7125
TIME: Apr 30 04:57:55 +0200
PATH: /home/*/public_html
TOTAL FILES: 911469
TOTAL HITS: 5
TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 043018-0400.7125
FILE HIT LIST:
{HEX}php.base64.v23au.186 : /home/example1/public_html/pontetresa/wp-includes/customize/.9579976e.ico
{HEX}php.base64.v23au.186 : /home/example2/public_html/the7/wp-content/uploads/layerslider/LayerSlider-5-responsive-demo-slider/ini.php
{HEX}php.base64.v23au.186 : /home/example3/public_html/gallery/albums/Vacanze-2009/ini.php
{HEX}php.base64.v23au.186 : /home/example4/public_html/wp-admin/network/mobileqsv/.c7485b55.ico
{HEX}php.base64.v23au.186 : /home/example5/public_html/wp-includes/SimplePie/Net/.3706a194.ico
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >
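As an added example (this is not the author's newLISP cron script, and not Maldet code), here is a POSIX shell version of the same search-and-kill idea. It finds files matching the pattern above under one or more web roots, keeps any that really are icons (a genuine ICO begins with the bytes 00 00 01 00, which a PHP dropper never does), and moves the rest into a quarantine directory instead of deleting them, so a false positive can be restored. The quarantine directory path and the sample files in the usage comment are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not the original newLISP script: locate hidden .ico files
# named like ^\.[0-9a-z]{8}\.ico$ under the given web roots and quarantine
# those that are not real icons.

# List candidate files under the roots given as arguments. The -name glob
# narrows the walk cheaply; grep enforces the exact 8-character pattern.
# Only POSIX find/grep features are used, so this runs on any Linux host.
find_fake_ico() {
    find "$@" -type f -name '.????????.ico' 2>/dev/null \
        | grep -E '/\.[0-9a-z]{8}\.ico$' || true
}

# A genuine ICO starts with 00 00 01 00 (reserved=0, image type=1).
# The droppers Maldet flagged start with "<?php", so the magic never matches.
is_real_ico() {
    [ "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" = "00000100" ]
}

# quarantine_fake_ico QUARANTINE_DIR ROOT...
# Moves every candidate that is not a real icon into QUARANTINE_DIR with its
# path flattened (so two sites with the same relative path cannot collide),
# strips all permissions from the copy, and prints each original path.
quarantine_fake_ico() {
    qdir=$1
    shift
    mkdir -p "$qdir"
    find_fake_ico "$@" | while IFS= read -r f; do
        if is_real_ico "$f"; then
            continue            # leave legitimate icons alone
        fi
        dest="$qdir/$(printf '%s' "$f" | tr '/' '_')"
        mv "$f" "$dest" && chmod 000 "$dest" && printf '%s\n' "$f"
    done
}

# Typical cron usage (assumed quarantine path):
#   quarantine_fake_ico /root/ico-quarantine /home/*/public_html
if [ "$#" -gt 0 ]; then
    quarantine_fake_ico "$@"
fi
```

Run it as root from cron with the quarantine directory first and the web roots after it; review the quarantine before emptying it, and grep the moved files for the include or eval chain that loaded them, since the dropper is rarely the only modified file on a compromised site.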

And this is the newLISP script, executed via cron: