
my server was hacked, and I am now trying to locate all the "strange" files. I am running:

find . -type f -name '*' | xargs grep -l "Mini Shell"

This command is helping me a lot to find and delete malicious code.

However, this is also giving me a lot of errors; they fill my whole shell and I can't easily locate the files grep found. This is an example of what I see:

grep: Player: No such file or directory
grep: Quick: No such file or directory
grep: Start: No such file or directory
grep: Guide.pdf: No such file or directory
grep: ./domain1.pl/wp-content/themes/kingsize/images/social/1.: No such file or directory
grep: license.txt: No such file or directory
grep: ./domain1.pl/wp-content/themes/kingsize/documentation/Express: No such file or directory
grep: Install.xml: No such file or directory
grep: ./domain2.net/wp-content/plugins/google-analytics-for-wordpress/assets/dependencies/datatables/images/Sorting: No such file or directory
grep: icons.psd: No such file or directory
./domain3.in/admin/static/radio.php

In the text above, there is only one malicious file, which is what I was looking for. All the other messages are trash. How can I avoid getting such "No such file or directory" messages from the grep query?

It's like it breaks when it finds filenames with a space in it.

Thanks

Pikk

2 Answers


No need to pipe 'find' into 'xargs' like this.

What I would do (-r: recursive):

grep -rl "Mini Shell" .

The errors are due to the fact that you have some files with spaces in their file names.

If you want to process each file, even with special characters in file names, I recommend (using the NUL byte as file separator):

grep -Zrl "Mini Shell" . | xargs -I% -0 mv % /path/to/trash
Gilles Quénot

find only makes sense if the files to check have a specific file extension, like e.g. .php. Then you could use the -exec parameter of find:

find . -name "*.php" -type f -exec grep -l "Mini Shell" {} \;

This will make finding the modified files much faster than grepping all files.

-name '*' alone doesn't make sense. -type f will make the execution of find somewhat faster because directories will be omitted.

General recommendations

If your server was hacked, you will first of all have to find the attack vector, otherwise you will get hacked again right away. Also, it may be better to set it up from scratch and restore your web applications from backup, because you are not very likely to find all the files that the attackers changed and thus could end up with an unstable or insecure system.

digijay
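Added example, not part of either answer above: a small POSIX shell script that combines both suggestions. It uses grep -rlZ with xargs -0 (the first answer's NUL-separated pipeline) so that names containing spaces survive intact, and an optional file-name glob passed to GNU grep's --include option to restrict the search to, say, *.php files (the second answer's point about only checking one extension). Matched files are moved into a quarantine directory with their relative path preserved, so two infected files that share a basename cannot overwrite each other. The sample directory tree, its file names and contents are constructed for the demonstration; GNU grep is assumed for -Z and --include, and the root path is expected without a trailing slash.

```shell
#!/bin/sh
# Added example (not the answers' own code): quarantine every file under a
# directory whose contents contain a literal marker string, handling spaces
# and other odd characters in file names via NUL-separated names.
# Assumes GNU grep (for -Z and --include); xargs -0 is POSIX.
set -eu

# Build a constructed sample tree under $1: one clean PHP file, a text note
# that merely mentions the marker, and two "infected" PHP files, one of them
# with spaces in its name (the case that broke the original pipeline).
make_sample_tree() {
    mkdir -p "$1/wp-content/themes/kingsize/documentation" "$1/admin"
    printf '<?php echo "clean"; ?>\n' > "$1/index.php"
    printf 'Mini Shell is mentioned in this note, not in code\n' > "$1/notes.txt"
    printf '<?php /* Mini Shell */ ?>\n' \
        > "$1/wp-content/themes/kingsize/documentation/Quick Start Guide.php"
    printf '<?php /* Mini Shell */ ?>\n' > "$1/admin/radio.php"
}

# quarantine_matches ROOT PATTERN QUARANTINE_DIR [NAME_GLOB]
#   ROOT           directory to search (no trailing slash)
#   PATTERN        fixed string to look for inside files
#   QUARANTINE_DIR where matched files are moved, keeping their relative path
#   NAME_GLOB      optional basename filter, e.g. '*.php' (default: all files)
# grep -rlZ prints each matching file name terminated by a NUL byte instead of
# a newline, so xargs -0 rebuilds each name exactly even if it contains spaces
# or newlines. ROOT and QUAR are passed to the inner shell via the environment,
# since the file names themselves arrive as positional parameters.
quarantine_matches() {
    root=$1; pattern=$2; quarantine=$3; glob=${4:-*}
    mkdir -p "$quarantine"
    grep -rlZF --include="$glob" -e "$pattern" -- "$root" \
      | ROOT="$root" QUAR="$quarantine" xargs -0 sh -c '
          for f do
              rel=${f#"$ROOT"/}
              mkdir -p "$QUAR/$(dirname "$rel")"
              mv -- "$f" "$QUAR/$rel"
          done' _
}

# Stand-alone demo on a throwaway directory: only *.php files are checked,
# so notes.txt stays in place even though it contains the marker.
demo=$(mktemp -d)
make_sample_tree "$demo/site"
quarantine_matches "$demo/site" "Mini Shell" "$demo/quarantine" '*.php'
echo "Quarantined files:"
find "$demo/quarantine" -type f
rm -rf "$demo"
```

Moving rather than deleting keeps the files available for later inspection (what the web shell did, which other paths it references), which is useful when working out the attack vector the second answer recommends finding first.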