R-Ts NetWorks

Server the Best

SoftLink Scan

SoftLink Scan on the servers :


Hacker creates softlinks under one account and makes link with other users. This way he can hack other accounts. So how to find such compromised account under which hacker has created softlinks.


Following is the command which scan on the server and generates result in file:



1. Login to server as root user.

2. Fire following cmd and hit enter.

  1. screen -A -a -d -m -L -t ‘Beach-Head Finder’ -S ‘bhfinder’ /bin/bash -c “find /home* -type d ( -path ‘/home*/virtfs’ -or -path ‘/home*/.cpan’ -or -path ‘/home*/.cpanm’ -or -path ‘/home*/cpeasyapache’ -or -path ‘/home*/cpapachebuild’ -or -path ‘/home*/cpphpbuild’ -or -path ‘/home*/cpzendinstall’ ) -prune -false -or -type l -not -lname ‘public_html’ -not -lname ‘/usr/local/apache/domlogs/*’ -not -path ‘/home*/*/mail/.*’ -not -lname ‘/home*/*/.rvsitebuilder/projects/*’ -not -lname ‘/var/cpanel/rvglobalsoft/rvsitebuilder/*’ -not -lname ‘/var/netenberg/click_be/*’ -not -lname ‘*/.click_be/database/’ -not -lname ‘*/.click_be/advertisements/’ -not -lname ‘*/.click_be/click_be/’ -not -lname ‘*/.click_be/backup/’ -not -lname ‘/usr/local/urchin/*’ -not ( -path ‘/home*/*/wp-content/advanced-cache.php’ -and -lname ‘/home*/wp-content/plugins/*’ ) -not ( -path ‘/home*/rvadmin/public_html/rvadmin/themeimages/tran’ -and -lname ‘/usr/local/cpanel/base/frontend/*/themeimages/tran’ ) -printf ‘%p => %lnc’ -fprintf ‘/dev/stderr’ ‘%p => %lnc’ 2>> /root/found_links.txt”

3. This cmd will automatically open a screen session and may take approximately 2/3 hours for complete the scan.

4. Once scan is complete then open the file /root/found_links.txt
(The scan logs are created in this file.)

5. As per the result please delete those directories under which you will see softlinks created by hacker.

6. After deleting those directories, reset that users Cpanel password and send it to that client.


April 29, 2012 - Posted by | Security |

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: