Before a website is fully compromised, an attacker usually leaves small traces: new files, hidden code, or dangerous functions inside PHP scripts. Knowing how to recognise suspicious files and code is an essential skill in cybersecurity.

Below is a complete guide to finding suspicious files and malicious code on your server.

🔥 1. Check for Unknown or New Files

Hackers often add files with unusual names such as:

shell.php

wso.php

b374k.php

xd.php

adminer.php (a fake copy)

mailer.php

▶️ Detect Recently Modified Files (files touched recently; -mtime -2 means modified within the last two days)
find /var/www/html -type f -mtime -2

▶️ Look for PHP shell files by extension and small size (-size -5k lists files smaller than 5 KiB)
find /var/www/html -name "*.php" -size -5k

🔥 2. Search for Dangerous PHP Functions

Most malware relies on these functions:

eval()

base64_decode()

gzinflate()

str_rot13()

system(), exec(), shell_exec()

preg_replace('/.*/e', ...) (the /e modifier evaluates the replacement as PHP code; it was removed in PHP 7 but still appears in older backdoors)

▶️ Scan for Dangerous Functions
grep -R "eval(" /var/www/html
grep -R "base64_decode" /var/www/html
grep -R "gzinflate" /var/www/html

▶️ Scan Everything at Once
grep -R "eval\|base64_decode\|shell_exec\|gzinflate" /var/www/html

🔥 3. Look for Obfuscated or Hidden Code

Malware hides its code using:

base64 strings

long unreadable character strings

meaningless variable names

code blocks with no formatting

Example of malicious code (a fake encoded shell)
<?php
eval(base64_decode("aWYoIWZ1bmN0aW9uX2V4aXN0cygi..."));
?>

Another example of a hidden attack
<?php $x="base64_decode"; $y="eval"; $y($x("encoded code hapa")); ?>


Ikiwa unaona code kama hii — 90% ni malware.
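As an added example (not code from the original post), here is one shell scanner that covers sections 2 and 3 together: it greps PHP files for the dangerous functions listed above, for the "$y($x(...))" variable-function trick, for preg_replace with the /e modifier, and for long base64-looking strings. The function names (scan_php, count_flagged_files, make_sample_webroot), the patterns and the sample files are this example's own; the "encoded" content in the sample is filler, not a real payload.

```shell
#!/bin/sh
# Added example (not code from the original post): one scanner for sections 2 and 3.
# Pass the web root as the first argument; with no argument a constructed sample is scanned.

# Pattern 1: a literal call to one of the listed functions. Written as portable ERE
# (no \b or \s) so it works with both GNU and BSD grep.
FUNC_RE='(^|[^[:alnum:]_])(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|system|exec|shell_exec|passthru|popen|proc_open)[[:space:]]*\('
# Pattern 2: a variable used as a function name that calls another variable function: $y($x(
VARFUNC_RE='\$[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\([[:space:]]*\$[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\('
# Pattern 3: preg_replace whose pattern argument carries the /e modifier.
PREG_E_RE="preg_replace[[:space:]]*\\([[:space:]]*['\"][^'\"]*/[a-zA-Z]*e['\"]"
# Pattern 4: 60 or more consecutive base64-alphabet characters (an encoded payload).
B64_RE='[A-Za-z0-9+/]{60,}={0,2}'

# Print "file:line:content" for every hit under the directory given as $1.
scan_php() {
    grep -rnE --include='*.php' --include='*.phtml' --include='*.inc' \
        -e "$FUNC_RE" -e "$VARFUNC_RE" -e "$PREG_E_RE" -e "$B64_RE" "$1" 2>/dev/null || true
}

# Number of distinct files with at least one hit: a quick triage figure for a large web root.
count_flagged_files() {
    scan_php "$1" | cut -d: -f1 | sort -u | wc -l | tr -d '[:space:]'
}

# Constructed sample web root: one clean file and two files shaped like the examples
# in section 3. The base64-looking string is filler ("QUFB" repeated), not a payload.
make_sample_webroot() {
    sample=$(mktemp -d)
    mkdir -p "$sample/includes"
    cat > "$sample/index.php" <<'EOF'
<?php
$executor = "ok";   // contains "exec" but is not a call, so it must not be flagged
echo htmlspecialchars($_GET['name'] ?? '', ENT_QUOTES, 'UTF-8');
?>
EOF
    cat > "$sample/includes/wso.php" <<'EOF'
<?php eval(base64_decode("QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"));
preg_replace('/.*/e', 'x', ''); ?>
EOF
    cat > "$sample/includes/hidden.php" <<'EOF'
<?php $x="base64_decode"; $y="eval"; $y($x("encoded code here")); ?>
EOF
    printf '%s\n' "$sample"
}

# Usage: sh scan_php.sh /var/www/html   (no argument: scan the constructed sample)
if [ -n "${1:-}" ]; then
    scan_php "$1"
else
    SAMPLE=$(make_sample_webroot)
    scan_php "$SAMPLE"
    rm -rf "$SAMPLE"
fi
```

Every hit still needs a human look: base64_decode() and exec() have legitimate uses in plugins and frameworks, so treat the output as a triage list, and extend the --include globs if your application stores PHP under other extensions.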

🔥 4. Check for Unauthorized File Permissions

Malware files are often set to 777 so that they can run without any restriction.

Check for insecure permissions
find /var/www/html -type f -perm 777

Check directories
find /var/www/html -type d -perm 777


Hii ni ishara ya backdoor.

🔥 5. Verify the Integrity of Core Files

This is especially important for:

WordPress

Joomla

Laravel

Custom PHP apps

▶️ WordPress Integrity Check (WP-CLI)
wp core verify-checksums


Ikiwa file limeguzwa, WordPress itakuambia.
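wp core verify-checksums only exists for WordPress. For the custom PHP apps listed above, here is an added example (not code from the original post) of the same idea with a self-made baseline: take a manifest of SHA-256 hashes right after a clean deploy, store it off the server, and later compare the live tree against it. The function names, the manifest format and the sample files are this example's own.

```shell
#!/bin/sh
# Added example (not code from the original post): baseline-and-compare integrity
# check for a custom PHP application, modelled on what wp core verify-checksums does.

# sha256sum is GNU coreutils; shasum -a 256 is the equivalent on BSD/macOS. Both print "hash  path".
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# make_baseline DIR MANIFEST: write one "hash  ./relative/path" line per file under DIR.
make_baseline() {
    src=$1
    out=$2
    ( cd "$src" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do hash_file "$f"; done ) > "$out"
}

# check_baseline DIR MANIFEST: print ADDED / REMOVED / MODIFIED lines, one per changed path.
# Paths containing whitespace are not handled by the awk field split; keep that in mind on odd trees.
check_baseline() {
    live=$1
    baseline=$2
    current=$(mktemp)
    make_baseline "$live" "$current"
    awk '
        NR == FNR { base[$2] = $1; next }        # first file: the stored baseline
        { cur[$2] = $1 }                          # second file: hashes of the live tree
        END {
            for (p in cur)  if (!(p in base))                    print "ADDED    " p
            for (p in base) if (!(p in cur))                     print "REMOVED  " p
            for (p in base) if ((p in cur) && base[p] != cur[p]) print "MODIFIED " p
        }' "$baseline" "$current" | sort
    rm -f "$current"
}

# Constructed demo: deploy three files, take the baseline, then simulate a compromise
# (one file edited, one backdoor-style file dropped, one file deleted) and report the diff.
demo_integrity_check() {
    root=$(mktemp -d)
    manifest=$(mktemp)
    printf '<?php echo "home";\n' > "$root/index.php"
    printf '<?php return ["db" => "localhost"];\n' > "$root/config.php"
    printf '<?php function helper() {}\n' > "$root/helper.php"
    make_baseline "$root" "$manifest"
    printf '<?php echo "home"; eval(base64_decode("constructed"));\n' > "$root/index.php"
    printf '<?php // constructed dropped file\n' > "$root/wso.php"
    rm -f "$root/helper.php"
    check_baseline "$root" "$manifest"
    rm -rf "$root" "$manifest"
}

# Usage on a real server (paths are placeholders):
#   make_baseline  /var/www/html /root/webroot.sha256   (right after a clean deploy)
#   check_baseline /var/www/html /root/webroot.sha256   (during an investigation)
demo_integrity_check
```

Keep the manifest somewhere the web server user cannot write, otherwise an attacker who drops a file can also rewrite the baseline to match it. Upload directories and caches change legitimately, so either exclude them from the baseline or expect ADDED lines there.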

🔥 6. Scan Using ClamAV (Malware Scanner)
clamscan -r /var/www/html --detect-pua=yes


Hii inatafuta:

PHP shells

Obfuscated code

Suspicious scripts

Malware signatures

🔥 7. Use Rkhunter to Detect Hidden Files
sudo rkhunter --check


Itakuonyesha files zilizojificha na backdoors.

🔥 8. Compare with Git (Best for Developers)

If you have a Git repository, you can see unauthorised changes.

Check Modified Files
git status

Compare Line-by-Line
git diff

This is the best way to identify:

Added code

Deleted code

Malicious injections

🧩 Common Signs of Suspicious Code
✔️ Code written on a single line
<?php eval(base64_decode(".....")); ?>

✔️ Random variable names
$kfj39d = "gzinflate";

✔️ Long encoded strings (base64, hex)
$code = "aWYoIWZ1bmN0aW9u...==";

✔️ Hidden iframes
<iframe src="malicious-site.com" style="display:none"></iframe>

✔️ Unexpected redirects
header("Location: http://bad-site.com");

🛡️ Conclusion

Identifying suspicious files is an essential step in protecting your website against malware. With a routine for checking new files, dangerous functions, permissions, and file integrity, you raise your security level considerably.

📞 Need Website Malware Cleanup or Security Hardening?

I can help you with:

Scanning your website

Removing malware

Blocking backdoors

Server hardening

Securing config files

📞 WhatsApp: https://wa.me/255693118509

🌐 Website: https://www.faulink.com