In 95% of the cases a hacker would deface the index.htm, index.php or index.html file in public_html and also “brag” about that by adding “Hacked by” somewhere. You can run the following script via cron on daily base to find out whether a index file in any user public_html directory was hacked or not.
Simply copy this code into a file, save it somewhere as hackers.sh, chmod 755 and run via cron daily.
code:
#!/bin/sh
for i in `cat /etc/trueuserdomains| awk {‘print $2’}`;
do grep –rl “Hacked” /home/$i/public_html/index.htm;
done | mail –s “Infected Files” your@emailaddress
for i in `cat /etc/trueuserdomains| awk {‘print $2’}`;
do grep –rl “Hacked” /home/$i/public_html/index.html;
done | mail –s “Infected Files” your@emailaddress
for i in `cat /etc/trueuserdomains| awk {‘print $2’}`;
do grep –rl “Hacked” /home/$i/public_html/index.php;
done | mail –s “Infected Files” your@emailaddress
