Hacked Sites: Difference between revisions

From My Wiki
Starting page
 
Scanning: more tricks

Revision as of 08:27, January 12, 2021

Scanning

1. If symlink protection isn't compiled in, check for cross-account symlinks.

find /home*/*/public_html -type l -exec ls -l {} \; > /root/symlinks &

2. Start scans in a screen.

3. Check for ModSec.

grep -i modsec /var/log/apache2/error_log | tail

If there are no recent errors, check to see if the rules RPM is installed. If it is installed, check these on cPanel servers:

cat /etc/apache2/conf.d/modsec/modsec2.cpanel.conf

If it's empty, WHM > Security Center > ModSecurity configuration. Change a radio button, then change it back to its original position, then save again to re-populate the file. If it's properly populated, check whitelists:

cat /etc/apache2/conf.d/modsec2/whitelist.conf
find /usr/local/apache/conf/userdata -type f -name "*.conf"

4. Check PHP version and handler for the site in WHM > MultiPHP Manager.

5. Check back on scans.

Symlinks

Since you scanned using the above command, you can check for the potentially hacked account with:

grep HACKEDACCOUNT /root/symlinks

Weed out the symlinks to files that don't exist:

 for i in $(grep HACKEDACCOUNT /root/symlinks | rev | cut -d ' '  -f1 | rev); do ls -1 $i 2>/dev/null; done

This will list what is in the last column and suppress the error output for ls, so you only get the files that actually exist in that account.
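The same check, written as a small script rather than a one-liner. This is an added example, not part of the wiki page: it assumes the page's layout of one home directory per account with a public_html inside it, takes the root of that tree as a parameter (so it can run against a constructed test tree as well as /home), drops dangling links the way the page's ls 2>/dev/null does, and reports only the symlinks whose target resolves into a different account's home. The make_test_tree helper builds a constructed tree with one cross-account link, one dangling link and one harmless same-account link.

```shell
#!/bin/sh
# Added example, not the wiki's own script. Layout assumed: <root>/<account>/public_html
# List symlinks under each account's public_html whose target exists and lives
# outside the owning account's home directory (i.e. cross-account symlinks).
find_cross_account_symlinks() {
    root=$(readlink -f "$1")            # canonical root so targets compare cleanly
    find "$root"/*/public_html -type l 2>/dev/null | while IFS= read -r link; do
        owner=${link#"$root"/}          # strip the root prefix ...
        owner=${owner%%/*}              # ... leaving the account name
        target=$(readlink -f "$link" 2>/dev/null) || continue
        [ -e "$target" ] || continue    # dangling link: skip, like ls 2>/dev/null on the page
        case "$target" in
            "$root/$owner"/*) ;;        # stays inside the owning account: not reported
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Constructed test tree (not real hosting data): alice has one link into bob's
# files, one dangling link, and bob has one same-account link.
make_test_tree() {
    root=$(readlink -f "$(mktemp -d)")
    mkdir -p "$root/alice/public_html" "$root/bob/public_html" "$root/bob/secret"
    printf 'db password here\n' > "$root/bob/secret/config.php"
    ln -s "$root/bob/secret/config.php" "$root/alice/public_html/cfg.php"   # cross-account
    ln -s ../index.html "$root/alice/public_html/self.html"                  # dangling
    printf 'x\n' > "$root/bob/public_html/a.php"
    ln -s a.php "$root/bob/public_html/b.php"                                # same account
    printf '%s\n' "$root"
}

# Usage: sh cross_symlinks.sh /home
if [ -n "${1:-}" ]; then
    find_cross_account_symlinks "$1"
fi
```

On a real server run it as find_cross_account_symlinks /home; the output is one line per offending link, link on the left and resolved target on the right, which is the same information the page's rev | cut | rev pipeline extracts from the ls -l column.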

Manual bad code search

If the scanners don't find anything, but if you also have a bad code snippet or URL, you can search for it with:

find /home/*/public_html -type f -exec grep -H "horriblehackersite.ru" {} \;

or:

grep -R <badcodesnippet> /home/$user/public_html/* | grep php > /root/badphp

Get a list of files from the results:

cut -d':' -f1 /root/badphp > /root/badphp_${user}_filelist

Stat them:

for file in $(cat /root/badphp_${user}_filelist); do stat "$file" >> badphp_$user.stats; done
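The search, file list and stat steps above, combined into one function. This is an added example, not the wiki's own procedure: it assumes the same inputs as the page (a docroot, a bad string such as horriblehackersite.ru, and an account name) but uses a fixed-string grep so the dots in a domain are not treated as wildcards, restricts the search to *.php files with find instead of a second grep, and reads the file list line by line so a path containing a space does not break the stat loop. The output directory is a parameter so it can be exercised on the constructed tree built by make_bad_code_tree; on a real server pass /root.

```shell
#!/bin/sh
# Added example, not the wiki's own script.
# bad_code_search DOCROOT NEEDLE USER OUTDIR
#   writes OUTDIR/badphp_USER_filelist (matching PHP files, one per line)
#   and    OUTDIR/badphp_USER.stats   (stat output for each of them)
#   and prints the number of matching files.
bad_code_search() {
    docroot="$1"; needle="$2"; user="$3"; outdir="$4"
    listfile="$outdir/badphp_${user}_filelist"
    statfile="$outdir/badphp_${user}.stats"
    # -F: fixed string, -l: print file names only; find restricts to PHP files.
    find "$docroot" -type f -name '*.php' -exec grep -lF -e "$needle" {} + \
        > "$listfile" 2>/dev/null || :
    : > "$statfile"
    # read -r line by line: safe for file names with spaces, unlike $(cat ...)
    while IFS= read -r file; do
        stat "$file" >> "$statfile"
    done < "$listfile"
    wc -l < "$listfile" | tr -d ' '
}

# Constructed test tree (not real site data): one clean PHP file, one PHP file
# in a nested plugin directory (name containing a space) that carries the bad
# string, and a text file that carries it but is not PHP.
make_bad_code_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/wp-content/plugins/x" "$root/out"
    printf '<?php echo "hello"; ?>\n' > "$root/public_html/index.php"
    printf '<?php // injected link to horriblehackersite.ru\n' \
        > "$root/public_html/wp-content/plugins/x/bad file.php"
    printf 'horriblehackersite.ru\n' > "$root/public_html/notes.txt"
    printf '%s\n' "$root"
}

# Usage: sh bad_code_search.sh /home/USER/public_html 'horriblehackersite.ru' USER /root
if [ $# -eq 4 ]; then
    bad_code_search "$@"
fi
```

The stat output is what you compare against the timeline of the compromise: a cluster of PHP files with the same modification time is usually the upload batch, and the list file feeds whatever cleanup or quarantine step follows.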