In preparation for migrating servers after an infiltration, we want to scrub our data and make sure it doesn't contain any malicious hacks or security holes.
To give you an idea of what I mean, here's a list (so far) of tests we'll run:
1) Compare each file against a keywords list of malicious keywords (eval, base64, iframe, viagra, etc.)
2) Scan over any file with more than one period (has been a symptom of hacked files in the past)
3) Pinpoint any files with excessively long names (another symptom)
Any ideas of things I should add to this list?
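The three heuristics listed in the question (keyword hits, more than one period in a file name, excessively long names), implemented as a triage scan over a directory tree. This is an added example, not code from the original post; the 64-character name threshold and the word-boundary rule around keywords are my assumptions, and the sample tree it builds is constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Keyword list taken from the question; the thresholds below are assumptions.
SUSPICIOUS_KEYWORDS = ("eval", "base64", "iframe", "viagra")
MAX_NAME_LEN = 64   # assumed: names longer than this are "excessively long"
MAX_DOTS = 1        # more than one period in a name is flagged
MAX_READ = 1 << 20  # only the first 1 MiB of each file is inspected

# Require a non-alphanumeric character before and a non-letter after the keyword,
# so "evaluate" and "retrieval" are ignored but "eval(" and "base64_decode" still hit.
KEYWORD_RE = re.compile(
    r"(?<![A-Za-z0-9])(?:" + "|".join(re.escape(k) for k in SUSPICIOUS_KEYWORDS) + r")(?![A-Za-z])",
    re.IGNORECASE,
)


def name_findings(name):
    """Heuristics 2 and 3: multiple periods and overly long file names."""
    findings = []
    if name.count(".") > MAX_DOTS:
        findings.append("multiple-periods")
    if len(name) > MAX_NAME_LEN:
        findings.append("long-name")
    return findings


def content_findings(path):
    """Heuristic 1: report each distinct keyword found in the file's leading bytes."""
    with open(path, "rb") as fh:
        text = fh.read(MAX_READ).decode("latin-1")  # latin-1 never raises on binary data
    hits = {m.group(0).lower() for m in KEYWORD_RE.finditer(text)}
    return ["keyword:" + k for k in sorted(hits)]


def scan_tree(root):
    """Return {relative_path: [findings]} for every regular file that triggers a heuristic."""
    root = Path(root)
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            if p.is_symlink() or not p.is_file():
                continue
            findings = name_findings(fn) + content_findings(p)
            if findings:
                results[p.relative_to(root).as_posix()] = findings
    return results


def build_sample_tree(root):
    """Constructed sample data: one clean file and four files that trip the heuristics."""
    root = Path(root)
    (root / "uploads").mkdir()
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")                 # clean
    (root / "cache.php.bak").write_text("<?php eval(base64_decode($_POST['x'])); ?>\n")
    (root / "uploads" / "image.jpg.php").write_text("<iframe src='http://example.invalid'></iframe>\n")
    (root / ("a" * 70 + ".php")).write_text("<?php // constructed filler ?>\n")
    (root / "README").write_text("buy viagra now\n")


def demo():
    """Build the constructed tree in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(f"{path}: {', '.join(findings)}")
```

Treat the output as a worklist, not a verdict: the keyword heuristic is noisy by design (legitimate code calls base64 routines too), so every hit still needs a human to look at the file, and a file that trips none of the three rules is not thereby clean.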
This is an "after the horse has run away" sort of suggestion, but this is an excellent reason to keep as much of your data as possible under some kind of version control -- it makes it trivial to (a) identify changes and (b) roll back to a known good point.
If you're regularly backing up your data (and if it's not too large), you can restore the data from a "known good" point in the past and then diff it against your active data; if your backups are relatively frequent and your legitimate changes are not, this is a good way of figuring out what files, if any, were modified as part of the infiltration.
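The "diff the active data against a known-good restore" step from this answer, as an added example that is not part of the original post: each tree is walked, every regular file is hashed with SHA-256, and the two maps are compared to list added, removed and modified files. The two sample trees it builds are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files are out of scope here
            h = hashlib.sha256()
            with p.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[p.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_trees(known_good, current):
    """Compare a restored known-good tree with the active tree by content hash."""
    good = hash_tree(known_good)
    cur = hash_tree(current)
    common = set(good) & set(cur)
    return {
        "added": sorted(set(cur) - set(good)),        # only in the active tree
        "removed": sorted(set(good) - set(cur)),      # only in the known-good tree
        "modified": sorted(p for p in common if good[p] != cur[p]),
    }


def build_sample_trees(good_root, cur_root):
    """Constructed sample data: a known-good restore and an active tree that drifted from it."""
    good_root, cur_root = Path(good_root), Path(cur_root)
    for root in (good_root, cur_root):
        (root / "lib").mkdir()
        (root / "lib" / "db.php").write_text("<?php // unchanged library ?>\n")
    (good_root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (good_root / "robots.txt").write_text("User-agent: *\n")
    # Active tree: index.php has an appended line, robots.txt is gone, a new file appeared.
    (cur_root / "index.php").write_text("<?php echo 'hello'; ?>\n<!-- constructed: appended line -->\n")
    (cur_root / "uploads").mkdir()
    (cur_root / "uploads" / "x.php").write_text("<?php /* constructed placeholder */ ?>\n")


def demo():
    """Build both constructed trees in temp dirs and return the diff."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as cur:
        build_sample_trees(good, cur)
        return diff_trees(good, cur)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Comparing content hashes rather than modification times matters here: timestamps are trivially rewritten, while a changed hash cannot be hidden without also restoring the original bytes. Files in the "added" and "modified" lists are the ones to review by hand; files identical to the known-good copy can be skipped, provided the backup itself predates the compromise.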
If you have Windows in your environment, I'd scan the files with the free version of Malwarebytes' Anti-Malware.
I'd suggest running both Clamscan and Linux Malware Detect (LMD) against it. Between them, you should catch the majority of common malicious code.
Of course, if your attacker custom coded something, nothing short of a manual review of every file is going to catch it.