Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

Posted: Wed Dec 11, 2013 8:09 pm

I have been developing a module which is intended to provide a range of different functions but one in particular, is the ability to scan the website files looking for malicious strings, typical of files infected with malware.

The problem I am having is that some malware strings I'm searching for appear legitimately in a few files and I wanted to garner feedback from the community of what they would prefer to happen in this situation.

I could create a 'whitelist' of these (around a dozen) files and exempt them from being scanned, or just leave it so they will always be shown as 'potential malware'.
I know most file names are reasonably unique BUT there are several index.html files marked as potential malware (because they are decoding obfuscated JS).

The problem is that on the one hand, users might be alarmed at seeing perfectly safe files being noted as 'potential malware', but on the other hand, if they become exempt from the scan, they wouldn't warn the webmaster that there may be a problem if they do become infected with malware (and would those files then become targets because they are known to be exempt?).

Your thoughts, ladies and gents.......
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

Posted: Thu Dec 12, 2013 5:27 am

Whitelist is dangerous in this case.

Weren't you working on a way to identify when files are changed?

_________________
I google, therefore I exist...
Guardian2003
Posted: Thu Dec 12, 2013 7:18 am

Yes, I am currently using 2 separate routines; one checks for file changes and one checks files for potentially dangerous strings.
I have kept them separate for a number of reasons; I'm trying to keep the amount of code loaded to a minimum and also make maintenance (in terms of action-specific code tweaks) a little easier in the future. Most importantly, I wanted/need to try and keep the malware scan functionality isolated as much as I can because I am aiming to have the ability for the malware scanning to be run via a cron job, just in case a site becomes unusable in the conventional sense.

However, now I have actually managed to get the first good night's sleep in weeks, I'm thinking maybe instead of whitelisting the known existing files that are tripping the malware scanner I could change some of my code to lower the threat level.
I'm currently building a 'report' with the following information:
path to file - file name - threat level
At the moment, the threat levels are rated Low, Medium, High, but maybe I can add 'Low - Known' and use that against files which are currently triggering the malware scan.
 
kguske
Posted: Thu Dec 12, 2013 7:22 am

Nice!
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

Posted: Sun Dec 15, 2013 7:34 am

Probably too much extra code, but you could potentially let the admin mark these as "safe", but not necessarily whitelist them. When they come up again, they could potentially have a different color & text associated with them to highlight their previous "assignment". You could also, on just these exceptions, do a quick file compare check to see if the file has changed... if so, the threat level could be raised really high on it...

Guardian2003
Posted: Sun Dec 15, 2013 12:18 pm

At the moment, there is a hard-coded array of files that are known to be false positives (there are not too many) and when the scan runs, it compares the file being read to the 'known' array list. I'm using an arbitrary threat level assessment for different malicious strings, so in the case where a file is known to contain a string that is deemed harmful, I'm simply changing the threat level to show "Low Threat - known false positive" in green text.
The malware scanner will now also run via CRON directly and send an HTML email with the results. I'll forward you the last email so you can see how it's working, since I'm already running it via a cron job.

The file compare utility runs independently of the malware scanner, but I can see where it might be useful to do a double check as you suggest by checking files that are in the 'known' list for changes and raising the threat level back up. I'll definitely look into that and see if it can be achieved without too much extra resource usage.
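The scheme discussed in this exchange (a hard-coded known-false-positive list that lowers the threat level, combined with montego's suggestion of raising it again if such a file has changed), as an added PHP example that is not the module's own code. The patterns, paths and the stored crc32 value are constructed placeholders, and the function names are hypothetical.

```php
<?php
// Added example, not the module's own code. Flags files matching suspicious
// patterns; hits in the known-false-positive list stay "Low" only while the
// file's crc32 still matches the value recorded when the admin marked it safe.
$patterns = [ // pattern => arbitrary base threat level
    '/eval\s*\(\s*base64_decode\s*\(/i'        => 'High',
    '/eval\s*\(\s*gzinflate\s*\(/i'            => 'High',
    '/document\.write\s*\(\s*unescape\s*\(/i'  => 'Medium',
];
$knownFalsePositives = [ // relative path => crc32b hex at the time it was marked safe
    'modules/Example/index.html' => '00000000', // placeholder values, not real data
];

function rankMax(?string $a, string $b): string {
    $order = ['Low' => 1, 'Medium' => 2, 'High' => 3];
    return ($a === null || $order[$b] > $order[$a]) ? $b : $a;
}

function scanFile(string $root, string $rel, array $patterns, array $known): ?array {
    $contents = @file_get_contents("$root/$rel");
    if ($contents === false) { return null; }
    $level = null;
    foreach ($patterns as $re => $threat) {
        if (preg_match($re, $contents)) { $level = rankMax($level, $threat); }
    }
    if ($level === null) { return null; } // nothing suspicious in this file
    if (isset($known[$rel])) {
        // Known false positive: only exempt while the file is unchanged.
        $level = hash('crc32b', $contents) === $known[$rel]
            ? 'Low Threat - known false positive'
            : 'High Threat - known file has changed since it was marked safe';
    }
    return ['path' => dirname($rel), 'file' => basename($rel), 'threat' => $level];
}

function scanTree(string $root, array $patterns, array $known): array {
    $report = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if (!preg_match('/\.(php|html?|js)$/i', $file->getFilename())) { continue; }
        $rel = ltrim(substr($file->getPathname(), strlen($root)), '/\\');
        if ($row = scanFile($root, $rel, $patterns, $known)) { $report[] = $row; }
    }
    return $report;
}

// Run from the module or a cron job: php scan.php /path/to/site
print_r(scanTree(rtrim($argv[1] ?? '.', '/'), $patterns, $knownFalsePositives));
```

The report rows carry the same three fields as the thread's report (path, file name, threat level), so the cron run can email them unchanged.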
 
Guardian2003
Posted: Sat Dec 28, 2013 5:49 pm

I'm now looking for a small number of volunteers to alpha test the module and maybe suggest improvements / minor enhancements. I would very much like to make a free public release in January if possible.
Current functionality:
Install module or 'system' tables - specific 'installer' files are required but samples/examples will be provided

Remove module or 'system' tables - as above
Check dependencies of a module or 'system' - current tests include; PHP version, writeable dirs, writeable files and in the case of modules, tests module has been uploaded

Checks for module version update availability - same routine caters for 'system' version updates

Malware scanning - runs within the module and can also be run via Cron

File change scanning - independently tracks any file changes (based on crc32 hash of file). Currently only works within the module as data is stored in the DB.

IP2C converter - converts the license-free IP2C (CSV file) data from Maxmind and inserts it into the DB. Further small work is required to make it NS compatible, but I haven't gone there as I don't know if/what changes are in store for NS, especially with regard to IPv4/IPv6 usage. So the functionality is there, it just isn't accessible from the module's menu.
 
neralex
The Mouse Is Extension Of Arm


Joined: Aug 22, 2007
Posts: 1296
Location: Germany

Posted: Sun Dec 29, 2013 1:48 am

Sounds cool, I would test it for you when you need my help, and when I can install it on a local system like WAMP, too.
hicuxunicorniobestbuildpc
Life Cycles Becoming CPU Cycles


Joined: Aug 13, 2009
Posts: 967
Location: Netherland

Posted: Sun Dec 29, 2013 8:44 am

Count on me. I am willing to help u. Thanks in advance!!!!
kguske
Posted: Mon Dec 30, 2013 1:52 am

Hopefully the site upgrade goes smoothly and I will have time to test, too. I even saved some malware from previous hacks....
 
Guardian2003
Posted: Mon Dec 30, 2013 7:33 pm

kguske wrote:
Hopefully the site upgrade goes smoothly and I will have time to test, too. I even saved some malware from previous hacks....

That would be great! I'm currently only looking for a couple of well-known exploits, so anything I can add to the sniffer would be great!
 
hicuxunicorniobestbuildpc
Posted: Tue Dec 31, 2013 4:11 am

Here you can find all kinds of exploits for PHP, phpBB, WordPress, etc.:

http://www.exploit-db.com/platform/?p=php
 
Guardian2003
Posted: Tue Dec 31, 2013 7:45 am

hicuxunicorniobestbuildpc wrote:
Here you can find all kinds of exploits for PHP, phpBB, WordPress, etc.:
http://www.exploit-db.com/platform/?p=php

I think you have misunderstood what the malware scanner does. I'm not looking at arguments passed into a URI string for XSS, CSRF or other attacks/exploits.
In some cases, servers themselves become compromised, or an exploit is found in other software running on a server that allows a third party to alter or upload malicious code on YOUR website. Clearly we cannot monitor what is happening on some other user's account on a shared server, so I'm physically reading every single file for certain code patterns which they like to place into the victim's account.
 