Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Wed Dec 11, 2013 8:09 pm
I have been developing a module which is intended to provide a range of different functions, but one in particular is the ability to scan the website files looking for malicious strings typical of files infected with malware.
The problem I am having is that some malware strings I'm searching for appear legitimately in a few files, and I wanted to garner feedback from the community on what they would prefer to happen in this situation.
I could create a 'whitelist' of these (around a dozen) files and exempt them from being scanned, or just leave it so they will always be shown as 'potential malware'.
I know most file names are reasonably unique BUT there are several index.html files marked as potential malware (because they are unencoding obfuscated JS).
The problem is that on the one hand, users might be alarmed at seeing perfectly safe files being noted as 'potential malware', but on the other hand, if they become exempt from the scan, they wouldn't warn the webmaster that there may be a problem if they do become infected with malware (and would those files then become targets because they are known to be exempt?).
Your thoughts, ladies and gents.......
kguske
Site Admin
Joined: Jun 04, 2004
Posts: 6437
Posted: Thu Dec 12, 2013 5:27 am
Whitelist is dangerous in this case.
Weren't you working on a way to identify when files are changed?
Guardian2003
Posted: Thu Dec 12, 2013 7:18 am
Yes, I am currently using 2 separate routines; one checks for file changes and one checks files for potentially dangerous strings.
I have kept them separate for a number of reasons; I'm trying to keep the amount of code loaded to a minimum and also make maintenance (in terms of action-specific code tweaks) a little easier in the future. Most importantly, I wanted/need to try and keep the malware scan functionality isolated as much as I can because I am aiming to have the ability for the malware scanning to be run via a cron job, just in case a site becomes unusable in the conventional sense.
However, now I have actually managed to get the first good night's sleep in weeks, I'm thinking maybe instead of whitelisting the known existing files that are tripping the malware scanner I could change some of my code to lower the threat level.
I'm currently building a 'report' with the following information:
path to file - file name - threat level
At the moment, the threat levels are rated Low, Medium, High, but maybe I can add 'Low - Known' and use that against files which are currently triggering the malware scan.
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Sun Dec 15, 2013 7:34 am
Probably too much extra code, but you could potentially let the admin mark these as "safe", but not necessarily whitelist them. When they come up again, they could potentially have a different color & text associated with them to highlight their previous "assignment". You could also, on just these exceptions, do a quick file compare check to see if the file has changed... if so, the threat level could be raised really high on it...
Guardian2003
Posted: Sun Dec 15, 2013 12:18 pm
At the moment, there is a hard-coded array of files that are known to be false positives (there are not too many) and when the scan runs, it compares the file being read to the 'known' array list. I'm using an arbitrary threat level assessment for different malicious strings, so in the case where a file is known to contain a string that is deemed harmful, I'm simply changing the threat level to show "Low Threat - known false positive" in green text.
The malware scanner will now also run via CRON directly and send an HTML email with the results. I'll forward you the last email so you can see how it's working, since I'm already running it via a cron job.
The file compare utility runs independently of the malware scanner, but I can see where it might be useful to do a double check as you suggest by checking files that are in the 'known' list for changes and raising the threat level back up. I'll definitely look into that and see if it can be achieved without too much extra resource usage.
Guardian2003
Posted: Sat Dec 28, 2013 5:49 pm
I'm now looking for a small number of volunteers to Alpha test the module and maybe suggest improvements / minor enhancements. I would very much like to make a free public release in January if possible.
Current functionality:
Install module or 'system' tables - specific 'installer' files are required but samples/examples will be provided
Remove module or 'system' tables - as above
Check dependencies of a module or 'system' - current tests include: PHP version, writable dirs, writable files and, in the case of modules, a test that the module has been uploaded
Checks for module version update availability - the same routine caters for 'system' version updates
Malware scanning - runs within the module and can also be run via Cron
File change scanning - independently tracks any file changes (based on a crc32 hash of the file). Currently only works within the module as data is stored in the DB.
IP2C converter - converts the license-free IP2C (CSV file) data from Maxmind and inserts it into the DB. Further small work is required to make it NS compatible, but I have not gone there as I don't know if/what changes are in store for NS, especially with regard to IPv4/IPv6 usage. So the functionality is there, it just isn't accessible from the module's menu.
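An added worked example in PHP (the module's language) of the combination discussed in this thread: montego's suggestion of a file-compare check on the known false positives, Guardian2003's "Low Threat - known false positive" reporting, and the crc32-based file change tracking from the feature list above. This is not Guardian2003's module code; the pattern list, threat levels, directory layout, file contents and the `scanFile`/`scanTree` names are all constructed for illustration.

```php
<?php
// Added example, not the module's own code. A file is reported as
// "path to file - file name - threat level" when it contains one of the
// suspicious strings. A hard-coded list of known false positives is only
// honoured while the file still matches its recorded crc32 hash; once a
// "known" file changes, its threat level is raised instead of lowered.

// Suspicious strings with an arbitrary threat level each (illustrative,
// not a complete signature set). The unescape() entry mirrors the thread's
// index.html files that unencode obfuscated JS.
const PATTERNS = [
    'eval of base64_decode output' => ['/eval\s*\(\s*base64_decode\s*\(/i', 'High'],
    'eval of gzinflate output'     => ['/eval\s*\(\s*gzinflate\s*\(/i',     'High'],
    'unescape of packed JS'        => ['/unescape\s*\(/i',                   'Medium'],
];

const LEVEL_RANK = ['None' => 0, 'Low' => 1, 'Medium' => 2, 'High' => 3];

// crc32b of a file, matching the thread's crc32-based change tracking.
function fileCrc32(string $path): string
{
    return hash_file('crc32b', $path);
}

// Scan one file. $known maps relative path => crc32b of the copy that was
// reviewed and accepted as a false positive. Returns null if nothing matched.
function scanFile(string $root, string $relative, array $known): ?array
{
    $contents = file_get_contents("$root/$relative");
    if ($contents === false) {
        return null;
    }
    $level = 'None';
    $hits  = [];
    foreach (PATTERNS as $name => [$regex, $patternLevel]) {
        if (preg_match($regex, $contents) === 1) {
            $hits[] = $name;
            if (LEVEL_RANK[$patternLevel] > LEVEL_RANK[$level]) {
                $level = $patternLevel;
            }
        }
    }
    if ($hits === []) {
        return null;
    }
    if (isset($known[$relative])) {
        // A known false positive stays "known" only while unchanged; a change
        // to an exempted file is treated as more suspicious, not less.
        $level = fileCrc32("$root/$relative") === $known[$relative]
            ? 'Low - known false positive'
            : 'High - known file has changed';
    }
    return ['path' => dirname($relative), 'file' => basename($relative),
            'level' => $level, 'hits' => $hits];
}

// Walk a directory tree and collect a report row for every matching file.
function scanTree(string $root, array $known): array
{
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        $relative = substr($file->getPathname(), strlen($root) + 1);
        $row = scanFile($root, $relative, $known);
        if ($row !== null) {
            $report[$relative] = $row;
        }
    }
    ksort($report);
    return $report;
}

// --- demo on constructed files in a temporary directory ---
$root = sys_get_temp_dir() . '/scan_demo_' . getmypid();
mkdir("$root/js", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/index.php", "<?php echo 'hello';\n");               // clean file
file_put_contents("$root/js/packer.js", "eval(unescape('%61%62%63'));\n");   // legitimate packed JS
file_put_contents("$root/uploads/x.php", "<?php eval(base64_decode('QUJD'));\n"); // constructed suspicious file

// Baseline: js/packer.js has been reviewed and accepted as a false positive.
$known = ['js/packer.js' => fileCrc32("$root/js/packer.js")];

foreach (scanTree($root, $known) as $row) {
    printf("%s - %s - %s (%s)\n",
        $row['path'], $row['file'], $row['level'], implode(', ', $row['hits']));
}

// The "known" file is later modified, so its exemption no longer applies.
file_put_contents("$root/js/packer.js", "eval(gzinflate('...'));\n", FILE_APPEND);
$row = scanFile($root, 'js/packer.js', $known);
echo "after change: {$row['path']} - {$row['file']} - {$row['level']}\n";
```

Run it with `php scanner.php` (any file name). On the first pass the packed JS file is reported at the lowered "known" level while the uploaded file is reported High; after the known file is appended to, the same scan raises it rather than hiding it, which addresses the original worry that exempted files become attractive targets.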
neralex
Site Admin
Joined: Aug 22, 2007
Posts: 1775
Posted: Sun Dec 29, 2013 1:48 am
Sounds cool, I would test it for you when you need my help and when I can install it on a local system like WAMP, too.
hicuxunicorniobestbuildpc
The Mouse Is Extension Of Arm
Joined: Aug 13, 2009
Posts: 1123
Posted: Sun Dec 29, 2013 8:44 am
Count on me. I am willing to help you. Thanks in advance!!!!
kguske
Posted: Mon Dec 30, 2013 1:52 am
Hopefully the site upgrade goes smoothly and I will have time to test, too. I even saved some malware from previous hacks....
Guardian2003
Posted: Mon Dec 30, 2013 7:33 pm
kguske wrote:
> Hopefully the site upgrade goes smoothly and I will have time to test, too. I even saved some malware from previous hacks....

That would be great! I'm currently only looking for a couple of well known exploits so anything I can add to the sniffer would be great!
hicuxunicorniobestbuildpc
Posted: Tue Dec 31, 2013 4:11 am
Here you can find all kinds of exploits for PHP, phpBB, WordPress, etc.:
Code: http://www.exploit-db.com/platform/?p=php
Guardian2003
Posted: Tue Dec 31, 2013 7:45 am
hicuxunicorniobestbuildpc wrote:
> Here you can find all kinds of exploits for PHP, phpBB, WordPress, etc.:
> Code: http://www.exploit-db.com/platform/?p=php

I think you have misunderstood what the malware scanner does. I'm not looking at arguments passed into a URI string for XSS, CSRF or other attacks/exploits.
In some cases, servers themselves become compromised, or an exploit is found in other software running on a server that allows a third party to alter or upload malicious code on YOUR website. Clearly we cannot monitor what is happening on some other user's account on a shared server, so I'm physically reading every single file for certain code patterns which they like to place into the victim's account.