Malicious scripts. How to search for malicious code without antiviruses and scanners

Another obvious sign of danger is the "+" symbol inside the tag. There is no such thing in scriptless html. If pluses are found inside the tags, we ruthlessly block the message.

A well-intentioned site user who adds a comment using a visual editor will never resort to encryption with symbolic primitives inside html tags. The use of symbolic primitives in tags does not give any benefits in the form of additional expressive means, it only requires additional writing time. In most cases, one must think, a well-intentioned user does not even know that there are some character primitives in html. Hence the rule: the ampersand inside the tag is proof of an attack on the site. Accordingly, if we see this, then we block the message.

A similar rule should be adopted for the "%" character, which can be used in url encoding. However, percentages are also used in "pure" html - to set the relative sizes of elements. Dangerous combinations are those in which the "%" sign is immediately followed by a letter or number.

Unlike JavaScript interpreters in browsers, the php interpreter on the server does not take liberties when writing program text. Therefore, to neutralize a possible server script, it is enough to make a through replacement in the user's html message of all characters that are essential when writing a php program with their html primitives. First of all, dollar signs and underscore, dot, round, square and curly brackets, plus and minus signs, backslash sign are subject to replacement.

$message is the html message received from the visual editor to the server.

// remember the length of the message $lenmessage = strlen($message); // cut out the comment tag $message = preg_replace("//", "", $message); // cut each tag where the "src" attribute refers to an external resource $message = preg_replace("/]+?src[\w\W]+\/\/[^>]+?>/i", " ", $message); // cut every tag that has any character except: - a-z 0-9 / . : ; " = % # space $message = preg_replace("/]+[^->a-z0-9\/\.\:\;\"\=\%\#\s]+[^>]+?> /i", "", $message); // cut each tag that contains the sequence ". a-z =" $message = preg_replace("/]+?\.+?\=[^>]+?>/i", "", $message); // cut every tag that has the sequence "% a-z" or "% 0-9" $message = preg_replace("/]+?\%+?[^>]+?>/i", "", $ message); // strip each tag that contains the sequence "script" or "js:" $message = preg_replace("/]*?script[^>]*?>/i", "", $message); $message = preg_replace("/]*?js:[^>]*?>/i", "", $message); // strip every tag that starts with a character other than "a-z" or "/" $message = preg_replace("/]*?>/i", "", $message); // check: if the message is shortened, then terminate the program $lenmessage2 = strlen($message); if ($lenmessage != $lenmessage2) ( print "Message could not be added"; exit; ) // end-to-end replacement of dangerous characters with their corresponding primitives $message = str_replace("$", "$", $message); $message = str_replace("_", "_", $message); $message = str_replace(".", ".", $message); $message = str_replace(chr(92), "\", $message); // \ $message = str_replace("(", "(", $message); $message = str_replace(")", ")", $message); $message = str_replace("[", "[", $message); $message = str_replace("]", "]", $message); $message = str_replace("(", "(", $message); $message = str_replace(")", ")", $message); $message = str_replace("?", "?", $message); // now the message has been checked, the scripts in it have been rendered harmless

Note that the filter does not remove paired tags. Let's say we got
click here!
The filter will cut out only , but the paired (closing) tag will remain. If you send messages that have tags without their corresponding pairs to the browser, a nuisance is possible in the form of a "skewed" site. It is not known, after all, to which opening tag the browser will match the closing tag left without a pair. Therefore, and also for security reasons, messages in which something is cut out by the filter should not be sent to the browser at all. It's better to print something like "Message could not be added" and terminate the program.

The message is supposed to be written to a file (not to a database).

I will be grateful for criticism. Write to the support forum, to the section

The truth of life is that the site can be hacked sooner or later. After successfully exploiting the vulnerability, the hacker tries to gain a foothold on the site by placing hacker web shells, loaders in the system directories and injecting backdoors into the script code and the CMS database.

Scanners help detect downloaded web shells, backdoors, phishing pages, spam mailers and other types of malicious scripts - everything that they know and is pre-added to the malware signature database. Some scanners, such as AI-BOLIT, have a set of heuristics that can detect files with suspicious code, which is often used in malicious scripts, or files with suspicious attributes that can be downloaded by hackers. But, unfortunately, even in the case of using several scanners on the hosting, situations are possible when some hacker scripts remain undetected, which actually means that the attacker still has a “back door” and he can hack the site and gain full control over it at any time. moment.

Modern malicious and hacker scripts are significantly different from those that were 4-5 years ago. Malicious code developers are now combining obfuscation, encryption, decomposition, external loading of malicious code, and other tricks to trick antivirus software. Therefore, the probability of missing new “malware” is much higher than before.

What can be done in this case to more effectively detect viruses on the site and hacker scripts on the hosting? It is necessary to use an integrated approach: initial automated scanning and further manual analysis. This article will focus on options for detecting malicious code without scanners.

First, consider what exactly you should look for when hacking.

So, suppose that you have already checked the files on the hosting and the database dump with scanners, but they did not find anything, and the virus is still on the page or the mobile redirect continues to work when the pages are opened. How to search further?

On unix, it's hard to find a more valuable pair of commands for finding files and fragments than find / grep.

find. -name ‘*.ph*’ -mtime -7

will find all files that have been modified in the last week. Sometimes hackers "twist" the modification date of scripts so as not to detect new scripts in this way. Then you can search for php/phtml files that have changed attributes

find. -name ‘*.ph*’ -ctime -7

If you need to find changes in some time interval, you can use the same find

find. -name ‘*.ph*’ -newermt 2015-01-25 ! -newermt 2015-01-30 -ls

grep is indispensable for searching files. It can search recursively through the files for the specified fragment

grep -ril ‘stummann.net/steffen/google-analytics/jquery-1.6.5.min.js’ *

When hacking a server, it's useful to analyze files that have the guid/suid flag set

find / -perm -4000 -o -perm -2000

To determine which scripts are currently running and loading the hosting CPU, you can call

lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ‘ ( if(!str) ( str= ) else ( str=str","))END(print str)'` | grep vhosts | grep php

Web server, mail service and FTP logs can be used to detect malicious and hacker scripts.

• Correlation of the date and time when the email was sent (which can be found from the mail server log or the service header of the spam email) with requests from the access_log helps to identify the method of sending spam or find the script of the spam sender.

• Analysis of the FTP xferlog transfer log allows you to understand which files were downloaded at the time of the hack, which ones were changed and by whom.

• In a properly configured mail server log or in the service header of a spam email, if PHP is configured correctly, there will be a name or full path to the sender script, which helps to determine the source of spam.

• Based on the proactive protection logs of modern CMS and plugins, it is possible to determine which attacks were carried out on the site and whether the CMS was able to resist them.

• By access_log and error_log, you can analyze the actions of a hacker if the names of the scripts that he called, the IP address or the User Agent are known. As a last resort, you can view POST requests on the day the site was hacked and infected. Often, the analysis allows you to find other hacker scripts that were downloaded or were already on the server at the time of the hack.

It is much easier to analyze a hack and look for malicious scripts on a site if you take care of its security in advance. The integrity check procedure helps to detect changes in the hosting in a timely manner and determine the fact of hacking. One of the easiest and most effective ways is to put the site under version control (git, svn, cvs). If you correctly configure .gitignore, then the change control process looks like a call to the git status command, and the search for malicious scripts and changed files is git diff.

Also, you will always have a backup copy of the files, to which you can “roll back” the site in a matter of seconds. Server administrators and advanced webmasters can use inotify, tripwire, auditd, and other mechanisms to keep track of file and directory accesses and monitor changes to the file system.

Unfortunately, it is not always possible to set up a version control system or third-party services on the server. In the case of shared hosting, it will not be possible to install a version control system and system services. But it does not matter, there are quite a lot of ready-made solutions for CMS. On the site, you can install a plugin or a separate script that will track changes in files. Some CMS have already implemented effective change monitoring and integrity check mechanism (for example, in Bitrix, DLE). As a last resort, if the hosting has ssh, you can create a reference snapshot of the file system with the command

The promotion is valid until the end of the month.

When you activate the "Site under supervision" service for one site, the second one on the same account is connected free of charge. Subsequent sites on the account - 1500 rubles per month for each site.

Malicious code enters the site through negligence or malicious intent. The purpose of the malicious code is different, but, in essence, it harms or interferes with the normal operation of the site. To remove malicious code on WordPress, you must first find it.

In appearance, most often, malicious code is a set of letters and symbols of the Latin alphabet. In fact, this is an encrypted code by which one or another action is performed. Actions can be very different, for example, your new posts are immediately published on a third-party resource. In essence, this is the theft of your content. Codes also have other “tasks”, for example, placing outgoing links on site pages. Tasks can be the most sophisticated, but one thing is clear that malicious codes need to be hunted down and removed.

There are also many loopholes for getting codes to the site.

I’ll note right away that the fight against such viruses is difficult, and manual removal requires knowledge. There are three solutions to the problem: the first solution is to use antivirus plugins, for example, a plugin called BulletProof Security.

This solution gives good results, but it takes time, albeit a little. There is a more radical solution, getting rid of malicious codes, including complex viruses, is to restore the site from pre-made backup copies of the site.

Since a good webmaster does it periodically, it will be possible to roll back to a non-infected version without any problems. The third solution is for the rich and lazy, just contact a specialized "office" or an individual specialist.

It is important to understand that malicious WordPress code can be in any site file, and not necessarily in the working theme. It can be brought in with a plugin, with a theme, with "home-made" code taken from the Internet. There are several ways to try to find malicious code.

Method 1. Manually. Scroll through all the files of the site and compare them with the files of an uninfected backup. Find someone else's code - delete it.

Method 2: Using WordPress security plugins. For example, . This plugin has a great feature, scanning site files for the presence of someone else's code, and the plugin does a great job with this task.

Method 3. If you have reasonable hosting support, and it seems to you that the site is “foreign”, ask them to scan your site with their antivirus. Their report will list all infected files. Next, open these files in a text editor and remove the malicious code.

Method 4. If you can work with SSH access to the site directory, then go ahead, there is a kitchen.

Important! Regardless of how you look for malicious code, before searching and then deleting the code, block access to site files (enable maintenance mode). Remember about the codes that are themselves restored when they are deleted.

There is an eval function in php. It allows you to execute any code in its line. Moreover, the code can be encoded. It is because of the encoding that the malicious code looks like a set of letters and symbols. There are two popular encodings:

Accordingly, in these encodings, the eval function looks like this:

• eval(base64_decode(...))
• eval (str_rot13 (...)) //in internal quotes, long incomprehensible sets of letters and symbols..

The algorithm for searching for malicious code by the eval function is as follows (we work from the administrative panel):

• go to the site editor (Appearance→Editor).
• copy the functions.php file.
• open it in a text editor (for example, Notepad++) and search for the word: eval .
• if found, do not rush to delete anything. It is necessary to understand what this function “asks” to execute. To understand this, the code needs to be decoded. For decoding there are online tools called decoders.

Decoders work simply. Copy the code to be decrypted, paste it into the decoder field and decode.

At the time of this writing, I have not found any encrypted code found in WordPress. Found the code from the Joomla site. In principle, there is no difference for understanding decoding. We look at the photo.

As you can see in the photo, the eval function, after decoding, did not display a terrible code that threatens the security of the site, but an encrypted link of the copyright, the author of the template. You can delete it too, but it will come back after updating the template if you don't use .

In conclusion, I will note in order not to get a virus on the site:

• Malicious code in WordPress often comes with themes and plugins. Therefore, do not install templates and plugins from “left”, unverified resources, and if you install them, carefully pump them over for the presence of links and php executive functions. After installing plugins and themes from "illegal" resources, check the site with antiviruses.
• Be sure to make periodic backups and perform others.