Evaluation of PHP security tools
Going through https://geekflare.com/php-security-scanner/, primarily using staruser01 and dashboard1 for testing and illustrative purposes. staruser01 is NOT an externally visible webserver - it is just a test system/playground for projects like this and has only trivial web content, so its use is primarily for going through installation and basic usage, while dashboard1 IS a production, externally-visible webserver, though with relatively little content compared to dean and sun, where use of these tools at anywhere near "full power" is likely to require much more time.
Without further ado...
1) PMF (PHP Malware Finder)
https://github.com/nbs-system/php-malware-finder/ and https://www.nbs-system.com/en/it-security/it-security-tools-open-source/php-malware-finder/
1a) Getting and installing:
This tool depends on YARA (YARA: Another Recursive Acronym, or Yet Another Ridiculous Acronym, at https://virustotal.github.io/yara/). YARA is a utility for defining malware patterns or families, usually for the purpose of scanning files for matching content. The YARA download was not working on 04/02/2020, but checking again on 04/06/2020, it is working. Untar the download and then:
[wbetts@staruser01 yara-3.11.0]$ ./build.sh
That doesn't install anything in any system directories, but produces two executables, yara and yarac. yara is the main executable, and yarac is a compiler for YARA rules.
Oops, turns out yara is available as an rpm from EPEL, so instead:
yum install yara python2-yara
python2-yara isn't necessary unless one wishes to generate whitelists with PMF's included tool to do exactly that, but more on that below. Now back to PMF proper...
git clone https://github.com/jvoisin/php-malware-finder.git
1b) Usage and sample of findings on dashboard1
It has a bash shell script, phpmalwarefinder, and php.yar with rules for some well-known malware kits (or tools that can be used as malware). There's no installer per se; just go into the directory that git creates, and voila, everything you need is there. Usage can be as simple as
[wbetts@staruser01 php-malware-finder]$ ./phpmalwarefinder /var/www
Of course the user executing it needs read access to /var/www (or whatever directory is given to be scanned).
It is also worth noting that PMF has several whitelists included, such as phpmyadmin.yar and drupal.yar, to name a couple that are potentially relevant to STAR. I have not explored the whitelisting aspect yet, but it is likely to come in handy.
An example execution from dashboard1:
[root@dashboard1 php-malware-finder]# ./phpmalwarefinder /var/www/
./php.yar(95): warning: $pr contains .* or .+, consider using .{,N} or .{1,N} with a reasonable value for N
ObfuscatedPhp /var/www/html/racktables/index.php
ObfuscatedPhp /var/www/html/racktables-0.20.10/index.php
DodgyStrings /var/www/html/racktables/inc/database.php
DangerousPhp /var/www/html/racktables/inc/functions.php
DangerousPhp /var/www/html/racktables/inc/dictionary.php
DangerousPhp /var/www/html/racktables-0.20.10/inc/functions.php
DodgyStrings /var/www/html/racktables-0.20.10/inc/database.php
DodgyStrings /var/www/html/racktables-0.20.10/inc/interface.php
NonPrintableChars /var/www/html/daq/dcs_1.tar
ObfuscatedPhp /var/www/html/daq/dcs_1.tar
DodgyStrings /var/www/html/daq/dcs_1.tar
=================================================
You should take a look at the files listed below:
NonPrintableChars /var/www/html/daq/dcs_1.tar
[root@dashboard1 php-malware-finder]#
In the output above, the first line warning about ./php.yar(95) comes from YARA rather than PMF, and I'm not concerned about it. I'll mention here that I removed /var/www/html/racktables-0.20.10/ completely - it was an older racktables installation, replaced with v0.20.14 in /var/www/html/racktables in 2018. (The tarball, /var/www/html/daq/dcs_1.tar, was also removed.) Which leaves us with interpreting and assessing the seriousness of the remaining lines about "ObfuscatedPhp", "DodgyStrings", and "DangerousPhp". Some elaboration of those detections can be had with phpmalwarefinder's '-v' option, as in the next snippet, looking at /var/www/html/racktables/inc/dictionary.php:
[root@dashboard1 php-malware-finder]# ./phpmalwarefinder -v /var/www/html/racktables/inc/dictionary.php
./php.yar(95): warning: $pr contains .* or .+, consider using .{,N} or .{1,N} with a reasonable value for N
DangerousPhp /var/www/html/racktables/inc/dictionary.php
0x3ddcb:$system: system
<snip out hundreds of similar "system" lines>
0x6154e:$system: system
0x790:$: function_exists
PMF finds the mere presence of the string "system" dangerous, even when it has nothing to do with a system call. /var/www/html/racktables/inc/dictionary.php has many occurrences of "system" within URL paths and strings, so we can ignore that. But then there is also a detection of "function_exists". Unlike the "system" detection, "function_exists" is actually being used as a function in dictionary.php, but it is a legitimate use in this case, so we'll ignore that as well. So, all clear for dictionary.php. Can we whitelist this file? Whitelisting works using a sha1sum hash of "safe" files for future reference, so that subsequent uses of PMF will ignore files with a matching hash. PMF includes a utility to generate properly formatted .yar whitelist files for entire directories. Here's an example of that in action for the racktables inc directory:
[root@dashboard1 php-malware-finder]# /root/Software/PMF/php-malware-finder/utils/generate_whitelist.py racktables_inc /var/www/html/racktables/inc |tee /tmp/racktables_inc.yar
import "hash"

rule racktables_inc
{
    condition:
        /* racktables_inc */
        hash.sha1(0, filesize) == "ffd592ba72bfd377f6f49ea6564b8d452c0c050f" or // /var/www/html/racktables/inc/functions.php
        hash.sha1(0, filesize) == "169f8dd9c33b83c7e663ba3696e244b268efe986" or // /var/www/html/racktables/inc/dictionary.php
        hash.sha1(0, filesize) == "18dd109ba995a0394978d712fd206b3655ba88bf" or // /var/www/html/racktables/inc/database.php
        false
}
Note that generate_whitelist.py only works on directories, not individual files. So if I wasn't sure about the safety of one or more of the other files (besides dictionary.php, which I vetted above), then I would have to remove those lines by hand, else PMF will ignore all of them. Now just put the .yar file into the whitelists directory of the PMF installation, update whitelists.yar, and the findings disappear from phpmalwarefinder's output. Also, one can add individual files to the whitelist by hand by simply using 'sha1sum' to get a hash of the file and straightforwardly adding the hash to a .yar file in the whitelists directory - this is what I did for /var/www/html/racktables/index.php. (And note that I renamed the whitelist to racktables instead of racktables_inc.)
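Since generate_whitelist.py hashes a whole directory and the alternative is editing hashes in by hand, here is an added script (Python 3; it is my example for this page, not PMF's utility) that produces a rule in the same shape as the output above, but only for the files named on its command line, so a file that has not been read never ends up whitelisted by accident. The rule name and paths are whatever the caller passes; the demo input written by main() when run without arguments is constructed here, and the racktables paths in the comments are only illustrative.

```python
"""Build a PMF-style whitelist rule from explicitly vetted files.

Added example for this page; it is not PMF's utils/generate_whitelist.py.
It emits the rule shape that tool produces (import "hash", one
hash.sha1(0, filesize) comparison per file, a trailing "false"), but takes
an explicit list of files instead of walking a directory.
"""
import hashlib
import os
import re
import sys
import tempfile

RULE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def sha1_of_bytes(data):
    """Hex SHA-1 of a byte string; YARA's hash.sha1(0, filesize) yields the same for a file with that content."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk=1 << 20):
    """Stream the file so large tarballs do not have to be read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_whitelist_rule(rule_name, entries):
    """entries: [(path_label, sha1_hex), ...]. Returns the YARA rule text."""
    if not RULE_NAME_RE.match(rule_name):
        raise ValueError("YARA rule names must be identifiers: %r" % rule_name)
    lines = ['import "hash"', "", "rule %s" % rule_name, "{", "    condition:",
             "        /* %s */" % rule_name]
    for label, digest in entries:
        if not re.fullmatch(r"[0-9a-f]{40}", digest):
            raise ValueError("not a SHA-1 hex digest for %s: %r" % (label, digest))
        # The trailing comment records which file each hash came from.
        lines.append('        hash.sha1(0, filesize) == "%s" or // %s' % (digest, label))
    lines.append("        false")   # lets every real entry end in "or", as in PMF's own output
    lines.append("}")
    return "\n".join(lines) + "\n"


def whitelist_from_files(rule_name, paths):
    """Hash each named file (no directory walking) and return the rule text."""
    return build_whitelist_rule(
        rule_name, [(os.path.abspath(p), sha1_of_file(p)) for p in paths])


def main(argv):
    # Usage: python3 make_whitelist.py racktables /var/www/html/racktables/index.php ... > whitelists/racktables.yar
    if len(argv) >= 3:
        sys.stdout.write(whitelist_from_files(argv[1], argv[2:]))
        return
    # No arguments: demonstrate on a constructed file in a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        vetted = os.path.join(d, "dictionary.php")
        with open(vetted, "wb") as f:
            f.write(b"<?php\nif (function_exists('mb_strlen')) { echo 'ok'; }\n")
        sys.stdout.write(whitelist_from_files("racktables_inc", [vetted]))


if __name__ == "__main__":
    main(sys.argv)
```

Drop the generated file into PMF's whitelists directory and reference it from whitelists.yar, as described above. Note the property of a hash whitelist that makes it acceptable security-wise: it matches one exact file content, so an upgrade of racktables, or a backdoor dropped into a whitelisted file, changes the hash and the file is reported again. The flip side is that the whitelist has to be regenerated after every legitimate update.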
Much better looking now:
[root@dashboard1 php-malware-finder]# ./phpmalwarefinder -v /var/www/html
./php.yar(95): warning: $pr contains .* or .+, consider using .{,N} or .{1,N} with a reasonable value for N
[root@dashboard1 php-malware-finder]#
2) RIPS
https://www.ripstech.com/

wbetts's blog