Exploit Scanner v1.00 Released (Updated: 1.01 released)
15 posts by 4 authors in: Forums > CMS Builder: Plugins & Add-ons
Last Post: June 26, 2012
By Dave - April 24, 2012 - edited: May 17, 2012
We've just released a new standalone app called "Exploit Scanner".
Over the last 6 months we've probably had about a dozen clients come to us for consulting help to restore hacked websites. The source of the hack was almost always some unpatched old version of WordPress, FormMail, or other free script (never CMSB), but the cleanup always took hours.
To help identify the files that were hacked we wrote a basic scanner that looked for malicious code patterns, and over the months it's evolved into quite an advanced application.
If you've ever been asked to fix a hacked website, if you host sites, or even have an internal dev server, then this is an absolute must have.
When a client discovers their Google traffic is being redirected from Google to some Viagra site, tracking down the cause can easily eat up a day of time. The ability to find those issues in advance is invaluable.
We now run this script on our development server weekly and it's already allowed us to notify multiple developers of hacks and exploits that would have otherwise gone undetected for weeks while more damage was done.
For a full description of this app and to download the latest version:
http://www.interactivetools.com/add-ons/detail.php?Exploit-Scanner-1063
Please feel free to post your feedback and questions! We're always happy to get your feature requests and bug reports. Post in the forum or email me at dave@interactivetools.com.
interactivetools.com
Exploit Scanner v1.01 Released
By Dave - May 17, 2012
We've just released 1.01 of the exploit scanner with more exploits detected, fewer false positives, and a few other misc features.
It's only been a short time since we've released this but we've already heard from multiple developers and sysadmins who have saved countless hours by having the scanner detect and pinpoint infected files for them.
You can see the changelog here for more details:
http://www.interactivetools.com/add-ons/detail-changelog.php?Exploit-Scanner-1063
Or get the app here:
http://www.interactivetools.com/add-ons/detail.php?Exploit-Scanner-1063
Let me know any questions, thanks!
Re: [Dave] Exploit Scanner v1.01 Released
By gkornbluth - May 24, 2012
I ran my first exploit scan from the web and I got this output:
Exploit Scanner v1.01 - Scans filesystem for web exploit patterns
--------------------------------------------------------------------------------
Matched Patterns: php(36), js(7), htaccess(6), filepath(2)
Scan started: Thu, 24 May 2012 12:52:55 -0700
Root dir: /hsphere/local/home/gkornblu/thecmsbcookbook.com
Log file: none
I’m a bit unclear on some of the data returned and in general, I figure that if I mess with something as complex as this, I’ll probably break it.
So I could use some help interpreting even these simple results.
Matched patterns: is this good or bad? What were the patterns that were matched? Do I need to do something about them?
Log file: none - I noticed this on your screenshot as well. Does this mean that there was none necessary, or that there was no path or filename designated? If the latter, how and where would I enter that info (for running from the web)?
The only thing that I came across that made sense to me was changing the time zone, so I did that.
What else can/should I do if I’m running from the web?
BTW, it might be nice if the scanner gave some indication of progress. A spinning circle can be a bit disconcerting.
Thanks,
Jerry Kornbluth
Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php
Re: [gkornbluth] Exploit Scanner v1.01 Released
By Dave - May 24, 2012
That's just the output header, was there anything below that? It may have timed out running from the web. How long did it run for before it stopped?
And do you have shell access on any of your website accounts?
Re: [Dave] Exploit Scanner v1.01 Released
By gkornbluth - May 24, 2012
I spoke to my web host (IXWebHosting) and they said that I have no shell access on shared hosting, and that any php scripts have up to 90 seconds to complete before timing out (also not under my control).
The CMSB Cookbook site that I was checking probably has a few thousand files, as does another that I checked and they ran for over the 90 seconds and returned just the header.
It seems that, unless you have a better idea, I'll need to run separate scans on separate folders through a series of cron jobs for each one of my clients.
I'm assuming that I would upload the xs.php file to the separate directories and set up a cron job to run each one and then manually review a large number of reports to determine if there are any vulnerabilities. (bit of a pain)
I ran the scanner on a smaller site and got this result, which makes a bit more sense:
Exploit Scanner v1.01 - Scans filesystem for web exploit patterns
--------------------------------------------------------------------------------
Matched Patterns: php(36), js(7), htaccess(6), filepath(2)
Scan started: Thu, 24 May 2012 16:41:49 -0400
Root dir: /hsphere/local/home/gkornblu/upload-test.com
Log file: none
Scanned: 175 dirs, 1,195 files (0 risks found)
Execute time: 0 minutes, 15 seconds
--------------------------------------------------------------------------------
* Note: Please send any files with false-positives or undetected-exploits to us.
I'd still like to know what the various pieces of information mean, even in the header.
Jerry Kornbluth
Re: [gkornbluth] Exploit Scanner v1.01 Released
By Dave - May 24, 2012
And how are cronjobs set up? Are they with the URLs to the php scripts or by filepath? I'm wondering if they'd have a different timeout or if we can modify the timeout (the cmsb code does just that with varying success).
In any case, yes, putting the script in multiple directories would be a workaround. And yes you would get a lot of reports. Typically if you have a lot of accounts on one server you'd run it from the command line and have it scan all the websites at once.
I'll add that we have some planned features that would add emailing, so I expect the process of automating the scanning will become easier over time.
>I'd still like to know what the various pieces of information mean, even in the header.
Sure, they are as follows:
>Matched Patterns: php(36), js(7), htaccess(6), filepath(2)
These are the number of patterns being checked for different kinds of files. Note that often a single pattern will match multiple exploits.
>Scan started: Thu, 24 May 2012 16:41:49 -0400
When the scan was started, useful if output is going to an email or log.
>Root dir: /hsphere/local/home/gkornblu/upload-test.com
The path being scanned, also useful for reference when output is going to an email or log.
>Log file: none
If you scan from the command line you can output to a log file by adding -l yourlogfile.log, in which case that would be reflected here.
Let me know any questions. If you want to send me FTP login details I could look into getting it to run longer than 90 seconds or as a background process. I need to do some research on that for some other projects anyways.
Hope that helps!
Re: [Dave] Exploit Scanner v1.01 Released
By gkornbluth - May 24, 2012
To run this as a cron job, I put this at the top of the xs.php script
#!/hsphere/shared/php5/bin/php -q
And then tried variations of the following in the cron manager command line with no positive result.
/hsphere/local/home/gkornblu/thecmsbcookbook.com/xs.php
/hsphere/local/home/gkornblu/thecmsbcookbook.com/xs.php -l xp.log
/hsphere/local/home/gkornblu/thecmsbcookbook.com/xs.php -p -l xs.log
Once I try to put a path into the mix (or a -p) the cron job won’t work at all.
/hsphere/local/home/gkornblu/thecmsbcookbook.com/xs.php -p /hsphere/local/home/gkornblu/thecmsbcookbook.com/ -l xs.log
or
/hsphere/local/home/gkornblu/thecmsbcookbook.com/xs.php -p . -l xs.log
Thanks for the offer. I’ll email all the login particulars to you later today.
Thanks,
Jerry Kornbluth
Re: [gkornbluth] Exploit Scanner v1.01 Released
By Dave - May 24, 2012
/hsphere/local/home/gkornblu/thecmsbcookbook.com/xs.php -p /hsphere/local/home/gkornblu/thecmsbcookbook.com/
But feel free to email more details. Thanks.
Re: [Dave] Exploit Scanner v1.01 Released
By gkornbluth - May 24, 2012
Here's the command line code that worked:
/hsphere/local/home/gkornblu/thecmsbcookbook.com/xs.php -p /hsphere/local/home/gkornblu/thecmsbcookbook.com/ -l xs.log
The xs.log file was created and the script did not time out.
Thanks for sticking with me.
Jerry Kornbluth
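Added example (not part of the thread and not interactivetools code): once cron is writing a report per site, a small triage script can separate finished scans from runs that stopped after the header, as the 90-second web runs above did, and flag a non-zero risk count. It assumes the log written with -l has the same layout as the output quoted in this thread; the function names and the FLAGGED sample are made up for illustration, and the layout of per-file finding lines is not shown in the thread, so they are not parsed.

```python
import re
from email.utils import parsedate_to_datetime

# Line layouts copied from the scanner output quoted in this thread.
SUMMARY_RE = re.compile(r"^Scanned:\s*([\d,]+) dirs,\s*([\d,]+) files \(([\d,]+) risks? found\)")
FIELD_RE = re.compile(r"^(Matched Patterns|Scan started|Root dir):\s*(.*)$")

def parse_report(text):
    """Parse one report. 'complete' stays False when the 'Scanned:' summary
    line is absent, which is what a timed-out web run looks like."""
    rep = {"complete": False, "patterns": {}, "started": None, "root": None, "risks": None}
    for line in map(str.strip, text.splitlines()):
        m = SUMMARY_RE.match(line)
        if m:
            dirs, files, risks = (int(g.replace(",", "")) for g in m.groups())
            rep.update(complete=True, dirs=dirs, files=files, risks=risks)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # separators, notes and any per-file lines are ignored
        key, value = m.groups()
        if key == "Matched Patterns":
            rep["patterns"] = {k: int(n) for k, n in re.findall(r"(\w+)\((\d+)\)", value)}
        elif key == "Scan started":
            try:
                rep["started"] = parsedate_to_datetime(value)
            except (TypeError, ValueError):
                pass  # keep None if the timestamp is malformed
        else:
            rep["root"] = value
    return rep

def triage(rep):
    """INCOMPLETE must never be read as clean: the scan did not finish."""
    if not rep["complete"]:
        return "INCOMPLETE"
    return "RISKS" if rep["risks"] > 0 else "CLEAN"

HEADER = """Exploit Scanner v1.01 - Scans filesystem for web exploit patterns
Matched Patterns: php(36), js(7), htaccess(6), filepath(2)
Scan started: Thu, 24 May 2012 16:41:49 -0400
Root dir: /hsphere/local/home/gkornblu/upload-test.com
Log file: none
"""
FINISHED = HEADER + "Scanned: 175 dirs, 1,195 files (0 risks found)\nExecute time: 0 minutes, 15 seconds\n"
# Constructed sample: same layout with a non-zero count (not output from the thread).
FLAGGED = HEADER + "Scanned: 175 dirs, 1,195 files (3 risks found)\nExecute time: 0 minutes, 15 seconds\n"

if __name__ == "__main__":
    for name, text in [("header only", HEADER), ("finished", FINISHED), ("flagged", FLAGGED)]:
        print(name, "->", triage(parse_report(text)))
```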
Re: [gkornbluth] Exploit Scanner v1.01 Released
By Dave - May 24, 2012