Exploit Scanner v1.00 Released (Updated: 1.01 released)

15 posts by 4 authors in: Forums > CMS Builder: Plugins & Add-ons
Last Post: June 26, 2012

By Dave - April 24, 2012 - edited: May 17, 2012

Hello All,

We've just released a new standalone app called "Exploit Scanner".

Over the last 6 months we've probably had about a dozen clients come to us for consulting help to restore hacked websites. The source of the hack was almost always some unpatched old version of WordPress, FormMail, or other free script (never CMSB), but the cleanup always took hours.

To help identify the files that were hacked we wrote a basic scanner that looked for malicious code patterns, and over the months it's evolved into quite an advanced application.

If you've ever been asked to fix a hacked website, if you host sites, or even have an internal dev server, then this is an absolute must have.

When a client discovers their Google traffic is being redirected from Google to some Viagra site, tracking down the cause can easily eat up a day of time. The ability to find those issues in advance is invaluable.

We now run this script on our development server weekly and it's already allowed us to notify multiple developers of hacks and exploits that would have otherwise gone undetected for weeks while more damage was done.

For a full description of this app and to download the latest version:
http://www.interactivetools.com/add-ons/detail.php?Exploit-Scanner-1063

Please feel free to post your feedback and questions! We're always happy to get your feature requests and bug reports. Post in the forum or email me at dave@interactivetools.com.
Dave Edis - Senior Developer
interactivetools.com

Exploit Scanner v1.01 Released

By Dave - May 17, 2012

Hello All,

We've just released 1.01 of the exploit scanner with more exploits detected, fewer false positives, and a few other misc features.

It's only been a short time since we've released this but we've already heard from multiple developers and sysadmins who have saved countless hours by having the scanner detect and pinpoint infected files for them.

You can see the changelog here for more details:
http://www.interactivetools.com/add-ons/detail-changelog.php?Exploit-Scanner-1063

Or get the app here:
http://www.interactivetools.com/add-ons/detail.php?Exploit-Scanner-1063

Let me know any questions, thanks!
Dave Edis - Senior Developer
interactivetools.com

Re: [Dave] Exploit Scanner v1.01 Released

By gkornbluth - May 24, 2012

Hi Dave,

I ran my first exploit scan from the web and I got this output:

Exploit Scanner v1.01 - Scans filesystem for web exploit patterns
--------------------------------------------------------------------------------
Matched Patterns: php(36), js(7), htaccess(6), filepath(2)
Scan started: Thu, 24 May 2012 12:52:55 -0700
Root dir: /hsphere/local/home/gkornblu/thecmsbcookbook.com
Log file: none

I’m a bit unclear on some of the data returned and in general, I figure that if I mess with something as complex as this, I’ll probably break it.

So I could use some help interpreting even these simple results.

Matched patterns: is this good or bad? What were the patterns that were matched? Do I need to do something about them?

Log file: none - I noticed this on your screenshot as well. Does this mean that there was none necessary, or that there was no path or filename designated? If the latter, how and where would I enter that info (for running from the web)?

The only thing that I came across that made sense to me was changing the time zone, so I did that.

What else can/should I do if I’m running from the web?

BTW, it might be nice if the scanner gave some indication of progress. A spinning circle can be a bit disconcerting.

Thanks,

Jerry Kornbluth
The first CMS Builder reference book is now available on-line!
Take advantage of a free 3 month trial subscription, only for CMSB users, at: http://www.thecmsbcookbook.com/trial.php

Re: [gkornbluth] Exploit Scanner v1.01 Released

By Dave - May 24, 2012

Hi Jerry,

That's just the output header, was there anything below that? It may have timed out running from the web. How long did it run for before it stopped?

And do you have shell access on any of your website accounts?
Dave Edis - Senior Developer
interactivetools.com

Re: [Dave] Exploit Scanner v1.01 Released

By gkornbluth - May 24, 2012

OK,

I spoke to my web host (IXWebHosting) and they said that I have no shell access on shared hosting, and that any php scripts have up to 90 seconds to complete before timing out (also not under my control).

The CMSB Cookbook site that I was checking probably has a few thousand files, as does another that I checked and they ran for over the 90 seconds and returned just the header.

It seems that, unless you have a better idea, I'll need to run separate scans on separate folders through a series of cron jobs for each one of my clients.

I'm assuming that I would upload the xs.php file to the separate directories and set up a cron job to run each one and then manually review a large number of reports to determine if there are any vulnerabilities. (bit of a pain)

I ran the scanner on a smaller site and got this result, which makes a bit more sense:

Exploit Scanner v1.01 - Scans filesystem for web exploit patterns
--------------------------------------------------------------------------------
Matched Patterns: php(36), js(7), htaccess(6), filepath(2)
Scan started: Thu, 24 May 2012 16:41:49 -0400
Root dir: /hsphere/local/home/gkornblu/upload-test.com
Log file: none


Scanned: 175 dirs, 1,195 files (0 risks found)
Execute time: 0 minutes, 15 seconds

--------------------------------------------------------------------------------
* Note: Please send any files with false-positives or undetected-exploits to us.


I'd still like to know what the various pieces of information mean, even in the header.

Jerry Kornbluth

Re: [Dave] Exploit Scanner v1.01 Released

By gkornbluth - May 24, 2012

Hi Dave,

To run this as a cron job, I put this at the top of the xs.php script:

#!/hsphere/shared/php5/bin/php -q

And then tried variations of the following in the cron manager command line with no positive result.

/hsphere/local/home/gkornblu/thecmsbcookbook.com/xs.php

/hsphere/local/home/gkornblu/thecmsbcookbook.com/xs.php -l xp.log

/hsphere/local/home/gkornblu/thecmsbcookbook.com/xs.php -p -l xs.log

Once I try to put a path into the mix (or a -p.), the cron job won’t work at all.

/hsphere/local/home/gkornblu/thecmsbcookbook.com/xs.php -p /hsphere/local/home/gkornblu/thecmsbcookbook.com/ -l xs.log

or

/hsphere/local/home/gkornblu/thecmsbcookbook.com/xs.php -p . -l xs.log

Thanks for the offer. I’ll email all the login particulars to you later today.

Thanks,

Jerry Kornbluth

Re: [gkornbluth] Exploit Scanner v1.01 Released

By Dave - May 24, 2012

If it just sends you the output then this should work:

/hsphere/local/home/gkornblu/thecmsbcookbook.com/xs.php -p /hsphere/local/home/gkornblu/thecmsbcookbook.com/

But feel free to email more details. Thanks.
Dave Edis - Senior Developer
interactivetools.com

Re: [Dave] Exploit Scanner v1.01 Released

By gkornbluth - May 24, 2012

OK, I just didn't wait for the cron job to run (25 minutes).

Here's the command line code that worked:
/hsphere/local/home/gkornblu/thecmsbcookbook.com/xs.php -p /hsphere/local/home/gkornblu/thecmsbcookbook.com/ -l xs.log

The xs.log file was created and the script did not time out.

Thanks for sticking with me.

Jerry Kornbluth

Re: [gkornbluth] Exploit Scanner v1.01 Released

By Dave - May 24, 2012

Glad to hear it's working!
Dave Edis - Senior Developer
interactivetools.com
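
For the cron setup worked out in this thread, with one xs.log per site, the sketch below reduces the "manually review a large number of reports" step to a list of logs that need attention. It is an added example, not part of Exploit Scanner or of any post above. It assumes the `-l` log file has the same "Root dir:" and "Scanned: ... (N risks found)" lines as the screen output quoted earlier, and it treats a log with a header but no "Scanned:" line as an unfinished scan. The function names and sample paths are made up for illustration.

```shell
#!/bin/sh
# Added example (not part of Exploit Scanner): triage xs.log files from cron runs.
# Assumes the -l log file has the same layout as the screen output quoted in this thread.

# xs_log_status FILE -> "CLEAN <root>", "RISKS=<n> <root>", "INCOMPLETE <root>" or "MISSING <file>"
xs_log_status() {
    [ -r "$1" ] || { echo "MISSING $1"; return 0; }
    awk '
        /^Exploit Scanner v/ { root = ""; risks = "" }   # new run appended: reset state
        /^Root dir: /        { root = substr($0, 11) }
        /^Scanned: / && match($0, /\([0-9,]+ risks? found\)/) {
            risks = substr($0, RSTART + 1, RLENGTH - 2)  # e.g. "0 risks found"
            sub(/ .*/, "", risks); gsub(/,/, "", risks)  # keep the number only
        }
        END {
            if (root == "")          root = "(unknown root)"
            if (risks == "")         print "INCOMPLETE " root   # header only: scan did not finish
            else if (risks + 0 > 0)  print "RISKS=" risks " " root
            else                     print "CLEAN " root
        }' "$1"
}

# xs_triage LOG... -> prints only the logs needing attention; returns 1 if any were printed
xs_triage() {
    rc=0
    for log in "$@"; do
        status=$(xs_log_status "$log")
        case $status in
            CLEAN\ *) ;;                    # nothing to report
            *) echo "$status"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample logs (paths are placeholders) so the functions can be tried offline.
xs_make_samples() {
    dir=$1
    printf '%s\n' 'Exploit Scanner v1.01 - Scans filesystem for web exploit patterns' \
        'Root dir: /home/example/site-a' '' \
        'Scanned: 175 dirs, 1,195 files (0 risks found)' > "$dir/site-a.log"
    printf '%s\n' 'Exploit Scanner v1.01 - Scans filesystem for web exploit patterns' \
        'Root dir: /home/example/site-b' > "$dir/site-b.log"
    printf '%s\n' 'Exploit Scanner v1.01 - Scans filesystem for web exploit patterns' \
        'Root dir: /home/example/site-c' '' \
        'Scanned: 40 dirs, 2,310 files (3 risks found)' > "$dir/site-c.log"
}
```

Run from cron after the scans, `xs_triage` prints nothing when every log is clean, so where cron mails job output a message arrives only when a site has risks or a scan did not finish.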