Exploit Scanner - Threat Alert

By Dave - September 2, 2015

Hi Ragi, 

No, there's no problem.  It's just that both Avast and Exploit Scanner have lists of "snippets" from malicious programs, so it's snippets are matching the list of snippets from Exploit Scanner.  If we scanned their (uncompiled) source code we'd probably get false positives against their code as well.

It actually makes it a little difficult to work on that script, as my virus scanner (Avast as well) always wants to lock down the file.  I had to add an exception for the folder, but it can still cause problems when I zip it because zipping uses the /temp/ folder which automatically gets scanned as well.

Anyways, if you want to have a look, text like this is causing the problem: 


$patterns[] = array(
'message' => 'Code from known exploit: signature for drupal hack',
'regexp' => '|7aY#4EwrU_eC2AbEcuP\?8keYe&ruQuxE\=R46eQ38eHE27aZeFr7W7eSp\=752xen\?|',
'type' => 'php',
'score' => 10,
);

$patterns[] = array(
'message' => 'Code from known exploit: reference to phpspy web backdoor',
'regexp' => '!(/tmp/angel_bc|tmp_angel)!',
'type' => 'php',
'score' => 10,
);

$patterns[] = array(
'message' => 'Code from known exploit: php "create_function" as hex encoded string',
'regexp' => '/(' .preg_quote('\x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e'). ')/',
'type' => 'php',
'score' => 10,
);

One alternative is to not store our patterns in plaintext, instead storing them in an encoded fashion, but that makes it take longer to work on the code.  We'll see what we do with it in future, but anyways that's why you're getting alerts.  If you just disable avast for ten minutes you should be able to download no problem (system tray > avast > right click > shields control > disable for 10 minutes).

Hope that helps, let me know any other questions.

Dave Edis - Senior Developer
interactivetools.com

Thanks for the explanation Dave.  FYI, I use Mac OSX, so the system tray stuff is passé! 

--
northernpenguin
Northern Penguin Technologies

"Any sufficiently advanced technology
is indistinguishable from magic."
........Arthur C. Clarke

By Dave - September 2, 2015

Lol, maybe one day I'll switch!  Or I can just wait for Microsoft to finish copying Apple! ;-)

Dave Edis - Senior Developer
interactivetools.com

May not take too long at this rate! (;

--
northernpenguin
Northern Penguin Technologies

"Any sufficiently advanced technology
is indistinguishable from magic."
........Arthur C. Clarke