Detecting source code infections on your website

julien_santini
Registered User
Posts: 23
Joined: Fri Nov 03, 2006 6:19 am

Detecting source code infections on your website

Post by julien_santini »

Hello all,

Since I got helped several times by you guys, I thought I'd drop by and share one piece of information that might help some of you keep safe :mrgreen:

I developed a PHP script that basically crawls any given folder on a website and then stores within a text file an "ID" of this folder. Based on this ID and past ones, the script can say:

- which files have changed since the last ID was created (based on filesize and/or sha512 signatures of all files)
- which file permissions have been changed since the last ID was created

You can also compare various IDs created at different times.

1) This "check" might seem very simplistic (it is) but it allowed me to root out 2 trojan infections in just a few minutes
2) I plan to add various features in the near future (scanning for dangerous strings and functions, auto-detecting variables that were not sanitized / suspicious outbound links, etc ...)

The purpose of such a script is to assist me in detecting malicious additions to my phpBB source code (and other proprietary code developed by myself).

If some of you are interested in such an add-on then I can upload it to one of my websites and share it with the community.

Regards
Julien
julien_santini
Registered User
Posts: 23
Joined: Fri Nov 03, 2006 6:19 am

Re: Detecting source code infections on your website

Post by julien_santini »

I finally put the script online (it's called PHP Security Toolbox, as I plan to have it evolve into a more robust security software over time). Here's a link to the v1.0 of the script:

http://mycomputerforum.com/PHPST/PHP_Se ... olbox.html

Enjoy!
4_seven
I've Been Banned!
Posts: 5155
Joined: Wed Apr 30, 2008 1:41 am

Re: Detecting source code infections on your website

Post by 4_seven »

good point and idea. congrats :geek:
1234homie
Registered User
Posts: 439
Joined: Fri Sep 26, 2008 3:17 pm

Re: Detecting source code infections on your website

Post by 1234homie »

bookmarked ;p
imkingdavid
Former Team Member
Posts: 2673
Joined: Sun Jul 26, 2009 7:59 pm
Location: EST
Name: David King

Re: Detecting source code infections on your website

Post by imkingdavid »

Well, it's a nice idea, but as long as you have a secure password and you don't give people you don't trust access to your files, it would be very difficult for anyone to change them.
AmigoJack
Registered User
Posts: 5795
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Detecting source code infections on your website

Post by AmigoJack »

imkingdavid wrote: as long as you have a secure password and you don't give people you don't trust access to your files, it would be very difficult for anyone to change them
Like when in most cases of reality intruders use software bugs to get access without the need of guessing any password at all? Or when a "secure" password is transferred in plain text and thus easily recorded? Or when admins fall for fake sites to enter their data?

Can't recommend the script either - too improper code, low error handling, low sense for detail versus need, no access handling... Each time I upload modified files I want the script to rule them out instead of indicating changes (so I'd need some kind of reset-switch to ignore all files with an age of 5 minutes or less). Also it should be designed to run as a job, so files could be checked on a daily basis automatically and results could be displayed easily by constantly including them on your own phpBB installation (so administrators either see a green or a red blinking icon e.g. on the top of each page). I'm also not sure if your script takes different linebreaks into account (which are mostly converted by FTP clients) when building the hash. Also the script needs a self-protection/-detection: if an intruder modifies all PHP files this script is also affected because you're using the same system (PHP)...

I think a better approach is to design a program which acts like an FTP client: it lists all directories and downloads all PHP and HTACCESS and such files. This way it can hash all those files outside the target system (no server impact, the home system is considered unbroken) and also store/compare every load separately (which might also serve as a minimalistic file history system). Hrm...
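Added example, not part of the original thread and not the PHP Security Toolbox or any poster's code: a Python sketch of the folder "ID" from the first post (SHA-512 plus permission bits per file), built the way the last post suggests, over a copy of the site held off the server, with line endings folded before hashing and a grace window for fresh uploads. The function names, the TEXT_TYPES set and the sample files are assumptions constructed for illustration.

```python
import hashlib, pathlib, stat, tempfile, time

TEXT_TYPES = {".php", ".htaccess", ".html", ".js", ".css"}  # assumption: types FTP may convert

def file_digest(path):
    """SHA-512 of a file, with CRLF/CR folded to LF for text types."""
    data = path.read_bytes()
    if (path.suffix or path.name).lower() in TEXT_TYPES:  # ".htaccess" has an empty suffix
        data = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return hashlib.sha512(data).hexdigest()

def snapshot(root):
    """Map each relative path under root to its digest, permission bits and mtime."""
    snap = {}
    for p in pathlib.Path(root).rglob("*"):
        if p.is_file():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = {
                "sha512": file_digest(p), "mode": stat.S_IMODE(st.st_mode), "mtime": st.st_mtime}
    return snap

def compare(old, new, grace_seconds=0, now=None):
    """List added, removed, modified and chmod'ed paths between two snapshots."""
    report = {"added": [], "removed": [], "modified": [], "chmod": []}
    for path in sorted(set(old) | set(new)):
        a, b = old.get(path), new.get(path)
        if b and grace_seconds and (now or time.time()) - b["mtime"] <= grace_seconds:
            continue  # inside the grace window: assumed to be the admin's own upload
        if a is None or b is None:
            report["added" if a is None else "removed"].append(path)
            continue
        if a["sha512"] != b["sha512"]:
            report["modified"].append(path)
        if a["mode"] != b["mode"]:
            report["chmod"].append(path)
    return report

def demo():
    """Constructed sample tree: CRLF re-upload, chmod, content change, new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        for rel in ("index.php", "config.php", "common.php"):
            (root / rel).write_bytes(b"<?php\necho 1;\n")
        before = snapshot(root)
        (root / "index.php").write_bytes(b"<?php\r\necho 1;\r\n")  # same code, CRLF endings
        (root / "config.php").chmod(0o777)                          # permissions only
        (root / "common.php").write_bytes(b"<?php\necho 2;\n")      # content changed
        (root / "extra.php").write_bytes(b"<?php\n")                # new file
        return compare(before, snapshot(root))
```

Keep the stored snapshot on the machine that does the hashing, not on the web server. A file skipped by the grace window is only reported on a later run if the baseline has not been refreshed in between.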