Detecting source code infections on your website

julien_santini · Post by **julien_santini** » Sat May 07, 2011 1:45 pm

Hello all,

Since I got helped several times by you guys, I thought I'd drop by and share one piece of information that might help some of you keep safe

I developped a php script that basically crawls any given folder on a website and then stores within a text file an "ID" of this folder. Based on this ID and past ones, the script can say:

- which files have changed since last ID was created (based on filesize and/or sha512 signatures of all files)
- which files permissions have been changed since last ID was created

You can also compare various ID's created at different times.

1) This "check" might seem very simplistic (it is) but it allowed me to root out 2 trojan infections in just a few minutes
2) I plan to add various features in the near future (scanning for dangerous strings and functions, auto-detecting variables that were not sanitized / suspicious outbound links, etc ...)

The purpose of such a script is to assist me in detecting malicious additions to my phpbb source code (and other proprietary code developped by myself).

If some of you are interested by such an add-on then I can upload it to one of my websites and share it with the community.

Regards
Julien

julien_santini · Post by **julien_santini** » Sun Jun 12, 2011 10:26 am

I finally put the script online (it's called PHP Security Toolbox, as I plan to have it evolve into a more robust security software over time). Here's a link to the v1.0 of the script:

http://mycomputerforum.com/PHPST/PHP_Se ... olbox.html

Enjoy !

4_seven · Post by **4_seven** » Sun Jun 12, 2011 12:27 pm

good point and idea. congrats

1234homie · Post by **1234homie** » Sun Jul 10, 2011 3:37 pm

bookmarked ;p

imkingdavid · Post by **imkingdavid** » Mon Jul 11, 2011 4:12 pm

Well, it's a nice idea, but as long as you have a secure password and you don't give people you don't trust access to your files, it would be very difficult for anyone to change them.

AmigoJack · Post by **AmigoJack** » Tue Jul 12, 2011 9:33 am

imkingdavid wrote:as long as you have a secure password and you don't give people you don't trust access to your files, it would be very difficult for anyone to change them

Like when in most cases of reality intruders use software bugs to get access without the need of guessing any password at all? Or when a "secure" password is transferred in plain text and thus easily recorded? Or when admins fall for fake sites to enter their data?

Can't recommend the script either - too improper code, low error handling, low sense for detail versus need, no access handling... Each time I upload modified files I want the script to rule them out instead of indicating changes (so I'd need some kind of reset-switch to ignore all files with an age of 5 minutes or less). Also it should be designed to run as a job, so files could be checked on a daily base automatically and results could be displayed easily by constantly including them on your own phpBB installation (so administrators either see a green or a red blinking icon e.g. on the top of each page). I'm also not sure if your script takes different linebreaks into account (which are mostly converted by FTP clients) when building the hash. Also the script needs a self-protection/-detection: if an intruder modifies all PHP files this script is also affected because you're using the same system (PHP)...

I think a better approach is to design a program which acts like an FTP client: it lists all directories and downloads all PHP and HTACCESS and such files. This way it can hash all those files outside the target system (no server impact, the home system is considered unbroken) and also store/compare every load separately (which might also serve as a minimalistic file history system). Hrm...

advertisements