The Arcive of Official vBulletin Modifications Site.It is not a VB3 engine, just a parsed copy! |
|
#1
|
|||
|
|||
Hacker detection tool?
I am looking for feedback of an idea I have been playing with but I have not had the time to start working on. If such a tool exists, please let me know as I would be interested in purchasing!
My idea is simply to have a script (php or even something else) that will look at all the folders and files on a server and scan the file for typical things that hackers add. The code would simply need to open the files on the server and scan the file for matches to a configurable list (base 64, hacker, other common things we see in hacker tools). The script would then output the list to a log on the server in a line delineated format including a code for matches, file path/name, file size, date modified (anything else?). Also, I assume hacked files would show a modified date so we could likely only scan files changed since last scan too! A second script would then be used to read the log file and put it into a database where the information can be reviewed by a site admin. The site admin could select actions such as "DELETE" or "IGNORE" after evaluation even if the admin had to go in via FTP and manually do the delete. The next time the process is run, if a file in a path is previously marked IGNORE and the date is the same the code would not log the update so that the Admin only needs to evaluate changes! So, does something like this exist? What would be the best way to code something like this (PHP or some shell script or ???)? Does this seem like too much of a server hog or something that could be done? Oppinions? |
#2
|
|||
|
|||
I believe mod security does some of the above mentioned.
You could do something like this: scan.php Al thou I'm not an experienced PHP programmer you could possibly just fopen all files in a specified directory (Example: public_html/ or forum/) and search for commonly used strings in PHP Shells (Example: "c99") and then fwrite a log of suspicious files and then CHMOD them to deny all. Then set it to run every hour or something. |
#3
|
|||
|
|||
Well, thanks to the hackers I have some pretty slick PHP Code they donated that will scan a directory for files and I can even modify it so that instead of looking for passwords it could be used to scan for other things they seem to like to include in their scripts
Some examples: hack /etc/passwd fgets( opendir( read_dir( closedir( fopen( copy( fwrite( ftp_check( ftp_connect( ftp_login( ftp_quit( mysql_connect( mysql_select_db( base64 phpinfo $_SERVER http-equiv="refresh" cookie $_COOKIE file_exists( dbconn( str_replace( getChmod( mkdir( chmod( I am sure there are other functions we would want to match but finding these would sure help! |
#4
|
||||
|
||||
Errr, plenty of "legit" PHP files use those functions. Take str_replace() for example - I'm willing to bet this is one of the most used PHP functions...
|
#5
|
|||
|
|||
Quote:
Just because you have a tool that sends a notice doen't mean the sky is falling but if you don't have a tool and you don't get a notice doesn't mean the sky isn't falling too The goal is to have a configurable list and match rules could be added or removed. These are just a sample and sure not all of these are necessary to look for to identify a potential hack tool. |
#6
|
|||
|
|||
Suspect Files in the Maintenance menu of the AdminCP would already scan for modified/unknown files.
|
#7
|
|||
|
|||
Quote:
https://vborg.vbsupport.ru/showthread.php?t=192080 https://vborg.vbsupport.ru/showthread.php?t=191383 But I may take a peek at that code for help writing this Otherwise, matching the phrases can be done like we do the two nospam scripts as follow: https://vborg.vbsupport.ru/showthread.php?t=131568 https://vborg.vbsupport.ru/showthread.php?t=155242 Just need to spider the directories, fopen the files, look for matches, and log them. A setting could be added so a site Admin could get an e-mail notice immediately as well so they can check the file and logs so they can change the locks on the door and try to find the cause before the hacker has too much free time on the server. |
Thread Tools | |
Display Modes | |
|
|
X vBulletin 3.8.12 by vBS Debug Information | |
---|---|
|
|
More Information | |
Template Usage:
Phrase Groups Available:
|
Included Files:
Hooks Called:
|