The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Hacker detection tool?
I am looking for feedback on an idea I have been playing with but I have not had the time to start working on. If such a tool exists, please let me know as I would be interested in purchasing!
My idea is simply to have a script (php or even something else) that will look at all the folders and files on a server and scan the file for typical things that hackers add. The code would simply need to open the files on the server and scan the file for matches to a configurable list (base 64, hacker, other common things we see in hacker tools). The script would then output the list to a log on the server in a line delineated format including a code for matches, file path/name, file size, date modified (anything else?). Also, I assume hacked files would show a modified date so we could likely only scan files changed since last scan too! A second script would then be used to read the log file and put it into a database where the information can be reviewed by a site admin. The site admin could select actions such as "DELETE" or "IGNORE" after evaluation even if the admin had to go in via FTP and manually do the delete. The next time the process is run, if a file in a path is previously marked IGNORE and the date is the same the code would not log the update so that the Admin only needs to evaluate changes!
So, does something like this exist? What would be the best way to code something like this (PHP or some shell script or ???)? Does this seem like too much of a server hog or something that could be done? Opinions?
#2
I believe mod security does some of the above mentioned.
You could do something like this: scan.php. Although I'm not an experienced PHP programmer, you could possibly just fopen all files in a specified directory (Example: public_html/ or forum/) and search for commonly used strings in PHP shells (Example: "c99"), then fwrite a log of suspicious files and then CHMOD them to deny all. Then set it to run every hour or something.
#3
Well, thanks to the hackers I have some pretty slick PHP code they donated that will scan a directory for files, and I can even modify it so that instead of looking for passwords it could be used to scan for other things they seem to like to include in their scripts.
Some examples: hack, /etc/passwd, fgets(, opendir(, read_dir(, closedir(, fopen(, copy(, fwrite(, ftp_check(, ftp_connect(, ftp_login(, ftp_quit(, mysql_connect(, mysql_select_db(, base64, phpinfo, $_SERVER, http-equiv="refresh", cookie, $_COOKIE, file_exists(, dbconn(, str_replace(, getChmod(, mkdir(, chmod(
I am sure there are other functions we would want to match, but finding these would sure help!
#4
Errr, plenty of "legit" PHP files use those functions. Take str_replace() for example - I'm willing to bet this is one of the most used PHP functions...
#5
Quote:
Just because you have a tool that sends a notice doesn't mean the sky is falling, but if you don't have a tool and you don't get a notice, that doesn't mean the sky isn't falling either.
The goal is to have a configurable list, and match rules could be added or removed. These are just a sample, and sure, not all of these are necessary to look for to identify a potential hack tool.
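The objection in #4 (str_replace() and fopen() are everywhere) and the answer in #5 (a configurable rule list) point at weighting rather than plain matching. Below is an added example in PHP, not code from the thread or from vBulletin, of a rule list where each pattern carries a weight, combinations such as eval() together with base64_decode() add a bonus, and a file is reported only above a threshold. The codes, weights, threshold and the two sample source strings are constructed for the example and would need tuning for a real site:

```php
<?php
// Added example, not code from the thread: weighted matching so that a single
// common function such as str_replace() never raises an alert on its own.
// Weights, codes and the threshold below are illustrative assumptions.

$rules = [
    // code => [PCRE pattern, weight]
    'B64DEC'  => ['/\bbase64_decode\s*\(/i', 3],
    'EVAL'    => ['/\beval\s*\(/i', 3],
    'EXEC'    => ['/\b(system|shell_exec|passthru|popen|proc_open)\s*\(/i', 3],
    'PWDF'    => ['#/etc/passwd#', 4],
    'SHELLN'  => ['/\b(c99|r57)\b/i', 5],
    'LONGSTR' => ['/[\'"][A-Za-z0-9+\/=]{200,}[\'"]/', 2],  // long base64-looking literal
    'FTP'     => ['/\bftp_(connect|login)\s*\(/i', 1],
    'STRREP'  => ['/\bstr_replace\s*\(/i', 0],               // recorded for context, scores nothing alone
    'FOPEN'   => ['/\bfopen\s*\(/i', 0],
];

$combos = [
    // [codes that must all be present, bonus]
    [['EVAL', 'B64DEC'], 4],    // eval(base64_decode(...)) is the classic obfuscated loader shape
    [['EVAL', 'LONGSTR'], 3],
    [['EXEC', 'FTP'], 2],
];

$threshold = 5;

function scoreSource(string $src, array $rules, array $combos): array
{
    // Returns ['score' => int, 'hits' => [codes]] for one file's contents
    $hits  = [];
    $score = 0;
    foreach ($rules as $code => [$pattern, $weight]) {
        if (preg_match($pattern, $src)) {
            $hits[] = $code;
            $score += $weight;
        }
    }
    foreach ($combos as [$codes, $bonus]) {
        // array_diff is empty when every code of the combination was hit
        if (!array_diff($codes, $hits)) {
            $score += $bonus;
        }
    }
    return ['score' => $score, 'hits' => $hits];
}

function isSuspicious(string $src, array $rules, array $combos, int $threshold): bool
{
    return scoreSource($src, $rules, $combos)['score'] >= $threshold;
}

// Constructed sample inputs (not real files): ordinary forum code versus an obfuscated loader
$legit = '<?php $title = str_replace("&", "&amp;", $title); $fh = fopen($logfile, "a"); ?>';
$shell = '<?php eval(base64_decode("' . str_repeat('QUJD', 60) . '")); ?>';

foreach (['legit' => $legit, 'shell' => $shell] as $label => $src) {
    $r = scoreSource($src, $rules, $combos);
    printf("%-5s score=%2d hits=%s suspicious=%s\n",
        $label, $r['score'], implode(',', $r['hits']),
        isSuspicious($src, $rules, $combos, $threshold) ? 'yes' : 'no');
}
```

With these weights the legitimate snippet scores 0 (its str_replace() and fopen() hits are logged but count for nothing), while the loader scores well above the threshold from eval(), base64_decode(), the long literal and the two combination bonuses. Putting the weights and combinations in a config file rather than in the script is what makes the list "configurable" in the sense #5 describes.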
#6
Suspect Files in the Maintenance menu of the AdminCP would already scan for modified/unknown files.
#7
Quote:
https://vborg.vbsupport.ru/showthread.php?t=192080
https://vborg.vbsupport.ru/showthread.php?t=191383
But I may take a peek at that code for help writing this. Otherwise, matching the phrases can be done like we do the two nospam scripts, as follows:
https://vborg.vbsupport.ru/showthread.php?t=131568
https://vborg.vbsupport.ru/showthread.php?t=155242
Just need to spider the directories, fopen the files, look for matches, and log them. A setting could be added so a site Admin could get an e-mail notice immediately as well, so they can check the file and logs, change the locks on the door, and try to find the cause before the hacker has too much free time on the server.