Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 Programming Discussions
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 09-27-2008, 11:20 PM
Quarterbore Quarterbore is offline
 
Join Date: Mar 2005
Location: Valley Forge PA
Posts: 538
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Hacker detection tool?

I am looking for feedback of an idea I have been playing with but I have not had the time to start working on. If such a tool exists, please let me know as I would be interested in purchasing!

My idea is simply to have a script (php or even something else) that will look at all the folders and files on a server and scan the file for typical things that hackers add. The code would simply need to open the files on the server and scan the file for matches to a configurable list (base 64, hacker, other common things we see in hacker tools).

The script would then output the list to a log on the server in a line delineated format including a code for matches, file path/name, file size, date modified (anything else?). Also, I assume hacked files would show a modified date so we could likely only scan files changed since last scan too!

A second script would then be used to read the log file and put it into a database where the information can be reviewed by a site admin. The site admin could select actions such as "DELETE" or "IGNORE" after evaluation even if the admin had to go in via FTP and manually do the delete.

The next time the process is run, if a file in a path is previously marked IGNORE and the date is the same the code would not log the update so that the Admin only needs to evaluate changes!

So, does something like this exist?
What would be the best way to code something like this (PHP or some shell script or ???)?
Does this seem like too much of a server hog or something that could be done?

Oppinions?
Reply With Quote
  #2  
Old 09-28-2008, 12:04 AM
fum1n fum1n is offline
 
Join Date: Oct 2007
Location: TRNC/Cyprus
Posts: 31
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

I believe mod security does some of the above mentioned.

You could do something like this:
scan.php

Al thou I'm not an experienced PHP programmer you could possibly just fopen all files in a specified directory (Example: public_html/ or forum/) and search for commonly used strings in PHP Shells (Example: "c99") and then fwrite a log of suspicious files and then CHMOD them to deny all.

Then set it to run every hour or something.
Reply With Quote
  #3  
Old 09-28-2008, 12:41 AM
Quarterbore Quarterbore is offline
 
Join Date: Mar 2005
Location: Valley Forge PA
Posts: 538
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Well, thanks to the hackers I have some pretty slick PHP Code they donated that will scan a directory for files and I can even modify it so that instead of looking for passwords it could be used to scan for other things they seem to like to include in their scripts

Some examples:
hack
/etc/passwd
fgets(
opendir(
read_dir(
closedir(
fopen(
copy(
fwrite(
ftp_check(
ftp_connect(
ftp_login(
ftp_quit(
mysql_connect(
mysql_select_db(
base64
phpinfo
$_SERVER
http-equiv="refresh"
cookie
$_COOKIE
file_exists(
dbconn(
str_replace(
getChmod(
mkdir(
chmod(

I am sure there are other functions we would want to match but finding these would sure help!
Reply With Quote
  #4  
Old 09-28-2008, 04:41 AM
Dismounted's Avatar
Dismounted Dismounted is offline
 
Join Date: Jun 2005
Location: Melbourne, Australia
Posts: 15,047
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Errr, plenty of "legit" PHP files use those functions. Take str_replace() for example - I'm willing to bet this is one of the most used PHP functions...
Reply With Quote
  #5  
Old 09-28-2008, 06:32 AM
Quarterbore Quarterbore is offline
 
Join Date: Mar 2005
Location: Valley Forge PA
Posts: 538
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Dismounted View Post
Errr, plenty of "legit" PHP files use those functions. Take str_replace() for example - I'm willing to bet this is one of the most used PHP functions...
Right, but we could log files that are added or when files are changed that include some of these functions. If an Admin didn't upload new scripts, then a report of new files with a number of these woud certainly be worth looking at.

Just because you have a tool that sends a notice doen't mean the sky is falling but if you don't have a tool and you don't get a notice doesn't mean the sky isn't falling too

The goal is to have a configurable list and match rules could be added or removed. These are just a sample and sure not all of these are necessary to look for to identify a potential hack tool.
Reply With Quote
  #6  
Old 09-28-2008, 09:56 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Suspect Files in the Maintenance menu of the AdminCP would already scan for modified/unknown files.
Reply With Quote
  #7  
Old 09-28-2008, 01:17 PM
Quarterbore Quarterbore is offline
 
Join Date: Mar 2005
Location: Valley Forge PA
Posts: 538
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Marco van Herwaarden View Post
Suspect Files in the Maintenance menu of the AdminCP would already scan for modified/unknown files.
Pretty slick but I don't think that does what we need to solve this issue as it only looks at vbulletin folders. The issue I am looking at is one as follows:

https://vborg.vbsupport.ru/showthread.php?t=192080
https://vborg.vbsupport.ru/showthread.php?t=191383

But I may take a peek at that code for help writing this

Otherwise, matching the phrases can be done like we do the two nospam scripts as follow:

https://vborg.vbsupport.ru/showthread.php?t=131568
https://vborg.vbsupport.ru/showthread.php?t=155242

Just need to spider the directories, fopen the files, look for matches, and log them. A setting could be added so a site Admin could get an e-mail notice immediately as well so they can check the file and logs so they can change the locks on the door and try to find the cause before the hacker has too much free time on the server.
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 11:13 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.08307 seconds
  • Memory Usage 2,222KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (7)post_thanks_box
  • (7)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (7)post_thanks_postbit_info
  • (7)postbit
  • (7)postbit_onlinestatus
  • (7)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete