How to Identify Malicious Pharma Hacking Attack Scripts on Your Website

I wrote this Perl script after my sites were attacked by Pharma hacking scripts (on 17th Sept, 2012). If you have a VPS or dedicated server, cPanel already allows scanning for malware.

I then scanned all the files and also compared them (some 80,000) with an earlier backup using a folder comparison tool.

I was shocked to find another infection already present since 2009, although somehow it had never managed to start!

Thank God I found the infection by chance (within 12 days or so) and saved my sites' rankings and revenue from falling. Google had already started showing "Site compromised" in search results. It would have taken months to recover the lost rankings if I had learned of the infection late.

I decided to write my own tool to alert me whenever another attack occurs. I had to write it because I don't trust Joomla as much as I do Drupal, and even less so when I'm running older versions.

Assumption

All hacking code is made up of one or more of:

  1. Base64 encoded strings in one form or another; these strings contain no invisible characters, and their characters look random rather than following a pattern.
  2. A small piece of code, something like fetching some code from $_REQUEST and calling eval() on it.
  3. An executable file; although it does no harm by itself, if Google finds a virus on your site your rankings suffer.
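The three assumptions above turned into checks, as an added example written for this page (it is not the author's locatesuspiciousfiles.pl). The sample contents, the 60-character run length and the extension list are constructed for the demonstration.

```perl
# Added example, not the author's script: the three "Assumption" heuristics
# applied to constructed in-memory sample contents.
use strict;
use warnings;

# Filename patterns reported regardless of content (cf. @EXTENSIONS_TO_REPORT).
my @EXTENSIONS_TO_REPORT = (qr/\.exe\z/i);

# Heuristic 1: a long unbroken run of base64 alphabet characters mixing upper
# case, lower case and digits; plain words and repeated filler do not qualify.
sub looks_like_base64_blob {
    my ($text) = @_;
    while ($text =~ m{([A-Za-z0-9+/]{60,}={0,2})}g) {
        my $run = $1;
        return 1 if $run =~ /[a-z]/ && $run =~ /[A-Z]/ && $run =~ /[0-9]/;
    }
    return 0;
}

# Heuristic 2: eval()/assert() fed straight from a request superglobal, or
# eval() wrapped around base64_decode() (optionally via gzinflate()).
sub looks_like_eval_of_request {
    my ($text) = @_;
    return 1 if $text =~ /\b(?:eval|assert)\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b/i;
    return 1 if $text =~ /\beval\s*\(\s*(?:gzinflate\s*\(\s*)?base64_decode\s*\(/i;
    return 0;
}

# Heuristic 3: the extension alone is enough to report the file.
sub reportable_extension {
    my ($name) = @_;
    return scalar(grep { $name =~ $_ } @EXTENSIONS_TO_REPORT);
}

# Returns the list of reasons to report; an empty list means "looks clean".
sub suspicious_reasons {
    my ($name, $text) = @_;
    my @why;
    push @why, 'reportable extension' if reportable_extension($name);
    push @why, 'base64 blob'          if looks_like_base64_blob($text);
    push @why, 'eval of request'      if looks_like_eval_of_request($text);
    return @why;
}

# Constructed samples; the base64 run is never decoded, it only has to look like one.
my %samples = (
    'index.php' => '<?php echo "hello world"; ?>',
    'x.php'     => '<?php eval($_REQUEST["c"]); ?>',
    'b.php'     => '<?php eval(base64_decode("aWYoaXNzZXQoJF9SRVFVRVNUWyJjIl0pKWV2YWwoJF9SRVFVRVNUWyJjIl0pOw==")); ?>',
    'setup.exe' => "MZ\x90",
);
printf "%-10s %s\n", $_, join(', ', suspicious_reasons($_, $samples{$_})) || 'clean' for sort keys %samples;
```

Running it lists index.php as clean, x.php as "eval of request", b.php as both "base64 blob" and "eval of request", and setup.exe as "reportable extension".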

What's the objective?

  1. If any .htaccess file is changed, it will send us an alert by email and to mobile. This check runs once every hour.
  2. All files are scanned once a day (preferably at night), and if any hacking code is found we'll be alerted.

Limitation

Unfortunately I'm on shared hosting, so I can't write a CPU-intensive script; otherwise my account may be closed.

Mandatory Alerts

Hacking attacks occur once in months or years. So if the monitoring scripts stop running for one reason or another, we will be susceptible to attack again. So the scripts must send an alert at least once a day (after 12 midnight) whether infections are found or not.

If you don't receive an alert on a given day, don't forget to check whether the scripts are running.

The Scripts

  1. Monitor changes in .htaccess
  2. Monitor for hacking infections (this page is about this one)

How to Run it

This is a Perl script, and remember that Perl is available on all systems in the world. Mine is on Linux hosting, and here is the line I've put in crontab:

45 0 * * *  /usr/local/bin/perl /home/john/www/tmp/all/hacked/locatesuspiciousfiles.pl --noverbose --onlyphpfiles --exitonsecondtime --workingdir='/home/john/www/tmp/all/hacked' --targetdir='/home/john/public_html'

Here 45 means to run at the 45th minute of hour 00, i.e., 00:45 am once every day. I also recommend not using the --onlyphpfiles option; I'm using it only because I'm on a shared server.

Command line option

If you run with -h or --help, these run-time command line options will be printed:

  • --verbose/--noverbose: sets/resets verbose mode
  • --onlyphpfiles/--noonlyphpfiles: sets/resets the mode in which only PHP files are processed and the rest are ignored
  • --exitonsecondtime/--noexitonsecondtime: exits/allows running in case this program is called a second time after 00:00 hours on any day
  • --workingdir="path": sets the path where the log files will be created; if the path contains a space, enclose it in double quotes, otherwise the double quotes are optional
  • --targetdir="path": sets the path whose directories/subdirectories will be processed by this script; if the path contains a space, enclose it in double quotes, otherwise the double quotes are optional
  • --help: prints this help

Setting Parameters

Before you run it, open the script and set the following parameters:

  1. $ENV{TZ} = 'Asia/Kolkata'; # Change to your timezone
  2. Email settings

    Set the SMTP server email settings (self-explanatory)

  3. $MAX_FILE_SIZE = 4 * 1048576; # If any file exceeds this limit (4 MB), only the first 4 MB of its content will be read and examined. You can ignore unnecessary files by placing them in skipfilelistAntiHack.txt.
  4. @EXTENSIONS_TO_REPORT # Just add a regex for each type of filename/extension that must be reported at any cost. By default *.exe is reported.

Log Files

  1. LogfileAntiHack.txt: general log information, which is not emailed. All debug output etc. goes in here.
  2. filelistAntiHack.txt: all files needing your attention are listed in this. If you ever want the script to ignore the files listed here, copy each complete line to skipfilelistAntiHack.txt.
  3. skipfilelistAntiHack.txt: create it and place files in it so that the next time the script runs it will simply ignore them. The format is filename:size. For a file to be ignored, the recorded size must match the current size of the file on the system, because a changed size means it could have been hacked.

Output

When run, if any infections are found, it emails you with a subject and body. All the infections found are placed in filelistAntiHack.txt, which you can move to skipfilelistAntiHack.txt to ignore them from the next run onwards. If it generates many false positives (including "Confirmed base64", large file size, etc.), just move all those safe files from filelistAntiHack.txt to skipfilelistAntiHack.txt, each line "as is". Also, if any file listed in skipfilelistAntiHack.txt ever changes, its entry will be ignored.
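The skip-list rule described under Log Files and Output (an entry in skipfilelistAntiHack.txt only suppresses a report while the file's size still matches), as an added example written for this page rather than the author's script. The temporary directory, file names and contents are constructed for the demonstration.

```perl
# Added example, not the author's script: a "filename:size" entry in
# skipfilelistAntiHack.txt suppresses a report only while the size matches.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Parse "path:size" lines; split on the LAST colon so paths containing ':' survive.
sub load_skip_list {
    my ($path) = @_;
    my %skip;
    open my $fh, '<', $path or return %skip;   # no skip list means skip nothing
    while (my $line = <$fh>) {
        chomp $line;
        next if $line eq '' || $line =~ /^#/;
        my ($file, $size) = $line =~ /^(.*):(\d+)\z/ or next;
        $skip{$file} = $size;
    }
    close $fh;
    return %skip;
}

# True only when the file is listed AND its current size equals the recorded one;
# a file that has grown or shrunk since it was whitelisted is reported again.
sub should_skip {
    my ($skip, $file) = @_;
    return 0 unless exists $skip->{$file};
    my $now = -s $file;
    my $ok = defined $now && $now == $skip->{$file};
    return $ok ? 1 : 0;
}

# Demo: whitelist a constructed file, then modify it and check again.
my $dir = tempdir(CLEANUP => 1);
my $php = "$dir/helper.php";
open my $out, '>', $php or die $!;
print $out "<?php /* constructed, harmless */ ?>\n";
close $out;

my $list = "$dir/skipfilelistAntiHack.txt";
open $out, '>', $list or die $!;
printf $out "%s:%d\n", $php, -s $php;       # same format the script expects
close $out;

my %skip = load_skip_list($list);
print "unchanged file: ", (should_skip(\%skip, $php) ? "skipped" : "reported"), "\n";

open $out, '>>', $php or die $!;
print $out "// appended line changes the size\n";
close $out;
print "modified file:  ", (should_skip(\%skip, $php) ? "skipped" : "reported"), "\n";
```

The first check prints "skipped" and the second prints "reported", which is exactly why the entry carries the size rather than only the name.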

License

Free for anything, but attribution to this page and my name "PP Gupta" is required.

Suggestions

Any suggestions? Email me at guptaprakashprem at_the_rate g-m-a-i-l dot com