
Find and delete fake .ico files

The war against attempts to hack the sites I host goes on.
Having noticed that lately there has been a proliferation of files with a distinctive name pattern, /^\.[0-9a-z]{8}\.ico$/ (in practice the eight characters have always been hex digits, which is what the script below matches),
I decided to look for them and delete them directly, without waiting for the next Maldet (Linux Malware Detect) pass.
Despite the extension these are not icons: Maldet flags them with {HEX}php.base64.v23au.186, a signature for base64-obfuscated PHP, so the leading dot and the .ico name are just camouflage.
First, here is an example report. Note the .ico files, the target of our script:


malware detect scan report for server01.net:
SCAN ID: 043018-0400.7125
TIME: Apr 30 04:57:55 +0200
PATH: /home/*/public_html
TOTAL FILES: 911469
TOTAL HITS: 5
TOTAL CLEANED: 0

NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 043018-0400.7125
FILE HIT LIST:
{HEX}php.base64.v23au.186 : /home/example1/public_html/pontetresa/wp-includes/customize/.9579976e.ico
{HEX}php.base64.v23au.186 : /home/example2/public_html/the7/wp-content/uploads/layerslider/LayerSlider-5-responsive-demo-slider/ini.php
{HEX}php.base64.v23au.186 : /home/example3/public_html/gallery/albums/Vacanze-2009/ini.php
{HEX}php.base64.v23au.186 : /home/example4/public_html/wp-admin/network/mobileqsv/.c7485b55.ico
{HEX}php.base64.v23au.186 : /home/example5/public_html/wp-includes/SimplePie/Net/.3706a194.ico
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >

And this is the newLISP script that cron runs at regular intervals:

#!/usr/bin/env newlisp
;; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
;; FILENAME: delete.fake.ico.files.lsp
;; PURPOSE: Delete fake ".ico" files in /home/*/public_html/.
;;
;; VERS.: 1
;; USAGE: delete.fake.ico.files.lsp
;;
;; CHANGELOG:
;; Date       | Change
;; -----------+---------------------------------------------------------------------------
;; 30-04-2018 | First version.
;; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(module "unix.lsp")                     ; provides unix:syslog
(context 'MAIN)
;-----------------------------------------------------------------------------------------
; Configurable parameters
;-----------------------------------------------------------------------------------------
(constant '*home* "/home")
(constant '*public_html* "/public_html")
; Brace-delimited string: newLISP hands it to the regex engine without
; processing backslash escapes. Only hex digits are accepted because every
; name seen in the Maldet reports so far was an 8-digit hex string.
(constant 'ico-regex {^\.[0-9a-f]{8}\.ico$})
;-----------------------------------------------------------------------------------------
; Entries of /home that contain a public_html directory. "." and ".." are
; dropped explicitly, so /home/../public_html can never be picked up.
;
(define (get-homes)
  (filter (fn (k) (and (not (member k '("." "..")))
                       (directory? (string *home* "/" k *public_html*))))
          (or (directory *home*) '())))
;-----------------------------------------------------------------------------------------
; Remove "." and ".." from a directory listing.
;
(define (remove-point-dirs list-to-check)
  (clean (fn (x) (or (= "." x) (= ".." x))) list-to-check))
;-----------------------------------------------------------------------------------------
; True if path-name itself is a symlink (vs. a real file or dir).
; The third argument of file-info asks for the link's own attributes (lstat)
; instead of the target's; without it a link to a regular file is reported
; as a regular file and would never be skipped.
;
(define (symlink? path-name)
  (let (mode (file-info path-name 1 true))
    (and mode (= 0120000 (& mode 0170000)))))   ; S_IFMT mask, S_IFLNK value
;-----------------------------------------------------------------------------------------
; Walk dir recursively and return the path names of all files whose name
; matches ico-regex. Symlinks are not followed: a link could lead outside
; public_html or into a loop. The accumulator is local so that the recursive
; calls do not overwrite each other's state.
;
(define (list-all-ico dir)
  (let (icos '())
    (dolist (E (remove-point-dirs (or (directory dir) '())))
      (let (D (string dir "/" E))
        (cond
          ((symlink? D))                 ; skip symlinks
          ((= E "favicon.ico"))          ; the legitimate favicon (it would not match ico-regex anyway)
          ((directory? D) (setq icos (append icos (list-all-ico D))))
          ((regex ico-regex E) (push D icos)))))
    icos))
;-----------------------------------------------------------------------------------------
; Program starts here
;-----------------------------------------------------------------------------------------
;--- Let's find the current filename.
(constant '*PROGRAM-NAME* (last (parse (main-args 1) "/")))
(unix:syslog 5 (string "[" *PROGRAM-NAME* "] Starting..."))
(dolist (k (get-homes))
  ; For each site, collect the fake .ico files and remove them one by one.
  ; delete-file is used instead of shelling out to rm: the path is built from
  ; directory names inside a tree the attacker already writes to, and passing
  ; it through a shell command line would let a directory named e.g.
  ; "x; some-command" run that command as the cron user.
  (dolist (f (list-all-ico (string *home* "/" k *public_html*)))
    (if (delete-file f)
      (unix:syslog 5 (string "[" *PROGRAM-NAME* "] Removed [" f "] file."))
      (unix:syslog 3 (string "[" *PROGRAM-NAME* "] Could not remove [" f "]: " (sys-error))))))
(unix:syslog 5 (string "[" *PROGRAM-NAME* "] Completed."))
(exit)
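As an added example (not the author's script), here is the same hunt written for a POSIX shell, with two additions a practitioner usually wants before deleting anything: a name that matches the pattern is only reported if the file is not a real Windows icon (a genuine .ico starts with the bytes 00 00 01 00: reserved word 0, image type 1), and matches are moved to a quarantine directory rather than deleted, much as Maldet's own `-q` option does. It assumes `find`, `od`, `tr` and `mv` as found on any Linux box; the quarantine layout (flattened file names plus an `index.tsv`) is this example's own choice.

```shell
#!/bin/sh
# Added example, not the original post's code. Finds dot-prefixed 8-hex-digit
# ".ico" files that are not real icons and quarantines them.

# Print the fake icons under directory $1, one path per line.
# -type f skips symlinks (find does not follow them without -L); the -exec
# predicate drops files whose first four bytes are a real ICO header.
find_fake_icos() {
    hex='[0-9a-f]'
    find "$1" -type f -name ".$hex$hex$hex$hex$hex$hex$hex$hex.ico" \
        -exec sh -c '[ "$(od -An -tx1 -N4 "$1" | tr -d " \n")" != 00000100 ]' sh {} \; \
        -print
}

# Move every fake icon under $1 into the quarantine directory $2.
# The original path is flattened into the new file name and recorded in
# $2/index.tsv (original<TAB>quarantined) so the file can be restored or
# handed to the site owner. Returns 0 when everything found was moved.
# (A path containing a newline would be mishandled by the read loop; use
# find -print0 if such names are expected.)
quarantine_fake_icos() {
    root=$1
    qdir=$2
    mkdir -p "$qdir" || return 1
    pending=$(mktemp) || return 1
    rc=0
    find_fake_icos "$root" > "$pending"
    while IFS= read -r f; do
        dest="$qdir/$(printf '%s' "$f" | tr '/' '_')"
        if mv "$f" "$dest"; then
            printf '%s\t%s\n' "$f" "$dest" >> "$qdir/index.tsv"
        else
            rc=1
        fi
    done < "$pending"
    rm -f "$pending"
    return $rc
}

# Usage (as root, from cron), hypothetical paths:
#   quarantine_fake_icos /home/example1/public_html /root/quarantine/fake-ico
```

Running it against a site tree reports only the dot-hex `.ico` files whose content is not an icon, leaves symlinks and the site's own `favicon.ico` alone, and keeps a record of what was moved where.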