The war against attempts to hack the sites I host goes on.
Having noticed that lately there is a proliferation of files with a particular pattern /^\.[0-9a-z]{8}\.ico$/,
I decided to search for them and delete them directly, without waiting for the Maldet pass.
In the meantime, here is an example report. Note the .ico files, the target of our script:
malware detect scan report for server01.net:
SCAN ID: 043018-0400.7125
TIME: Apr 30 04:57:55 +0200
PATH: /home/*/public_html
TOTAL FILES: 911469
TOTAL HITS: 5
TOTAL CLEANED: 0
NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 043018-0400.7125
FILE HIT LIST:
{HEX}php.base64.v23au.186 : /home/example1/public_html/pontetresa/wp-includes/customize/.9579976e.ico
{HEX}php.base64.v23au.186 : /home/example2/public_html/the7/wp-content/uploads/layerslider/LayerSlider-5-responsive-demo-slider/ini.php
{HEX}php.base64.v23au.186 : /home/example3/public_html/gallery/albums/Vacanze-2009/ini.php
{HEX}php.base64.v23au.186 : /home/example4/public_html/wp-admin/network/mobileqsv/.c7485b55.ico
{HEX}php.base64.v23au.186 : /home/example5/public_html/wp-includes/SimplePie/Net/.3706a194.ico
===============================================
Linux Malware Detect v1.4.2 < proj@rfxn.com >
And this is the newLISP script that is launched at regular intervals by a cron job:
#!/usr/bin/env newlisp
;; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
;; FILENAME: delete.fake.ico.files.lsp
;; PURPOSE: Delete fake ".ico" files in /home/*/public_html/.
;;
;; VERS.: 1
;; USAGE: delete.fake.ico.files.lsp
;;
;; CHANGELOG:
;; Date       | Change
;; -----------+---------------------------------------------------------------------------
;; 30-04-2018 | First version.
;; ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(module "unix.lsp")
(context 'MAIN)
;-----------------------------------------------------------------------------------------
; Configurable parameters
;-----------------------------------------------------------------------------------------
(constant '*home* "/home")
(constant '*public_html* "/public_html")
; A fake .ico is a hidden file named with exactly 8 hex digits, e.g. ".9579976e.ico".
; The regex is written as a brace string so the backslashes need no double escaping.
(constant 'ico-regex {^\.[0-9a-f]{8}\.ico$})
;-----------------------------------------------------------------------------------------
; Remove "." and ".." from a directory listing.
;
(define (remove-point-dirs list-to-check)
  (clean (fn (x) (or (= "." x) (= ".." x))) list-to-check))
;-----------------------------------------------------------------------------------------
; Return the entries of /home that actually have a "public_html" directory.
;
(define (get-homes)
  (filter (fn (k) (directory? (string *home* "/" k *public_html*)))
          (remove-point-dirs (directory *home*))))
;-----------------------------------------------------------------------------------------
; True if path-name itself is a symlink (vs. real file or dir). The third argument to
; file-info (true) makes it use lstat, so the link is inspected rather than its target;
; without it a symlink is never detected, and a dangling one makes file-info return nil.
; The mask 0170000 (S_IFMT) isolates the file-type bits before comparing with 0120000.
;
(define (symlink? path-name)
  (let (mode (file-info path-name 1 true))
    (and mode (= 0120000 (& mode 0170000)))))
;-----------------------------------------------------------------------------------------
; Walk a directory tree and return the full paths of all files whose name matches
; ico-regex. Symlinks are neither followed nor reported, so a link planted inside
; public_html can never make the script touch a file outside it.
;
(define (list-all-ico dir)
  (let (icos '())
    (dolist (E (remove-point-dirs (directory dir)))
      (let (D (string dir "/" E))
        (cond
          ((symlink? D))                                        ; skip symlinks...
          ((= E "favicon.ico"))                                 ; skip the real favicon...
          ((directory? D) (setq icos (append icos (list-all-ico D))))
          ((regex ico-regex E) (push D icos)))))
    icos))
;-----------------------------------------------------------------------------------------
; Program starts here
;-----------------------------------------------------------------------------------------
;--- Let's find the current filename.
(constant '*PROGRAM-NAME* (last (parse (first (1 (main-args))) "/")))
(unix:syslog 5 (string "[" *PROGRAM-NAME* "] Starting..."))
(dolist (k (get-homes))
  ; For every site, retrieve the matching .ico files and delete them one by one.
  ; delete-file is used instead of shelling out to rm: the path never passes through
  ; the shell, so a crafted directory name under public_html cannot inject a command.
  (dolist (f (list-all-ico (string *home* "/" k *public_html*)))
    (if (delete-file f)
        (unix:syslog 5 (string "[" *PROGRAM-NAME* "] Removed [" f "] file."))
        (unix:syslog 3 (string "[" *PROGRAM-NAME* "] Could not remove [" f "]: " (sys-error))))))
(unix:syslog 5 (string "[" *PROGRAM-NAME* "] Completed."))
(exit)
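The same sweep written in Python, as an added example that is not part of the original post or the newLISP script above. It follows the same rules (every /home/*/public_html, the 8-hex-digit hidden .ico name, skip favicon.ico, never follow or delete symlinks) and goes one step further: it can quarantine instead of delete, mirroring Maldet's own -q option, and it starts in dry-run mode so the hit list can be checked before anything is touched. The sample directory tree, the quarantine path /var/quarantine and the syslog tag are constructed for the example; the hit name .9579976e.ico is taken from the report.

```python
import os
import re
import shutil
import stat
import tempfile
from typing import Dict, Iterator, List, Optional, Tuple

# Same filename pattern as the newLISP script: a hidden file named with 8 hex digits.
FAKE_ICO_RE = re.compile(r"^\.[0-9a-f]{8}\.ico$")
PUBLIC_HTML = "public_html"


def site_roots(home: str = "/home") -> List[str]:
    """All <home>/<user>/public_html that exist as real (non-symlink) directories."""
    roots = []
    for user in sorted(os.listdir(home)):
        candidate = os.path.join(home, user, PUBLIC_HTML)
        if os.path.isdir(candidate) and not os.path.islink(candidate):
            roots.append(candidate)
    return roots


def find_fake_icos(root: str) -> Iterator[str]:
    """Yield regular files under root whose name matches FAKE_ICO_RE.

    followlinks=False keeps os.walk out of symlinked directories, and each hit is
    checked with lstat, so a symlink that merely carries a matching name is skipped.
    """
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if name == "favicon.ico" or not FAKE_ICO_RE.match(name):
                continue
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                yield path


def remove_or_quarantine(path: str, quarantine_dir: Optional[str] = None) -> str:
    """Delete path, or move it under quarantine_dir keeping its full original path.

    Returns the action taken for the log line. No shell is involved, so a hostile
    directory name inside public_html cannot inject a command.
    """
    if quarantine_dir is None:
        os.unlink(path)
        return "removed"
    dest = os.path.join(quarantine_dir, path.lstrip(os.sep))
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.move(path, dest)
    return "quarantined"


def sweep(home: str = "/home", quarantine_dir: Optional[str] = None,
          dry_run: bool = False) -> List[Tuple[str, str]]:
    """Run the whole job and return (path, action) pairs for syslog or cron mail."""
    actions = []
    for root in site_roots(home):
        for path in list(find_fake_icos(root)):   # materialise before touching the tree
            action = "would-remove" if dry_run else remove_or_quarantine(path, quarantine_dir)
            actions.append((path, action))
    return actions


def build_demo_tree() -> str:
    """Constructed sample tree (not from the page) mirroring one hit from the report."""
    home = tempfile.mkdtemp(prefix="fakehome-")
    site = os.path.join(home, "example1", PUBLIC_HTML, "wp-includes", "customize")
    os.makedirs(site)
    for name in (".9579976e.ico", "favicon.ico", "class-wp-customize.php"):
        with open(os.path.join(site, name), "w") as fh:
            fh.write("x")
    os.makedirs(os.path.join(home, "nosite", "mail"))           # user without public_html
    os.symlink(os.path.join(site, "favicon.ico"),                # symlink with a matching name
               os.path.join(site, ".deadbeef.ico"))
    return home


def run_demo() -> Dict[str, object]:
    """Dry run, then a quarantining pass, then a second pass; report what happened."""
    home = build_demo_tree()
    quarantine = tempfile.mkdtemp(prefix="quarantine-")
    dry = sweep(home, dry_run=True)
    real = sweep(home, quarantine_dir=quarantine)
    site = os.path.join(home, "example1", PUBLIC_HTML, "wp-includes", "customize")
    return {
        "dry_run": [(os.path.basename(p), a) for p, a in dry],
        "real": [(os.path.basename(p), a) for p, a in real],
        "favicon_kept": os.path.isfile(os.path.join(site, "favicon.ico")),
        "symlink_kept": os.path.islink(os.path.join(site, ".deadbeef.ico")),
        "quarantined_copy": bool(real) and os.path.isfile(
            os.path.join(quarantine, real[0][0].lstrip(os.sep))),
        "second_pass": sweep(home),
    }


if __name__ == "__main__":
    # Cron entry point: start with a dry run, then switch to
    # sweep("/home", quarantine_dir="/var/quarantine") once the hit list looks right.
    import syslog
    for hit, action in sweep("/home", dry_run=True):
        syslog.syslog(syslog.LOG_NOTICE, "[delete_fake_ico] %s %s" % (action, hit))
```

Quarantining keeps the dropped file available for a look at the obfuscated PHP it carries (the {HEX}php.base64 signature in the report) and for tracing which upload path the attacker used, which a plain rm throws away.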