__DIR__, 'scan_all_files' => (AI_EXPERT_MODE == 2), // full scan (rather than just a .js, .php, .html, .htaccess) 'scan_delay' => 0, // delay in file scanning to reduce system load 'max_size_to_scan' => '650K', 'max_size_to_cloudscan' => '650K', 'no_rw_dir' => 0, 'skip_ext' => '', 'skip_cache' => false, 'report_mask' => JSONReport::REPORT_MASK_FULL, 'use_template_in_path' => false, ); define('DEBUG_MODE', 0); define('DEBUG_PERFORMANCE', 0); define('AIBOLIT_START_TIME', time()); define('START_TIME', microtime(true)); define('DIR_SEPARATOR', '/'); define('AIBOLIT_MAX_NUMBER', 200); define('MIN_FILE_SIZE_FOR_CHECK', 14); //14b - The minimum possible file size for the initial checking define('MAX_FILE_SIZE_FOR_CHECK', 268435456); //256Mb - The maximum possible file size for the initial checking define('DOUBLECHECK_FILE', 'AI-BOLIT-DOUBLECHECK.php'); if ((isset($_SERVER['OS']) && stripos('Win', $_SERVER['OS']) !== false)) { define('DIR_SEPARATOR', '\\'); } /////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// if (!(function_exists("file_put_contents") && is_callable("file_put_contents"))) { echo "#####################################################\n"; echo "file_put_contents() is disabled. Cannot proceed.\n"; echo "#####################################################\n"; exit; } define('AI_VERSION', 'HOSTER-30.1.1'); //////////////////////////////////////////////////////////////////////////// $l_Res = ''; $g_SpecificExt = false; $g_UpdatedJsonLog = 0; $g_FileInfo = array(); $g_Iframer = array(); $g_PHPCodeInside = array(); $g_Base64 = array(); $g_HeuristicDetected = array(); $g_HeuristicType = array(); $g_UnixExec = array(); $g_UnsafeFilesFound = array(); $g_HiddenFiles = array(); $g_RegExpStat = array(); error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING); srand(time()); set_time_limit(0); ini_set('max_execution_time', '900000'); ini_set('realpath_cache_size', '16M'); ini_set('realpath_cache_ttl', '1200'); ini_set('pcre.backtrack_limit', '1000000'); ini_set('pcre.recursion_limit', '200000'); ini_set('pcre.jit', '1'); $filter = new FileFilter(); $finder = new Finder($filter); if (!function_exists('stripos')) { function stripos($par_Str, $par_Entry, $Offset = 0) { return strpos(strtolower($par_Str), strtolower($par_Entry), $Offset); } } /** * Determine php script is called from the command line interface * @return bool */ function isCli() { return PHP_SAPI == 'cli'; } /** * Print to console * @param mixed $text * @param bool $add_lb Add line break * @return void */ function stdOut($text, $add_lb = true) { if (!isCli()) { return; } if (is_bool($text)) { $text = $text ? 'true' : 'false'; } else if (is_null($text)) { $text = 'null'; } if (!is_scalar($text)) { $text = print_r($text, true); } if ((!BOOL_RESULT) && (!JSON_STDOUT)) { @fwrite(STDOUT, $text . ($add_lb ? "\n" : '')); } } /** * Print progress * * @param int $num Current file * @param $par_File * @param $vars */ function printProgress($num, $par_File, $vars) { global $g_Base64, $g_Iframer, $g_UpdatedJsonLog, $g_AddPrefix, $g_NoPrefix; $total_files = $vars->foundTotalFiles; $elapsed_time = microtime(true) - START_TIME; $percent = number_format($total_files ? $num * 100 / $total_files : 0, 1); $stat = ''; $left_files = 0; $left_time = 0; $elapsed_seconds = 0; if ($elapsed_time >= 1) { $elapsed_seconds = round($elapsed_time, 0); $fs = floor($num / $elapsed_seconds); $left_files = $total_files - $num; if ($fs > 0) { $left_time = ($left_files / $fs); //ceil($left_files / $fs); $stat = ' [Avg: ' . round($fs, 2) . ' files/s' . ($left_time > 0 ? ' Left: ' . AibolitHelpers::seconds2Human($left_time) : '') . '] [Mlw:' . (count($vars->criticalPHP) + count($g_Base64) + count($vars->warningPHP)) . '|' . (count($vars->criticalJS) + count($g_Iframer) + count($vars->phishing)) . ']'; } } $l_FN = substr($par_File, -60); $text = "$percent% [$l_FN] $num of {$total_files}. " . $stat; $text = str_pad($text, 160, ' ', STR_PAD_RIGHT); stdOut(str_repeat(chr(8), 160) . $text, false); $data = array( 'self' => __FILE__, 'started' => AIBOLIT_START_TIME, 'updated' => time(), 'progress' => $percent, 'time_elapsed' => $elapsed_seconds, 'time_left' => round($left_time), 'files_left' => $left_files, 'files_total' => $total_files, 'current_file' => substr($g_AddPrefix . str_replace($g_NoPrefix, '', $par_File), -160) ); if (function_exists('aibolit_onProgressUpdate')) { aibolit_onProgressUpdate($data); } if (defined('PROGRESS_LOG_FILE') && (time() - $g_UpdatedJsonLog > 1)) { if (function_exists('json_encode')) { file_put_contents(PROGRESS_LOG_FILE, json_encode($data)); } else { file_put_contents(PROGRESS_LOG_FILE, serialize($data)); } $g_UpdatedJsonLog = time(); } if (defined('SHARED_MEMORY')) { shmop_write(SHARED_MEMORY, str_repeat("\0", shmop_size(SHARED_MEMORY)), 0); if (function_exists('json_encode')) { shmop_write(SHARED_MEMORY, json_encode($data), 0); } else { shmop_write(SHARED_MEMORY, serialize($data), 0); } } } if (isCli()) { $cli_options = array( 'y' => 'deobfuscate', 'c:' => 'avdb:', 'm:' => 'memory:', 's:' => 'size:', 'a' => 'all', 'd:' => 'delay:', 'l:' => 'list:', 'r:' => 'report:', 'f' => 'fast', 'j:' => 'file:', 'p:' => 'path:', 'q' => 'quite', 'e:' => 'cms:', 'x:' => 'mode:', 'k:' => 'skip:', 'n' => 'sc', 'o:' => 'json_report:', 't:' => 'php_report:', 'z:' => 'progress:', 'g:' => 'handler:', 'b' => 'smart', 'u:' => 'username:', 'h' => 'help' ); $cli_longopts = array( 'deobfuscate', 'avdb:', 'cmd:', 'noprefix:', 'addprefix:', 'scan:', 'one-pass', 'smart', 'with-2check', 'skip-cache', 'username:', 'no-html', 'json-stdout', 'listing:', 'encode-b64-fn', 'cloud-assist:', 'cloudscan-size:', 'with-suspicious', 'rapid-account-scan:', 'rapid-account-scan-type:', 'extended-report', 'factory-config:', 'shared-mem-progress:', 'create-shared-mem', 'max-size-scan-bytes:', 'input-fn-b64-encoded', 'use-heuristics', 'use-heuristics-suspicious', 'resident', 'detached:', 'log:', 'log-level:', 'use-template-in-path', 'ignore-list:', 'ignore-filenames:', 'only-filepaths:', 'skip-files-older:', 'skip-root-owner', 'skip-system-owner', 'follow-symlink', 'ignore-quarantine', 'quiet', 'use-filters', 'csv_report:' ); $cli_longopts = array_merge($cli_longopts, array_values($cli_options)); $reports = []; $options = getopt(implode('', array_keys($cli_options)), $cli_longopts); if (isset($options['h']) || isset($options['help'])) { $memory_limit = ini_get('memory_limit'); echo << Skip files with the same name by template. Example: *.php,*abc.abc,config.* --only-filepaths= Take only the paths matching this pattern. Example: /check/*.php,*.abc --skip-files-older=UNIXTIME If set then we ignore the files created or modified earlier than the specified date --skip-root-owner If set, we skip root's owner files --skip-system-owner If set, we skip system's owner files --follow-symlink If set then we follow symlink --ignore-quarantine If set, we ignore the files in the folder ".imunify.quarantined" if root is owner of it -x, --mode=INT Set scan mode. 0 - for basic, 1 - for expert and 2 for paranoic. -k, --skip=jpg,... Skip specific extensions. E.g. --skip=jpg,gif,png,xls,pdf --scan=php,... Scan only specific extensions. E.g. --scan=php,htaccess,js --cloud-assist=TOKEN Enable cloud assisted scanning. Disabled by default. --with-suspicious Detect suspicious files. Disabled by default. --rapid-account-scan= Enable rapid account scan. Use for base db dir. Need to set only root permissions(700) --rapid-account-scan-type= Type rapid account scan. = NONE|ALL|SUSPICIOUS, def:SUSPICIOUS --use-heuristics Enable heuristic algorithms and mark found files as malicious. --use-heuristics-suspicious Enable heuristic algorithms and mark found files as suspicious. -r, --report=PATH -o, --json_report=FILE Full path to create json-file with a list of found malware --csv_report=FILE Full path to create csv-file with a list of found malware -l, --list=FILE Full path to create plain text file with a list of found malware --no-html Disable HTML report --encode-b64-fn Encode file names in a report with base64 (for internal usage) --input-fn-b64-encoded Base64 encoded input filenames in listing or stdin --smart Enable smart mode (skip cache files and optimize scanning) -m, --memory=SIZE Maximum amount of memory a script may consume. Current value: $memory_limit Can take shorthand byte values (1M, 1G...) -s, --size=SIZE Scan files are smaller than SIZE with signatures. 0 - All files. Current value: {$defaults['max_size_to_scan']} --max-size-scan-bytes=SIZE Scan first for large(can set by --size) files with signatures. --cloudscan-size Scan files are smaller than SIZE with cloud assisted scan. 0 - All files. Current value: {$defaults['max_size_to_cloudscan']} -d, --delay=INT Delay in milliseconds when scanning files to reduce load on the file system (Default: 1) -a, --all Scan all files (by default scan. js,. php,. html,. htaccess) --one-pass Do not calculate remaining time --with-2check Create or use AI-BOLIT-DOUBLECHECK.php file -z, --progress=FILE Runtime progress of scanning, saved to the file, full path required. --shared-mem-progress= Runtime progress of scanning, saved to the shared memory . --create-shared-mem Need to create shared memory segment for --shared-mem-progress. -u, --username= Run scanner with specific user id and group id, e.g. --username=www-data -g, --hander=FILE External php handler for different events, full path to php file required. --cmd="command [args...]" Run command after scanning --help Display this help and exit * Mandatory arguments listed below are required for both full and short way of usage. HELP; exit; } $l_FastCli = false; if ((isset($options['memory']) && !empty($options['memory']) && ($memory = $options['memory'])) || (isset($options['m']) && !empty($options['m']) && ($memory = $options['m']))) { $memory = AibolitHelpers::getBytes($memory); if ($memory > 0) { $defaults['memory_limit'] = $memory; ini_set('memory_limit', $memory); } } $avdb = ''; if ((isset($options['avdb']) && !empty($options['avdb']) && ($avdb = $options['avdb'])) || (isset($options['c']) && !empty($options['c']) && ($avdb = $options['c']))) { if (file_exists($avdb)) { $defaults['avdb'] = $avdb; } } if ((isset($options['file']) && !empty($options['file']) && ($file = $options['file']) !== false) || (isset($options['j']) && !empty($options['j']) && ($file = $options['j']) !== false)) { define('SCAN_FILE', $file); } if (isset($options['deobfuscate']) || isset($options['y'])) { define('AI_DEOBFUSCATE', true); } if ((isset($options['list']) && !empty($options['list']) && ($file = $options['list']) !== false) || (isset($options['l']) && !empty($options['l']) && ($file = $options['l']) !== false)) { $reports[PlainReport::class] = $file; } if(isset($options['with-2check'])) { $reports[DoublecheckReport::class] = DOUBLECHECK_FILE; } if ((isset($options['listing']) && !empty($options['listing']) && ($listing = $options['listing']) !== false)) { if (file_exists($listing) && is_file($listing) && is_readable($listing)) { define('LISTING_FILE', $listing); } if ($listing == 'stdin') { define('LISTING_FILE', $listing); } } if ((isset($options['ignore-list']) && !empty($options['ignore-list']) && ($ignore_list_file = $options['ignore-list']) !== false)) { if (file_exists($ignore_list_file) && is_file($ignore_list_file) && is_readable($ignore_list_file)) { $filter->setIgnoreListFile($ignore_list_file); } } if ((isset($options['ignore-filenames']) && !empty($options['ignore-filenames']) && ($ignore_filenames = $options['ignore-filenames']) !== false)) { $filter->setIgnoreFilenames($ignore_filenames); } if ((isset($options['only-filepaths']) && !empty($options['only-filepaths']) && ($only_filepathes = $options['only-filepaths']) !== false)) { $filter->setOnlyFilepaths($only_filepathes); } if ((isset($options['skip-files-older']) && !empty($options['skip-files-older']) && ($skip_files_older = $options['skip-files-older']) !== false)) { $filter->setSkipFilesOlder($skip_files_older); } if (isset($options['skip-root-owner'])) { $filter->setSkipRootOwner(); } if (isset($options['skip-system-owner'])) { $max_min_uid = getMaxMinUid(); $vars->maxMinUid = $max_min_uid; $filter->setSkipSystemOwner($max_min_uid); unset($max_min_uid); } if (isset($options['follow-symlink'])) { $filter->setFollowSymlink(); } if (isset($options['ignore-quarantine'])) { $filter->setIgnoreQuarantine(); } if (isset($options['use-filters'])) { $filter->setImunifyFilters(); } if ((isset($options['json_report']) && !empty($options['json_report']) && ($file = $options['json_report']) !== false) || (isset($options['o']) && !empty($options['o']) && ($file = $options['o']) !== false)) { $reports[JSONReport::class] = $file; if (!function_exists('json_encode')) { die('json_encode function is not available. Enable json extension in php.ini'); } } if (isset($options['csv_report']) && !empty($options['csv_report']) && ($file = $options['csv_report']) !== false) { $reports[CSVReport::class] = $file; } if ((isset($options['php_report']) && !empty($options['php_report']) && ($file = $options['php_report']) !== false) || (isset($options['t']) && !empty($options['t']) && ($file = $options['t']) !== false)) { $reports[PHPReport::class] = $file; } $env_log = getenv('AIBOLIT_RESIDENT_LOG'); $env_log_level = getenv('AIBOLIT_RESIDENT_LOG_LEVEL'); if ((isset($options['log']) && !empty($options['log']) && ($log_file = $options['log']) !== false) || ($env_log !== false && ($log_file = $env_log) !== false)) { define('LOG_FILE', $log_file); } if ((isset($options['log-level']) && !empty($options['log-level']) && ($log_level = $options['log-level']) !== false) || ($env_log_level !== false && ($log_level = $env_log_level) !== false)) { define('LOG_LEVEL', $log_level); } if (defined('LOG_FILE') && !defined('LOG_LEVEL')) { define('LOG_LEVEL', 'INFO'); } if ((isset($options['handler']) && !empty($options['handler']) && ($file = $options['handler']) !== false) || (isset($options['g']) && !empty($options['g']) && ($file = $options['g']) !== false)) { if (file_exists($file)) { define('AIBOLIT_EXTERNAL_HANDLER', $file); } } if ((isset($options['progress']) && !empty($options['progress']) && ($file = $options['progress']) !== false) || (isset($options['z']) && !empty($options['z']) && ($file = $options['z']) !== false)) { define('PROGRESS_LOG_FILE', $file); } if (isset($options['create-shared-mem'])) { define('CREATE_SHARED_MEMORY', true); } else { define('CREATE_SHARED_MEMORY', false); } if (isset($options['shared-mem-progress']) && !empty($options['shared-mem-progress']) && ($sh_mem = $options['shared-mem-progress']) !== false) { if (CREATE_SHARED_MEMORY) { @$shid = shmop_open((int)$sh_mem, "n", 0666, 5000); } else { @$shid = shmop_open((int)$sh_mem, "w", 0, 0); } if (!empty($shid)) { define('SHARED_MEMORY', $shid); } else { die('Error with shared-memory.'); } } if ((isset($options['size']) && ($size = $options['size']) !== false) || (isset($options['s']) && ($size = $options['s']) !== false)) { $size = AibolitHelpers::getBytes($size); $defaults['max_size_to_scan'] = $size > 0 ? $size : 0; } if (isset($options['cloudscan-size']) && !empty($options['cloudscan-size']) && ($cloudscan_size = $options['cloudscan-size']) !== false) { $cloudscan_size = AibolitHelpers::getBytes($cloudscan_size); $defaults['max_size_to_cloudscan'] = $cloudscan_size > 0 ? $cloudscan_size : 0; } if (isset($options['max-size-scan-bytes']) && !empty($options['max-size-scan-bytes'])) { define('MAX_SIZE_SCAN_BYTES', AibolitHelpers::getBytes($options['max-size-scan-bytes'])); } else { define('MAX_SIZE_SCAN_BYTES', 0); } if ((isset($options['username']) && !empty($options['username']) && ($username = $options['username']) !== false) || (isset($options['u']) && !empty($options['u']) && ($username = $options['u']) !== false)) { if (!empty($username) && ($info = posix_getpwnam($username)) !== false) { posix_setgid($info['gid']); posix_setuid($info['uid']); $defaults['userid'] = $info['uid']; $defaults['groupid'] = $info['gid']; } else { echo ('Invalid username'); exit(-1); } } if ((isset($options['file']) && !empty($options['file']) && ($file = $options['file']) !== false) || ((isset($options['j']) && !empty($options['j']) && ($file = $options['j']) !== false) && (isset($options['q'])))) { $BOOL_RESULT = true; } if (isset($options['json-stdout'])) { define('JSON_STDOUT', true); } else { define('JSON_STDOUT', false); } if (isset($options['f'])) { $l_FastCli = true; } if (isset($options['q']) || isset($options['quite']) || isset($options['quiet'])) { $BOOL_RESULT = true; } if (isset($options['x'])) { define('AI_EXPERT', $options['x']); } else if (isset($options['mode'])) { define('AI_EXPERT', $options['mode']); } else { define('AI_EXPERT', AI_EXPERT_MODE); } if (AI_EXPERT < 2) { $g_SpecificExt = true; $defaults['scan_all_files'] = false; } else { $defaults['scan_all_files'] = true; } define('BOOL_RESULT', $BOOL_RESULT); if ((isset($options['delay']) && !empty($options['delay']) && ($delay = $options['delay']) !== false) || (isset($options['d']) && !empty($options['d']) && ($delay = $options['d']) !== false)) { $delay = (int) $delay; if (!($delay < 0)) { $defaults['scan_delay'] = $delay; } } if ((isset($options['skip']) && !empty($options['skip']) && ($ext_list = $options['skip']) !== false) || (isset($options['k']) && !empty($options['k']) && ($ext_list = $options['k']) !== false)) { $defaults['skip_ext'] = $ext_list; } if (isset($options['n']) || isset($options['skip-cache'])) { $defaults['skip_cache'] = true; } if (isset($options['scan'])) { $ext_list = strtolower(trim($options['scan'], " ,\t\n\r\0\x0B")); if ($ext_list != '') { $l_FastCli = true; $filter->setSensitiveExt($ext_list); $g_SensitiveFiles = $filter->getSensitiveExt(); $g_SpecificExt = true; } } if (isset($options['cloud-assist'])) { define('CLOUD_ASSIST_TOKEN', $options['cloud-assist']); } if (isset($options['rapid-account-scan'])) { define('RAPID_ACCOUNT_SCAN', $options['rapid-account-scan']); } if (defined('RAPID_ACCOUNT_SCAN')) { if (isset($options['rapid-account-scan-type'])) { define('RAPID_ACCOUNT_SCAN_TYPE', $options['rapid-account-scan-type']); } else { define('RAPID_ACCOUNT_SCAN_TYPE', 'SUSPICIOUS'); } } if (isset($options['with-suspicious'])) { define('AI_EXTRA_WARN', true); } if (isset($options['extended-report'])) { define('EXTENDED_REPORT', true); } if (isset($options['all'])||isset($options['a'])) { $defaults['scan_all_files'] = true; $g_SpecificExt = false; } if (isset($options['cms'])) { define('CMS', $options['cms']); } else if (isset($options['e'])) { define('CMS', $options['e']); } if (!defined('SMART_SCAN')) { define('SMART_SCAN', 0); } if (!defined('AI_DEOBFUSCATE')) { define('AI_DEOBFUSCATE', false); } if (!defined('AI_EXTRA_WARN')) { define('AI_EXTRA_WARN', false); } $l_SpecifiedPath = false; if ((isset($options['path']) && !empty($options['path']) && ($path = $options['path']) !== false) || (isset($options['p']) && !empty($options['p']) && ($path = $options['p']) !== false) ) { $defaults['path'] = $path; $l_SpecifiedPath = true; } $defaults['use_template_in_path'] = isset($options['use-template-in-path']); if (isset($options['noprefix']) && !empty($options['noprefix']) && ($g_NoPrefix = $options['noprefix']) !== false) { } else { $g_NoPrefix = ''; } if (isset($options['addprefix']) && !empty($options['addprefix']) && ($g_AddPrefix = $options['addprefix']) !== false) { } else { $g_AddPrefix = ''; } if (isset($options['use-heuristics'])) { define('USE_HEURISTICS', true); } if (isset($options['use-heuristics-suspicious'])) { define('USE_HEURISTICS_SUSPICIOUS', true); } if (defined('USE_HEURISTICS') && defined('USE_HEURISTICS_SUSPICIOUS')) { die('You can not use --use-heuristic and --use-heuristic-suspicious the same time.'); } $l_SuffixReport = str_replace('/var/www', '', $defaults['path']); $l_SuffixReport = str_replace('/home', '', $l_SuffixReport); $l_SuffixReport = preg_replace('~[/\\\.\s]~', '_', $l_SuffixReport); $l_SuffixReport .= "-" . rand(1, 999999); if ((isset($options['report']) && ($report = $options['report']) !== false) || (isset($options['r']) && ($report = $options['r']) !== false)) { $report = str_replace('@PATH@', $l_SuffixReport, $report); $report = str_replace('@RND@', rand(1, 999999), $report); $report = str_replace('@DATE@', date('d-m-Y-h-i'), $report); define('REPORT', $report); define('NEED_REPORT', true); } if (isset($options['no-html'])) { define('REPORT', 'no@email.com'); } defined('ENCODE_FILENAMES_WITH_BASE64') || define('ENCODE_FILENAMES_WITH_BASE64', isset($options['encode-b64-fn'])); defined('INPUT_FILENAMES_BASE64_ENCODED') || define('INPUT_FILENAMES_BASE64_ENCODED', isset($options['input-fn-b64-encoded'])); defined('REPORT') || define('REPORT', 'AI-BOLIT-REPORT-' . $l_SuffixReport . '-' . date('d-m-Y_H-i') . '.html'); $last_arg = max(1, sizeof($_SERVER['argv']) - 1); if (isset($_SERVER['argv'][$last_arg])) { $path = $_SERVER['argv'][$last_arg]; if (substr($path, 0, 1) != '-' && (substr($_SERVER['argv'][$last_arg - 1], 0, 1) != '-' || array_key_exists(substr($_SERVER['argv'][$last_arg - 1], -1), $cli_options) ) ) { $defaults['path'] = $path; } } define('ONE_PASS', isset($options['one-pass'])); // BEGIN of configuring the factory $factoryConfig = [ RapidAccountScan::class => RapidAccountScan::class, RapidScanStorage::class => RapidScanStorage::class, CloudAssistedStorage::class => CloudAssistedStorage::class, DbFolderSpecification::class => DbFolderSpecification::class, CriticalFileSpecification::class => CriticalFileSpecification::class, CloudAssistedRequest::class => CloudAssistedRequest::class, CSVReport::class => CSVReport::class, JSONReport::class => JSONReport::class, PHPReport::class => PHPReport::class, PlainReport::class => PlainReport::class, DoublecheckReport::class => DoublecheckReport::class, HTMLReport::class => HTMLReport::class, DetachedMode::class => DetachedMode::class, ResidentMode::class => ResidentMode::class, Logger::class => Logger::class, ]; if (isset($options['factory-config'])) { $optionalFactoryConfig = require($options['factory-config']); $factoryConfig = array_merge($factoryConfig, $optionalFactoryConfig); } Factory::configure($factoryConfig); // END of configuring the factory } else { define('AI_EXPERT', AI_EXPERT_MODE); define('ONE_PASS', true); } if (ONE_PASS && defined('CLOUD_ASSIST_TOKEN')) { die('Both parameters(one-pass and cloud-assist) not supported'); } if (defined('RAPID_ACCOUNT_SCAN') && !defined('CLOUD_ASSIST_TOKEN')) { die('CloudScan should be enabled'); } if (defined('CREATE_SHARED_MEMORY') && CREATE_SHARED_MEMORY == true && !defined('SHARED_MEMORY')) { die('shared-mem-progress should be enabled and ID specified.'); } if (defined('RAPID_ACCOUNT_SCAN')) { if (!mkdir(RAPID_ACCOUNT_SCAN, 0700, true) && !is_dir(RAPID_ACCOUNT_SCAN)) { throw new Exception(sprintf('Directory "%s" was not created', RAPID_ACCOUNT_SCAN)); } $specification = Factory::instance()->create(DbFolderSpecification::class); if (!$specification->satisfiedBy(RAPID_ACCOUNT_SCAN)) { @unlink(RAPID_ACCOUNT_SCAN); die('Rapid DB folder error! Please check the folder.'); } } if (defined('RAPID_ACCOUNT_SCAN_TYPE') && !in_array(RAPID_ACCOUNT_SCAN_TYPE, array('NONE', 'ALL', 'SUSPICIOUS'))) { die('Wrong Rapid account scan type'); } if (defined('RAPID_ACCOUNT_SCAN') && !extension_loaded('leveldb')) { die('LevelDB extension needed for Rapid DB'); } $vars->blackFiles = []; if (DEBUG_MODE || DEBUG_PERFORMANCE) { $debug = new DebugMode(DEBUG_MODE, DEBUG_PERFORMANCE); } else { $debug = null; } $vars->signs = new LoadSignaturesForScan(isset($defaults['avdb']) ? $defaults['avdb'] : null, AI_EXPERT, DEBUG_PERFORMANCE); if ($vars->signs->getResult() == $vars->signs::SIGN_EXTERNAL) { stdOut('Loaded external signatures from ' . $defaults['avdb']); } else if ($vars->signs->getResult() == $vars->signs::SIGN_IMPORT) { stdOut('Loaded ' . __DIR__ . '/ai-bolit.sig signatures from ai-bolit.sig'); } else if (is_object($debug) && $vars->signs->getResult() == $vars->signs::SIGN_ERROR) { $debug->QCR_Debug('Import ai-bolit.sig ' . $vars->signs->getLastError()); } if (is_object($debug)) { $debug->QCR_Debug(); } if (isset($defaults['userid'])) { stdOut('Running from ' . $defaults['userid'] . ':' . $defaults['groupid']); } if (AI_EXTRA_WARN) { $sign_count = $vars->signs->getDBCountWithSuspicious(); } else { $sign_count = $vars->signs->getDBCount(); } stdOut('Malware signatures: ' . $sign_count); if ($g_SpecificExt) { stdOut("Scan specific extensions: " . implode(',', $g_SensitiveFiles)); } // Black list database try { $file = __DIR__ . '/AIBOLIT-BINMALWARE.db'; if (isset($defaults['avdb'])) { $file = dirname($defaults['avdb']) . '/AIBOLIT-BINMALWARE.db'; } $vars->blacklist = FileHashMemoryDb::open($file); stdOut("Binary malware signatures: " . ceil($vars->blacklist->count())); } catch (Exception $e) { $vars->blacklist = null; } if (DEBUG_PERFORMANCE) { stdOut("Debug Performance Scan"); } // Init define('MAX_PREVIEW_LEN', 120); if (defined('AIBOLIT_EXTERNAL_HANDLER')) { include_once(AIBOLIT_EXTERNAL_HANDLER); stdOut("\nLoaded external handler: " . AIBOLIT_EXTERNAL_HANDLER . "\n"); if (function_exists("aibolit_onStart")) { aibolit_onStart(); } } // Perform full scan when running from command line if ($l_FastCli) { $defaults['scan_all_files'] = 0; } define('SCAN_ALL_FILES', (bool) $defaults['scan_all_files']); define('SCAN_DELAY', (int) $defaults['scan_delay']); define('MAX_SIZE_TO_SCAN', AibolitHelpers::getBytes($defaults['max_size_to_scan'])); define('MAX_SIZE_TO_CLOUDSCAN', AibolitHelpers::getBytes($defaults['max_size_to_cloudscan'])); if (SCAN_ALL_FILES) { $filter->setScanAll(); } if ($defaults['memory_limit'] && ($defaults['memory_limit'] = AibolitHelpers::getBytes($defaults['memory_limit'])) > 0) { ini_set('memory_limit', $defaults['memory_limit']); stdOut("Changed memory limit to " . $defaults['memory_limit']); } if (realpath($defaults['path']) === false) { define('ROOT_PATH', $defaults['path']); } else { define('ROOT_PATH', realpath($defaults['path'])); } if (!ROOT_PATH) { if (isCli()) { die(stdOut("Directory '{$defaults['path']}' not found!")); } } elseif (!$defaults['use_template_in_path'] && !is_readable(ROOT_PATH) && isCli()) { die2(stdOut("Cannot read directory '" . ROOT_PATH . "'!")); } define('CURRENT_DIR', getcwd()); if(!$defaults['use_template_in_path']) { chdir(ROOT_PATH); } if (isCli() && REPORT !== '' && REPORT !== 'no@email.com') { $report = str_replace('\\', '/', REPORT); $abs = strpos($report, '/') === 0 ? DIR_SEPARATOR : ''; $report = array_values(array_filter(explode('/', $report))); $report_file = array_pop($report); $report_path = realpath($abs . implode(DIR_SEPARATOR, $report)); define('REPORT_FILE', $report_file); define('REPORT_PATH', $report_path); if (REPORT_FILE && REPORT_PATH && is_file(REPORT_PATH . DIR_SEPARATOR . REPORT_FILE)) { @unlink(REPORT_PATH . DIR_SEPARATOR . REPORT_FILE); } if (!isset($options['no-html']) && defined('REPORT_FILE')) { $reports[HTMLReport::class] = REPORT_PATH . DIR_SEPARATOR . REPORT_FILE; } } if (defined('REPORT_PATH')) { $l_ReportDirName = REPORT_PATH; } $vars->options = $options; $path = $defaults['path']; $report_mask = $defaults['report_mask']; $extended_report = defined('EXTENDED_REPORT') && EXTENDED_REPORT; $rapid_account_scan_report = defined('RAPID_ACCOUNT_SCAN'); $max_size_to_scan = AibolitHelpers::getBytes(MAX_SIZE_TO_SCAN); $max_size_to_scan = $max_size_to_scan > 0 ? $max_size_to_scan : AibolitHelpers::getBytes('1m'); $max_size_to_scan = AibolitHelpers::bytes2Human($max_size_to_scan); $use_doublecheck = isset($options['with-2check']) && file_exists(DOUBLECHECK_FILE); $reportFactory = function ($reports) use ($vars, $path, $db_meta_info, $report_mask, $extended_report, $rapid_account_scan_report, $g_AddPrefix, $g_NoPrefix, $snum, $max_size_to_scan, $g_SpecificExt, $use_doublecheck) { foreach($reports as $report_class => $file) { yield Factory::instance()->create($report_class, [$vars->signs->_Mnemo, $path, $vars->signs->getDBLocation(), $vars->signs->getDBMetaInfoVersion(), $report_mask, $extended_report, $rapid_account_scan_report, AI_VERSION, AI_HOSTER, AI_EXTRA_WARN, AI_EXPERT, SMART_SCAN, ROOT_PATH, SCAN_ALL_FILES, $g_SpecificExt, DOUBLECHECK_FILE, $use_doublecheck, START_TIME, $snum, $max_size_to_scan, $g_AddPrefix, $g_NoPrefix, isset($reports[CSVReport::class]), $file, JSON_STDOUT]); } }; define('QUEUE_FILENAME', ($l_ReportDirName != '' ? $l_ReportDirName . '/' : '') . 'AI-BOLIT-QUEUE-' . md5($defaults['path']) . '-' . rand(1000, 9999) . '.txt'); if (isset($options['detached'])) { $detached = Factory::instance()->create(DetachedMode::class, [$finder, $debug, $options['detached'], $vars, START_TIME, $reportFactory]); if (defined('LISTING_FILE')) { $detached->scanListing(LISTING_FILE, INPUT_FILENAMES_BASE64_ENCODED); } else { $detached->scanDirectories(ROOT_PATH); } exit(0); } if (isset($options['resident'])) { $logger = null; $levels = explode(',', LOG_LEVEL); $logger = new Logger(LOG_FILE, $levels); Factory::instance()->create(ResidentMode::class, [$finder, $debug, $reportFactory, $vars->signs, $vars->blacklist, $logger, $vars->maxMinUid]); exit(0); } //////////////////////////////////////////////////////////////////////////// if (!isCli()) { header('Content-type: text/html; charset=utf-8'); } if (!$defaults['use_template_in_path'] && !is_readable(ROOT_PATH)) { echo Translate::getStr('warning.folder_read_permission'); exit; } if (isCli()) { if (defined('REPORT_PATH') && REPORT_PATH) { if (!is_writable(REPORT_PATH)) { die2("\nCannot write report. Report dir " . REPORT_PATH . " is not writable."); } else if (!REPORT_FILE) { die2("\nCannot write report. Report filename is empty."); } else if (($file = REPORT_PATH . DIR_SEPARATOR . REPORT_FILE) && is_file($file) && !is_writable($file)) { die2("\nCannot write report. Report file '$file' exists but is not writable."); } } } // detect version CMS $g_CmsListDetector = null; if (!$defaults['use_template_in_path']) { $g_KnownCMS = []; $g_CmsListDetector = new CmsVersionDetector(ROOT_PATH); $l_CmsDetectedNum = $g_CmsListDetector->getCmsNumber(); for ($tt = 0; $tt < $l_CmsDetectedNum; $tt++) { $vars->CMS[] = $g_CmsListDetector->getCmsName($tt) . ' v' . AibolitHelpers::makeSafeFn($g_CmsListDetector->getCmsVersion($tt), $g_AddPrefix, $g_NoPrefix); } } $g_DirIgnoreList = array(); $g_IgnoreList = array(); $g_UrlIgnoreList = array(); $g_KnownList = array(); $g_AiBolitAbsolutePath = __DIR__; $l_IgnoreFilename = $g_AiBolitAbsolutePath . '/.aignore'; $l_DirIgnoreFilename = $g_AiBolitAbsolutePath . '/.adirignore'; $l_UrlIgnoreFilename = $g_AiBolitAbsolutePath . '/.aurlignore'; if (file_exists($l_IgnoreFilename)) { $l_IgnoreListRaw = file($l_IgnoreFilename); for ($i = 0, $iMax = count($l_IgnoreListRaw); $i < $iMax; $i++) { $g_IgnoreList[] = explode("\t", trim($l_IgnoreListRaw[$i])); } unset($l_IgnoreListRaw); } if (file_exists($l_UrlIgnoreFilename)) { $g_UrlIgnoreList = file($l_UrlIgnoreFilename); for ($i = 0, $iMax = count($g_UrlIgnoreList); $i < $iMax; $i++) { $g_UrlIgnoreList[$i] = trim($g_UrlIgnoreList[$i]); } } $filter->setIgnoreListPatterns($l_DirIgnoreFilename); if (SMART_SCAN) { $filter->setSmartScan(); $g_DirIgnoreList = array_merge($g_DirIgnoreList, $l_SkipMask); } if (is_object($debug)) { $debug->QCR_Debug(); } $defaults['skip_ext'] = strtolower(trim($defaults['skip_ext'])); if ($defaults['skip_ext'] != '') { $filter->setIgnoreExt($defaults['skip_ext']); $g_IgnoredExt = explode(',', $defaults['skip_ext']); for ($i = 0, $iMax = count($g_IgnoredExt); $i < $iMax; $i++) { $g_IgnoredExt[$i] = trim($g_IgnoredExt[$i]); } if (is_object($debug)) { $debug->QCR_Debug('Skip files with extensions: ' . implode(',', $g_IgnoredExt)); } stdOut('Skip extensions: ' . implode(',', $g_IgnoredExt)); } $use_listingfile = defined('LISTING_FILE'); $listing = false; if ($use_doublecheck) { $listing = DOUBLECHECK_FILE; } elseif ($use_listingfile) { $listing = LISTING_FILE; } $base64_encoded = INPUT_FILENAMES_BASE64_ENCODED; try { $scan = new Scanner($finder, $vars, $debug); if (defined('SCAN_FILE')) { // scan single file $filepath = INPUT_FILENAMES_BASE64_ENCODED ? FilepathEscaper::decodeFilepathByBase64(SCAN_FILE) : SCAN_FILE; stdOut("Start scanning file '" . $filepath . "'."); if (file_exists($filepath) && is_file($filepath) && is_readable($filepath)) { $vars->foundTotalFiles = 1; $s_file[] = $filepath; $base64_encoded = false; } else { stdOut("Error:" . $filepath . " either is not a file or readable"); } } elseif ($listing) { //scan listing if ($listing == 'stdin') { $lines = explode("\n", getStdin()); } else { $lines = new SplFileObject($listing); $lines->setFlags(SplFileObject::READ_AHEAD | SplFileObject::SKIP_EMPTY | SplFileObject::DROP_NEW_LINE); } if (is_array($lines)) { $vars->foundTotalFiles = count($lines); } else if ($lines instanceof SplFileObject) { $lines->seek($lines->getSize()); $vars->foundTotalFiles = $lines->key(); $lines->seek(0); } $s_file = $lines; stdOut("Start scanning the list from '" . $listing . "'.\n"); } else { //scan by path $base64_encoded = true; file_exists(QUEUE_FILENAME) && unlink(QUEUE_FILENAME); $scan->QCR_ScanDirectories(ROOT_PATH); stdOut("Found $vars->foundTotalFiles files in $vars->foundTotalDirs directories."); stdOut("Start scanning '" . ROOT_PATH . "'.\n"); if (is_object($debug)) { $debug->QCR_Debug(); } stdOut(str_repeat(' ', 160), false); $s_file = new SplFileObject(QUEUE_FILENAME); $s_file->setFlags(SplFileObject::READ_AHEAD | SplFileObject::SKIP_EMPTY | SplFileObject::DROP_NEW_LINE); } $scan->QCR_GoScan($s_file, null, $base64_encoded, $use_doublecheck); unset($s_file); @unlink(QUEUE_FILENAME); $vars->foundTotalDirs = $vars->totalFolder; if (defined('PROGRESS_LOG_FILE') && file_exists(PROGRESS_LOG_FILE)) { @unlink(PROGRESS_LOG_FILE); } if (CREATE_SHARED_MEMORY) { shmop_delete(SHARED_MEMORY); } if (defined('SHARED_MEMORY')) { shmop_close(SHARED_MEMORY); } } catch (Exception $e) { if (is_object($debug)) { $debug->QCR_Debug($e->getMessage()); } } if (is_object($debug)) { $debug->QCR_Debug(); } if (true) { $g_HeuristicDetected = array(); $g_Iframer = array(); $g_Base64 = array(); } list($snum, $i) = $scan->whitelisting(); //////////////////////////////////////////////////////////////////////////// if (AI_HOSTER) { $g_IframerFragment = array(); $g_Iframer = array(); $vars->redirect = array(); $vars->doorway = array(); $g_EmptyLink = array(); $g_HeuristicType = array(); $g_HeuristicDetected = array(); $vars->adwareList = array(); $vars->phishing = array(); $g_PHPCodeInside = array(); $g_PHPCodeInsideFragment = array(); $vars->bigFiles = array(); $vars->redirectPHPFragment = array(); $g_EmptyLinkSrc = array(); $g_Base64Fragment = array(); $g_UnixExec = array(); $vars->phishingSigFragment = array(); $vars->phishingFragment = array(); $g_PhishingSig = array(); $g_IframerFragment = array(); $vars->CMS = array(); $vars->adwareListFragment = array(); } if (BOOL_RESULT && (!defined('NEED_REPORT'))) { if ((count($vars->criticalPHP) > 0) || (count($vars->criticalJS) > 0) || (count($g_PhishingSig) > 0)) { exit(2); } else { exit(0); } } //////////////////////////////////////////////////////////////////////////// $time_taken = AibolitHelpers::seconds2Human(microtime(true) - START_TIME); stdOut("\nBuilding report [ mode = " . AI_EXPERT . " ]\n"); //stdOut("\nLoaded signatures: " . count($g_FlexDBShe) . " / " . count($g_JSVirSig) . "\n"); //////////////////////////////////////////////////////////////////////////// $scan_time = round(microtime(true) - START_TIME, 1); foreach($reportFactory($reports) as $report) { $report->generateReport($vars, $scan_time); $res = $report->write(); if ($res !== '') { stdOut($res); } } stdOut("\n"); if (!AI_HOSTER) { stdOut("Building list of vulnerable scripts " . count($vars->vulnerable)); } stdOut("Building list of shells " . count($vars->criticalPHP)); stdOut("Building list of js " . count($vars->criticalJS)); stdOut("Building list of unread files " . count($vars->notRead)); if (!AI_HOSTER) { stdOut("Building list of phishing pages " . count($vars->phishing)); stdOut('Building list of redirects ' . count($vars->redirect)); stdOut("Building list of symlinks " . count($vars->symLinks)); } if (AI_EXTRA_WARN) { stdOut("Building list of suspicious files " . count($vars->warningPHP)); } //////////////////////////////////// if (!AI_HOSTER) { stdOut("Building list of adware " . count($vars->adwareList)); stdOut("Building list of bigfiles " . count($vars->bigFiles)); stdOut("Building list of doorways " . count($vars->doorway)); } if (!defined('REPORT') || REPORT === '') { die2('Report not written.'); } stdOut("Scanning complete! Time taken: " . AibolitHelpers::seconds2Human($scan_time)); if (DEBUG_PERFORMANCE) { $debug->printPerfomanceStats(); die(); } stdOut("\n\n!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); stdOut("Attention! DO NOT LEAVE either ai-bolit.php or AI-BOLIT-REPORT--.html \nfile on server. COPY it locally then REMOVE from server. "); stdOut("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); if (isset($options['cmd'])) { stdOut("Run \"{$options['cmd']}\" "); system($options['cmd']); } if (is_object($debug)) { $debug->QCR_Debug(); } # exit with code $l_EC1 = count($vars->criticalPHP); $l_EC2 = count($vars->criticalJS) + count($vars->phishing) + count($vars->warningPHP); $code = 0; if ($l_EC1 > 0) { $code = 2; } else { if ($l_EC2 > 0) { $code = 1; } } $stat = array( 'php_malware' => count($vars->criticalPHP), 'cloudhash' => count($vars->blackFiles), 'js_malware' => count($vars->criticalJS), 'phishing' => count($vars->phishing) ); if (function_exists('aibolit_onComplete')) { aibolit_onComplete($code, $stat); } stdOut('Exit code ' . $code); exit($code); ############################################# END ############################################### function getStdin() { $stdin = ''; $f = @fopen('php://stdin', 'r'); while($line = fgets($f)) { $stdin .= $line; } fclose($f); return $stdin; } function die2($str) { if (function_exists('aibolit_onFatalError')) { aibolit_onFatalError($str); } die($str); } function getMaxMinUid($path = '/etc/login.defs') { $uid_min = 1000; $uid_max = 60000; if (!file_exists($path)) { $release = new OsReleaseInfo(); $ver = $release->getOsVersion(); if ($release->isIdLikeCentos() && $ver && (strpos($ver, '6') === 0)) { $uid_min = 500; $uid_max = 60000; } unset($ver); return [$uid_min, $uid_max]; } $file = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); foreach ($file as $line) { $line = trim($line); if (strpos($line, 'UID_MIN') === 0) { list($key, $value) = preg_split('~\s+~', trim($line), 2, PREG_SPLIT_NO_EMPTY); $uid_min = intval(trim($value)); } if (strpos($line, 'UID_MAX') === 0) { list($key, $value) = preg_split('~\s+~', trim($line), 2, PREG_SPLIT_NO_EMPTY); $uid_max = intval(trim($value)); } } return [$uid_min, $uid_max]; } //////////////////////////////////////////////////////////////////////////////////////////////////////////////// /// The following instructions should be written the same pattern, /// because they are replaced by file content while building a release. /// See the release_aibolit_ru.sh file for details. class AibolitHelpers { /** * Format bytes to human readable * * @param int $bytes * * @return string */ public static function bytes2Human($bytes) { if ($bytes < 1024) { return $bytes . ' b'; } elseif (($kb = $bytes / 1024) < 1024) { return number_format($kb, 2) . ' Kb'; } elseif (($mb = $kb / 1024) < 1024) { return number_format($mb, 2) . ' Mb'; } elseif (($gb = $mb / 1024) < 1024) { return number_format($gb, 2) . ' Gb'; } else { return number_format($gb / 1024, 2) . 'Tb'; } } /** * Seconds to human readable * @param int $seconds * @return string */ public static function seconds2Human($seconds) { $r = ''; $_seconds = floor($seconds); $ms = $seconds - $_seconds; $seconds = $_seconds; if ($hours = floor($seconds / 3600)) { $r .= $hours . ' h '; $seconds %= 3600; } if ($minutes = floor($seconds / 60)) { $r .= $minutes . ' m '; $seconds %= 60; } if ($minutes < 3) { $r .= ' ' . (string)($seconds + ($ms > 0 ? round($ms) : 0)) . ' s'; } return $r; } /** * Get bytes from shorthand byte values (1M, 1G...) * @param int|string $val * @return int */ public static function getBytes($val) { $val = trim($val); $last = strtolower($val[strlen($val) - 1]); switch ($last) { case 't': $val *= 1024; case 'g': $val *= 1024; case 'm': $val *= 1024; case 'k': $val *= 1024; } return intval($val); } /** * Convert dangerous chars to html entities * * @param $par_Str * @param string $addPrefix * @param string $noPrefix * @param bool $replace_path * * @return string */ public static function makeSafeFn($par_Str, $addPrefix = '', $noPrefix = '', $replace_path = false) { if ($replace_path) { $lines = explode("\n", $par_Str); array_walk($lines, static function(&$n) use ($addPrefix, $noPrefix) { $n = $addPrefix . str_replace($noPrefix, '', $n); }); $par_Str = implode("\n", $lines); } return htmlspecialchars($par_Str, ENT_SUBSTITUTE | ENT_QUOTES); } public static function myCheckSum($str) { return hash('crc32b', $str); } } class Variables { public $structure = array(); public $totalFolder = 0; public $totalFiles = 0; public $adwareList = array(); public $criticalPHP = array(); public $phishing = array(); public $CMS = array(); public $redirect = array(); public $redirectPHPFragment = array(); public $criticalJS = array(); public $criticalJSFragment = array(); public $blackFiles = array(); public $notRead = array(); public $bigFiles = array(); public $criticalPHPSig = array(); public $criticalPHPFragment = array(); public $phishingSigFragment = array(); public $phishingFragment = array(); public $criticalJSSig = array(); public $adwareListFragment = array(); public $warningPHPSig = array(); public $warningPHPFragment = array(); public $warningPHP = array(); public $blacklist = null; public $vulnerable = array(); public $crc = 0; public $counter = 0; public $foundTotalDirs = 0; public $foundTotalFiles = 0; public $files_and_ignored = 0; public $doorway = array(); public $symLinks = array(); public $skippedFolders = array(); public $hashtable = null; public $fileinfo = null; public $rescanCount = 0; public $maxMinUid = array(); public $options = array(); public $signs = array(); } class Logger { /** * $log_file - path and log file name * @var string */ protected $log_file; /** * $file - file * @var string */ protected $file; /** * dateFormat * @var string */ protected $dateFormat = 'd-M-Y H:i:s'; /** * @var array */ const LEVELS = ['ERROR' => 1, 'DEBUG' => 2, 'INFO' => 4, 'ALL' => 7]; /** * @var int */ private $level; /** * Class constructor * * @param string $log_file - path and filename of log * @param string|array $level - Level of logging * * @throws Exception */ public function __construct($log_file = null, $level = 'INFO') { if (!$log_file) { return; } if (is_array($level)) { foreach ($level as $v) { if (!isset(self::LEVELS[$v])) { $v = 'INFO'; } $this->level |= self::LEVELS[$v]; } } else { if (isset(self::LEVELS[$level])) { $this->level = self::LEVELS[$level]; } else { $this->level = self::LEVELS['INFO']; } } $this->log_file = $log_file; //Create log file if it doesn't exist. if (!file_exists($log_file)) { fopen($log_file, 'w') or exit("Can't create $log_file!"); } //Check permissions of file. if (!is_writable($log_file)) { //throw exception if not writable throw new Exception('ERROR: Unable to write to file!', 1); } } /** * Info method (write info message) * @param string $message * @return void */ public function info($message) { if ($this->level & self::LEVELS['INFO']) { $this->writeLog($message, 'INFO'); } } /** * Debug method (write debug message) * @param string $message * @return void */ public function debug($message) { if ($this->level & self::LEVELS['DEBUG']) { $this->writeLog($message, 'DEBUG'); } } /** * Error method (write error message) * @param string $message * @return void */ public function error($message) { if ($this->level & self::LEVELS['ERROR']) { $this->writeLog($message, 'ERROR'); } } /** * Write to log file * @param string $message * @param string $level * @return void */ public function writeLog($message, $level) { if (!$this->log_file) { return; } // open log file if (!is_resource($this->file)) { $this->openLog(); } //Grab time - based on timezone in php.ini $time = date($this->dateFormat); // Write time & message to end of file fwrite($this->file, "[$time] : [$level] - $message" . PHP_EOL); } /** * Open log file * @return void */ private function openLog() { $openFile = $this->log_file; // 'a' option = place pointer at end of file $this->file = fopen($openFile, 'a') or exit("Can't open $openFile!"); } /** * Class destructor */ public function __destruct() { if ($this->file) { fclose($this->file); } } } class LoadSignaturesForScan { private $sig_db = array(); private $sig_db_meta_info = array(); private $sig_db_location = 'internal'; private $mode; private $debug; public $_DBShe; public $X_DBShe; public $_FlexDBShe; public $X_FlexDBShe; public $XX_FlexDBShe; public $_ExceptFlex; public $_AdwareSig; public $_PhishingSig; public $_JSVirSig; public $X_JSVirSig; public $_SusDB; public $_SusDBPrio; public $_DeMapper; public $_Mnemo; public $whiteUrls; public $blackUrls; public $ownUrl = null; private $count; private $count_susp; private $result = 0; private $last_error = ''; const SIGN_INTERNAL = 1; const SIGN_EXTERNAL = 2; const SIGN_IMPORT = 3; const SIGN_ERROR = 9; public function __construct($avdb_file, $mode, $debug) { $this->mode = $mode; $this->debug = $debug; $this->sig_db_meta_info = array( 'build-date' => 'n/a', 'version' => 'n/a', 'release-type' => 'n/a', ); if ($avdb_file && file_exists($avdb_file)) { $avdb = explode("\n", gzinflate(base64_decode(str_rot13(strrev(trim(file_get_contents($avdb_file))))))); $this->sig_db_location = 'external'; $this->_DBShe = explode("\n", base64_decode($avdb[0])); $this->X_DBShe = explode("\n", base64_decode($avdb[1])); $this->_FlexDBShe = explode("\n", base64_decode($avdb[2])); $this->X_FlexDBShe = explode("\n", base64_decode($avdb[3])); $this->XX_FlexDBShe = explode("\n", base64_decode($avdb[4])); $this->_ExceptFlex = explode("\n", base64_decode($avdb[5])); $this->_AdwareSig = explode("\n", base64_decode($avdb[6])); $this->_PhishingSig = explode("\n", base64_decode($avdb[7])); $this->_JSVirSig = explode("\n", base64_decode($avdb[8])); $this->X_JSVirSig = explode("\n", base64_decode($avdb[9])); $this->_SusDB = explode("\n", base64_decode($avdb[10])); $this->_SusDBPrio = explode("\n", base64_decode($avdb[11])); $this->_DeMapper = array_combine(explode("\n", base64_decode($avdb[12])), explode("\n", base64_decode($avdb[13]))); $this->_Mnemo = @array_flip(@array_combine(explode("\n", base64_decode($avdb[14])), explode("\n", base64_decode($avdb[15])))); // get meta information $avdb_meta_info = json_decode(base64_decode($avdb[16]), true); $this->sig_db_meta_info['build-date'] = $avdb_meta_info ? $avdb_meta_info['build-date'] : 'n/a'; $this->sig_db_meta_info['version'] = $avdb_meta_info ? $avdb_meta_info['version'] : 'n/a'; $this->sig_db_meta_info['release-type'] = $avdb_meta_info ? $avdb_meta_info['release-type'] : 'n/a'; if (count($this->_DBShe) <= 1) { $this->_DBShe = array(); } if (count($this->X_DBShe) <= 1) { $this->X_DBShe = array(); } if (count($this->_FlexDBShe) <= 1) { $this->_FlexDBShe = array(); } if (count($this->X_FlexDBShe) <= 1) { $this->X_FlexDBShe = array(); } if (count($this->XX_FlexDBShe) <= 1) { $this->XX_FlexDBShe = array(); } if (count($this->_ExceptFlex) <= 1) { $this->_ExceptFlex = array(); } if (count($this->_AdwareSig) <= 1) { $this->_AdwareSig = array(); } if (count($this->_PhishingSig) <= 1) { $this->_PhishingSig = array(); } if (count($this->X_JSVirSig) <= 1) { $this->X_JSVirSig = array(); } if (count($this->_JSVirSig) <= 1) { $this->_JSVirSig = array(); } if (count($this->_SusDB) <= 1) { $this->_SusDB = array(); } if (count($this->_SusDBPrio) <= 1) { $this->_SusDBPrio = array(); } $this->result = self::SIGN_EXTERNAL; } else { InternalSignatures::init(); $this->_DBShe = InternalSignatures::$_DBShe; $this->X_DBShe = InternalSignatures::$X_DBShe; $this->_FlexDBShe = InternalSignatures::$_FlexDBShe; $this->X_FlexDBShe = InternalSignatures::$X_FlexDBShe; $this->XX_FlexDBShe = InternalSignatures::$XX_FlexDBShe; $this->_ExceptFlex = InternalSignatures::$_ExceptFlex; $this->_AdwareSig = InternalSignatures::$_AdwareSig; $this->_PhishingSig = InternalSignatures::$_PhishingSig; $this->_JSVirSig = InternalSignatures::$_JSVirSig; $this->X_JSVirSig = InternalSignatures::$X_JSVirSig; $this->_SusDB = InternalSignatures::$_SusDB; $this->_SusDBPrio = InternalSignatures::$_SusDBPrio; $this->_DeMapper = InternalSignatures::$_DeMapper; $this->_Mnemo = InternalSignatures::$_Mnemo; // get meta information $avdb_meta_info = InternalSignatures::$db_meta_info; $this->sig_db_meta_info['build-date'] = $avdb_meta_info ? $avdb_meta_info['build-date'] : 'n/a'; $this->sig_db_meta_info['version'] = $avdb_meta_info ? $avdb_meta_info['version'] : 'n/a'; $this->sig_db_meta_info['release-type'] = $avdb_meta_info ? $avdb_meta_info['release-type'] : 'n/a'; $this->result = self::SIGN_INTERNAL; } // use only basic signature subset if ($mode < 2) { $this->X_FlexDBShe = array(); $this->XX_FlexDBShe = array(); $this->X_JSVirSig = array(); } // Load custom signatures if (file_exists(__DIR__ . '/ai-bolit.sig')) { try { $s_file = new SplFileObject(__DIR__ . '/ai-bolit.sig'); $s_file->setFlags(SplFileObject::READ_AHEAD | SplFileObject::SKIP_EMPTY | SplFileObject::DROP_NEW_LINE); foreach ($s_file as $line) { $this->_FlexDBShe[] = preg_replace('#\G(?:[^~\\\\]+|\\\\.)*+\K~#', '\\~', $line); // escaping ~ } $this->result = self::SIGN_IMPORT; $s_file = null; // file handler is closed } catch (Exception $e) { $this->result = self::SIGN_ERROR; $this->last_error = $e->getMessage(); } } $this->count = count($this->_JSVirSig) + count($this->X_JSVirSig) + count($this->_DBShe) + count($this->X_DBShe) + count($this->_FlexDBShe) + count($this->X_FlexDBShe) + count($this->XX_FlexDBShe); $this->count_susp = $this->count + count($this->_SusDB); if (!$debug) { $this->OptimizeSignatures(); } $this->_DBShe = array_map('strtolower', $this->_DBShe); $this->X_DBShe = array_map('strtolower', $this->X_DBShe); } private function OptimizeSignatures() { ($this->mode == 2) && ($this->_FlexDBShe = array_merge($this->_FlexDBShe, $this->X_FlexDBShe, $this->XX_FlexDBShe)); ($this->mode == 1) && ($this->_FlexDBShe = array_merge($this->_FlexDBShe, $this->X_FlexDBShe)); $this->X_FlexDBShe = $this->XX_FlexDBShe = array(); ($this->mode == 2) && ($this->_JSVirSig = array_merge($this->_JSVirSig, $this->X_JSVirSig)); $this->X_JSVirSig = array(); $count = count($this->_FlexDBShe); for ($i = 0; $i < $count; $i++) { if ($this->_FlexDBShe[$i] == '[a-zA-Z0-9_]+?\(\s*[a-zA-Z0-9_]+?=\s*\)') $this->_FlexDBShe[$i] = '\((?<=[a-zA-Z0-9_].)\s*[a-zA-Z0-9_]++=\s*\)'; if ($this->_FlexDBShe[$i] == '([^\?\s])\({0,1}\.[\+\*]\){0,1}\2[a-z]*e') $this->_FlexDBShe[$i] = '(?J)\.[+*](?<=(?[^\?\s])\(..|(?[^\?\s])..)\)?\g{d}[a-z]*e'; if ($this->_FlexDBShe[$i] == '$[a-zA-Z0-9_]\{\d+\}\s*\.$[a-zA-Z0-9_]\{\d+\}\s*\.$[a-zA-Z0-9_]\{\d+\}\s*\.') $this->_FlexDBShe[$i] = '\$[a-zA-Z0-9_]\{\d+\}\s*\.\$[a-zA-Z0-9_]\{\d+\}\s*\.\$[a-zA-Z0-9_]\{\d+\}\s*\.'; $this->_FlexDBShe[$i] = str_replace('http://.+?/.+?\.php\?a', 'http://[^?\s]++(?<=\.php)\?a', $this->_FlexDBShe[$i]); $this->_FlexDBShe[$i] = preg_replace('~\[a-zA-Z0-9_\]\+\K\?~', '+', $this->_FlexDBShe[$i]); $this->_FlexDBShe[$i] = preg_replace('~^\\\\[d]\+&@~', '&@(?<=\d..)', $this->_FlexDBShe[$i]); $this->_FlexDBShe[$i] = str_replace('\s*[\'"]{0,1}.+?[\'"]{0,1}\s*', '.+?', $this->_FlexDBShe[$i]); $this->_FlexDBShe[$i] = str_replace('[\'"]{0,1}.+?[\'"]{0,1}', '.+?', $this->_FlexDBShe[$i]); $this->_FlexDBShe[$i] = preg_replace('~^\[\'"\]\{0,1\}\.?|^@\*|^\\\\s\*~', '', $this->_FlexDBShe[$i]); } $this->optSig($this->_FlexDBShe); $this->optSig($this->_JSVirSig); $this->optSig($this->_AdwareSig); $this->optSig($this->_PhishingSig); $this->optSig($this->_SusDB); //optSig($g_SusDBPrio); //optSig($g_ExceptFlex); // convert exception rules $cnt = count($this->_ExceptFlex); for ($i = 0; $i < $cnt; $i++) { $this->_ExceptFlex[$i] = trim(Normalization::normalize($this->_ExceptFlex[$i])); if ($this->_ExceptFlex[$i] == '') unset($this->_ExceptFlex[$i]); } $this->_ExceptFlex = array_values($this->_ExceptFlex); } private function optSig(&$sigs) { $sigs = array_unique($sigs); // Add SigId foreach ($sigs as &$s) { $s .= '(?)'; } unset($s); $fix = array( '([^\?\s])\({0,1}\.[\+\*]\){0,1}\2[a-z]*e' => '(?J)\.[+*](?<=(?[^\?\s])\(..|(?[^\?\s])..)\)?\g{d}[a-z]*e', 'http://.+?/.+?\.php\?a' => 'http://[^?\s]++(?<=\.php)\?a', '\s*[\'"]{0,1}.+?[\'"]{0,1}\s*' => '.+?', '[\'"]{0,1}.+?[\'"]{0,1}' => '.+?' ); $sigs = str_replace(array_keys($fix), array_values($fix), $sigs); $fix = array( '~^\\\\[d]\+&@~' => '&@(?<=\d..)', '~^((\[\'"\]|\\\\s|@)(\{0,1\}\.?|[?*]))+~' => '' ); $sigs = preg_replace(array_keys($fix), array_values($fix), $sigs); $this->optSigCheck($sigs); $tmp = array(); foreach ($sigs as $i => $s) { if (!preg_match('~^(?>(?!\.[*+]|\\\\\d)(?:\\\\.|\[.+?\]|.))+$~', $s)) { unset($sigs[$i]); $tmp[] = $s; } } usort($sigs, 'strcasecmp'); $txt = implode("\n", $sigs); for ($i = 24; $i >= 1; ($i > 4) ? $i -= 4 : --$i) { $txt = preg_replace_callback('#^((?>(?:\\\\.|\\[.+?\\]|[^(\n]|\((?:\\\\.|[^)(\n])++\))(?:[*?+]\+?|\{\d+(?:,\d*)?\}[+?]?|)){' . $i . ',})[^\n]*+(?:\\n\\1(?![{?*+]).+)+#im', [$this, 'optMergePrefixes'], $txt); } $sigs = array_merge(explode("\n", $txt), $tmp); $this->optSigCheck($sigs); } private function optMergePrefixes($m) { $limit = 8000; $prefix = $m[1]; $prefix_len = strlen($prefix); $len = $prefix_len; $r = array(); $suffixes = array(); foreach (explode("\n", $m[0]) as $line) { if (strlen($line) > $limit) { $r[] = $line; continue; } $s = substr($line, $prefix_len); $len += strlen($s); if ($len > $limit) { if (count($suffixes) == 1) { $r[] = $prefix . $suffixes[0]; } else { $r[] = $prefix . '(?:' . implode('|', $suffixes) . ')'; } $suffixes = array(); $len = $prefix_len + strlen($s); } $suffixes[] = $s; } if (!empty($suffixes)) { if (count($suffixes) == 1) { $r[] = $prefix . $suffixes[0]; } else { $r[] = $prefix . '(?:' . implode('|', $suffixes) . ')'; } } return implode("\n", $r); } private function optMergePrefixes_Old($m) { $prefix = $m[1]; $prefix_len = strlen($prefix); $suffixes = array(); foreach (explode("\n", $m[0]) as $line) { $suffixes[] = substr($line, $prefix_len); } return $prefix . '(?:' . implode('|', $suffixes) . ')'; } /* * Checking errors in pattern */ private function optSigCheck(&$sigs) { $result = true; foreach ($sigs as $k => $sig) { if (trim($sig) == "") { if ($this->debug) { echo ("************>>>>> EMPTY\n pattern: " . $sig . "\n"); } unset($sigs[$k]); $result = false; } if (@preg_match('~' . $sig . '~smiS', '') === false) { $error = error_get_last(); if ($this->debug) { echo ("************>>>>> " . $error['message'] . "\n pattern: " . $sig . "\n"); } unset($sigs[$k]); $result = false; } } return $result; } public static function getSigId($l_Found) { foreach ($l_Found as $key => &$v) { if (is_string($key) && $v[1] != -1 && strlen($key) == 9) { return substr($key, 1); } } return null; } public function setOwnUrl($url) { if (isset($this->blackUrls)) { foreach ($this->blackUrls->getDb() as $black) { if (preg_match('~' . $black . '~msi', $url)) { $this->ownUrl = null; return; } } } $this->ownUrl = $url; } public function getOwnUrl() { return $this->ownUrl; } public function getDBLocation() { return $this->sig_db_location; } public function getDB() { return $this->sig_db; } public function getDBMetaInfo() { return $this->sig_db_meta_info; } public function getDBMetaInfoVersion() { return $this->sig_db_meta_info['version']; } public function getDBCount() { return $this->count; } public function getDBCountWithSuspicious() { return $this->count_susp; } public function getResult() { return $this->result; } public function getLastError() { return $this->last_error; } } class InternalSignatures { public static $_DBShe; public static $X_DBShe; public static $_FlexDBShe; public static $X_FlexDBShe; public static $XX_FlexDBShe; public static $_ExceptFlex; public static $_AdwareSig; public static $_PhishingSig; public static $_JSVirSig; public static $X_JSVirSig; public static $_SusDB; public static $_SusDBPrio; public static $_DeMapper; public static $_Mnemo; public static $db_meta_info; public static function init() { //BEGIN_SIG 28/09/2020 01:02:09 self::$_DBShe = unserialize(gzinflate(/*1601287329*/base64_decode("S7QysKquBQA="))); self::$X_DBShe = unserialize(gzinflate(/*1601287329*/base64_decode("S7QysKquBQA="))); self::$_FlexDBShe = unserialize(gzinflate(/*1601287329*/base64_decode(""))); self::$X_FlexDBShe = unserialize(gzinflate(/*1601287329*/base64_decode("S7QysKquBQA="))); self::$XX_FlexDBShe = unserialize(gzinflate(/*1601287329*/base64_decode("S7QysKquBQA="))); self::$_ExceptFlex = unserialize(gzinflate(/*1601287329*/base64_decode("S7QysKquBQA="))); self::$_AdwareSig = unserialize(gzinflate(/*1601287329*/base64_decode("S7QysKquBQA="))); self::$_PhishingSig = unserialize(gzinflate(/*1601287329*/base64_decode("S7QysKquBQA="))); self::$_JSVirSig = unserialize(gzinflate(/*1601287329*/base64_decode(""))); self::$X_JSVirSig = unserialize(gzinflate(/*1601287329*/base64_decode("S7QysKquBQA="))); self::$_SusDB = unserialize(gzinflate(/*1601287329*/base64_decode(""))); self::$_SusDBPrio = unserialize(gzinflate(/*1601287329*/base64_decode("S7QysKquBQA="))); self::$_Mnemo = @array_flip(unserialize(gzinflate(/*1601287329*/base64_decode("")))); self::$_DeMapper = unserialize(base64_decode("YTo1OntzOjEwOiJ3aXphcmQucGhwIjtzOjM3OiJjbGFzcyBXZWxjb21lU3RlcCBleHRlbmRzIENXaXphcmRTdGVwIjtzOjE3OiJ1cGRhdGVfY2xpZW50LnBocCI7czozNzoieyBDVXBkYXRlQ2xpZW50OjpBZGRNZXNzYWdlMkxvZygiZXhlYyI7czoxMToiaW5jbHVkZS5waHAiO3M6NDg6IkdMT0JBTFNbIlVTRVIiXS0+SXNBdXRob3JpemVkKCkgJiYgJGFyQXV0aFJlc3VsdCI7czo5OiJzdGFydC5waHAiO3M6NjA6IkJYX1JPT1QuJy9tb2R1bGVzL21haW4vY2xhc3Nlcy9nZW5lcmFsL3VwZGF0ZV9kYl91cGRhdGVyLnBocCI7czoxMDoiaGVscGVyLnBocCI7czo1ODoiSlBsdWdpbkhlbHBlcjo6Z2V0UGx1Z2luKCJzeXN0ZW0iLCJvbmVjbGlja2NoZWNrb3V0X3ZtMyIpOyI7fQ==")); self::$db_meta_info = unserialize(base64_decode("YTozOntzOjEwOiJidWlsZC1kYXRlIjtzOjEwOiIxNjAxMjg3Mjc2IjtzOjc6InZlcnNpb24iO3M6MTM6IjIwMjAwOTI4LTM4NTAiO3M6MTI6InJlbGVhc2UtdHlwZSI7czoxMDoicHJvZHVjdGlvbiI7fQ==")); //END_SIG } } class CmsVersionDetector { const CMS_BITRIX = 'Bitrix'; const CMS_WORDPRESS = 'WordPress'; const CMS_JOOMLA = 'Joomla'; const CMS_DLE = 'Data Life Engine'; const CMS_IPB = 'Invision Power Board'; const CMS_WEBASYST = 'WebAsyst'; const CMS_OSCOMMERCE = 'OsCommerce'; const CMS_DRUPAL = 'Drupal'; const CMS_MODX = 'MODX'; const CMS_INSTANTCMS = 'Instant CMS'; const CMS_PHPBB = 'PhpBB'; const CMS_VBULLETIN = 'vBulletin'; const CMS_SHOPSCRIPT = 'PHP ShopScript Premium'; const CMS_VERSION_UNDEFINED = '0.0'; private $root_path; private $versions; private $types; public function __construct($root_path = '.') { $this->root_path = $root_path; $this->versions = array(); $this->types = array(); $version = ''; $dir_list = $this->getDirList($root_path); $dir_list[] = $root_path; foreach ($dir_list as $dir) { if ($this->checkBitrix($dir, $version)) { $this->addCms(self::CMS_BITRIX, $version); } if ($this->checkWordpress($dir, $version)) { $this->addCms(self::CMS_WORDPRESS, $version); } if ($this->checkJoomla($dir, $version)) { $this->addCms(self::CMS_JOOMLA, $version); } if ($this->checkDle($dir, $version)) { $this->addCms(self::CMS_DLE, $version); } if ($this->checkIpb($dir, $version)) { $this->addCms(self::CMS_IPB, $version); } if ($this->checkWebAsyst($dir, $version)) { $this->addCms(self::CMS_WEBASYST, $version); } if ($this->checkOsCommerce($dir, $version)) { $this->addCms(self::CMS_OSCOMMERCE, $version); } if ($this->checkDrupal($dir, $version)) { $this->addCms(self::CMS_DRUPAL, $version); } if ($this->checkMODX($dir, $version)) { $this->addCms(self::CMS_MODX, $version); } if ($this->checkInstantCms($dir, $version)) { $this->addCms(self::CMS_INSTANTCMS, $version); } if ($this->checkPhpBb($dir, $version)) { $this->addCms(self::CMS_PHPBB, $version); } if ($this->checkVBulletin($dir, $version)) { $this->addCms(self::CMS_VBULLETIN, $version); } if ($this->checkPhpShopScript($dir, $version)) { $this->addCms(self::CMS_SHOPSCRIPT, $version); } } } function getDirList($target) { $remove = array( '.', '..' ); $directories = array_diff(scandir($target), $remove); $res = array(); foreach ($directories as $value) { if (is_dir($target . '/' . $value)) { $res[] = $target . '/' . $value; } } return $res; } function isCms($name, $version) { for ($i = 0, $iMax = count($this->types); $i < $iMax; $i++) { if ((strpos($this->types[$i], $name) !== false) && (strpos($this->versions[$i], $version) !== false)) { return true; } } return false; } function getCmsList() { return $this->types; } function getCmsVersions() { return $this->versions; } function getCmsNumber() { return count($this->types); } function getCmsName($index = 0) { return $this->types[$index]; } function getCmsVersion($index = 0) { return $this->versions[$index]; } private function addCms($type, $version) { $this->types[] = $type; $this->versions[] = $version; } private function checkBitrix($dir, &$version) { $version = self::CMS_VERSION_UNDEFINED; $res = false; if (file_exists($dir . '/bitrix')) { $res = true; $tmp_content = @file_get_contents($this->root_path . '/bitrix/modules/main/classes/general/version.php'); if (preg_match('|define\("SM_VERSION","(.+?)"\)|smi', $tmp_content, $tmp_ver)) { $version = $tmp_ver[1]; } } return $res; } private function checkWordpress($dir, &$version) { $version = self::CMS_VERSION_UNDEFINED; $res = false; if (file_exists($dir . '/wp-admin')) { $res = true; $tmp_content = @file_get_contents($dir . '/wp-includes/version.php'); if (preg_match('|\$wp_version\s*=\s*\'(.+?)\'|smi', $tmp_content, $tmp_ver)) { $version = $tmp_ver[1]; } } return $res; } private function checkJoomla($dir, &$version) { $version = self::CMS_VERSION_UNDEFINED; $res = false; if (file_exists($dir . '/libraries/joomla')) { $res = true; // for 1.5.x $tmp_content = @file_get_contents($dir . '/libraries/joomla/version.php'); if (preg_match('|var\s+\$RELEASE\s*=\s*\'(.+?)\'|smi', $tmp_content, $tmp_ver)) { $version = $tmp_ver[1]; if (preg_match('|var\s+\$DEV_LEVEL\s*=\s*\'(.+?)\'|smi', $tmp_content, $tmp_ver)) { $version .= '.' . $tmp_ver[1]; } } // for 1.7.x $tmp_content = @file_get_contents($dir . '/includes/version.php'); if (preg_match('|public\s+\$RELEASE\s*=\s*\'(.+?)\'|smi', $tmp_content, $tmp_ver)) { $version = $tmp_ver[1]; if (preg_match('|public\s+\$DEV_LEVEL\s*=\s*\'(.+?)\'|smi', $tmp_content, $tmp_ver)) { $version .= '.' . $tmp_ver[1]; } } // for 2.5.x and 3.x $tmp_content = @file_get_contents($dir . '/libraries/cms/version/version.php'); if (preg_match('|const\s+RELEASE\s*=\s*\'(.+?)\'|smi', $tmp_content, $tmp_ver)) { $version = $tmp_ver[1]; if (preg_match('|const\s+DEV_LEVEL\s*=\s*\'(.+?)\'|smi', $tmp_content, $tmp_ver)) { $version .= '.' . $tmp_ver[1]; } } } return $res; } private function checkDle($dir, &$version) { $version = self::CMS_VERSION_UNDEFINED; $res = false; if (file_exists($dir . '/engine/engine.php')) { $res = true; $tmp_content = @file_get_contents($dir . '/engine/data/config.php'); if (preg_match('|\'version_id\'\s*=>\s*"(.+?)"|smi', $tmp_content, $tmp_ver)) { $version = $tmp_ver[1]; } $tmp_content = @file_get_contents($dir . '/install.php'); if (preg_match('|\'version_id\'\s*=>\s*"(.+?)"|smi', $tmp_content, $tmp_ver)) { $version = $tmp_ver[1]; } } return $res; } private function checkIpb($dir, &$version) { $version = self::CMS_VERSION_UNDEFINED; $res = false; if (file_exists($dir . '/ips_kernel')) { $res = true; $tmp_content = @file_get_contents($dir . '/ips_kernel/class_xml.php'); if (preg_match('|IP.Board\s+v([0-9\.]+)|si', $tmp_content, $tmp_ver)) { $version = $tmp_ver[1]; } } return $res; } private function checkWebAsyst($dir, &$version) { $version = self::CMS_VERSION_UNDEFINED; $res = false; if (file_exists($dir . '/wbs/installer')) { $res = true; $tmp_content = @file_get_contents($dir . '/license.txt'); if (preg_match('|v([0-9\.]+)|si', $tmp_content, $tmp_ver)) { $version = $tmp_ver[1]; } } return $res; } private function checkOsCommerce($dir, &$version) { $version = self::CMS_VERSION_UNDEFINED; $res = false; if (file_exists($dir . '/includes/version.php')) { $res = true; $tmp_content = @file_get_contents($dir . '/includes/version.php'); if (preg_match('|([0-9\.]+)|smi', $tmp_content, $tmp_ver)) { $version = $tmp_ver[1]; } } return $res; } private function checkDrupal($dir, &$version) { $version = self::CMS_VERSION_UNDEFINED; $res = false; if (file_exists($dir . '/sites/all')) { $res = true; $tmp_content = @file_get_contents($dir . '/CHANGELOG.txt'); if (preg_match('|Drupal\s+([0-9\.]+)|smi', $tmp_content, $tmp_ver)) { $version = $tmp_ver[1]; } } if (file_exists($dir . '/core/lib/Drupal.php')) { $res = true; $tmp_content = @file_get_contents($dir . '/core/lib/Drupal.php'); if (preg_match('|VERSION\s*=\s*\'(\d+\.\d+\.\d+)\'|smi', $tmp_content, $tmp_ver)) { $version = $tmp_ver[1]; } } if (file_exists($dir . 'modules/system/system.info')) { $res = true; $tmp_content = @file_get_contents($dir . 'modules/system/system.info'); if (preg_match('|version\s*=\s*"\d+\.\d+"|smi', $tmp_content, $tmp_ver)) { $version = $tmp_ver[1]; } } return $res; } private function checkMODX($dir, &$version) { $version = self::CMS_VERSION_UNDEFINED; $res = false; if (file_exists($dir . '/manager/assets')) { $res = true; // no way to pick up version } return $res; } private function checkInstantCms($dir, &$version) { $version = self::CMS_VERSION_UNDEFINED; $res = false; if (file_exists($dir . '/plugins/p_usertab')) { $res = true; $tmp_content = @file_get_contents($dir . '/index.php'); if (preg_match('|InstantCMS\s+v([0-9\.]+)|smi', $tmp_content, $tmp_ver)) { $version = $tmp_ver[1]; } } return $res; } private function checkPhpBb($dir, &$version) { $version = self::CMS_VERSION_UNDEFINED; $res = false; if (file_exists($dir . '/includes/acp')) { $res = true; $tmp_content = @file_get_contents($dir . '/config.php'); if (preg_match('|phpBB\s+([0-9\.x]+)|smi', $tmp_content, $tmp_ver)) { $version = $tmp_ver[1]; } } return $res; } private function checkVBulletin($dir, &$version) { $version = self::CMS_VERSION_UNDEFINED; $res = false; // removed dangerous code from here, see DEF-10390 for details return $res; } private function checkPhpShopScript($dir, &$version) { $version = self::CMS_VERSION_UNDEFINED; $res = false; if (file_exists($dir . '/install/consts.php')) { $res = true; $tmp_content = @file_get_contents($dir . '/install/consts.php'); if (preg_match('|STRING_VERSION\',\s*\'(.+?)\'|smi', $tmp_content, $tmp_ver)) { $version = $tmp_ver[1]; } } return $res; } } class CloudAssistedRequest { const API_URL = 'https://api.imunify360.com/api/hashes/check'; private $timeout = 60; private $server_id = ''; public function __construct($server_id, $timeout = 60) { $this->server_id = $server_id; $this->timeout = $timeout; } public function checkFilesByHash($list_of_hashes = array()) { if (empty($list_of_hashes)) { return array( [], [], [], 'white' => [], 'black' => [], 'verdicts_black' => [], ); } $result = $this->request($list_of_hashes); $white = isset($result['white']) ? $result['white'] : []; $black = isset($result['black']) ? $result['black'] : []; $verdicts_black = isset($result['verdicts_black']) ? $result['verdicts_black'] : []; return [ $white, $black, $verdicts_black, 'white' => $white, 'black' => $black, 'verdicts_black' => $verdicts_black, ]; } // ///////////////////////////////////////////////////////////////////////// private function request($list_of_hashes) { $url = self::API_URL . '?server_id=' . urlencode($this->server_id) . '&indexed=1'; $data = array( 'hashes' => $list_of_hashes, ); $json_hashes = json_encode($data); $info = []; try { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL , $url); curl_setopt($ch, CURLOPT_CUSTOMREQUEST , 'POST'); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER , false); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST , false); curl_setopt($ch, CURLOPT_TIMEOUT , $this->timeout); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT , $this->timeout); curl_setopt($ch, CURLOPT_RETURNTRANSFER , true); curl_setopt($ch, CURLOPT_HTTPHEADER , array('Content-Type: application/json')); curl_setopt($ch, CURLOPT_POSTFIELDS , $json_hashes); $response_data = curl_exec($ch); $info = curl_getinfo($ch); $errno = curl_errno($ch); curl_close($ch); } catch (Exception $e) { throw new Exception($e->getMessage()); } $http_code = isset($info['http_code']) ? $info['http_code'] : 0; if ($http_code !== 200) { if ($errno == 28) { throw new Exception('Reuqest timeout! Return code: ' . $http_code . ' Curl error num: ' . $errno); } throw new Exception('Invalid response from the Cloud Assisted server! Return code: ' . $http_code . ' Curl error num: ' . $errno); } $result = json_decode($response_data, true); if (is_null($result)) { throw new Exception('Invalid json format in the response!'); } if (isset($result['error'])) { throw new Exception('API server returned error!'); } if (!isset($result['result'])) { throw new Exception('API server returned error! Cannot find field "result".'); } return $result['result']; } } /** * Class Report */ abstract class Report { const MAX_ROWS = 15000; const AIBOLIT_MAX_NUMBER = 200; /** * Report constructor. * @param $mnemo * @param $path * @param $db_location * @param $db_meta_info_version * @param $report_mask * @param $extended_report * @param $rapid_account_scan * @param $ai_version * @param $ai_hoster * @param $ai_extra_warn * @param $ai_expert * @param $ai_smart * @param $root_path * @param $scan_all * @param $specific_ext * @param $doublecheck * @param $use_doublecheck * @param $start * @param $snum * @param $max_size * @param $add_prefix * @param $no_prefix * @param $small * @param $file * @param $echo */ public function __construct($mnemo, $path, $db_location, $db_meta_info_version, $report_mask, $extended_report, $rapid_account_scan, $ai_version, $ai_hoster, $ai_extra_warn, $ai_expert, $ai_smart, $root_path, $scan_all, $specific_ext, $doublecheck, $use_doublecheck, $start, $snum, $max_size, $add_prefix, $no_prefix, $small, $file, $echo) { } /** * Generate report * @param $vars * @param $scan_time * @return mixed */ public function generateReport($vars, $scan_time) { } /** * Write report to file and return string to stdout after write attempt * @return string */ public function write() { } protected static function convertToUTF8($text) { if (function_exists('mb_convert_encoding')) { $text = @mb_convert_encoding($text, 'utf-8', 'auto'); $text = @mb_convert_encoding($text, 'UTF-8', 'UTF-8'); } return $text; } } /** * Class JSONReport report all data to JSON */ class JSONReport extends Report { const REPORT_MASK_DOORWAYS = 1<<2; const REPORT_MASK_SUSP = 1<<3; const REPORT_MASK_FULL = self::REPORT_MASK_DOORWAYS | self::REPORT_MASK_SUSP; protected $raw_report; private $extended_report; private $rapid_account_scan; private $ai_extra_warn; private $ai_hoster; private $report_mask; private $noPrefix; private $addPrefix; private $mnemo; private $small; protected $file; private $echo; public function __construct($mnemo, $path, $db_location, $db_meta_info_version, $report_mask, $extended_report, $rapid_account_scan, $ai_version, $ai_hoster, $ai_extra_warn, $ai_expert, $ai_smart, $root_path, $scan_all, $specific_ext, $doublecheck, $use_doublecheck, $start, $snum, $max_size, $add_prefix, $no_prefix, $small = false, $file = false, $echo = false) { $this->mnemo = $mnemo; $this->ai_extra_warn = $ai_extra_warn; $this->extended_report = $extended_report; $this->rapid_account_scan = $rapid_account_scan; $this->ai_hoster = $ai_hoster; $this->report_mask = $report_mask; $this->addPrefix = $add_prefix; $this->noPrefix = $no_prefix; $this->small = $small; $this->echo = $echo; $this->raw_report = []; $this->raw_report['summary'] = array( 'scan_path' => $path, 'report_time' => time(), 'ai_version' => $ai_version, 'db_location' => $db_location, 'db_version' => $db_meta_info_version, ); $this->file = $file; if($this->file) { @unlink($this->file); @unlink($this->file . '.tmp'); } } public function generateReport($vars, $scan_time) { $tmp = clone $vars; if (!$this->small) { $tmp->criticalPHP = array_slice($tmp->criticalPHP, 0, self::MAX_ROWS); $tmp->criticalJS = array_slice($tmp->criticalJS, 0, self::MAX_ROWS); $tmp->notRead = array_slice($tmp->notRead, 0, self::AIBOLIT_MAX_NUMBER); $tmp->symLinks = array_slice($tmp->symLinks, 0, self::AIBOLIT_MAX_NUMBER); $tmp->warningPHP = array_slice($tmp->warningPHP, 0, self::AIBOLIT_MAX_NUMBER); $tmp->bigFiles = array_slice($tmp->bigFiles, 0, self::AIBOLIT_MAX_NUMBER); $tmp->doorway = array_slice($tmp->doorway, 0, self::AIBOLIT_MAX_NUMBER); $this->generateJSONTables($tmp); } $this->generateSummary($tmp, $scan_time); } private function generateSummary($vars, $scan_time) { $summary_counters = array(); $summary_counters['redirect'] = count($vars->redirect); $summary_counters['critical_php'] = count($vars->criticalPHP); $summary_counters['critical_js'] = count($vars->criticalJS); $summary_counters['cloudhash'] = count($vars->blackFiles); $summary_counters['phishing'] = count($vars->phishing); $summary_counters['unix_exec'] = 0; // count($g_UnixExec); $summary_counters['iframes'] = 0; // count($g_Iframer); $summary_counters['not_read'] = count($vars->notRead); $summary_counters['base64'] = 0; // count($g_Base64); $summary_counters['heuristics'] = 0; // count($g_HeuristicDetected); $summary_counters['symlinks'] = count($vars->symLinks); $summary_counters['big_files_skipped'] = count($vars->bigFiles); $summary_counters['suspicious'] = count($vars->warningPHP); $this->raw_report['summary']['counters'] = $summary_counters; $this->raw_report['summary']['total_files'] = $vars->foundTotalFiles; $this->raw_report['summary']['scan_time'] = $scan_time; if ($this->extended_report && $this->rapid_account_scan) { $this->raw_report['summary']['counters']['rescan_count'] = $vars->rescanCount; } } private function generateJSONTables($vars) { $this->raw_report['vulners'] = $this->getRawJsonVuln($vars->vulnerable, $vars); if (count($vars->criticalPHP) > 0) { $this->raw_report['php_malware'] = $this->getRawJson($vars->criticalPHP, $vars, $vars->criticalPHPFragment, $vars->criticalPHPSig); } if (count($vars->blackFiles) > 0) { $this->raw_report['cloudhash'] = $this->getRawBlackData($vars->blackFiles); } if (count($vars->criticalJS) > 0) { $this->raw_report['js_malware'] = $this->getRawJson($vars->criticalJS, $vars, $vars->criticalJSFragment, $vars->criticalJSSig); } if (count($vars->notRead) > 0) { $this->raw_report['not_read'] = $vars->notRead; } if ($this->ai_hoster) { if (count($vars->phishing) > 0) { $this->raw_report['phishing'] = $this->getRawJson($vars->phishing, $vars, $vars->phishingFragment, $vars->phishingSigFragment); } if (count($vars->redirect) > 0) { $this->raw_report['redirect'] = $this->getRawJson($vars->redirect, $vars, $vars->redirectPHPFragment); } if (count($vars->symLinks) > 0) { $this->raw_report['sym_links'] = $vars->symLinks; } } else { if (count($vars->adwareList) > 0) { $this->raw_report['adware'] = $this->getRawJson($vars->adwareList, $vars, $vars->adwareListFragment); } if (count($vars->bigFiles) > 0) { $this->raw_report['big_files'] = $this->getRawJson($vars->bigFiles, $vars); } if ((count($vars->doorway) > 0) && JSONReport::checkMask($this->report_mask, JSONReport::REPORT_MASK_DOORWAYS)) { $this->raw_report['doorway'] = $this->getRawJson($vars->doorway, $vars); } if (count($vars->CMS) > 0) { $this->raw_report['cms'] = $vars->CMS; } } if ($this->ai_extra_warn) { if ((count($vars->warningPHP) > 0) && JSONReport::checkMask($this->report_mask, JSONReport::REPORT_MASK_FULL)) { $this->raw_report['suspicious'] = $this->getRawJson($vars->warningPHP, $vars, $vars->warningPHPFragment, $vars->warningPHPSig); } } } public static function checkMask($mask, $need) { return (($mask & $need) == $need); } public function write() { $ret = ''; $res = @json_encode($this->raw_report); if ($this->file!== '.' && $l_FH = fopen($this->file . '.tmp', 'w')) { fputs($l_FH, $res); fclose($l_FH); if (rename($this->file . '.tmp', $this->file)) { $ret = "Report written to '$this->file'."; } else { $ret = "Cannot create '$this->file'."; } } if ($this->echo) { echo $res; } return $ret; } //////////////////////////////////////////////////////////////////////////// private function getRawJsonVuln($par_List, $vars) { $results = array(); $l_Src = array( '"', '<', '>', '&', ''', '<' . '?php.' ); $l_Dst = array( '"', '<', '>', '&', '\'', '<' . '?php ' ); for ($i = 0, $iMax = count($par_List); $i < $iMax; $i++) { $l_Pos = $par_List[$i]['ndx']; $fn = $this->addPrefix . str_replace($this->noPrefix, '', $vars->structure['n'][$l_Pos]); if (ENCODE_FILENAMES_WITH_BASE64) { $res['fn'] = base64_encode($fn); } else { $res['fn'] = self::convertToUTF8($fn); } $res['sig'] = $par_List[$i]['id']; $res['ct'] = $vars->structure['c'][$l_Pos]; $res['mt'] = $vars->structure['m'][$l_Pos]; $res['et'] = $vars->structure['e'][$l_Pos]; $res['sz'] = $vars->structure['s'][$l_Pos]; $res['sigid'] = 'vuln_' . md5($vars->structure['n'][$l_Pos] . $par_List[$i]['id']); $results[] = $res; } return $results; } private function getRawJson($par_List, $vars, $par_Details = null, $par_SigId = null) { $results = array(); $l_Src = array( '"', '<', '>', '&', ''', '<' . '?php.' ); $l_Dst = array( '"', '<', '>', '&', '\'', '<' . '?php ' ); for ($i = 0, $iMax = count($par_List); $i < $iMax; $i++) { if ($par_SigId != null) { $l_SigId = 'id_' . $par_SigId[$i]; } else { $l_SigId = 'id_n' . rand(1000000, 9000000); } $l_Pos = $par_List[$i]; $fn = $this->addPrefix . str_replace($this->noPrefix, '', $vars->structure['n'][$l_Pos]); if (ENCODE_FILENAMES_WITH_BASE64) { $res['fn'] = base64_encode($fn); } else { $res['fn'] = self::convertToUTF8($fn); } if ($par_Details != null) { $res['sig'] = preg_replace('|(L\d+).+__AI_MARKER__|smi', '[$1]: ...', $par_Details[$i]); $res['sig'] = preg_replace('/[^\x20-\x7F]/', '.', $res['sig']); $res['sig'] = preg_replace('/__AI_LINE1__(\d+)__AI_LINE2__/', '[$1] ', $res['sig']); $res['sig'] = preg_replace('/__AI_MARKER__/', ' @!!!>', $res['sig']); $res['sig'] = str_replace($l_Src, $l_Dst, $res['sig']); } $res['sig'] = self::convertToUTF8($res['sig']); $res['ct'] = $vars->structure['c'][$l_Pos]; $res['mt'] = $vars->structure['m'][$l_Pos]; $res['sz'] = $vars->structure['s'][$l_Pos]; $res['et'] = $vars->structure['e'][$l_Pos]; $res['hash'] = $vars->structure['crc'][$l_Pos]; $res['sigid'] = $l_SigId; if (isset($vars->structure['sha256'][$l_Pos])) { $res['sha256'] = $vars->structure['sha256'][$l_Pos]; } else { $res['sha256'] = ''; } if (isset($par_SigId) && isset($this->mnemo[$par_SigId[$i]])) { $res['sn'] = $this->mnemo[$par_SigId[$i]]; } else { $res['sn'] = ''; } $results[] = $res; } return $results; } private function getRawBlackData($black_list) { $result = array(); foreach ($black_list as $filename => $hash) { try { $stat = stat($filename); $sz = $stat['size']; $ct = $stat['ctime']; $mt = $stat['mtime']; } catch (Exception $e) { continue; } $result[] = array( 'fn' => $filename, 'sig' => '', 'ct' => $ct, 'mt' => $mt, 'et' => $hash['ts'], 'sz' => $sz, 'hash' => $hash['h'], 'sigid' => crc32($filename), 'sn' => isset($hash['sn']) ? $hash['sn'] : 'cld', ); } return $result; } } /** * Class JSONReport report all data to JSON */ class PHPReport extends JSONReport { public function write() { $ret = ''; $res = @serialize($this->raw_report); if ($l_FH = fopen($this->file . '.tmp', 'w')) { fputs($l_FH, $res); fclose($l_FH); if (rename($this->file . '.tmp', $this->file)) { $ret = "Report written to '$this->file'."; } else { $ret = "Cannot create '$this->file'."; } } return $ret; } //////////////////////////////////////////////////////////////////////////// } /** * Class PlainReport report to text file */ class PlainReport extends Report { private $extended_report; private $rapid_account_scan; private $ai_extra_warn; private $ai_hoster; private $noPrefix; private $addPrefix; private $mnemo; private $file; private $raw_report; public function __construct($mnemo, $path, $db_location, $db_meta_info_version, $report_mask, $extended_report, $rapid_account_scan, $ai_version, $ai_hoster, $ai_extra_warn, $ai_expert, $ai_smart, $root_path, $scan_all, $specific_ext, $doublecheck, $use_doublecheck, $start, $snum, $max_size, $add_prefix, $no_prefix, $small = false, $file = false, $echo = false) { $this->mnemo = $mnemo; $this->ai_extra_warn = $ai_extra_warn; $this->extended_report = $extended_report; $this->rapid_account_scan = $rapid_account_scan; $this->ai_hoster = $ai_hoster; $this->addPrefix = $add_prefix; $this->noPrefix = $no_prefix; $this->file = $file; if($this->file) { @unlink($this->file); @unlink($this->file . '.tmp'); } $this->raw_report = ''; if (function_exists("gethostname") && is_callable("gethostname")) { $l_HostName = gethostname(); } else { $l_HostName = '???'; } $this->raw_report = "# Malware list detected by AI-Bolit (https://revisium.com/ai/) on " . date("d/m/Y H:i:s", time()) . " " . $l_HostName . "\n\n"; } public function generateReport($vars, $scan_time = false) { if (!$this->ai_hoster) { foreach ($vars->vulnerable as $l_Item) { $this->raw_report .= '[VULNERABILITY] ' . $this->replacePathArray($vars->structure['n'][$l_Item['ndx']]) . ' - ' . $l_Item['id'] . "\n"; } $this->raw_report .= "\n"; } if (count($vars->criticalPHP) > 0) { $this->raw_report .= '[SERVER MALWARE]' . "\n" . $this->printPlainList(array_slice($vars->criticalPHP, 0, self::MAX_ROWS), $vars, $vars->criticalPHPFragment) . "\n"; } if (count($vars->criticalJS) > 0) { $this->raw_report .= '[CLIENT MALWARE / JS]' . "\n" . $this->printPlainList(array_slice($vars->criticalJS, 0, self::MAX_ROWS), $vars, $vars->criticalJSFragment) . "\n"; } if (count($vars->notRead) > 0) { $this->raw_report .= '[SCAN ERROR / SKIPPED]' . "\n" . $this->printPlainList(array_slice($vars->notRead, 0, self::AIBOLIT_MAX_NUMBER), $vars) . "\n\n"; } if (count($vars->symLinks) > 0) { $this->raw_report .= '[SYMLINKS]' . "\n" . $this->printPlainList(array_slice($vars->symLinks, 0, self::AIBOLIT_MAX_NUMBER), $vars) . "\n\n"; } if (!$this->ai_hoster) { if (count($vars->phishing) > 0) { $this->raw_report .= '[PHISHING]' . "\n" . $this->printPlainList($vars->phishing, $vars, $vars->phishingFragment) . "\n"; } if (count($vars->redirect) > 0) { $this->raw_report .= printList($vars->redirect, $vars, $vars->redirectPHPFragment); } } if ($this->ai_extra_warn) { if (count($vars->warningPHP) > 0) { $this->raw_report .= '[SUSPICIOUS]' . "\n" . $this->printPlainList(array_slice($vars->warningPHP, 0, self::AIBOLIT_MAX_NUMBER), $vars, $vars->warningPHPFragment) . "\n"; } } if (!$this->ai_hoster) { if (count($vars->adwareList) > 0) { $this->raw_report .= '[ADWARE]' . "\n" . $this->printPlainList($vars->adwareList, $vars, $vars->adwareListFragment) . "\n"; } if (count($vars->bigFiles) > 0) { $this->raw_report .= '[BIG FILES / SKIPPED]' . "\n" . $this->printPlainList(array_slice($vars->bigFiles, 0, self::AIBOLIT_MAX_NUMBER), $vars) . "\n\n"; } } $this->raw_report = preg_replace('|__AI_LINE1__|smi', '[', $this->raw_report); $this->raw_report = preg_replace('|__AI_LINE2__|smi', '] ', $this->raw_report); $this->raw_report = preg_replace('|__AI_MARKER__|smi', ' %> ', $this->raw_report); } public function write() { $ret = ''; if ($l_FH = fopen($this->file . '.tmp', "w")) { fputs($l_FH, $this->raw_report); fclose($l_FH); } if (rename($this->file . '.tmp', $this->file)) { $ret = "Report written to '$this->file'."; } else { $ret = "Cannot create '$this->file'."; } return $ret; } //////////////////////////////////////////////////////////////////////////// private function printPlainList($par_List, $vars, $par_Details = null) { $l_Result = ""; $l_Src = array( '"', '<', '>', '&', ''' ); $l_Dst = array( '"', '<', '>', '&', '\'' ); for ($i = 0, $iMax = count($par_List); $i < $iMax; $i++) { $l_Pos = $par_List[$i]; if ($par_Details != null) { $l_Body = preg_replace('|(L\d+).+__AI_MARKER__|smi', '$1: ...', $par_Details[$i]); $l_Body = preg_replace('/[^\x20-\x7F]/', '.', $l_Body); $l_Body = str_replace($l_Src, $l_Dst, $l_Body); } else { $l_Body = ''; } if (is_file($vars->structure['n'][$l_Pos])) { $l_Result .= $this->addPrefix . str_replace($this->noPrefix, '', $vars->structure['n'][$l_Pos]) . "\t\t\t" . $l_Body . "\n"; } else { $l_Result .= $this->addPrefix . str_replace($this->noPrefix, '', $vars->structure['n'][$par_List[$i]]) . "\n"; } } return $l_Result; } private function replacePathArray($par_Arr) { array_walk($par_Arr, function(&$n) { $n = $this->addPrefix . str_replace($this->noPrefix, '', $n); }); return $par_Arr; } } /** * Class CSVReport report table data to CSV */ class CSVReport extends Report { const CRITICAL_PHP = 'p'; const CRITICAL_JS = 'j'; const SUSPICIOUS = 's'; const PHISHING = 'h'; const VULNERABLE = 'v'; const CLOUDHASH = 'c'; const BIG_FILES = 'b'; const NOT_READ = 'n'; const DOORWAY = 'd'; const SYMLINKS = 'm'; const ADWARE = 'a'; const CMS = 'e'; private $extended_report; private $rapid_account_scan; private $ai_extra_warn; private $ai_hoster; private $noPrefix; private $addPrefix; private $mnemo; private $file; public function __construct($mnemo, $path, $db_location, $db_meta_info_version, $report_mask, $extended_report, $rapid_account_scan, $ai_version, $ai_hoster, $ai_extra_warn, $ai_expert, $ai_smart, $root_path, $scan_all, $specific_ext, $doublecheck, $use_doublecheck, $start, $snum, $max_size, $add_prefix, $no_prefix, $small = false, $file = false, $echo = false) { $this->mnemo = $mnemo; $this->ai_extra_warn = $ai_extra_warn; $this->extended_report = $extended_report; $this->rapid_account_scan = $rapid_account_scan; $this->ai_hoster = $ai_hoster; $this->addPrefix = $add_prefix; $this->noPrefix = $no_prefix; $this->file = $file; if($this->file) { @unlink($this->file); @unlink($this->file . '.tmp'); } } public function generateReport($vars, $scan_time = false) { $this->writeRawCSVVuln($vars->vulnerable, $vars); if (count($vars->criticalPHP) > 0) { $this->writeRawCSV($vars->criticalPHP, $vars, self::CRITICAL_PHP, $vars->criticalPHPFragment, $vars->criticalPHPSig); } if (count($vars->blackFiles) > 0) { $this->writeRawBlackData($vars->blackFiles); } if (count($vars->criticalJS) > 0) { $this->writeRawCSV($vars->criticalJS, $vars, self::CRITICAL_JS, $vars->criticalJSFragment, $vars->criticalJSSig); } if (count($vars->notRead) > 0) { $this->writeListCSV(self::NOT_READ, $vars->notRead); } if ($this->ai_hoster) { if (count($vars->phishing) > 0) { $this->writeRawCSV($vars->phishing, $vars, self::PHISHING, $vars->phishingFragment, $vars->phishingSigFragment); } if (count($vars->symLinks) > 0) { $this->writeListCSV(self::SYMLINKS, $vars->symLinks); } } else { if (count($vars->adwareList) > 0) { $this->writeRawCSV($vars->adwareList, $vars, self::ADWARE, $vars->adwareListFragment); } if (count($vars->bigFiles) > 0) { $this->writeRawCSV($vars->bigFiles, $vars, self::BIG_FILES); } if (count($vars->doorway) > 0) { $this->writeRawCSV($vars->doorway, $vars, self::DOORWAY); } if (count($vars->CMS) > 0) { $this->writeListCSV(self::CMS, $vars->CMS); } } if ($this->ai_extra_warn) { if (count($vars->warningPHP) > 0) { $this->writeRawCSV($vars->warningPHP, $vars, self::SUSPICIOUS, $vars->warningPHPFragment, $vars->warningPHPSig); } } } public function write() { $ret = ''; if ($this->file) { if (rename($this->file . '.tmp', $this->file)) { $ret = "Report written to '$this->file'."; } else { $ret = "Cannot create '$this->file'."; } } return $ret; } //////////////////////////////////////////////////////////////////////////// private function writeRawCSVVuln($par_List, $vars) { if (count($par_List) === 0) { return; } $fh = fopen($this->file . '.tmp', "a+"); for ($i = 0, $iMax = count($par_List); $i < $iMax; $i++) { $res = []; $l_Pos = $par_List[$i]['ndx']; $res[] = self::VULNERABLE; $fn = $this->addPrefix . str_replace($this->noPrefix, '', $vars->structure['n'][$l_Pos]); if (ENCODE_FILENAMES_WITH_BASE64) { $res[] = base64_encode($fn); } else { $res[] = self::convertToUTF8($fn); } $res[] = $par_List[$i]['id']; $res[] = $vars->structure['c'][$l_Pos]; $res[] = $vars->structure['m'][$l_Pos]; $res[] = $vars->structure['s'][$l_Pos]; $res[] = $vars->structure['e'][$l_Pos]; $res[] = 'vuln_' . md5($vars->structure['n'][$l_Pos] . $par_List[$i]['id']); $res[] = ''; $res[] = ''; $res[] = ''; fputcsv($fh, $res); } fflush($fh); fclose($fh); } private function writeListCSV($section, $list) { if (count($list) === 0) { return; } $fh = fopen($this->file . '.tmp', "a+"); for ($i = 0, $iMax = count($list); $i < $iMax; $i++) { $res = []; $res[] = $section; $res[] = $list[$i]; $res[] = ''; $res[] = ''; $res[] = ''; $res[] = ''; $res[] = ''; $res[] = ''; $res[] = ''; $res[] = ''; $res[] = ''; fputcsv($fh, $res); } fflush($fh); fclose($fh); } private function writeRawCSV($par_List, $vars, $section = '', $par_Details = null, $par_SigId = null) { if (count($par_List) === 0) { return; } $fh = fopen($this->file . '.tmp', "a+"); $l_Src = array( '"', '<', '>', '&', ''', '<' . '?php.', '\\' ); $l_Dst = array( '"', '<', '>', '&', '\'', '<' . '?php ', '' ); for ($i = 0, $iMax = count($par_List); $i < $iMax; $i++) { $res = []; $res[] = $section; if ($par_SigId != null) { $l_SigId = 'id_' . $par_SigId[$i]; } else { $l_SigId = 'id_n' . rand(1000000, 9000000); } $l_Pos = $par_List[$i]; $fn = $this->addPrefix . str_replace($this->noPrefix, '', $vars->structure['n'][$l_Pos]); if (ENCODE_FILENAMES_WITH_BASE64) { $res[] = base64_encode($fn); } else { $res[] = self::convertToUTF8($fn); } if ($par_Details != null) { $sig = preg_replace('|(L\d+).+__AI_MARKER__|smi', '[$1]: ...', $par_Details[$i]); $sig = preg_replace('/[^\x20-\x7F]/', '.', $sig); $sig = preg_replace('/__AI_LINE1__(\d+)__AI_LINE2__/', '[$1] ', $sig); $sig = preg_replace('/__AI_MARKER__/', ' @!!!>', $sig); $sig = str_replace($l_Src, $l_Dst, $sig); $sig = self::convertToUTF8($sig); } $res[] = $sig; $res[] = $vars->structure['c'][$l_Pos]; $res[] = $vars->structure['m'][$l_Pos]; $res[] = $vars->structure['s'][$l_Pos]; $res[] = $vars->structure['e'][$l_Pos]; $res[] = $l_SigId; $res[] = $vars->structure['crc'][$l_Pos]; if (isset($par_SigId) && isset($this->mnemo[$par_SigId[$i]])) { $res[] = $this->mnemo[$par_SigId[$i]]; } else { $res[] = ''; } if (isset($vars->structure['sha256'][$l_Pos])) { $res[] = $vars->structure['sha256'][$l_Pos]; } else { $res[] = ''; } fputcsv($fh, $res); } fflush($fh); fclose($fh); } private function writeRawBlackData($black_list) { if (count($black_list) === 0) { return; } $fh = fopen($this->file . '.tmp', "a+"); foreach ($black_list as $filename => $hash) { $res = []; try { $stat = stat($filename); $sz = $stat['size']; $ct = $stat['ctime']; $mt = $stat['mtime']; } catch (Exception $e) { continue; } $res[] = self::CLOUDHASH; $res[] = $filename; $res[] = ''; $res[] = $ct; $res[] = $mt; $res[] = $sz; $res[] = $hash['ts']; $res[] = crc32($filename); $res[] = $hash['h']; $res[] = isset($hash['sn']) ? $hash['sn'] : 'cld'; $res[] = ''; fputcsv($fh, $res); } fflush($fh); fclose($fh); } } /** * Class DoublecheckReport generate doublecheck file */ class DoublecheckReport extends Report { private $raw_report; private $skip = false; private $file = false; private $res = ''; public function __construct($mnemo, $path, $db_location, $db_meta_info_version, $report_mask, $extended_report, $rapid_account_scan, $ai_version, $ai_hoster, $ai_extra_warn, $ai_expert, $ai_smart, $root_path, $scan_all, $specific_ext, $doublecheck, $use_doublecheck, $start, $snum, $max_size, $add_prefix, $no_prefix, $small = false, $file = false, $echo = false) { $this->raw_report = []; $this->file = $file; if(file_exists($this->file)) { $this->skip = true; $this->res .= $this->file . ' already exists.' . PHP_EOL; } else if ($l_FH = fopen($this->file . '.tmp', 'w')) { fputs($l_FH, '' . "\n"); fclose($l_FH); } else { $this->skip = true; $this->res .= 'Error! Cannot create ' . $this->file . PHP_EOL; } } public function generateReport($vars, $scan_time) { if ($this->skip) { return; } $l_CurrPath = dirname(__FILE__); if (!isset($vars->criticalPHP)) { $vars->criticalPHP = array(); } if (!isset($vars->criticalJS)) { $vars->criticalJS = array(); } if (!isset($vars->phishing)) { $vars->phishing = array(); } if (!isset($vars->adwareList)) { $vars->adwareList = array(); } if (!isset($vars->redirect)) { $vars->redirect = array(); } $this->raw_report = array_merge($vars->criticalPHP, $vars->criticalJS, $vars->phishing, $vars->adwareList, $vars->redirect); $this->raw_report = array_values(array_unique($this->raw_report)); for ($i = 0, $iMax = count($this->raw_report); $i < $iMax; $i++) { $this->raw_report[$i] = str_replace($l_CurrPath, '.', $vars->structure['n'][$this->raw_report[$i]]); } $this->raw_report = array_values(array_unique($this->raw_report)); if (count($this->raw_report) === 0) { $this->skip = true; unlink($this->file . '.tmp'); } } public function write() { $ret = ''; if ($this->skip) { return $this->res; } $fh = fopen($this->file . '.tmp', "a+"); for ($i = 0, $iMax = count($this->raw_report); $i < $iMax; $i++) { fputs($fh, $this->raw_report[$i] . "\n"); } fclose($fh); if (rename($this->file . '.tmp', $this->file)) { $ret = "Report written to '$this->file'."; } else { $ret = "Cannot create '$this->file'."; } return $ret; } } /** * Class HTMLReport report all data to HTML */ class HTMLReport extends Report { const REPORT_MASK_DOORWAYS = 1<<2; const REPORT_MASK_SUSP = 1<<3; const REPORT_MASK_FULL = self::REPORT_MASK_DOORWAYS | self::REPORT_MASK_SUSP; private $raw_report; private $extended_report; private $rapid_account_scan; private $ai_extra_warn; private $ai_hoster; private $report_mask; private $noPrefix; private $addPrefix; private $mnemo; private $small; private $file; private $echo; private $template; private $max_size; private $start; private $doublecheck; public function __construct($mnemo, $path, $db_location, $db_meta_info_version, $report_mask, $extended_report, $rapid_account_scan, $ai_version, $ai_hoster, $ai_extra_warn, $ai_expert, $ai_smart, $root_path, $scan_all, $specific_ext, $doublecheck, $use_doublecheck, $start, $snum, $max_size, $add_prefix, $no_prefix, $small = false, $file = false, $echo = false) { $this->mnemo = $mnemo; $this->ai_extra_warn = $ai_extra_warn; $this->extended_report = $extended_report; $this->rapid_account_scan = $rapid_account_scan; $this->ai_hoster = $ai_hoster; $this->report_mask = $report_mask; $this->addPrefix = $add_prefix; $this->noPrefix = $no_prefix; $this->small = $small; $this->echo = $echo; $this->max_size = $max_size; $this->start = $start; $this->doublecheck = $doublecheck; $this->raw_report = ''; $this->file = $file; if($this->file) { @unlink($this->file); @unlink($this->file . '.tmp'); } if (file_exists(dirname(__FILE__) . '/ai-design.html')) { $this->template = Template::create(file_get_contents(dirname(__FILE__) . '/ai-design.html')); } else { $this->template = Template::create(TemplateList::MAIN_PAGE); $this->template->set('msg1', Translate::getStr('data_table.length_menu')); $this->template->set('msg2', Translate::getStr('data_table.zero_records')); $this->template->set('msg3', Translate::getStr('data_table.info')); $this->template->set('msg4', Translate::getStr('data_table.info_empty')); $this->template->set('msg5', Translate::getStr('data_table.info_filtered')); $this->template->set('msg6', Translate::getStr('data_table.search')); $this->template->set('msg7', Translate::getStr('data_table.paginate.first')); $this->template->set('msg8', Translate::getStr('data_table.paginate.previous')); $this->template->set('msg9', Translate::getStr('data_table.paginate.next')); $this->template->set('msg10', Translate::getStr('data_table.paginate.last')); $this->template->set('msg11', Translate::getStr('data_table.aria.sort_ascending')); $this->template->set('msg12', Translate::getStr('data_table.aria.sort_descending')); } $this->template->set('MAIN_TITLE', Translate::getStr('header.scan_report_title')); $this->template->set('MODE', $ai_expert . '/' . $ai_smart); if (AI_EXPERT == 0) { $this->raw_report .= '
' . Translate::getStr('scan.offer_modes_after_express') . '
'; } $this->template->set('HEAD_TITLE', Translate::getStr('report_for') . $this->addPrefix . str_replace($this->noPrefix, '', $root_path)); $this->template->set('SERVICE_INFO', htmlspecialchars("[" . @ini_get('mbstring.internal_encoding') . "][" . $snum . "]")); $this->template->set('PATH_URL', (isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $this->addPrefix . str_replace($this->noPrefix, '', $this->addSlash($root_path)))); $this->template->set('VERSION', $ai_version); $this->template->set('WARN_QUICK', (($scan_all || $specific_ext) ? '' : Translate::getStr('notice.scan_express', [$doublecheck]))); if ($use_doublecheck) { if (Translate::getStr('file.scanned_manual', [$this->doublecheck, $this->doublecheck]) != '') { $this->raw_report .= '
' . Translate::getStr('file.scanned_manual', [$this->doublecheck, $this->doublecheck]) . '
'; } } } public function generateReport($vars, $scan_time) { $l_ShowOffer = false; $this->template->set('SCANNED', Translate::getStr('info.files_checked', [$vars->totalFolder, $vars->totalFiles])); $l_Summary = '
' . Translate::getStr('report.summary') . '
'; $l_Summary .= ''; if (count($vars->redirect) > 0) { $l_Summary .= $this->makeSummary(Translate::getStr('mobile_redirects'), count($vars->redirect), 'crit'); } if (count($vars->criticalPHP) > 0) { $l_Summary .= $this->makeSummary(Translate::getStr('malware'), count($vars->criticalPHP), "crit"); } if (count($vars->criticalJS) > 0) { $l_Summary .= $this->makeSummary(Translate::getStr('js_virused'), count($vars->criticalJS), "crit"); } if (count($vars->phishing) > 0) { $l_Summary .= $this->makeSummary(Translate::getStr('phishing_pages'), count($vars->phishing), "crit"); } if (count($vars->notRead) > 0) { $l_Summary .= $this->makeSummary(Translate::getStr('error.read_file'), count($vars->notRead), "crit"); } if (count($vars->warningPHP) > 0) { $l_Summary .= $this->makeSummary(Translate::getStr('suspicious'), count($vars->warningPHP), "warn"); } if (count($vars->bigFiles) > 0) { $l_Summary .= $this->makeSummary(Translate::getStr('skipped_large_file'), count($vars->bigFiles), "warn"); } if (count($vars->symLinks) > 0) { $l_Summary .= $this->makeSummary(Translate::getStr('link.symbolic'), count($vars->symLinks), "warn"); } $l_Summary .= "
"; $l_ArraySummary = array(); $l_ArraySummary["redirect"] = count($vars->redirect); $l_ArraySummary["critical_php"] = count($vars->criticalPHP); $l_ArraySummary["critical_js"] = count($vars->criticalJS); $l_ArraySummary["phishing"] = count($vars->phishing); $l_ArraySummary["unix_exec"] = 0; // count($g_UnixExec); $l_ArraySummary["iframes"] = 0; // count($g_Iframer); $l_ArraySummary["not_read"] = count($vars->notRead); $l_ArraySummary["base64"] = 0; // count($g_Base64); $l_ArraySummary["heuristics"] = 0; // count($g_HeuristicDetected); $l_ArraySummary["symlinks"] = count($vars->symLinks); $l_ArraySummary["big_files_skipped"] = count($vars->bigFiles); $l_ArraySummary["suspicious"] = count($vars->warningPHP); if (function_exists('json_encode')) { $l_Summary .= ""; } $l_Summary .= "
" . Translate::getStr('notice.files_may_not_malicious') . "
\n"; $this->template->set('SUMMARY', $l_Summary); $this->raw_report .= Translate::getStr('critical.title'); if(!$this->ai_hoster) { if (count($vars->vulnerable) > 0) { $this->raw_report .= '
' . Translate::getStr('script.vulnerable') . ' (' . count($vars->vulnerable) . ')
'; foreach ($vars->vulnerable as $l_Item) { $this->raw_report .= '
  • ' . AibolitHelpers::makeSafeFn($vars->structure['n'][$l_Item['ndx']], $this->addPrefix, $this->noPrefix, true) . ' - ' . $l_Item['id'] . '
  • '; } $this->raw_report .= '

    ' . PHP_EOL; } } if (count($vars->criticalPHP) > 0) { $criticalPHP = array_slice($vars->criticalPHP, 0, self::MAX_ROWS); $this->raw_report .= '

    ' . Translate::getStr('detected.shell_scripts') . ' (' . count($criticalPHP) . ')
    '; $this->raw_report .= $this->printList($criticalPHP, $vars, $vars->criticalPHPFragment, $vars->criticalPHPSig, 'table_crit'); $this->raw_report .= '
    ' . PHP_EOL; $l_ShowOffer = true; } else { $this->raw_report .= '
    ' . Translate::getStr('not_detected.shell_scripts') . '
    '; } if (count($vars->criticalJS) > 0) { $criticalJS = array_slice($vars->criticalJS, 0, self::MAX_ROWS); $this->raw_report .= '
    ' . Translate::getStr('detected.javascript') . ' (' . count($criticalJS) . ')
    '; $this->raw_report .= $this->printList($criticalJS, $vars, $vars->criticalJSFragment, $vars->criticalJSSig, 'table_vir'); $this->raw_report .= "
    " . PHP_EOL; $l_ShowOffer = true; } if (count($vars->notRead) > 0) { $notRead = array_slice($vars->notRead, 0, self::AIBOLIT_MAX_NUMBER); $this->raw_report .= '
    ' . Translate::getStr('warning.reading_error') . ' (' . count($notRead) . ')
    '; $this->raw_report .= $this->printList($notRead, $vars); $this->raw_report .= "
    " . PHP_EOL; } if (!$this->ai_hoster) { if (count($vars->phishing) > 0) { $this->raw_report .= '
    ' . Translate::getStr('detected.phishing_pages') . ' (' . count($vars->phishing) . ')
    '; $this->raw_report .= $this->printList($vars->phishing, $vars, $vars->phishingFragment, $vars->phishingSigFragment, 'table_vir'); $this->raw_report .= "
    " . PHP_EOL; $l_ShowOffer = true; } if (count($vars->redirect) > 0) { $l_ShowOffer = true; $this->raw_report .= '
    ' . Translate::getStr('suspicion.htaccess') . ' (' . count($vars->redirect) . ')
    '; $this->raw_report .= "
    " . PHP_EOL; } if (count($vars->symLinks) > 0) { $symLinks = array_slice($vars->symLinks, 0, self::AIBOLIT_MAX_NUMBER); $this->raw_report .= '
    ' . Translate::getStr('symlinks') . ' (' . count($symLinks) . ')
    '; $this->raw_report .= nl2br(AibolitHelpers::makeSafeFn(implode("\n", $symLinks), $this->addPrefix, $this->noPrefix, true)); $this->raw_report .= "
    "; } } if ($this->ai_extra_warn) { $l_WarningsNum = count($vars->warningPHP); if ($l_WarningsNum > 0) { $this->raw_report .= "
    " . Translate::getStr('warnings') . "
    "; } if ($l_WarningsNum > 0) { $warningPHP = array_slice($vars->warningPHP, 0, self::AIBOLIT_MAX_NUMBER); $this->raw_report .= '
    ' . Translate::getStr('suspicion.code') . ' (' . count($warningPHP) . ')
    '; $this->raw_report .= $this->printList($warningPHP, $vars, $vars->warningPHPFragment, $vars->warningPHPSig, 'table_warn'); $this->raw_report .= '
    ' . PHP_EOL; } } if (!$this->ai_hoster) { $l_WarningsNum = count($vars->bigFiles) + count($vars->adwareList) + count($vars->doorway) + count($vars->warningPHP) + count($vars->skippedFolders); if ($l_WarningsNum > 0) { $this->raw_report .= "
    " . Translate::getStr('warnings') . "
    "; } if (count($vars->adwareList) > 0) { $this->raw_report .= '
    ' . Translate::getStr('detected.bad_links') . '
    '; $this->raw_report .= $this->printList($vars->adwareList, $vars, $vars->adwareListFragment); $this->raw_report .= "
    " . PHP_EOL; } if (count($vars->bigFiles) > 0) { $bigFiles = array_slice($vars->bigFiles, 0, self::AIBOLIT_MAX_NUMBER); $this->raw_report .= "
    " . Translate::getStr('skipped.large_file', [$this->max_size]) . '
    '; $this->raw_report .= $this->printList($bigFiles, $vars); $this->raw_report .= "
    "; } if (count($vars->doorway) > 0) { $doorway = array_slice($vars->doorway, 0, self::AIBOLIT_MAX_NUMBER); $this->raw_report .= '
    ' . Translate::getStr('suspicion.doorway') . '
    '; $this->raw_report .= nl2br(AibolitHelpers::makeSafeFn(implode("\n", $doorway), $this->addPrefix, $this->noPrefix, true)); $this->raw_report .= "
    " . PHP_EOL; } if (count($vars->CMS) > 0) { $this->raw_report .= "
    " . Translate::getStr('founded_CMS') . "
    "; $this->raw_report .= nl2br(AibolitHelpers::makeSafeFn(implode("\n", $vars->CMS), $this->addPrefix, $this->noPrefix)); $this->raw_report .= "
    "; } } if (function_exists('memory_get_peak_usage')) { $this->template->set('MEMORY', Translate::getStr('memory_used') . AibolitHelpers::bytes2Human(memory_get_peak_usage())); } if ($l_ShowOffer) { $this->template->set('OFFER', Translate::getStr('offer.when_has_critical')); } else { $this->template->set('OFFER', Translate::getStr('offer.when_no_critical')); } $this->template->set('OFFER_OUR_PRODUCTS', Translate::getStr('offer_our_products')); $this->template->set('CAUTION', Translate::getStr('сaution.aibolit_file')); $this->template->set('CREDITS', Translate::getStr('info.non_commercial_use')); $this->template->set('FOOTER', Translate::getStr('footer')); $this->template->set('STAT', Translate::getStr('info.time_elapsed', [$scan_time, date('d-m-Y в H:i:s', floor($this->start)), date('d-m-Y в H:i:s')])); //////////////////////////////////////////////////////////////////////////// $this->template->set('MAIN_CONTENT', $this->raw_report); } public function write() { $ret = ''; $res = $this->template->render(); if ($l_FH = fopen($this->file . '.tmp', "w")) { fputs($l_FH, $res); fclose($l_FH); } if (rename($this->file . '.tmp', $this->file)) { $ret = "Report written to '$this->file'."; } else { $ret = "Cannot create '$this->file'."; } return $ret; } //////////////////////////////////////////////////////////////////////////// ///////////////////////////////////////////////////////////////////////////////////// private function makeSummary($par_Str, $par_Number, $par_Style) { return '' . $par_Str . '' . $par_Number . ''; } private function printList($par_List, $vars, $par_Details = null, $par_SigId = null, $par_TableName = null) { $i = 0; if ($par_TableName == null) { $par_TableName = 'table_' . rand(1000000, 9000000); } $l_Result = ''; $l_Result .= "
    "; $l_Result .= ""; $l_Result .= ""; $l_Result .= ""; $l_Result .= ""; $l_Result .= ""; $l_Result .= ""; $l_Result .= ""; $l_Result .= ""; $l_Result .= ""; $l_Result .= ""; for ($i = 0, $iMax = count($par_List); $i < $iMax; $i++) { if ($par_SigId != null) { $l_SigId = 'id_' . $par_SigId[$i]; } else { $l_SigId = 'id_z' . rand(1000000, 9000000); } $l_Pos = $par_List[$i]; $l_Creat = $vars->structure['c'][$l_Pos] > 0 ? date("d/m/Y H:i:s", $vars->structure['c'][$l_Pos]) : '-'; $l_Modif = $vars->structure['m'][$l_Pos] > 0 ? date("d/m/Y H:i:s", $vars->structure['m'][$l_Pos]) : '-'; $l_Size = $vars->structure['s'][$l_Pos] > 0 ? AibolitHelpers::bytes2Human($vars->structure['s'][$l_Pos]) : '-'; if ($par_Details != null) { $l_WithMarker = preg_replace('|__AI_MARKER__|smi', ' ', $par_Details[$i]); $l_WithMarker = preg_replace('|__AI_LINE1__|smi', '', $l_WithMarker); $l_WithMarker = preg_replace('|__AI_LINE2__|smi', '', $l_WithMarker); $l_Body = '
    '; if ($par_SigId != null) { $l_Body .= '[x] '; } $l_Body .= $l_WithMarker . '
    '; } else { $l_Body = ''; } $l_Result .= ''; if (is_file($vars->structure['n'][$l_Pos])) { $l_Result .= ''; } else { $l_Result .= ''; } $l_Result .= ''; $l_Result .= ''; $l_Result .= ''; $l_Result .= ''; $l_Result .= ''; $l_Result .= ''; $l_Result .= ''; $l_Result .= ''; } $l_Result .= "
    " . Translate::getStr('path') . "" . Translate::getStr('property_change') . "" . Translate::getStr('content_change') . "" . Translate::getStr('size') . "CRC32
    ' . $l_Body . '
    ' . $l_Creat . '
    ' . $l_Modif . '
    ' . $l_Size . '
    ' . $vars->structure['crc'][$l_Pos] . '
    ' . 'x' . '
    ' . $vars->structure['m'][$l_Pos] . '
    ' . $l_SigId . '
    "; return $l_Result; } private function addSlash($dir) { return rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR; } } class CloudAssistedFiles { private $white = []; private $black = []; public function __construct(CloudAssistedRequest $car, $file_list, $vars) { $list_of_hash = []; $list_of_filepath = []; foreach ($file_list as $index => $filepath) { if (!file_exists($filepath) || !is_readable($filepath) || is_dir($filepath)) { continue; } try { $list_of_hash[] = hash('sha256', file_get_contents($filepath)); $list_of_filepath[] = $filepath; } catch (Exception $e) { } } unset($file_list); if ($vars->hashtable !== null) { $vars->hashtable->add($list_of_filepath, $list_of_hash); } try { list($white_raw, $black_raw, $verdicts_black_raw) = $car->checkFilesByHash($list_of_hash); } catch (Exception $e) { throw $e; } $this->white = $this->getListOfFile($white_raw, $list_of_hash, $list_of_filepath); $this->black = $this->getListOfFile($black_raw, $list_of_hash, $list_of_filepath, $verdicts_black_raw); unset($white_raw, $black_raw, $verdicts_black_raw, $list_of_hash, $list_of_filepath); } public function getWhiteList() { return $this->white; } public function getBlackList() { return $this->black; } // ========================================================================= private function getListOfFile($data_raw, $list_of_hash, $list_of_filepath, $verdicts = []) { $result = []; foreach ($data_raw as $index => $hash_index) { if (!isset($list_of_hash[$hash_index])) { continue; } $hash_result = [ 'h' => $list_of_hash[$hash_index], 'ts' => time(), ]; if ($verdicts) { if (!isset($verdicts[$index])) { throw new Exception('Wrong CloudAssisted format. List of verdicts has structure different from main list.'); } $hash_result['sn'] = $verdicts[$index]; } $result[$list_of_filepath[$hash_index]] = $hash_result; } return $result; } } class DetachedMode { protected $workdir; protected $scan_id; protected $pid_file; protected $report_file; protected $csvreport_file; protected $done_file; protected $vars; protected $start_time; protected $json_report; protected $sock_file; protected $reports; protected $finder; protected $debug; public function __construct($finder, $debug, $scan_id, $vars, $start_time, $json_report, $basedir = '/var/imunify360/aibolit/run', $sock_file = '/var/run/defence360agent/generic_sensor.sock.2') { $this->scan_id = $scan_id; $this->vars = $vars; $this->setWorkDir($basedir, $scan_id); $this->pid_file = $this->workdir . '/pid'; $this->report_file = $this->workdir . '/report.json'; $this->csvreport_file = $this->workdir . '/report.csv'; $this->done_file = $this->workdir . '/done'; $this->start_time = $start_time; $this->json_report = $json_report; $this->setSocketFile($sock_file); $this->savePid(); $this->checkWorkDir($this->workdir); if (isset($vars->options['json_report']) && !empty($vars->options['json_report']) && $vars->options['json_report'] !== '.') { $this->report_file = $vars->options['json_report']; } if (isset($vars->options['csv_report']) && !empty($vars->options['csv_report']) && $vars->options['csv_report'] !== '.') { $this->csvreport_file = $vars->options['csv_report']; $this->reports[CSVReport::class] = $this->csvreport_file; } $this->reports[JSONReport::class] = $this->report_file; $this->finder = $finder; $this->debug = $debug; } public function scanListing($listing, $use_base64) { $this->checkList($listing); $this->scanFilesFromListingFile($listing, $use_base64); $this->writeReport(); $this->complete(); } public function scanDirectories($dir) { file_exists(QUEUE_FILENAME) && unlink(QUEUE_FILENAME); $scan = new Scanner($this->finder, $this->vars); if (method_exists($scan, 'QCR_ScanDirectories')) { $scan->QCR_ScanDirectories($dir); } $this->scanFilesFromListingFile(QUEUE_FILENAME, true); file_exists(QUEUE_FILENAME) && unlink(QUEUE_FILENAME); $this->writeReport(); $this->complete(); unset($scan); } // ///////////////////////////////////////////////////////////////////////// protected function scanFilesFromListingFile($list_filepath, $use_base64 = false) { if (!is_file($list_filepath) || !is_readable($list_filepath)) { $this->vars->foundTotalFiles = 0; return; } $s_file = new SplFileObject($list_filepath); $s_file->setFlags(SplFileObject::READ_AHEAD | SplFileObject::SKIP_EMPTY | SplFileObject::DROP_NEW_LINE); $s_file->seek($s_file->getSize()); $this->vars->foundTotalFiles = $s_file->key(); $s_file->seek(0); $scan = new Scanner($this->finder, $this->vars); if (method_exists($scan, 'QCR_GoScan')) { $scan->QCR_GoScan($s_file, null, $use_base64, false); $scan->whitelisting(); } unset($scan); unset($s_file); } protected function checkWorkDir($workdir) { if (!file_exists($workdir) && !mkdir($workdir) && !is_dir($workdir)) { die('Error! Cannot create workdir ' . $workdir . ' for detached scan.'); } elseif (file_exists($workdir) && !is_writable($workdir)) { die('Error! Workdir ' . $workdir . ' is not writable.'); } } protected function checkList($listing) { if (!file_exists($listing) || !is_readable($listing)) { die('Error! Listing file ' . $listing . ' not exists or not readable'); } } protected function savePid() { file_put_contents($this->pid_file, strval(getmypid())); } protected function writeReport() { $scan_time = round(microtime(true) - $this->start_time, 1); foreach($this->json_report->call($this, $this->reports) as $json_report) { $json_report->generateReport($this->vars, $scan_time); $json_report->write(); } } protected function complete() { @touch($this->done_file); $complete = array( 'method' => 'MALWARE_SCAN_COMPLETE', 'scan_id' => $this->scan_id, ); $json_complete = json_encode($complete) . "\n"; $socket = fsockopen('unix://' . $this->sock_file); stream_set_blocking($socket, false); fwrite($socket, $json_complete); fclose($socket); } protected function setWorkDir($dir, $scan_id) { $this->workdir = $dir . '/' . $scan_id; } protected function setSocketFile($sock) { $this->sock_file = $sock; } } /** * Class ResidentMode used to stay aibolit alive in memory and wait for a job. */ class ResidentMode { /** * parent dir for all resident aibolit related * @var string */ protected $resident_dir; /** * directory for all jobs to be processed by aibolit * @var string */ protected $resident_in_dir; /** * directory with all the malicious files reports to be processed by imunify * @var string */ protected $resident_out_dir; /** * resident aibolit pid * @var string */ protected $aibolit_pid; /** * file lock used to make sure we start only one aibolit * @var string */ protected $aibolit_start_lock; /** * status file used to make sure aibolit didn't get stuck * @var string */ protected $aibolit_status_file; /** * number of seconds while aibolit will stay alive, while not receiving any work * @var int */ protected $stay_alive; /** * maximum number of seconds without updating ABOLIT_STATUS_FILE, * used to track if AIBOLIT is stuck, should be killed * @var int */ protected $stuck_timeout; /** * number of seconds scripts would wait for aibolit to finish / send signal * @var int */ protected $upload_timeout; /** * max number of files to pick * @var int */ protected $max_files_per_notify_scan; /** * timestamp of last scan * @var int */ protected $last_scan_time; /** * time to sleep between lifecycle iterations in microseconds */ protected $sleep_time; protected $scannedNotify = 0; protected $report; protected $logger; protected $resident_in_dir_notify; protected $resident_in_dir_upload; protected $blacklist; protected $watchdog_socket; protected $activation_socket; protected $systemd = false; protected $interval = 0; protected $lastKeepAlive = 0; protected $maxMinUid = array(); protected $signs; protected $finder; const JOB_UPLOAD = 'upload'; const JOB_NOTIFY = 'notify'; protected $upload_jobs = []; protected $notify_jobs = []; /** * ResidentMode constructor. * * @param $finder * @param $debug * @param Closure $report * @param $signs * @param null $blacklist * @param Logger|null $logger * @param array $maxMinUid * @param string $resident_dir * @param int $stay_alive * @param int $stuck_timeout * @param int $upload_timeout * @param int $max_files_per_notify_scan * @param int $sleep_time */ public function __construct( $finder, $debug, Closure $report, $signs, $blacklist = null, Logger $logger = null, $maxMinUid = array(), $resident_dir = '/var/imunify360/aibolit/resident', $stay_alive = 30, $stuck_timeout = 5, $upload_timeout = 10, $max_files_per_notify_scan = 500, $sleep_time = 100000 ) { $this->signs = $signs; $this->setResidentDir($resident_dir); $this->resident_in_dir = $this->resident_dir . '/in'; $this->resident_in_dir_upload = $this->resident_in_dir . '/upload-jobs'; $this->resident_in_dir_notify = $this->resident_in_dir . '/notify-jobs'; $this->resident_out_dir = $this->resident_dir . '/out'; $this->aibolit_pid = $this->resident_dir . '/aibolit.pid'; $this->aibolit_start_lock = $this->resident_dir . '/start.lock'; $this->aibolit_status_file = $this->resident_dir . '/aibolit.status'; $this->stay_alive = $stay_alive; $this->stuck_timeout = $stuck_timeout; $this->upload_timeout = $upload_timeout; if (!empty($max_files_per_notify_scan)) { $this->max_files_per_notify_scan = $max_files_per_notify_scan; } $this->sleep_time = $sleep_time; $this->report = $report; $this->blacklist = $blacklist; $this->logger = $logger; $this->maxMinUid = $maxMinUid; umask(0); if (!file_exists($this->resident_dir)) { if (!mkdir($this->resident_dir, 0777, true) && !is_dir($this->resident_dir)) { throw new Exception(sprintf('Directory "%s" was not created', $this->resident_dir)); } } if (!file_exists($this->resident_in_dir)) { if (!mkdir($this->resident_in_dir, 0755) && !is_dir($this->resident_in_dir)) { throw new Exception(sprintf('Directory "%s" was not created', $this->resident_in_dir)); } } if (!file_exists($this->resident_out_dir)) { if (!mkdir($this->resident_out_dir, 0755) && !is_dir($this->resident_out_dir)) { throw new Exception(sprintf('Directory "%s" was not created', $this->resident_out_dir)); } } if (!file_exists($this->resident_in_dir_notify)) { if (!mkdir($this->resident_in_dir_notify, 0700) && !is_dir($this->resident_in_dir_notify)) { throw new Exception(sprintf('Directory "%s" was not created', $this->resident_in_dir_notify)); } } if (!file_exists($this->resident_in_dir_upload)) { if (!mkdir($this->resident_in_dir_upload, 01777) && !is_dir($this->resident_in_dir_upload)) { throw new Exception(sprintf('Directory "%s" was not created', $this->resident_in_dir_upload)); } } $this->checkSpecs(); $addr = getenv('NOTIFY_SOCKET'); if ($addr[0] == '@') { $addr = "\0"; } if ($addr) { $this->systemd = true; } if ($this->systemd) { $this->watchdog_socket = fsockopen('udg://' . $addr); stream_set_blocking($this->watchdog_socket, false); $this->activation_socket = fopen('php://fd/3', 'r'); if ($this->activation_socket === false) { die("Something went wrong with activation socket."); } stream_set_blocking($this->activation_socket, false); if (getenv('WATCHDOG_USEC') !== false) { $this->interval = intval(getenv('WATCHDOG_USEC')); } else { $this->interval = 1000000; } } $this->finder = $finder; $this->debug = isset($debug) ? $debug : null; $this->lifeCycle(); } protected function isRootWriteable($folder) { if (!file_exists($folder) || !is_dir($folder)) { return false; } $owner_id = (int)fileowner($folder); if (function_exists('posix_getpwuid')) { $owner = posix_getpwuid($owner_id); if (!isset($owner['name']) || $owner['name'] !== 'root') { return false; } } elseif ($owner_id != 0) { return false; } $perms = fileperms($folder); if (($perms & 0x0100) // owner r && ($perms & 0x0080) // owner w && ($perms & 0x0040) && !($perms & 0x0800) // owner x && !($perms & 0x0010) // group without w && !($perms & 0x0002) // other without w ) { return true; } return false; } protected function isWorldWriteable($folder) { if (!file_exists($folder) || !is_dir($folder)) { return false; } $perms = fileperms($folder); if (($perms & 0x0004) // other r && ($perms & 0x0002) // other w && ($perms & 0x0200) // sticky bit ) { return true; } return false; } protected function checkSpecs() { if (!extension_loaded('posix')) { die('Error! For resident scan need posix extension.'); } elseif (!$this->isRootWriteable($this->resident_in_dir_notify)) { die('Error! Notify in dir ' . $this->resident_in_dir_notify . ' must be root writeable.'); } elseif (!$this->isWorldWriteable($this->resident_in_dir_upload)) { die('Error! Upload in dir ' . $this->resident_in_dir_upload . ' must be world writeable.'); } } protected function setResidentDir($dir) { $this->resident_dir = $dir; } protected function writeReport($vars, $scan_time, $type, $file) { $file = basename($file); $critPHP = count($vars->criticalPHP); $critJS = count($vars->criticalJS); $black = count($vars->blackFiles); $warning = count($vars->warningPHP); $malware = ($critPHP > 0) || ($critJS > 0) || ($black > 0) || ($warning > 0); if ($malware) { $this->debugLog("Job {$file}: Found malware. PHP: {$critPHP}; JS: {$critJS}; Black: {$black}; SUS: {$warning}"); } else { $this->debugLog("Job {$file}: No malware found."); } if ($type == 'upload') { $pid = (int)basename($file, '.upload_job'); if ($malware) { $this->debugLog("Job {$file}: Sending SIGUSR1 to {$pid}"); posix_kill($pid, SIGUSR1); } else { $this->debugLog("Job {$file}: Sending SIGUSR2 to {$pid}"); posix_kill($pid, SIGUSR2); } } elseif ($type == 'notify' && $malware) { $filename = basename($file, '.notify_job'); $reports[JSONReport::class] = $this->resident_out_dir . '/' . $filename . '.report'; foreach($this->report->call($this, $reports) as $report) { $report->generateReport($vars, $scan_time); $this->debugLog("Job {$file}: Creating report for job in {$filename}.report"); $report->write(); } unset($reports); } } /** * @param string $pattern * @param string $type * * @return bool */ protected function isJobFileExists($pattern, $type) { if ($type === self::JOB_UPLOAD) { if (empty($this->upload_jobs)) { $this->upload_jobs = glob($this->resident_in_dir . $pattern); if (!empty($this->upload_jobs)) { return true; } } else { return true; } } if ($type === self::JOB_NOTIFY) { if (empty($this->notify_jobs)) { $this->notify_jobs = glob($this->resident_in_dir . $pattern); if (!empty($this->notify_jobs)) { return true; } } else { return true; } } return false; } protected function isUploadJob() { if ($this->isJobFileExists('/upload-jobs/*.upload_job', self::JOB_UPLOAD)) { return true; } return false; } protected function scanJob($job_file, $type) { $start_time = microtime(true); $vars = new Variables(); $vars->blacklist = $this->blacklist; $vars->maxMinUid = $type == 'notify' ? $this->maxMinUid : []; $vars->signs = $this->signs; $files_to_scan = array(); $count = 0; $job = json_decode(file_get_contents($job_file)); $file = basename($job_file); $this->debugLog("Job {$file} received from queue."); if ($type == 'notify') { $files_to_scan = $job->files; $count = count($files_to_scan); $this->debugLog("Job {$file}: notify. {$count} files to be scanned"); if ($count > $this->max_files_per_notify_scan) { $this->debugLog("Job {$file}: Too many files to scan. Job skipped."); // TODO: show a warning: too many files to scan, the job was skipped return true; } if ($this->scannedNotify + $count > $this->max_files_per_notify_scan) { $this->scannedNotify = 0; unset($vars, $files_to_scan); return false; } else { $this->scannedNotify += $count; } } elseif ($type == 'upload') { $files_to_scan = $job->files; $count = count($files_to_scan); $this->debugLog("Job {$file}: upload. {$count} files to be scanned"); if ($count > 1) { $this->debugLog("Job {$file}: Too many files to scan. Job skipped."); // TODO: show a warning: too many files to scan, the job was skipped return true; } } $vars->foundTotalFiles = $count; $scan = new Scanner($this->finder, $vars, $this->debug); if (method_exists($scan, 'QCR_GoScan')) { if ($this->systemd) { $scan->QCR_GoScan($files_to_scan, array($this, 'keepAlive'), true, false); } else { $scan->QCR_GoScan($files_to_scan, null, true, false); } $scan->whitelisting(); } $scan_time = round(microtime(true) - $start_time, 1); $this->last_scan_time = time(); $this->writeReport($vars, $scan_time, $type, $job_file); unset($vars, $files_to_scan, $scan); if (defined('PROGRESS_LOG_FILE') && file_exists(PROGRESS_LOG_FILE)) { @unlink(PROGRESS_LOG_FILE); } if (defined('CREATE_SHARED_MEMORY') && CREATE_SHARED_MEMORY) { shmop_delete(SHARED_MEMORY); } if (defined('SHARED_MEMORY')) { shmop_close(SHARED_MEMORY); } return true; } protected function isNotifyJob() { if ($this->isJobFileExists('/notify-jobs/*.notify_job', self::JOB_NOTIFY)) { return true; } return false; } protected function scanUploadJob() { if (!empty($this->upload_jobs)) { foreach ($this->upload_jobs as $index => $upload_job) { $this->scanJob($upload_job, 'upload'); $file = basename($upload_job); $this->debugLog("Job {$file}: Removing job."); unlink($upload_job); unset($this->upload_jobs[$index]); } } } protected function scanNotifyJob() { if (!empty($this->notify_jobs)) { foreach ($this->notify_jobs as $index => $job) { $res = $this->scanJob($job, 'notify'); if ($res) { $file = basename($job); $this->debugLog("Job {$file}: Removing job."); unlink($job); unset($this->notify_jobs[$index]); } else { break; } } } } public function keepAlive() { if ((int)((microtime(true) - $this->lastKeepAlive) * 1000000) > $this->interval / 2) { stream_get_contents($this->activation_socket); fwrite($this->watchdog_socket, 'WATCHDOG=1'); $this->lastKeepAlive = microtime(true); } } protected function lifeCycle() { $this->debugLog("Starting resident-mode loop."); $this->last_scan_time = time(); while (true) { if ($this->systemd) { $this->keepAlive(); } while ($this->isUploadJob()) { $this->scanUploadJob(); } while ($this->isNotifyJob() && !$this->isUploadJob()) { $this->scanNotifyJob(); } if ($this->last_scan_time + $this->stay_alive < time()) { $this->debugLog("No more jobs. Shutting down."); break; } touch($this->aibolit_status_file); usleep($this->sleep_time); // 1/10 of second by default } if ($this->systemd) { fclose($this->watchdog_socket); fclose($this->activation_socket); } unlink($this->aibolit_status_file); } protected function debugLog($message) { if ($this->logger === null) { return; } $this->logger->debug($message); } } class DebugMode { private $debugMode = false; private $debugPerfomance = false; private $perfomance_stats = []; public function __construct($debugMode, $debugPerfomance) { $this->debugMode = $debugMode; $this->debugPerfomance = $debugPerfomance; } public function QCR_Debug($par_Str = "") { if ($this->debugMode) { return; } $l_MemInfo = ' '; if (function_exists('memory_get_usage')) { $l_MemInfo .= ' curmem=' . AibolitHelpers::bytes2Human(memory_get_usage()); } if (function_exists('memory_get_peak_usage')) { $l_MemInfo .= ' maxmem=' . AibolitHelpers::bytes2Human(memory_get_peak_usage()); } stdOut("\n" . date('H:i:s') . ': ' . $par_Str . $l_MemInfo . "\n"); } public function getDebugMode() { return $this->debugMode; } public function getDebugPerfomance() { return $this->debugPerfomance; } public function addPerfomanceItem($item, $time) { $this->perfomance_stats[$item] = isset($this->perfomance_stats[$item]) ? $this->perfomance_stats[$item] + $time : 0; } public function printPerfomanceStats() { $keys = array_keys($this->perfomance_stats); for ($i = 0, $iMax = count($keys); $i < $iMax; $i++) { $this->perfomance_stats[$keys[$i]] = round($this->perfomance_stats[$keys[$i]] * 1000000); } arsort($this->perfomance_stats); foreach ($this->perfomance_stats as $r => $v) { echo $v . "\t\t" . $r . "\n"; } } } class FileInfo { private $index = 0; private $inode = 0; private $filename = ''; private $size = 0; private $created = 0; private $modified = 0; private $hash = 0; private $sha256 = 0; private $sha1file = 0; private $content = ''; private $norm_content = ''; private $is_binary = 0; private $hashtable = null; /** * @return int|string */ public function getSha1file() { if ($this->sha1file == 0) { $this->sha1file = sha1_file($this->filename); } return $this->sha1file; } public function __construct($filename, $index, $hashtable = null) { $this->index = $index; $this->filename = $filename; $this->hashtable = $hashtable; } /** * @return bool */ public function isBinary() { $header = ''; if ($this->is_binary === 0) { if ($this->content == '') { $header = @file_get_contents($this->filename, false, null, 0, 4); } else { $header = substr($this->content, 0, 4); } if ($header === chr(127) . 'ELF') { $this->is_binary = true; } else { $this->is_binary = false; } unset($header); } return $this->is_binary; } /** * @return false|mixed|string */ public function getContent() { if ($this->content == '') { $this->content = @file_get_contents($this->filename); } return $this->content; } /** * @return string */ public function getContentWithoutSpaces($max_size = false) { if($this->norm_content !== '') { return $this->norm_content; } if (!$max_size) { $this->norm_content = Normalization::strip_whitespace($this->getContent()); } else if(is_numeric($max_size)) { $this->norm_content = Normalization::strip_whitespace($this->getContentBytes($max_size)); } return $this->norm_content; } public function getContentBytes($max_bytes) { if ($this->content == '') { $this->content = @file_get_contents($this->filename, false, null, 0, $max_bytes); } return $this->content; } /** * @param $text * @return string */ private function _hash_($text) { static $r; if (empty($r)) { for ($i = 0; $i < 256; $i++) { if ($i < 33 or $i > 127) { $r[chr($i)] = ''; } } } return sha1(strtr($text, $r)); } /** * @return integer */ public function getIndex() { return $this->index; } /** * @return string */ public function getFilename() { return $this->filename; } private function _setStat() { $info = stat($this->filename); $this->size = $info['size']; $this->created = $info['ctime']; $this->modified = $info['mtime']; $this->inode = $info['ino']; } /** * @return int|mixed */ public function getSize() { if ($this->size == 0) { $this->_setStat(); } return $this->size; } /** * @return int|mixed */ public function getInode() { if ($this->inode == 0) { $this->_setStat(); } return $this->inode; } /** * @return int|mixed */ public function getCreated() { if ($this->created == 0) { $this->_setStat(); } return $this->created; } /** * @return int|mixed */ public function getModified() { if ($this->modified == 0) { $this->_setStat(); } return $this->modified; } /** * @return int|string */ public function getHash() { if ($this->hash == 0) { $this->hash = $this->_hash_($this->getContentWithoutSpaces()); } return $this->hash; } /** * @return int|string */ public function getSha256() { if ($this->hashtable !== null && $this->hashtable->get($this->filename) !== false) { $this->sha256 = $this->hashtable->get($this->filename); } if ($this->sha256 == 0) { $this->sha256 = hash('sha256', $this->getContent()); } return $this->sha256; } } class HashTable { private $hashes = []; public function add($paths, $hashes) { $this->hashes[0] = $paths; $this->hashes[1] = $hashes; } public function get($filename) { $index = array_search($filename, $this->hashes[0]); if ($index === false) { return false; } return $this->hashes[1][$index]; } } class Finder { const MAX_ALLOWED_PHP_HTML_IN_DIR = 600; private $sym_links = []; private $skipped_folders = []; private $doorways = []; private $total_dir_counter = 0; private $total_files_counter = 0; private $checked_hashes = []; private $initial_dir = ''; private $initial_level = null; private $level_limit = null; private $filter; public function __construct($filter = null, $level_limit = null) { $this->filter = $filter; $this->level_limit = $level_limit; } private function linkResolve($path) { return realpath($path); } private function resolve($path, $follow_symlinks) { if (!$follow_symlinks || !is_link($path)) { return $path; } return $this->linkResolve($path); } private function isPathCheckedAlready($path) { $root_hash = crc32($path); if (isset($this->checked_hashes[$root_hash])) { return true; } $this->checked_hashes[$root_hash] = ''; return false; } private function walk($path, $follow_symlinks) { $level = substr_count($path, '/'); if (isset($this->level_limit) && (($level - $this->initial_level + 1) > $this->level_limit)) { return; } $l_DirCounter = 0; $l_DoorwayFilesCounter = 0; if ($follow_symlinks && $this->isPathCheckedAlready($path)) { return; } # will not iterate dir, if it should be ignored if (!$this->filter->needToScan($path, false, true)) { $this->skipped_folders[] = $path; return; } $dirh = @opendir($path); if ($dirh === false) { return; } while (($entry = readdir($dirh)) !== false) { if ($entry == '.' || $entry == '..') { continue; } $entry = $path . DIRECTORY_SEPARATOR . $entry; if (is_link($entry)) { $this->sym_links[] = $entry; if (!$follow_symlinks) { continue; } $real_path = $this->resolve($entry, true); } else { $real_path = $entry; } if (is_dir($entry)) { $l_DirCounter++; if ($l_DirCounter > self::MAX_ALLOWED_PHP_HTML_IN_DIR) { $this->doorways[] = $path; $l_DirCounter = -655360; } $this->total_dir_counter++; yield from $this->walk($real_path, $follow_symlinks); } else if (is_file($entry)) { $stat = stat($entry); if (!$stat) { continue; } if (is_callable([$this->filter, 'checkShortExt']) && $this->filter->checkShortExt($entry)) { $l_DoorwayFilesCounter++; if ($l_DoorwayFilesCounter > self::MAX_ALLOWED_PHP_HTML_IN_DIR) { $this->doorways[] = $path; $l_DoorwayFilesCounter = -655360; } } if ($follow_symlinks && $this->isPathCheckedAlready($real_path)) { continue; } $need_to_scan = $this->filter->needToScan($real_path, $stat); if ($need_to_scan) { $this->total_files_counter++; yield $real_path; } } } closedir($dirh); } private function expandPath($path, $follow_symlinks) { if ($path) { if (is_dir($path)) { yield from $this->walk($path, $follow_symlinks); } else { $need_to_scan = $this->filter->needToScan($path); if ($need_to_scan) { yield $path; } } } } public function find($target) { if ($target === '/') { $target = '/*'; } if (is_string($target) && substr($target, -1) == DIRECTORY_SEPARATOR) { $target = substr($target, 0, -1); } # We shouldn't use iglob for list of paths, # cause they cannot contain * or regexp # but can contain invalid sequence e.g. [9-0] if (is_callable([$this->filter, 'generateCheckers'])) { $this->filter->generateCheckers(); } $paths = is_array($target) ? $target : new GlobIterator($target, FilesystemIterator::CURRENT_AS_PATHNAME); foreach ($paths as $path) { $this->initial_dir = realpath($path); $this->initial_level = substr_count($this->initial_dir, '/'); $path = $this->linkResolve($path); yield from $this->expandPath($path, $this->filter->isFollowSymlink()); } } private function convertTemplatesToRegexp($templates) { return '~(' . str_replace([',', '.', '*'], ['|', '\\.', '.*'], $templates) . ')~i'; } public function setLevelLimit($level) { $this->level_limit = $level; } public function getSymlinks() { return $this->sym_links; } public function getDoorways() { return $this->doorways; } public function skippedDirs() { return $this->skipped_folders; } public function getTotalDirs() { return $this->total_dir_counter; } public function getTotalFiles() { return $this->total_files_counter; } } class FileFilter { const LOG_AND_MAIL_PATTERN = [ '/sess\_\w*$', '/stat/usage\_\w+\.html', '/stat/site\_\w+\.html', '/webstat/awstats.*\.txt', '/awstats/awstats.*\.txt', '/awstats/.{1,80}\.pl', '/awstats/.{1,80}\.html', '/logs/error\_log\..*', '/logs/xferlog\..*', '/logs/access\_log\..*', '/domlogs/.+', '/logs/cron\..*', '/logs/exceptions/.+\.log(?:\.\d)?(?:\.gz)?$', '/mail(?:/[^/]+)*/[^,]+,S=[^,]+,W=.+', '/mail(?:/[^/]+)*/[^,]+,S=.+', '/mail(?:/[^/]+)*/storage/u\.[0-9]+', '/mail(?:/[^/]+)*/storage/m\.[0-9]+', '/Maildir(?:/[^/]+)*/[^,]+,S=[^,]+,W=.+', '/Maildir(?:/[^/]+)*/[^,]+,S=.+', '^/var/ossec/.*', ]; const IMUNIFY_LOG_PATTERN = [ '/var/log/imunify360/acronis-installer\.log$', '/var/log/imunify360/console\.log(?:\.\d)?(?:\.gz)?$', '/var/log/imunify360/debug\.log$', '/var/log/imunify360/error\.log$', '/var/log/install-mod\_remoteip\.log(?:\.\d{1.4})?(?:\.pid)?r$', '/var/log/imunify360/malware\_scan\_\d{10}\.log$', '/var/log/imunify360/network\.log$', '/var/log/imunify360/process\_message\.log$', '/var/log/imunify360-webshield/access.log(?:-\d{8})?(?:.gz)?$', '/var/log/imunify360-webshield/error.log(?:-\d{8})?(?:.gz)?$', '/.revisium_antivirus_cache/.revisium\d+/', '/admin/plib/modules/revisium-antivirus/library/externals/', ]; const IMUNIFY_DIRS = [ '/etc/cagefs/conf.d/ai-bolit.cfg', '/etc/cagefs/conf.d/clamav.cfg', '/etc/cagefs/exclude/imunify360', '/etc/chkserv.d/imunify-antivirus', '/etc/chkserv.d/imunify360-agent', '/etc/cron.daily/imunify-antivirus.cron', '/etc/cron.daily/imunify360.cron', '/etc/imunify360-webshield', '/etc/imunify360', '/etc/logrotate.d/imunify360', '/etc/nginx/conf.d/i360.remoteip.conf', '/etc/sysconfig/imunify360', '/opt/ai-bolit', '/opt/alt/python35/bin/imunify360-agent', '/opt/alt/python35/bin/imunify360-command-wrapper', '/opt/alt/python35/lib/python3.5/site-packages/defence360agent', '/opt/alt/python35/share/imunify360', '/run/chkservd/imunify360-webshield', '/run/chkservd/restart_track/imunify360-webshield', '/run/imunify360-webshield.pid', '/usr/bin/imunify-antivirus', '/usr/bin/imunify360-agent', '/usr/bin/imunify360-command-wrapper', '/usr/lib/systemd/system/imunify-antivirus.service', '/usr/lib/systemd/system/imunify360-pure.service', '/usr/lib/systemd/system/imunify360-webshield', '/usr/lib/systemd/system/imunify360.service', '/usr/local/cpanel/base/frontend/paper_lantern/imunify', '/usr/local/directadmin/plugins/Imunify', '/usr/sbin/imunify360-webshield', '/var/cache/imunify360-webshield', '/var/cpanel/apps', '/var/imunify360', '/var/log/cloudlinux-backup-util' ]; const SHORT_LIST_EXT = [ 'php', 'php3', 'php4', 'php5', 'php7', 'pht', 'html', 'htm', 'phtml', 'shtml', 'khtml', '', 'ico', 'txt' ]; const SUSPICIOUS_EXT = [ 'cgi', 'pl', 'o', 'so', 'py', 'sh', 'phtml', 'php3', 'php4', 'php5', 'php6', 'php7', 'pht', 'shtml' ]; private $sensitiveExt = [ 'php', 'js', 'json', 'htaccess', 'html', 'htm', 'tpl', 'inc', 'css', 'txt', 'sql', 'ico', '', 'susp', 'suspected', 'zip', 'tar' ]; const SKIP_SMART_MASK = [ '/template_\w{32}.css', '/cache/templates/.{1,150}\.tpl\.php', '/system/cache/templates_c/\w{1,40}\.php', '/assets/cache/rss/\w{1,60}', '/cache/minify/minify_\w{32}', '/cache/page/\w{32}\.php', '/cache/object/\w{1,10}/\w{1,10}/\w{1,10}/\w{32}\.php', '/cache/wp-cache-\d{32}\.php', '/cache/page/\w{32}\.php_expire', '/cache/page/\w{32}-cache-page-\w{32}\.php', '\w{32}-cache-com_content-\w{32}\.php', '\w{32}-cache-mod_custom-\w{32}\.php', '\w{32}-cache-mod_templates-\w{32}\.php', '\w{32}-cache-_system-\w{32}\.php', '/cache/twig/\w{1,32}/\d+/\w{1,100}\.php', '/autoptimize/js/autoptimize_\w{32}\.js', '/bitrix/cache/\w{32}\.php', '/bitrix/cache/.{1,200}/\w{32}\.php', '/bitrix/cache/iblock_find/', '/bitrix/managed_cache/MYSQL/user_option/[^/]+/', '/bitrix/cache/s1/bitrix/catalog\.section/', '/bitrix/cache/s1/bitrix/catalog\.element/', '/bitrix/cache/s1/bitrix/menu/', '/catalog.element/[^/]+/[^/]+/\w{32}\.php', '/bitrix/managed\_cache/.{1,150}/\.\w{32}\.php', '/core/cache/mgr/smarty/default/.{1,100}\.tpl\.php', '/core/cache/resource/web/resources/[0-9]{1,50}\.cache\.php', '/smarty/compiled/SC/.{1,100}/%%.{1,200}\.php', '/smarty/.{1,150}\.tpl\.php', '/smarty/compile/.{1,150}\.tpl\.cache\.php', '/files/templates_c/.{1,150}\.html\.php', '/uploads/javascript_global/.{1,150}\.js', '/assets/cache/rss/\w{32}', 'сore/cache/resource/web/resources/\d+\.cache\.php', '/assets/cache/docid_\d+_\w{32}\.pageCache\.php', '/t3-assets/dev/t3/.{1,150}-cache-\w{1,20}-.{1,150}\.php', '/t3-assets/js/js-\w{1,30}\.js', '/temp/cache/SC/.{1,100}/\.cache\..{1,100}\.php', '/tmp/sess\_\w{32}$', '/assets/cache/docid\_.{1,100}\.pageCache\.php', '/stat/usage\_\w{1,100}\.html', '/stat/site\_\w{1,100}\.html', '/gallery/item/list/\w{1,100}\.cache\.php', '/core/cache/registry/.{1,100}/ext-.{1,100}\.php', '/core/cache/resource/shk\_/\w{1,50}\.cache\.php', '/cache/\w{1,40}/\w+-cache-\w+-\w{32,40}\.php', '/webstat/awstats.{1,150}\.txt', '/awstats/awstats.{1,150}\.txt', '/awstats/.{1,80}\.pl', '/awstats/.{1,80}\.html', '/inc/min/styles_\w+\.min\.css', '/inc/min/styles_\w+\.min\.js', '/logs/error\_log\.', '/logs/xferlog\.', '/logs/access_log\.', '/logs/cron\.', '/logs/exceptions/.{1,200}\.log$', '/hyper-cache/[^/]{1,50}/[^/]{1,50}/[^/]{1,50}/index\.html', '/mail/new/[^,]+,S=[^,]+,W=', '/mail/new/[^,]=,S=', '/application/logs/\d+/\d+/\d+\.php', '/sites/default/files/js/js_\w{32}\.js', '/yt-assets/\w{32}\.css', '/wp-content/cache/object/\w{1,5}/\w{1,5}/\w{32}\.php', '/catalog\.section/\w{1,5}/\w{1,5}/\w{32}\.php', '/simpla/design/compiled/[\w\.]{40,60}\.php', '/compile/\w{2}/\w{2}/\w{2}/[\w.]{40,80}\.php', '/sys-temp/static-cache/[^/]{1,60}/userCache/[\w\./]{40,100}\.php', '/session/sess_\w{32}', '/webstat/awstats\.[\w\./]{3,100}\.html', '/stat/webalizer\.current', '/stat/usage_\d+\.html' ]; private $ignoreExt = []; private $ignoreListPatterns = []; private $ignoreList = null; private $ignoreFilenameByRegexp = null; private $onlyFilepathRegexp = null; private $skipFilesOlder = null; private $initialDir = null; private $file_checkers = []; private $dir_checkers = []; private $excludes = []; private $check_is_not_root; private $check_is_not_system; private $check_is_file; private $ignore_quar; private $check_file_older; private $check_ignore_file; private $check_ignore_filename_template; private $check_only_filepath_template; private $check_scope; private $check_ext; private $ignore_ext; private $check_short_ext; private $ignore_path_pattern; private $skipRootOwner = false; private $skipSystemOwner = false; private $followSymlink = false; private $ignoreQuarantine = false; private $scanAllExt = false; private $smartScan = false; private $imunify_filters = false; private $ignored_av_admin = false; private $ignored_av_internal = false; private $admin_watched = false; private $ignore_symlink = true; private $match_patterns = []; private $no_match_patterns = []; private $ignored_av_admin_file = '/etc/sysconfig/imunify360/malware-filters-admin-conf/processed/ignored/av-admin.txt'; private $ignored_av_internal_file = '/etc/sysconfig/imunify360/malware-filters-admin-conf/processed/ignored/av-internal.txt'; private $admin_watched_file = '/etc/sysconfig/imunify360/malware-filters-admin-conf/admin/watched.txt'; private $basedirs_file = '/etc/sysconfig/imunify360/malware-filters-admin-conf/processed/basedirs-list.txt'; private function getIgnoredAVAdmin() { if (!$this->ignored_av_admin) { $this->ignored_av_admin = trim(file_get_contents($this->ignored_av_admin_file)); } return $this->ignored_av_admin; } private function getIgnoredAVInternal() { if (!$this->ignored_av_internal) { $this->ignored_av_internal = trim(file_get_contents($this->ignored_av_internal_file)); } return $this->ignored_av_internal; } private function getBaseDirs() { return file($this->basedirs_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); } private function fixTrailingSlash($path) { if ($path[0] !== '/') { $path = '/' . $path; } return $path; } private function resolveBaseDirs($basedirs, $path) { $result = []; $tmp = substr($path, 1); $tmp = $this->fixTrailingSlash($tmp); foreach ($basedirs as $dir) { $result [] = $dir . $tmp; } return $result; } private function processWatchedItems($basedirs, $paths) { $result = []; foreach ($paths as $item) { $item = trim($item); if ($item[0] === '#') { continue; } else if ($item[0] === '+') { $result = array_merge($result, $this->resolveBaseDirs($basedirs, $item)); } else { $result[] = $item; } } return $result; } private function getAdminWatched() { if (!$this->admin_watched) { $this->admin_watched = []; $basedirs = $this->getBaseDirs(); $paths = file($this->admin_watched_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); $this->admin_watched = $this->processWatchedItems($basedirs, $paths); } return $this->admin_watched; } public function setSmartScan() { $this->smartScan = true; } public function isSmartScan() { return $this->smartScan; } public function setImunifyFilters() { $this->imunify_filters = true; } public function setScanAll() { $this->scanAllExt = true; } public function setIgnoreExt($ext_list) { if (!$ext_list) { return; } $this->ignoreExt = explode(',', $ext_list); for ($i = 0, $iMax = count($this->ignoreExt); $i < $iMax; $i++) { $this->ignoreExt[$i] = trim($this->ignoreExt[$i]); } $this->ignoreExt = array_flip($this->ignoreExt); } public function setSensitiveExt($ext_list) { if (!$ext_list) { return; } $this->sensitiveExt = explode(",", $ext_list); for ($i = 0, $iMax = count($this->sensitiveExt); $i < $iMax; $i++) { if ($this->sensitiveExt[$i] == '.') { $this->sensitiveExt[$i] = ''; } } $this->sensitiveExt = array_flip($this->sensitiveExt); } public function getSensitiveExt() { return array_flip($this->sensitiveExt); } public function setIgnoreListPatterns($filepath) { if (!file_exists($filepath) || !is_file($filepath) || !is_readable($filepath)) { return; } $this->ignoreListPatterns = []; $content = file_get_contents($filepath); $list = explode("\n", $content); foreach ($list as $pattern) { if (trim($pattern) == '') { continue; } $this->ignoreListPatterns[] = $pattern; } } public function __construct() { $this->sensitiveExt = array_merge($this->sensitiveExt, self::SUSPICIOUS_EXT); $this->sensitiveExt = array_flip($this->sensitiveExt); $this->ignore_quar = function ($file) { if (strpos($file, '/.imunify.quarantined') !== false) { $st = stat($file); if (!$st) { return false; } return $st['uid'] !== 0; } return true; }; $this->ignore_excludes = function ($file) { $tree = $this->getTree($file); if ($this->pathRelatesTo($tree, $this->excludes)) { return false; } return true; }; $this->check_file_older = function ($file) { return (@filemtime($file) > $this->skipFilesOlder) || (@filectime($file) > $this->skipFilesOlder); }; $this->check_ignore_file = function ($file) { $tree = $this->getTree($file); if ($this->pathRelatesTo($tree, $this->ignoreList, true)) { return false; } return true; }; $this->check_ignore_filename_template = function ($file) { return !preg_match($this->ignoreFilenameByRegexp, basename($file)); }; $this->check_only_filepath_template = function ($file) { return preg_match($this->onlyFilepathRegexp, $file); }; $this->check_is_not_root = function ($file) { $stat = stat($file); return $stat['gid'] !== 0 && $stat['uid'] !== 0; }; $this->check_is_not_system = function ($file) { $stat = stat($file); return ($stat['uid'] >= $this->skipSystemOwner[0] && $stat['uid'] <= $this->skipSystemOwner[1]); }; $this->check_is_file = function ($file) { return is_file($file); }; $this->check_file_patterns = function ($file) { foreach($this->match_patterns as $pattern) { $match = fnmatch($pattern, $file); if ($match) { return $match; } } return false; }; $this->check_file_not_patterns = function ($file) { foreach($this->no_match_patterns as $pattern) { $match = fnmatch($pattern, $file); if ($match) { return !$match; } } return true; }; $this->ignore_symlink = function ($file) { return !is_link($file); }; $this->check_scope = function ($file) { return strpos($file, $this->initialDir) === 0; }; $this->ignore_dots = function ($file) { return !($file == '.' || $file == '..'); }; $this->check_ext = function ($file) { if ($this->scanAllExt) { return true; } $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION)); return isset($this->sensitiveExt[$ext]); }; $this->ignore_ext = function ($file) { $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION)); return !isset($this->ignoreExt[$ext]); }; $this->check_short_ext = function ($file) { $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION)); return in_array($ext, self::SHORT_LIST_EXT); }; $this->ignore_path_pattern = function ($file) { foreach ($this->ignoreListPatterns as $pattern) { if (($pattern != '') && preg_match('#' . $pattern . '#', $file)) { return false; } } return true; }; $this->imunify_filter = function ($file) { if (preg_match('~' . $this->getIgnoredAVAdmin() . '~msi', $file)) { return false; } if (preg_match('~' . $this->getIgnoredAVInternal() . '~msi', $file)) { foreach ($this->getAdminWatched() as $rec_watched) { if (fnmatch($rec_watched, $file)) { return true; } } return false; } return true; }; $this->excludes = array_flip(self::IMUNIFY_DIRS); $this->file_checkers[] = $this->ignore_path_pattern; $this->file_checkers[] = $this->check_is_file; $this->file_checkers[] = $this->check_ext; $this->file_checkers[] = $this->ignore_excludes; $this->dir_checkers[] = $this->ignore_path_pattern; $this->dir_checkers[] = $this->ignore_excludes; $this->dir_checkers[] = $this->ignore_dots; } public function setIgnoreListFile($filepath) { if (!file_exists($filepath) || !is_file($filepath) || !is_readable($filepath)) { return; } $this->ignoreList = []; $content = file_get_contents($filepath); $list = explode("\n", $content); foreach ($list as $base64_filepath) { if ($base64_filepath !== '') { $this->ignoreList[$base64_filepath] = ''; } } } public function setIgnoreFilenames($templates) { if (!$templates) { return; } $this->no_match_patterns = explode(',', $templates); for ($i = 0, $iMax = count($this->no_match_patterns); $i < $iMax; $i++) { $this->no_match_patterns[$i] = trim($this->no_match_patterns[$i]); } } public function setOnlyFilepaths($templates) { if (empty($templates)) { return; } $this->match_patterns = explode(',', $templates); for ($i = 0, $iMax = count($this->match_patterns); $i < $iMax; $i++) { $this->match_patterns[$i] = trim($this->match_patterns[$i]); } } public function setSkipFilesOlder($unix_timestamp) { $this->skipFilesOlder = $unix_timestamp; } public function setSkipRootOwner() { $this->skipRootOwner = true; } public function setSkipSystemOwner($min_max_uid) { if (is_array($min_max_uid)) { $this->skipSystemOwner = $min_max_uid; } } public function setFollowSymlink() { $this->followSymlink = true; } public function isFollowSymlink() { return $this->followSymlink; } public function setIgnoreQuarantine() { $this->ignoreQuarantine = true; } public function generateCheckers() { $file_checkers = $this->file_checkers; if ($this->match_patterns) { $file_checkers[] = $this->check_file_patterns; } if ($this->no_match_patterns) { $file_checkers[] = $this->check_file_not_patterns; } if ($this->skipRootOwner) { $file_checkers[] = $this->check_is_not_root; } if ($this->skipSystemOwner && is_array($this->skipSystemOwner)) { $file_checkers[] = $this->check_is_not_system; } $dir_checkers = $this->dir_checkers; if(!$this->followSymlink) { $dir_checkers[] = $this->ignore_symlink; } if ($this->ignoreQuarantine) { $dir_checkers[] = $this->ignore_quar; } if ($this->skipFilesOlder) { $file_checkers[] = $this->check_file_older; } if ($this->ignoreFilenameByRegexp) { $file_checkers[] = $this->check_ignore_filename_template; } if (!empty($this->ignoreList)) { $file_checkers[] = $this->check_ignore_file; $dir_checkers[] = $this->check_ignore_file; } if ($this->onlyFilepathRegexp) { $file_checkers[] = $this->check_only_filepath_template; } if (!empty($this->ignoreExt)) { $file_checkers[] = $this->ignore_ext; } if ($this->imunify_filters) { $file_checkers[] = $this->imunify_filter; } $this->ignoreListPatterns = array_merge($this->ignoreListPatterns, self::IMUNIFY_LOG_PATTERN, self::LOG_AND_MAIL_PATTERN); if($this->smartScan) { $this->ignoreListPatterns = array_merge($this->ignoreListPatterns, self::SKIP_SMART_MASK); } $this->file_checkers = $file_checkers; $this->dir_checkers = $dir_checkers; } public function getFileCheckers() { return $this->file_checkers; } public function getDirCheckers() { return $this->dir_checkers; } private function check($file, $where, $stat = false) { if (!$file) { return false; } if (!$stat) { $stat = stat($file); } foreach ($where as $func) { if(empty($func)) { continue; } if (!$func($file, $stat)) { return false; } } return true; } public function needToScan($file, $stat = false, $only_dir = false) { if (!$file) { return false; } if (!$stat) { $stat = @stat($file); if (!$stat) { return false; } } if (!$only_dir && !$this->check($file, $this->getFileCheckers(), $stat)) { return false; } if (!$this->check($file, $this->getDirCheckers(), $stat)) { return false; } return true; } private function getTree($file) { $tree = []; $path = $file; $i = 1; while ($path !== '.' && $path !== '/') { $path = dirname($path, $i); $tree[] = $path; $i++; } $tree[] = $file; return $tree; } private function pathRelatesTo($tree, $pathes, $base64 = false) { foreach ($tree as $path) { if ($base64) { $path = base64_encode($path); } if (isset($pathes[$path])) { return true; } } return false; } public function checkShortExt($path) { return $this->check_short_ext->call($this, $path); } } class Scanner { private $addPrefix; private $noPrefix; private $finder; private $vars; private $debug; public function __construct($finder, $vars, $debug = null) { $this->addPrefix = isset($vars->options['addprefix']) ? $vars->options['addprefix'] : ''; $this->noPrefix = isset($vars->options['noprefix']) ? $vars->options['noprefix'] : '';; $this->finder = $finder; $this->vars = $vars; $this->suspicious = isset($vars->options['with-suspicious']); $this->debug = $debug; } private function CloudAssitedFilter($files_list) { $black_files = []; $white_files = []; try { $car = Factory::instance()->create(CloudAssistedRequest::class, [CLOUD_ASSIST_TOKEN]); $cloud_assist_files = new CloudAssistedFiles($car, $files_list, $this->vars); $white_files = $cloud_assist_files->getWhiteList(); $black_files = $cloud_assist_files->getBlackList(); unset($cloud_assist_files); } catch (\Exception $e) { fwrite(STDERR, 'Warning: [CAS] ' . $e->getMessage() . PHP_EOL); if (isset($this->debug)) { $this->debug->QCR_Debug($e->getMessage()); } } $this->vars->blackFiles = array_diff_assoc(array_merge($this->vars->blackFiles, $black_files), $white_files); return array_diff($files_list, array_keys($black_files), array_keys($white_files)); } public function QCR_ScanDirectories($l_RootDir) { static $l_Buffer = ''; if (isset($this->debug)) { $this->debug->QCR_Debug('Scan ' . $l_RootDir); } $listFiles = $this->finder->find($l_RootDir); foreach ($listFiles as $l_FileName) { if (ONE_PASS) { $this->QCR_ScanFile($l_FileName, $this->vars, null, $this->vars->counter++); } else { $l_Buffer .= FilepathEscaper::encodeFilepathByBase64($l_FileName) . "\n"; } $this->vars->counter++; if (strlen($l_Buffer) > 32000) { file_put_contents(QUEUE_FILENAME, $l_Buffer, FILE_APPEND) || die2("Cannot write to file " . QUEUE_FILENAME); $l_Buffer = ''; } } $this->vars->symLinks = $this->finder->getSymlinks(); $this->vars->doorway = $this->finder->getDoorways(); $this->vars->foundTotalDirs = $this->finder->getTotalDirs(); $this->vars->foundTotalFiles = $this->finder->getTotalFiles(); if (!empty($l_Buffer) && (isset($this->vars->options['use-template-in-path']) || $l_RootDir == ROOT_PATH ) ) { file_put_contents(QUEUE_FILENAME, $l_Buffer, FILE_APPEND) || die2("Cannot write to file " . QUEUE_FILENAME); $l_Buffer = ''; } unset($listFiles); } public function QCR_GoScan($s_file, $callback = null, $base64_encoded = true, $skip_first_line = false) { if (isset($this->debug)) { $this->debug->QCR_Debug('QCR_GoScan '); } try { $i = 0; $filesForCloudAssistedScan = []; foreach ($s_file as $index => $filepath_encoded) { if ($callback !== null) { $this->callCallback($callback); } if ($skip_first_line && $index == 0) { $i = 1; continue; } $filepath = $base64_encoded ? FilepathEscaper::decodeFilepathByBase64($filepath_encoded) : $filepath_encoded; if (!file_exists($filepath) || !is_file($filepath) || !is_readable($filepath)) { continue; } if (!empty($this->vars->maxMinUid)) { $stat = stat($filepath); if (!($stat['uid'] >= $this->vars->maxMinUid[0] && $this->stat['uid'] <= $this->vars->maxMinUid[1])) { continue; } } $filesize = filesize($filepath); if ($filesize > MAX_FILE_SIZE_FOR_CHECK || $filesize < MIN_FILE_SIZE_FOR_CHECK) { continue; } if (substr($filepath, -1) == DIR_SEPARATOR || !defined('CLOUD_ASSIST_TOKEN')) { $this->QCR_ScanFile($filepath, $this->vars, $callback, $i++); continue; } if ($this->isFileTooBigForCloudscan($filesize)) { $this->QCR_ScanFile($filepath, $this->vars, $callback, $i++); continue; } // collecting files to scan with Cloud Assistant $filesForCloudAssistedScan[] = $filepath; } if (count($filesForCloudAssistedScan) == 0) { return; } if (defined('RAPID_ACCOUNT_SCAN')) { $cloud_assited_storage = Factory::instance()->create(CloudAssistedStorage::class, [RAPID_ACCOUNT_SCAN]); $storage = Factory::instance()->create(RapidScanStorage::class, [RAPID_ACCOUNT_SCAN]); /** @var RapidAccountScan $scanner */ $scanner = Factory::instance()->create(RapidAccountScan::class, [$this, $storage, $cloud_assited_storage, &$this->vars, $i]); $scanner->scan($filesForCloudAssistedScan, $this->vars, constant('RapidAccountScan::RESCAN_' . RAPID_ACCOUNT_SCAN_TYPE)); if ($scanner->getStrError()) { if (isset($this->debug)) { $this->debug->QCR_Debug('Rapid scan log: ' . $scanner->getStrError()); } } $this->vars->rescanCount += $scanner->getRescanCount(); } else { $scan_bufer_files = function ($files_list, &$i) use ($callback) { $this->vars->hashtable = new HashTable(); $files_to_scan = $this->CloudAssitedFilter($files_list); foreach ($files_to_scan as $filepath) { $this->QCR_ScanFile($filepath, $this->vars, $callback, $i++); } $this->vars->hashtable = null; }; $files_bufer = []; foreach ($filesForCloudAssistedScan as $l_Filename) { $files_bufer[] = $l_Filename; if (count($files_bufer) >= CLOUD_ASSIST_LIMIT) { $scan_bufer_files($files_bufer, $i); $files_bufer = []; } } if (count($files_bufer)) { $scan_bufer_files($files_bufer, $i); } unset($files_bufer); } } catch (Exception $e) { if (isset($this->debug)) { $this->debug->QCR_Debug($e->getMessage()); } } } public function QCR_ScanFile($l_Filename, $vars, $callback = null, $i = 0, $show_progress = true) { $return = array(RapidScanStorageRecord::RX_GOOD, '', ''); $g_SkipNextCheck = false; /** @var CriticalFileSpecification $criticalFileSpecification */ $criticalFileSpecification = Factory::instance()->create(CriticalFileSpecification::class); if ($vars->fileinfo !== null) { if ($l_Filename !== $vars->fileinfo->getFilename()) { unset($file); $vars->fileinfo = null; } } if ($vars->fileinfo == null) { $file = new FileInfo($l_Filename, $i, $vars->hashtable); $vars->fileinfo = $file; } $file = $vars->fileinfo; $vars->crc = 0; $l_CriticalDetected = false; if (substr($l_Filename, -1) == DIR_SEPARATOR) { // FOLDER $vars->structure['n'][$i] = $l_Filename; $vars->totalFolder++; printProgress($vars->files_and_ignored, $l_Filename, $vars); unset($file); $vars->fileinfo = null; return null; } if (isset($this->debug)) { $this->debug->QCR_Debug('Scan file ' . $l_Filename); } if ($show_progress) { printProgress(++$vars->files_and_ignored, $l_Filename, $vars); } $l_Ext = strtolower(pathinfo($l_Filename, PATHINFO_EXTENSION)); $l_Content = ''; if ($file->isBinary()) { if(defined('USE_HEURISTICS') || defined('USE_HEURISTICS_SUSPICIOUS')) { $vars->crc = $file->getSha1file(); $this->AddResult($file, $i, $vars); if (defined('USE_HEURISTICS')) { $vars->criticalPHP[] = $i; $vars->criticalPHPFragment[] = 'SMW-HEUR-ELF'; $vars->criticalPHPSig[] = 'SMW-HEUR-ELF'; } if (defined('USE_HEURISTICS_SUSPICIOUS')) { $vars->warningPHP[] = $i; $vars->warningPHPFragment[] = 'SMW-HEUR-ELF'; $vars->warningPHPSig[] = 'SMW-HEUR-ELF'; } $return = array(RapidScanStorageRecord::HEURISTIC, 'SMW-HEUR-ELF', 'SMW-HEUR-ELF'); unset($file); $vars->fileinfo = null; return $return; } unset($file); $vars->fileinfo = null; return null; } // FILE $is_too_big = $this->isFileTooBigForScanWithSignatures($file->getSize()); $hash = $file->getSha1file(); $l_TSStartScan = microtime(true); if ($this->check_binmalware($hash)) { $vars->totalFiles++; $vars->crc = $hash; $this->AddResult($file, $i, $vars); $vars->criticalPHP[] = $i; $vars->criticalPHPFragment[] = "BIN-" . $vars->crc; $vars->criticalPHPSig[] = "bin_" . $vars->crc; $return = array(RapidScanStorageRecord::RX_MALWARE, "bin_" . $vars->crc, "BIN-" . $vars->crc); } elseif (!MAX_SIZE_SCAN_BYTES && $is_too_big) { $vars->bigFiles[] = $i; if (function_exists('aibolit_onBigFile')) { aibolit_onBigFile($l_Filename); } $this->AddResult($file, $i, $vars); if ((!AI_HOSTER) && $criticalFileSpecification->satisfiedBy($l_Ext, 'extensions')) { $vars->criticalPHP[] = $i; $vars->criticalPHPFragment[] = "BIG FILE. SKIPPED."; $vars->criticalPHPSig[] = "big_1"; } } else { $vars->totalFiles++; $file_type = filetype($l_Filename); if ($file_type == 'file' || (isset($vars->options['follow-symlink']) && $file_type == 'link')) { if ($is_too_big && MAX_SIZE_SCAN_BYTES) { $l_Content = $file->getContentBytes(MAX_SIZE_SCAN_BYTES); } else { $l_Content = $file->getContent(); } $l_Unwrapped = $file->getContentWithoutSpaces(MAX_SIZE_SCAN_BYTES); } if (($l_Content == '' || $l_Unwrapped == '') && $file->getSize() > 0) { $vars->notRead[] = $i; if (function_exists('aibolit_onReadError')) { aibolit_onReadError($l_Filename, 'io'); } $return = array(RapidScanStorageRecord::CONFLICT, 'notread',''); $this->AddResult('[io] ' . $l_Filename, $i, $vars); unset($file); $vars->fileinfo = null; return $return; } // ignore itself if (strpos($l_Content, '6dbb90dc4e81f3fc56e1396a8db92e5e') !== false) { unset($file); $vars->fileinfo = null; return false; } $vars->crc = $file->getHash(); $l_UnicodeContent = Encoding::detectUTFEncoding($l_Content); //$l_Unwrapped = $l_Content; // check vulnerability in files $l_CriticalDetected = $this->CheckVulnerability($l_Filename, $i, $l_Content, $vars); if ($l_UnicodeContent !== false) { if (Encoding::iconvSupported()) { $l_Unwrapped = Encoding::convertToCp1251($l_UnicodeContent, $l_Unwrapped); } else { $vars->notRead[] = $i; if (function_exists('aibolit_onReadError')) { aibolit_onReadError($l_Filename, 'ec'); } $return = array(RapidScanStorageRecord::CONFLICT, 'no_iconv', ''); $this->AddResult('[ec] ' . $l_Filename, $i, $vars); } } // critical $g_SkipNextCheck = false; if ((!AI_HOSTER) || AI_DEOBFUSCATE) { $l_DeobfObj = new Deobfuscator($l_Unwrapped, $l_Content); $l_DeobfType = $l_DeobfObj->getObfuscateType($l_Unwrapped); } if (isset($l_DeobfType) && $l_DeobfType != '') { $l_Unwrapped = $l_DeobfObj->deobfuscate(); $g_SkipNextCheck = $this->checkFalsePositives($l_Filename, $l_Unwrapped, $l_DeobfType, $vars); } else { if (DEBUG_MODE) { stdOut("\n...... NOT OBFUSCATED\n"); } } $l_Unwrapped = Normalization::normalize($l_Unwrapped); $precheck = function ($type, $content) use ($l_Ext, $criticalFileSpecification) { $critical_params = [ 'CriticalPHP' => ['extensions', 'critical_content'], 'CriticalPHP_2' => ['extensions', 'critical_content'], 'CriticalPHP_3' => ['extensions', 'critical_content'], 'CriticalPHP_4' => ['extensions', 'critical_content'], 'CriticalPHP_5' => ['extensions', 'critical_content'], 'CriticalPHPGIF' => ['extensions', 'critical_content'], 'CriticalPHPUploader' => ['extensions', 'critical_content'], 'CriticalJS' => ['js_extensions', 'critical_js_content'], 'CriticalJS_PARA' => ['js_extensions', 'critical_js_content'], 'Phishing' => ['phish_extensions', 'critical_phish_content'], ]; if (!SMART_SCAN || !isset($critical_params[$type])) { return true; } if (isset($check_params[$type])) { $this->satisfiedBySmartScan($criticalFileSpecification, $l_Ext, $content, $check_params[$type][0], $check_params[$type][1]); } }; $processResult = function ($checker, $content, $l_Pos, $l_SigId, &$return) use (&$vars, $l_Ext, $i) { $checkers = [ 'CriticalPHP' => ['criticalPHP', 'criticalPHPFragment', 'criticalPHPSig'], 'CriticalPHP_2' => ['criticalPHP', 'criticalPHPFragment', 'criticalPHPSig'], 'CriticalPHP_3' => ['criticalPHP', 'criticalPHPFragment', 'criticalPHPSig'], 'CriticalPHP_4' => ['criticalPHP', 'criticalPHPFragment', 'criticalPHPSig'], 'CriticalPHP_5' => ['criticalPHP', 'criticalPHPFragment', 'criticalPHPSig'], 'CriticalPHPGIF' => ['criticalPHP', 'criticalPHPFragment', 'criticalPHPSig'], 'CriticalPHPUploader' => ['criticalPHP', 'criticalPHPFragment', 'criticalPHPSig'], 'CriticalJS' => ['criticalJS', 'criticalJSFragment', 'criticalJSSig'], 'CriticalJS_PARA' => ['criticalJS', 'criticalJSFragment', 'criticalJSSig'], 'WarningPHP' => ['warningPHP', 'warningPHPFragment', 'warningPHPSig'], 'Phishing' => ['phishing', 'phishingFragment', 'phishingSigFragment'], 'Adware' => ['adwareList', 'adwareListFragment'], ]; if (strpos($checker, 'Critical') !== false) { if ($l_Ext == 'js') { $checker = 'CriticalJS'; } $return = array(RapidScanStorageRecord::RX_MALWARE, $l_SigId, $this->getFragment($content, $l_Pos)); } if ($checker == 'WarningPHP' || $checker == 'Phishing') { $return = array(RapidScanStorageRecord::RX_SUSPICIOUS, $l_SigId, $this->getFragment($content, $l_Pos)); } $vars->{$checkers[$checker][0]}[] = $i; $vars->{$checkers[$checker][1]}[] = $this->getFragment($content, $l_Pos); if (isset($checkers[$checker][2])) { $vars->{$checkers[$checker][2]}[] = $l_SigId; } }; $l_Pos = 0; $l_SigId = ''; if (!$g_SkipNextCheck) { $checkers['CriticalPHP'] = true; if (AI_EXPERT_MODE > 0) { $checkers['CriticalPHP_3'] = true; } if (AI_EXPERT_MODE > 1) { $checkers['CriticalPHP_2'] = true; } $checkers['CriticalPHP_4'] = true; if (AI_EXPERT_MODE > 0) { $checkers['CriticalPHP_5'] = true; } if (!AI_HOSTER && AI_EXPERT > 0 && $l_Ext == 'php') { $checkers['CriticalPHPGIF'] = true; } if (!AI_HOSTER && AI_EXPERT > 1 && strpos($l_Ext, 'ph') !== false) { $checkers['CriticalPHPUploader'] = true; } $checkers['CriticalJS'] = false; if (AI_EXPERT_MODE > 1) { $checkers['CriticalJS_PARA'] = false; } if ($this->suspicious) { $checkers['WarningPHP'] = false; $checkers['Phishing'] = true; $checkers['Adware'] = false; } $g_SkipNextCheck = ScanUnit::QCR_ScanContent($checkers, $l_Unwrapped, $l_Content, $vars->signs, $this->debug, $precheck, $processResult, $return); } if (!$g_SkipNextCheck && isset($checkers['Adware'])) { // articles if (stripos($l_Filename, 'article_index')) { $vars->adwareList[] = $i; $l_CriticalDetected = true; } } } // end of if (!$g_SkipNextCheck) { //printProgress(++$_files_and_ignored, $l_Filename); $this->delayWithCallback(SCAN_DELAY, $callback); $l_TSEndScan = microtime(true); if ($l_TSEndScan - $l_TSStartScan >= 0.5) { $this->delayWithCallback(SCAN_DELAY, $callback); } if ($g_SkipNextCheck || $l_CriticalDetected) { $this->AddResult($file, $i, $vars); } unset($file); $vars->fileinfo = null; unset($l_Unwrapped); unset($l_Content); return $return; } private function callCallback($callback) { if ($callback !== null) { call_user_func($callback); } } private function delayWithCallback($delay, $callback) { $delay *= 1000; $this->callCallback($callback); while ($delay > 500000) { $delay -= 500000; usleep(500000); $this->callCallback($callback); } usleep($delay); $this->callCallback($callback); } public function AddResult($file, $i, $vars) { if (is_string($file)) { $vars->structure['n'][$i] = $file; return; } $vars->structure['n'][$i] = $file->getFilename(); $vars->structure['s'][$i] = $file->getSize(); $vars->structure['c'][$i] = $file->getCreated(); $vars->structure['m'][$i] = $file->getModified(); $vars->structure['e'][$i] = time(); $vars->structure['crc'][$i] = $vars->crc; if (!$this->isFileTooBigForScanWithSignatures($file->getSize())) { $vars->structure['sha256'][$i] = $file->getSha256(); } } private function satisfiedBySmartScan($fs, $ext, $content, $ext_table, $content_table) { $skip = $fs->satisfiedBy($ext, $ext_table) && $fs->satisfiedByContent($content, $content_table); if ($skip && DEBUG_MODE) { echo "Skipped file, not critical.\n"; } return $skip; } /////////////////////////////////////////////////////////////////////////// private function CheckVulnerability($par_Filename, $par_Index, $par_Content, $vars) { global $g_CmsListDetector, $defaults; $use_cms_detector = ($g_CmsListDetector instanceof CmsVersionDetector); if (!$use_cms_detector && !$defaults['use_template_in_path']) { return false; } $l_Vuln = array(); $par_Filename = strtolower($par_Filename); if ((strpos($par_Filename, 'libraries/joomla/session/session.php') !== false) && (strpos($par_Content, '&& filter_var($_SERVER[\'HTTP_X_FORWARDED_FOR') === false)) { $l_Vuln['id'] = 'RCE : https://docs.joomla.org/Security_hotfixes_for_Joomla_EOL_versions'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } if ($use_cms_detector && (strpos($par_Filename, 'administrator/components/com_media/helpers/media.php') !== false) && (strpos($par_Content, '$format == \'\' || $format == false ||') === false) ) { if ($g_CmsListDetector->isCms(CmsVersionDetector::CMS_JOOMLA, '1.5')) { $l_Vuln['id'] = 'AFU : https://docs.joomla.org/Security_hotfixes_for_Joomla_EOL_versions'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } return false; } if ($use_cms_detector && (strpos($par_Filename, 'joomla/filesystem/file.php') !== false) && (strpos($par_Content, '$file = rtrim($file, \'.\');') === false) ) { if ($g_CmsListDetector->isCms(CmsVersionDetector::CMS_JOOMLA, '1.5')) { $l_Vuln['id'] = 'AFU : https://docs.joomla.org/Security_hotfixes_for_Joomla_EOL_versions'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } return false; } if ((strpos($par_Filename, 'editor/filemanager/upload/test.html') !== false) || (stripos($par_Filename, 'editor/filemanager/browser/default/connectors/php/') !== false) || (stripos($par_Filename, 'editor/filemanager/connectors/uploadtest.html') !== false) || (strpos($par_Filename, 'editor/filemanager/browser/default/connectors/test.html') !== false)) { $l_Vuln['id'] = 'AFU : FCKEDITOR : http://www.exploit-db.com/exploits/17644/ & /exploit/249'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } if ((strpos($par_Filename, 'inc_php/image_view.class.php') !== false) || (strpos($par_Filename, '/inc_php/framework/image_view.class.php') !== false)) { if (strpos($par_Content, 'showImageByID') === false) { $l_Vuln['id'] = 'AFU : REVSLIDER : http://www.exploit-db.com/exploits/35385/'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } return false; } if (strpos($par_Filename, 'includes/database/database.inc') !== false) { if (strpos($par_Content, 'foreach ($data as $i => $value)') !== false) { $l_Vuln['id'] = 'SQLI : DRUPAL : CVE-2014-3704'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } return false; } if (strpos($par_Filename, 'engine/classes/min/index.php') !== false) { if (strpos($par_Content, 'tr_replace(chr(0)') === false) { $l_Vuln['id'] = 'AFD : MINIFY : CVE-2013-6619'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } return false; } if ((strpos($par_Filename, 'timthumb.php') !== false) || (strpos($par_Filename, 'thumb.php') !== false) || (strpos($par_Filename, 'cache.php') !== false) || (strpos($par_Filename, '_img.php') !== false)) { if (strpos($par_Content, 'code.google.com/p/timthumb') !== false && strpos($par_Content, '2.8.14') === false) { $l_Vuln['id'] = 'RCE : TIMTHUMB : CVE-2011-4106,CVE-2014-4663'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } return false; } if (strpos($par_Filename, 'components/com_rsform/helpers/rsform.php') !== false) { if (preg_match('~define\s*\(\s*\'_rsform_version\'\s*,\s*\'([^\']+)\'\s*\)\s*;~msi', $par_Content, $version)) { $version = $version[1]; if (version_compare($version, '1.5.2') !== 1) { $l_Vuln['id'] = 'RCE : RSFORM : rsform.php, LINE 1605'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } } return false; } if (strpos($par_Filename, 'fancybox-for-wordpress/fancybox.php') !== false) { if (strpos($par_Content, '\'reset\' == $_REQUEST[\'action\']') !== false) { $l_Vuln['id'] = 'CODE INJECTION : FANCYBOX'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } return false; } if (strpos($par_Filename, 'cherry-plugin/admin/import-export/upload.php') !== false) { if (strpos($par_Content, 'verify nonce') === false) { $l_Vuln['id'] = 'AFU : Cherry Plugin'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } return false; } if (strpos($par_Filename, 'tiny_mce/plugins/tinybrowser/tinybrowser.php') !== false) { $l_Vuln['id'] = 'AFU : TINYMCE : http://www.exploit-db.com/exploits/9296/'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } if (strpos($par_Filename, '/bx_1c_import.php') !== false) { if (strpos($par_Content, '$_GET[\'action\']=="getfiles"') !== false) { $l_Vuln['id'] = 'AFD : https://habrahabr.ru/company/dsec/blog/326166/'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } } if (strpos($par_Filename, 'scripts/setup.php') !== false) { if (strpos($par_Content, 'PMA_Config') !== false) { $l_Vuln['id'] = 'CODE INJECTION : PHPMYADMIN : http://1337day.com/exploit/5334'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } return false; } if (strpos($par_Filename, '/uploadify.php') !== false) { if (strpos($par_Content, 'move_uploaded_file($tempFile,$targetFile') !== false) { $l_Vuln['id'] = 'AFU : UPLOADIFY : CVE: 2012-1153'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } return false; } if (strpos($par_Filename, 'com_adsmanager/controller.php') !== false) { if (strpos($par_Content, 'move_uploaded_file($file[\'tmp_name\'], $tempPath.\'/\'.basename($file[') !== false) { $l_Vuln['id'] = 'AFU : https://revisium.com/ru/blog/adsmanager_afu.html'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } return false; } if (strpos($par_Filename, 'wp-content/plugins/wp-mobile-detector/resize.php') !== false) { if (strpos($par_Content, 'file_put_contents($path, file_get_contents($_REQUEST[\'src\']));') !== false) { $l_Vuln['id'] = 'AFU : https://www.pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } return false; } if (strpos($par_Filename, 'core/lib/drupal.php') !== false) { $version = ''; if (preg_match('|VERSION\s*=\s*\'(8\.\d+\.\d+)\'|smi', $par_Content, $tmp_ver)) { $version = $tmp_ver[1]; } if (($version !== '') && (version_compare($version, '8.5.1', '<'))) { $l_Vuln['id'] = 'Drupageddon 2 : SA-CORE-2018–002'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } return false; } if (strpos($par_Filename, 'changelog.txt') !== false) { $version = ''; if (preg_match('|Drupal\s+(7\.\d+),|smi', $par_Content, $tmp_ver)) { $version = $tmp_ver[1]; } if (($version !== '') && (version_compare($version, '7.58', '<'))) { $l_Vuln['id'] = 'Drupageddon 2 : SA-CORE-2018–002'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } return false; } if (strpos($par_Filename, 'phpmailer.php') !== false) { $l_Detect = false; if (strpos($par_Content, 'PHPMailer') !== false) { $l_Found = preg_match('~Version:\s*(\d+)\.(\d+)\.(\d+)~', $par_Content, $l_Match); if ($l_Found) { $l_Version = $l_Match[1] * 1000 + $l_Match[2] * 100 + $l_Match[3]; if ($l_Version < 2520) { $l_Detect = true; } } if (!$l_Found) { $l_Found = preg_match('~Version\s*=\s*\'(\d+)\.*(\d+)\.(\d+)~i', $par_Content, $l_Match); if ($l_Found) { $l_Version = $l_Match[1] * 1000 + $l_Match[2] * 100 + $l_Match[3]; if ($l_Version < 5220) { $l_Detect = true; } } } if ($l_Detect) { $l_Vuln['id'] = 'RCE : CVE-2016-10045, CVE-2016-10031'; $l_Vuln['ndx'] = $par_Index; $vars->vulnerable[] = $l_Vuln; return true; } } return false; } } private function checkFalsePositives($l_Filename, $l_Unwrapped, $l_DeobfType, $vars) { if ($l_DeobfType != '') { if (DEBUG_MODE) { stdOut("\n-----------------------------------------------------------------------------\n"); stdOut("[DEBUG]" . $l_Filename . "\n"); stdOut("\n...... $l_DeobfType ...........\n"); var_dump($l_Unwrapped); stdOut("\n"); } switch ($l_DeobfType) { case 'Bitrix': foreach ($vars->signs->_DeMapper as $fkey => $fvalue) { if (DEBUG_MODE) { stdOut("[$fkey] => [$fvalue]\n"); } if ((strpos($l_Filename, $fkey) !== false) && (strpos($l_Unwrapped, $fvalue) !== false)) { if (DEBUG_MODE) { stdOut("\n[DEBUG] *** SKIP: False Positive\n"); } return true; } } break; } return false; } } private function getFragment($par_Content, $par_Pos) { $l_MaxChars = MAX_PREVIEW_LEN; $par_Content = preg_replace('/[\x00-\x1F\x80-\xFF]/', '~', $par_Content); $l_MaxLen = strlen($par_Content); $l_RightPos = min($par_Pos + $l_MaxChars, $l_MaxLen); $l_MinPos = max(0, $par_Pos - $l_MaxChars); $l_FoundStart = substr($par_Content, 0, $par_Pos); $l_FoundStart = str_replace("\r", '', $l_FoundStart); $l_LineNo = strlen($l_FoundStart) - strlen(str_replace("\n", '', $l_FoundStart)) + 1; $l_Res = '__AI_LINE1__' . $l_LineNo . "__AI_LINE2__ " . ($l_MinPos > 0 ? '…' : '') . substr($par_Content, $l_MinPos, $par_Pos - $l_MinPos) . '__AI_MARKER__' . substr($par_Content, $par_Pos, $l_RightPos - $par_Pos - 1); $l_Res = AibolitHelpers::makeSafeFn(Normalization::normalize($l_Res), $this->addPrefix, $this->noPrefix); $l_Res = str_replace('~', ' ', $l_Res); $l_Res = preg_replace('~[\s\t]+~', ' ', $l_Res); $l_Res = str_replace('' . '?php', '' . '?php ', $l_Res); return $l_Res; } /** * @return array */ public function whitelisting() { // whitelist $snum = 0; $list = $this->check_whitelist($this->vars->structure['crc'], $snum); $keys = array( 'criticalPHP', 'criticalJS', 'g_Iframer', 'g_Base64', 'phishing', 'adwareList', 'g_Redirect', 'warningPHP' ); foreach ($keys as $p) { if (empty($this->vars->{$p})) { continue; } $p_Fragment = $p . 'Fragment'; $p_Sig = $p . 'Sig'; if ($p == 'g_Redirect') { $p_Fragment = $p . 'PHPFragment'; } elseif ($p == 'g_Phishing') { $p_Sig = $p . 'SigFragment'; } $count = count($this->vars->{$p}); for ($i = 0; $i < $count; $i++) { $id = $this->vars->{$p}[$i]; if ($this->vars->structure['crc'][$id] !== 0 && in_array($this->vars->structure['crc'][$id], $list)) { unset($this->vars->{$p}[$i], $this->vars->{$p_Sig}[$i], $this->vars->{$p_Fragment}[$i]); } } $this->vars->{$p} = array_values($this->vars->{$p}); $this->vars->{$p_Fragment} = array_values($this->vars->{$p_Fragment}); if (!empty($this->vars->{$p_Sig})) { $this->vars->{$p_Sig} = array_values($this->vars->{$p_Sig}); } } return array($snum, $i); } public function check_whitelist($list, &$snum) { if (empty($list)) { return array(); } $avdb = ''; $file = dirname(__FILE__) . '/AIBOLIT-WHITELIST.db'; if ((isset($this->vars->options['avdb']) && !empty($this->vars->options['avdb']) && ($avdb = $this->vars->options['avdb'])) || (isset($this->vars->options['c']) && !empty($this->vars->options['c']) && ($avdb = $this->vars->options['c']))) { if (file_exists($avdb)) { $file = dirname($avdb) . '/AIBOLIT-WHITELIST.db'; } } try { $db = FileHashMemoryDb::open($file); } catch (Exception $e) { stdOut("\nAn error occurred while loading the white list database from " . $file . "\n"); return array(); } $snum = $db->count(); stdOut("\nLoaded " . ceil($snum) . " known files from " . $file . "\n"); return $db->find($list); } private function check_binmalware($hash) { if (isset($this->vars->blacklist)) { return count($this->vars->blacklist->find(array($hash))) > 0; } return false; } /////////////////////////////////////////////////////////////////////////// private function isFileTooBigForScanWithSignatures($filesize) { return (MAX_SIZE_TO_SCAN > 0 && $filesize > MAX_SIZE_TO_SCAN) || ($filesize < 0); } private function isFileTooBigForCloudscan($filesize) { return (MAX_SIZE_TO_CLOUDSCAN > 0 && $filesize > MAX_SIZE_TO_CLOUDSCAN) || ($filesize < 0); } } class ScanUnit { public static function QCR_ScanContent($checkers, $l_Unwrapped, $l_Content, $signs, $debug = null, $precheck = null, $processResult = null, &$return = null) { foreach ($checkers as $checker => $full) { $l_pos = 0; $l_SignId = ''; if (isset($precheck) && is_callable($precheck)) { if (!$precheck($checker, $l_Unwrapped) || ($full && !$precheck($checker, $l_Content))) { continue; } } $flag = ScanCheckers::{$checker}($l_Unwrapped, $l_pos, $l_SignId, $signs, $debug); if ($flag && isset($processResult) && is_callable($processResult)) { $processResult($checker, $l_Unwrapped, $l_pos, $l_SignId, $return); } if (!$flag && $full) { $flag = ScanCheckers::{$checker}($l_Content, $l_pos, $l_SignId, $signs, $debug); if ($flag && isset($processResult) && is_callable($processResult)) { $processResult($checker, $l_Content, $l_pos, $l_SignId, $return); } } if ($flag) { return true; } } return false; } } class ScanCheckers { const URL_GRAB = '~(?:https?:)?\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+\~#=]{2,256}\.[a-z]{2,4}\b(?:[-a-zA-Z0-9@:%_\+.\~#?&/=]*)~msi'; public static function WarningPHP($l_Content, &$l_Pos, &$l_SigId, $signs, $debug = null) { foreach ($signs->_SusDB as $l_Item) { if (preg_match('~' . $l_Item . '~smiS', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)) { if (!self::CheckException($l_Content, $l_Found, $signs)) { $l_Pos = $l_Found[0][1]; $l_SigId = LoadSignaturesForScan::getSigId($l_Found); return true; } } } return false; } /////////////////////////////////////////////////////////////////////////// public static function Adware($l_Content, &$l_Pos, &$l_SigId, $signs, $debug = null) { $l_Res = false; foreach ($signs->_AdwareSig as $l_Item) { $offset = 0; while (preg_match('~' . $l_Item . '~smi', $l_Content, $l_Found, PREG_OFFSET_CAPTURE, $offset)) { if (!self::CheckException($l_Content, $l_Found, $signs)) { $l_Pos = $l_Found[0][1]; $l_SigId = 'adware'; return true; } $offset = $l_Found[0][1] + 1; } } return $l_Res; } /////////////////////////////////////////////////////////////////////////// public static function CheckException(&$l_Content, &$l_Found, $signs, $debug = null) { $l_FoundStrPlus = substr($l_Content, max($l_Found[0][1] - 10, 0), 70); foreach ($signs->_ExceptFlex as $l_ExceptItem) { if (@preg_match('~' . $l_ExceptItem . '~smi', $l_FoundStrPlus, $l_Detected)) { return true; } } return false; } /////////////////////////////////////////////////////////////////////////// public static function Phishing($l_Content, &$l_Pos, &$l_SigId, $signs, $debug = null) { $l_Res = false; foreach ($signs->_PhishingSig as $l_Item) { $offset = 0; while (preg_match('~' . $l_Item . '~smi', $l_Content, $l_Found, PREG_OFFSET_CAPTURE, $offset)) { if (!self::CheckException($l_Content, $l_Found, $signs)) { $l_Pos = $l_Found[0][1]; $l_SigId = LoadSignaturesForScan::getSigId($l_Found); if (is_object($debug) && $debug->getDebugMode() == true) { echo "Phis: $l_Content matched [$l_Item] in $l_Pos\n"; } return $l_Pos; } $offset = $l_Found[0][1] + 1; } } return $l_Res; } /////////////////////////////////////////////////////////////////////////// public static function CriticalJS($l_Content, &$l_Pos, &$l_SigId, $signs, $debug = null) { $l_Res = false; foreach ($signs->_JSVirSig as $l_Item) { $offset = 0; if (is_object($debug) && $debug->getDebugPerfomance() == true) { $stat_start = microtime(true); } while (preg_match('~' . $l_Item . '~smi', $l_Content, $l_Found, PREG_OFFSET_CAPTURE, $offset)) { if (!self::CheckException($l_Content, $l_Found, $signs)) { $l_Pos = $l_Found[0][1]; $l_SigId = LoadSignaturesForScan::getSigId($l_Found); if (is_object($debug) && $debug->getDebugMode() == true) { echo "JS: $l_Content matched [$l_Item] in $l_Pos\n"; } $l_Res = true; break; } $offset = $l_Found[0][1] + 1; } if (is_object($debug) && $debug->getDebugPerfomance() == true) { $stat_stop = microtime(true); $debug->addPerfomanceItem($l_Item, $stat_stop - $stat_start); } } return $l_Res; } public static function CriticalJS_PARA($l_Content, &$l_Pos, &$l_SigId, $signs, $debug = null) { foreach ($signs->X_JSVirSig as $l_Item) { if (is_object($debug) && $debug->getDebugPerfomance() == true) { $stat_start = microtime(true); } if (preg_match('~' . $l_Item . '~smi', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)) { if (!self::CheckException($l_Content, $l_Found, $signs)) { $l_Pos = $l_Found[0][1]; //$l_SigId = myCheckSum($l_Item); $l_SigId = LoadSignaturesForScan::getSigId($l_Found); if (is_object($debug) && $debug->getDebugMode() == true) { echo "JS PARA: $l_Content matched [$l_Item] in $l_Pos\n"; } return true; } } if (is_object($debug) && $debug->getDebugPerfomance() == true) { $stat_stop = microtime(true); $debug->addPerfomanceItem($l_Item, $stat_stop - $stat_start); } } return false; } /////////////////////////////////////////////////////////////////////////// public static function CriticalPHPGIF($l_Content, &$l_Pos, &$l_SigId, $signs, $debug = null) { if (strpos($l_Content, 'GIF89') === 0) { $l_Pos = 0; $l_SigId = 'GIF'; if (is_object($debug) && $debug->getDebugMode() == true) { echo "CRIT 6: $l_Content matched [GIF] in $l_Pos\n"; } return true; } return false; } public static function CriticalPHPUploader($l_Content, &$l_Pos, &$l_SigId, $signs, $debug = null) { // detect uploaders / droppers $l_Found = null; if ((strlen($l_Content) < 2048) && ((($l_Pos = strpos($l_Content, 'multipart/form-data')) > 0) || (($l_Pos = strpos($l_Content, '$_FILE[') > 0)) || (($l_Pos = strpos($l_Content, 'move_uploaded_file')) > 0) || (preg_match('|\bcopy\s*\(|smi', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)))) { if ($l_Found != null) { $l_Pos = $l_Found[0][1]; $l_SigId = 'uploader'; } if (is_object($debug) && $debug->getDebugMode() == true) { echo "CRIT 7: $l_Content matched [uploader] in $l_Pos\n"; } return true; } } public static function CriticalPHP_3($l_Content, &$l_Pos, &$l_SigId, $signs, $debug = null) { foreach ($signs->X_FlexDBShe as $l_Item) { if (is_object($debug) && $debug->getDebugPerfomance() == true) { $stat_start = microtime(true); } if (preg_match('~' . $l_Item . '~smiS', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)) { if (!self::CheckException($l_Content, $l_Found, $signs)) { $l_Pos = $l_Found[0][1]; $l_SigId = LoadSignaturesForScan::getSigId($l_Found); if (is_object($debug) && $debug->getDebugMode() == true) { echo "CRIT 3: $l_Content matched [$l_Item] in $l_Pos\n"; } return true; } } if (is_object($debug) && $debug->getDebugPerfomance() == true) { $stat_stop = microtime(true); $debug->addPerfomanceItem($l_Item, $stat_stop - $stat_start); } } return false; } public static function CriticalPHP_2($l_Content, &$l_Pos, &$l_SigId, $signs, $debug = null) { foreach ($signs->XX_FlexDBShe as $l_Item) { if (is_object($debug) && $debug->getDebugPerfomance() == true) { $stat_start = microtime(true); } if (preg_match('~' . $l_Item . '~smiS', $l_Content, $l_Found, PREG_OFFSET_CAPTURE)) { if (!self::CheckException($l_Content, $l_Found, $signs)) { $l_Pos = $l_Found[0][1]; $l_SigId = LoadSignaturesForScan::getSigId($l_Found); if (is_object($debug) && $debug->getDebugMode() == true) { echo "CRIT 2: $l_Content matched [$l_Item] in $l_Pos\n"; } return true; } } if (is_object($debug) && $debug->getDebugPerfomance() == true) { $stat_stop = microtime(true); $debug->addPerfomanceItem($l_Item, $stat_stop - $stat_start); } } return false; } public static function CriticalPHP_4($l_Content, &$l_Pos, &$l_SigId, $signs, $debug = null) { $l_Content_lo = strtolower($l_Content); foreach ($signs->_DBShe as $l_Item) { $l_Pos = strpos($l_Content_lo, $l_Item); if ($l_Pos !== false) { $l_SigId = AibolitHelpers::myCheckSum($l_Item); if (is_object($debug) && $debug->getDebugMode() == true) { echo "CRIT 4: $l_Content matched [$l_Item] in $l_Pos\n"; } return true; } } return false; } public static function CriticalPHP_5($l_Content, &$l_Pos, &$l_SigId, $signs, $debug = null) { $l_Content_lo = strtolower($l_Content); foreach ($signs->X_DBShe as $l_Item) { $l_Pos = strpos($l_Content_lo, $l_Item); if ($l_Pos !== false) { $l_SigId = AibolitHelpers::myCheckSum($l_Item); if (is_object($debug) && $debug->getDebugMode() == true) { echo "CRIT 5: $l_Content matched [$l_Item] in $l_Pos\n"; } return true; } } return false; } public static function CriticalPHP($l_Content, &$l_Pos, &$l_SigId, $signs, $debug = null) { foreach ($signs->_FlexDBShe as $l_Item) { $offset = 0; if (is_object($debug) && $debug->getDebugPerfomance() == true) { $stat_start = microtime(true); } while (preg_match('~' . $l_Item . '~smiS', $l_Content, $l_Found, PREG_OFFSET_CAPTURE, $offset)) { if (!self::CheckException($l_Content, $l_Found, $signs)) { $l_Pos = $l_Found[0][1]; //$l_SigId = myCheckSum($l_Item); $l_SigId = LoadSignaturesForScan::getSigId($l_Found); if (is_object($debug) && $debug->getDebugMode() == true) { echo "CRIT 1: $l_Content matched [$l_Item] in $l_Pos\n"; } return true; } $offset = $l_Found[0][1] + 1; } if (is_object($debug) && $debug->getDebugPerfomance() == true) { $stat_stop = microtime(true); $debug->addPerfomanceItem($l_Item, $stat_stop - $stat_start); } } return false; } public static function isOwnUrl($url, $own) { if (isset($own) && preg_match('~' . $own . '~msi', $url)) { return true; } return false; } public static function isUrlInList($url, $list) { if (isset($list)) { foreach ($list as $item) { if (preg_match('~' . $item . '~msiS', $url, $id, PREG_OFFSET_CAPTURE)) { return $id; } } } return false; } public static function UrlChecker($l_Content, &$l_Pos, &$l_SigId, $signs, $debug = null) { $l_Pos = []; $l_SigId = []; $offset = 0; while (preg_match(self::URL_GRAB, $l_Content, $l_Found, PREG_OFFSET_CAPTURE, $offset)) { if (!self::isOwnUrl($l_Found[0][0], $signs->getOwnUrl()) && (isset($signs->whiteUrls) && !self::isUrlInList($l_Found[0][0], $signs->whiteUrls->getDb()))) { if ($id = self::isUrlInList($l_Found[0][0], $signs->blackUrls->getDb())) { $l_Pos['black'][] = $l_Found[0][1]; $l_SigId['black'][] = $signs->blackUrls->getSig($id); } else { $l_Pos['unk'][] = $l_Found[0][1]; $l_SigId['unk'][] = $l_Found[0][0]; } } $offset = $l_Found[0][1] + strlen($l_Found[0][0]); } return !empty($l_Pos); } } class TemplateList { /** * ############# * # MAIN_PAGE # * ############# */ const MAIN_PAGE = << @@HEAD_TITLE@@
    @@MAIN_TITLE@@ @@PATH_URL@@ (@@MODE@@)
    @@CREDITS@@
    @@STAT@@
    @@SCANNED@@ @@MEMORY@@.
    @@WARN_QUICK@@
    @@SUMMARY@@
    @@OFFER@@
    @@OFFER_OUR_PRODUCTS@@
    @@MAIN_CONTENT@@ MAIN_PAGE; #region templates ru /** * ############# * # FOOTER_RU # * ############# */ const FOOTER_RU = <<