shell-detector looks like the malware it says it's scanning

[anarcat]

this code is problematic, to say the least:

    if (file_exists('shelldetect.db')) {
      $context = stream_context_create(array('http' => array('timeout' => 30)));
      $this->fingerprints = unserialize(base64_decode(file_get_contents('shelldetect.db', 0, $context)));
    }
    if ($this->remotefingerprint) {
      $this->fingerprints = unserialize(base64_decode(file_get_contents('https://raw.github.com/emposha/PHP-Shell-Detector/master/shelldetect.db')));
    }
  }

now not only does this look like the malware it's suppose to stop, it's actually vulnerable to remote code execution (if file_get_contents('https://...) can be broken, which I wouldn't be surprised - yay sslstrip) as unserialize will happily execute code it uncompresses: http://ca1.php.net/manual/en/function.unserialize.php#refsect1-function.unserialize-notes

seriously, why is this DB stored that way anyways? it's just a huge array... why not store it in a non-executable code format?

[anarcat]

i mean, do i read this properly? isn't this running eval on the malicious code it just detected?

https://github.com/emposha/PHP-Shell-Detector/blob/master/shelldetect.php#L470

wtf?

[DanielRuf]

And why is everything detected as Positive, its a 1405674947 (all files are clean on testserver)?
Even the language files are detected as shell.

[emposha]

@anarcat, @DanielRuf

1. first of all remote db is used only when you set proper flag, otherwise you can use local version.
2. the eval is running on replaced version of php code, and this try to encode decoded version. You probably miss the preg_replace part...

[emposha]

@DanielRuf about (Positive, its a 1405674947) probably some false positive, can you provide more info about thins

[DanielRuf]

I just run PHP Shell Detector on a normal WordPress website with full rights and got this positive detection on all files.

[DanielRuf]

But this does not describe why the db file is a huge base64 encoded string (which adds ~30% overhead).

[Varbin]

I might be wrong but isn't the database file world-writable after an update? So possibly a privilege escalation to the user running shell-detector would be possible.

[RameshMaharjan]

hi i got the error
Error: file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 line: 243
Error: file_get_contents(https://raw.github.com/emposha/PHP-Shell-Detector/master/version/app): failed to open stream: no suitable wrapper could be found line: 243
Cant connect to server! Application version check failed!
Error: file_get_contents(): https:// wrapper is disabled in the server configuration by allow_url_fopen=0 line: 251
Error: file_get_contents(https://raw.github.com/emposha/PHP-Shell-Detector/master/version/db): failed to open stream: no suitable wrapper could be found line: 251
Cant connect to server! Version check failed!

can someone tell me how do i solve this error ?

[DanielRuf]

Please check your php.ini and ask your hosting provider @RameshMaharjan

[6a6ak]

I know have problem with Backdoor:PHP/CryptInject.YA but not detected by scanner

[DanielRuf]

Hi @6a6ak,

I know have problem with Backdoor:PHP/CryptInject.YA but not detected by scanner

This project looks for files with specific file hashes. Backdoor:PHP/CryptInject.YA might not be part of the file hashes by default.

Did you manually create the file hashes for the scanner?

[DanielRuf]

See https://github.com/emposha/PHP-Shell-Detector/blob/master/shelldetect.db for the database file.

A file hash based approach is not very reliable as the smallest change will result in a completely different file hash.