Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Detect and remove PHP.Anuna #42
I just found your amazing software, thanks you for all this. That's great.
I'm currently working on a quick and efficient solution in order to remove PHP.Anuna from an infected Prestashop.
Your software only detect 2 infected files instead of hundred.
I would like to help you to improve your work.
How can i help ?
PS : To detect PHP.Anuna, you have to detect this sequence :
Here we go : http://pastebin.com/n6vjDVzZ
As you will quickly understand, it's a polymorph. I'm tracking it over this sequence :
It has infested absolutely all .php files of my customer (for the story, who contact me because of this, few days ago). I'm writing a repair tool to overwrite all .php files.
Currently, nor ClamAV nor ISPProtect detect it.
Full decrypted source code : http://magento.stackexchange.com/questions/28826/magento-website-hacked-encryption-code-in-all-php-files/72702#72702
Seems that it has been potentially created with this awesome one : http://pastebin.com/u9sz0s5K (which is completely useless for us) - We could at least detect this pure bullshit with a fingerprint and mark it as webshell (instead of "ObfuscatedPHP" as your software do)
Here is another potential webshell i found to manage files : http://pastebin.com/pfq8AuGj - your software didn't tell anything about it (it's not a blame since it can be a false positive)
And finally, this one, which seems to be crawler : http://pastebin.com/qTkhfZqf
J'ai cru comprendre que vous étiez français. J'aimerais intégrer nativement votre outils dans mon CMS, ainsi que vous aider, autant que je peux. La GPL ne me permet pas de l'utiliser. Serait il envisageable de le distribuer sous LGPL ? (Yara ne pose pas de soucis avec sa BSD light)
Cependant, je ne sais pas trop comment interpréter cela : "Of course it's trivial to bypass PMF, but its goal is to catch kiddies and idiots, not people with a working brain. If you report a stupid tailored bypass for PMF, you likely belong to one (or both) category, and should re-read the previous statement." ;)
A très bientôt j'espère
Thank you for your 3 samples. The first one is already detected, the second could be legit, and the last one doesn't exhibit a super-malicious behaviour.
We just changed the license of PMF to LGPL, feel free to include it (and to advertise about this) into whatever products you want :)
Let alone the fact that using a php script with credentials in it to check the integrity of your php setup doesn't sound like the best way to go.
Please do keep us in touch if you ever implement "automatic tampered files recovery", we'd love to see if/how we could leverage it as an arbitrary file overwrite.
Thank you very much.
Your command will break a lot of valid files, please don't provide such kind of commands on issues, because people will inevitably run them.
If a machine is compromised, you should do a complete forensic analyse, find the root cause of the compromission, trash the data, and redeploy a clean backup. Trying to disinfect files with
Why would it break valid files? It's only removing the first line if it has an opening and closing tag in it. and I already checked with maldet. Each PHP file has this virus on the first line.
I tested this on many regular PHP files and did a DIFF and it did nothing harmful.
This isn't obvious. Only a smart fraction of webmasters do have backups. You provided a command that you referred to as "neat", not as "this could (and will likely)" completely wreck your website, please do backup before."
Not everyone is running WordPress, and some CMS are using
Cool, but it breaks valid things here. Proving that something works on some cases doesn't meant that it'll work everywhere.
Or you could avoid throwing cryptic command on issues about disinfecting compromised website, and hoping that no one will run it without backup, on production. The statement about your command breaking things is actually helpful, since it will prevent people from nuking they compromised website by running non-trivial copy-pasted sed commands found on a random github issue.
Like something along the line of the second paragraph of my previous reply?
It is indeed the first link on Google when you type