Tutorial
This document explains how to use masc in different ways.
masc is a command line program to scan for (and, in some cases, clean up) malware and suspect content in websites. It also performs some cleaning up operations on specific website types such as WordPress.
You can execute masc specifying the -h option to get some help:
santi@zenbook:$ ./masc.py -h
masc 0.2.2 (http://github.com/sfaci/masc)
usage: masc.py [-h] [--add-file FILENAME] [--add-word STRING] [--clean-cache]
[--clean-site] [--list-backups] [--make-backup] [--monitor]
[--name NAME] [--path PATH] [--rollback] [--scan]
[--site-type {wordpress,drupal,custom}]
optional arguments:
-h, --help show this help message and exit
--add-file FILENAME Add a suspect file to the dictionary
--add-word STRING Add a suspect content to the dictionary
--clean-cache Clean masc cache (cache and logs files, NO backups)
--clean-site Clean up the site to hide information to attackers
--list-backups List local backups
--make-backup Create a local backup of the current installation
--monitor Monitor site to detect changes
--name NAME Name assigned to the scanned installation
--path PATH Website installation path
--rollback Restore a local backup
--scan Scan website for malware
--site-type {wordpress,drupal,custom}
which type of web you want to scan:: wordpress,
drupal or a custom website
At this moment masc offers malware scanning for generic websites, several cleaning up operations for WordPress and early support for Drupal.
If you want to scan your website (whatever its type), you have to pass which kind of website you have (with the --site-type option) and the path where it is installed (with the --path option), together with the --scan option. If your website is not one of the specific CMSs that masc supports, you can choose the custom site type.
For instance, you can perform a scan operation over a custom website:
santi@zenbook:$ ./masc.py --site-type custom --path /var/www/custom_site --scan
masc 0.2.2 (http://github.com/sfaci/masc)
Loading dictionaries and signatures. . .
Loading malware signature files |################################| 100%
Loaded 528746 malware signatures
Loading YARA rules . . . |################################| 100%
Loaded 717 YARA rules
done.
Loading web site . . .
done.
Making a backup . . .
done.
Searching for malware . . .
Scanning your website (Using ClamAV engine) |
Malware were found. Listing files . . .
/var/www/mysite.com/cmdasp.asp: DodgyStrings
/var/www/mysite.com/r57.php: Win.Trojan.R57-2
/var/www/mysite.com/classic/sosyete.php: WebShell CrystalShell v 1 sosyete stres
/var/www/mysite.com/classic/ajaxshell.php: DodgyStrings
done.
Now, because it is a custom website, you have to delete these files manually. If you have a specific type of website that masc supports for cleaning up operations, see the next section.
If you want to scan and clean up a specific site (at this moment this operation is only available for WordPress), you must specify the --name option (providing a name for your website) and the --clean-site option:
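For a custom site the flagged files have to be dealt with by hand. The following POSIX shell helper is an added example (not part of masc): it parses the `path: signature` lines that masc prints after "Malware were found. Listing files . . ." and moves the files into a quarantine directory, preserving their relative paths, so they can be reviewed before anything is deleted. The sample output is constructed from the listing above; the quarantine directory and the idea of saving masc's output to a file first are assumptions.

```sh
#!/bin/sh
# Added example, not part of masc. Assumes the scan output was saved, e.g.:
#   ./masc.py --site-type custom --path /var/www/custom_site --scan > scan.txt

# Constructed sample of masc scan output, in the format shown in the tutorial.
SAMPLE_OUTPUT='masc 0.2.2 (http://github.com/sfaci/masc)
Searching for malware . . .
Malware were found. Listing files . . .
/var/www/mysite.com/cmdasp.asp: DodgyStrings
/var/www/mysite.com/classic/sosyete.php: WebShell CrystalShell v 1 sosyete stres
done.'

# flagged_files OUTPUT: print one flagged path per line, taken only from the
# block between "Malware were found" and the "done." that closes it.
flagged_files() {
    printf '%s\n' "$1" | awk '
        /^Malware were found/ { inlist = 1; next }
        inlist && /^done\.$/  { inlist = 0 }
        inlist && /^\/.*: /   { sub(/: .*$/, ""); print }
    '
}

# quarantine ROOT QDIR OUTPUT: move every flagged file that exists under ROOT
# into QDIR, keeping its path relative to ROOT, and print each moved path.
quarantine() {
    root="$1"; qdir="$2"; listing="$3"
    flagged_files "$listing" | while IFS= read -r f; do
        [ -f "$f" ] || continue            # skip paths that no longer exist
        rel="${f#"$root"/}"
        mkdir -p "$qdir/$(dirname "$rel")"
        mv -- "$f" "$qdir/$rel" && printf '%s\n' "$rel"
    done
}
```

Run it with the real output as `quarantine /var/www/custom_site /root/quarantine "$(cat scan.txt)"`; review the quarantined files and only then delete them.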
santi@zenbook:$ ./masc.py --scan --clean-site --path /var/www/wordpress/ --site-type wordpress --name mysite.com
masc 0.2.2 (http://github.com/sfaci/masc)
Loading dictionaries and signatures. . .
Loading malware signature files |################################| 100%
Loaded 528746 malware signatures
Loading YARA rules . . . |################################| 100%
Loaded 717 YARA rules
done.
Loading web site . . .
done.
Making a backup . . .
done.
Let's search for malware and suspect files. Then, let's compare results with a clean installation
No clean installation for wordpress 4.9.1
Downloading a new one (it will be stored for later uses) |################################| 100%
Unzipping . . .
done.
Scanning your website (Using ClamAV engine) -
done.
Searching for suspect files . . .
done.
Comparing with a clean installation . . .
done.
Malware/suspect files were found. Removing . . .
done.
Cleaning site . . .
done.
Some changes can have occured. See log 'logs/wordpress-mysite.com-'{%date} for details
Now you can check a log file in the logs directory, named like wordpress-mysite.com-{%date}.log. Also, because a clean up operation has been performed, masc has created a backup of your site in the backups directory with the name wordpress_mysite.com.
When you clean up your site, masc always creates a backup automatically. Moreover, you can create a backup manually by including the --make-backup option. You must also provide the path, type and name of your website:
santi@zenbook:$ ./masc.py --make-backup --path /var/www/drupal --site-type drupal --name mysite.com
masc 0.2.2 (http://github.com/sfaci/masc)
Making backup . . .
done.
You can list all the backups by providing the --list-backups option:
santi@zenbook:$ ./masc.py --list-backups
masc 0.1 (http://github.com/sfaci/masc)
Listing local backups . . .
mysite.com : wordpress installation (02-12-2017 03:33)
sabado : wordpress installation (02-12-2017 11:17)
sabado.com : wordpress installation (02-12-2017 11:20)
done.
If you want to restore a website, you have to include the --rollback option with the path, type and name of the website you want to restore. The name of the website must be the same as the one you provided when the backup was created (directly, or automatically when you cleaned your website).
Notice that you can list all the backups with the --list-backups option, as shown in the previous section of this page.
santi@zenbook:$ ./masc.py --rollback --path /var/www/wordpress/ --site-type wordpress --name mysite.com
masc 0.2.2 (http://github.com/sfaci/masc)
Restoring backup . . .
done.
When monitoring a website you will be notified of every change in directories or files, directly on the screen and in a log file:
santi@zenbook:$ ./masc.py --monitor --path /var/www/wordpress/ --site-type wordpress --name mysite.com
masc 0.2.2 (http://github.com/sfaci/masc)
Monitoring website . . .(Press CTRL+C to terminate)
Details at: logs/wordpress-mysite.com-monitor.log
directory modified /var/www/wordpress
file modified /var/www/wordpress/iamavirus
directory modified /var/www/wordpress
file modified /var/www/wordpress/iamanothervirus.php
directory modified /var/www/wordpress/wp-includes
file modified /var/www/wordpress/wp-includes/index.php
(c) 2017-2020 Santiago Faci