Malicious JavaScript. How to search for malicious code without antiviruses and scanners

1. Unpack it into the site folder.
2. Open your_site/fscure/ in a browser.
3. That's it.

What can it do?

1. Automatic search for viruses by signatures.
2. Search for a string in files
3. Deleting files
4. Patch malicious code using regular expressions

The script will not do all the work for you and requires some minimal knowledge. Make a backup of the site before starting.

How does it work?

On first launch it builds an index of files and stores it in fscure.lst in the script's folder. It then displays a list of files containing potentially malicious signatures. "Potentially malicious" means that you will have to decide yourself whether each hit is a virus or not. The list of signatures is configured in config.php, constant SCAN_SIGN. With the default settings the script does not check .js files and contains no signatures for them.

Most common problems

1. The fscure.lst index is not created. This happens when the script lacks write permission. Put 777 on the fscure folder (or, less permissively, make it writable by the web server's user, and remove the permission again when you are done).

2. A 5xx error, most often "504 Gateway Time-out". The script does not finish in time and is killed by the timeout. There are several ways to speed it up. The speed depends first of all on the size of the index in fscure.lst; an index of up to 5 MB is processed without trouble in about 90% of cases. If it still does not finish, reduce the script's "greed" by excluding *.jpg;*.png;*.css from scanning in config.php (the separator is ";"):

    define("FILES_EXCLUDE","*.js;*.jpg;*.png;*.css");

3. The hosting provider issues a warning like
(HEX)base64.inject.unclassed.6: u56565656: /var/www/u65656565/data/www/34535335353.ru/fscure/index.php

There is no virus in the script and there never was. (HEX)base64.inject.unclassed.6 matches a construction like "echo base64_decode(", which is common and harmless in itself; the hosting scanner flags the pattern, not actual malicious behaviour. In the latest version I have replaced this code anyway.

What to do if you were unable to find the virus yourself?

You can contact me for help. My rates are modest and I guarantee my work for 6 months. The cost is 800 rubles for one site. If there are several sites on your account, the price is determined individually.

If you managed to do everything yourself, I would be grateful for a financial reward or a link to my site.

My details:
yandex
41001151597934

webmoney
Z959263622242
R356304765617
E172301357329

WordPress is one of the most popular content management systems, used for everything from blogging to e-commerce. There is a wide selection of plugins and themes for WordPress, and it happens that some of these extensions reach webmasters after an attacker has tampered with them.

For their own benefit, the attacker may leave advertising links in them, or code with which they will control your site. Many WordPress users have little experience in web programming and don't know how to handle this situation.

For them, I have reviewed nine of the most effective tools for detecting malicious changes in the code of a running website or of installed add-ons.

1. Theme Authenticity Checker (TAC)

Theme Authenticity Checker (TAC) is a WordPress plugin that scans every installed theme for suspicious elements such as invisible links or Base64-encoded code.

Having detected such elements, TAC reports them to the WordPress administrator, who can then analyze and, if necessary, fix the theme's source files themselves.

2. Exploit Scanner

Exploit Scanner scans your entire site's source code and the contents of the WordPress database for suspicious inclusions. Like TAC, this plugin does not prevent attacks or clean up their consequences automatically.

It only shows the detected symptoms of infection to the site administrator. If you want to remove malicious code, you will have to do it by hand.

3. Sucuri Security

Sucuri is a well-known WordPress security solution. The Sucuri Security plugin monitors files uploaded to a WordPress site, maintains its own list of known threats, and also lets you scan the site remotely with the free Sucuri SiteCheck Scanner. For a subscription fee you can strengthen the site's protection further by putting it behind the Sucuri Website Firewall.

4. Anti-Malware

Anti-Malware is a WordPress plugin that can find and remove Trojan scripts, backdoors and other malicious code.

Scanning and removal settings can be customized. To use the plugin you must first register (free of charge) on the gotmls site.

The plugin regularly contacts the vendor's site, sending malware detection statistics and receiving updates. If you do not want plugins on your site that report on its operation, avoid Anti-Malware.

5. WP Antivirus Site Protection

WP Antivirus Site Protection is a plugin that scans all files uploaded to the site, including WordPress themes.

The plugin has its own signature database, which is updated automatically over the Internet. It can remove threats automatically, notify the site administrator by email, and much more.

The plugin is free to install and use, but has several paid add-ons worth looking at.

6. AntiVirus for WordPress

AntiVirus for WordPress is an easy-to-use plugin that scans your site on a schedule and notifies you of security problems by email. It has a customizable whitelist and other features.

7. Quterra Web Malware Scanner

Quterra's scanner checks a website for vulnerabilities, third-party code injections, viruses, backdoors and so on. Notable features are heuristic scanning and detection of external links.

Basic scanner features are free; some additional services cost $60 per year.

8. Wordfence

If you're looking for a comprehensive solution to your website's security problems, look at Wordfence.

This plugin provides continuous protection of WordPress against known attack types, two-factor authentication, a blacklist of IP addresses and networks used by hackers and spammers, and scanning of the site for known backdoors.

The basic version is free; premium functionality is available for a modest subscription fee.

9. Wemahu

Wemahu monitors changes in your site's code and searches for malicious code.

Its detection database is built by crowdsourcing: users themselves extend it by sending the results of scanning infected WordPress installations to the plugin author's site. The plugin also supports email reports and other useful features.

Malicious code gets onto a site through negligence or malicious intent. Its purposes vary, but in essence it harms or interferes with the normal operation of the website. To remove malicious code from WordPress, you first have to find it.

What is malicious code on a WordPress site?

To the eye, malicious code most often looks like a meaningless run of Latin letters and symbols. In fact it is encoded (obfuscated) code that performs some action. The actions vary: for example, your new posts are immediately republished on a third-party resource, which is essentially theft of your content. Other "tasks" include placing outgoing links on the site's pages. The tasks can be very sophisticated, but one thing is clear: malicious code has to be hunted down and removed.

How do malicious codes get onto a website?

There are many loopholes through which code can get into a site.

  • Most often it arrives with themes and plugins downloaded from "left" (pirated or otherwise unofficial) resources. What usually gets in this way are obfuscated links; plainly visible code rarely ends up on the site.
  • A virus planted when the site is hacked is the most dangerous case. As a rule, hacking the site lets the attacker place not just a "one-time" snippet but code with the properties of malware: for example, you find the code and delete it, but after a while it is restored. Again, there are many variants.

Let me note right away that fighting such viruses is hard, and manual removal requires knowledge. There are three ways out. The first is to use security plugins, for example BulletProof Security; this gives good results but takes some time. A more radical way to get rid of malicious code, including complex viruses, is to restore the site from a backup made earlier: since a good webmaster makes backups regularly, you can roll back to an uninfected version without trouble. The third way is for the rich and lazy: hire a specialized company or an individual specialist.

How to Look for Malicious Code on WordPress

It is important to understand that malicious code on WordPress can be in any file on the site, not necessarily in the active theme. It can arrive with a plugin, a theme, or "homemade" code copied from the Internet. There are several ways to try to find it.

Method 1: Manually. Go through all the site files and compare them with the files of an uninfected backup. If you find foreign code, delete it.

Method 2: Using WordPress security plugins. For example, . This plugin has a useful feature: it scans site files for foreign code and copes with the task well.

Method 3: If your hosting has responsive support and it seems to you that someone else is on the site, ask them to scan your site with their antivirus. Their report will list all infected files. Then open these files in a text editor and remove the malicious code.

Method 4: If you can work with SSH access to the site directory, go ahead; that has its own toolkit.

Important! Whichever way you search for malicious code, before searching and then deleting it, close access to the site files (turn on maintenance mode). Remember that some code restores itself after deletion.

Searching for malicious code by the eval function

PHP has a function called eval. It executes whatever code is passed to it as a string, and that code can be encoded. It is because of the encoding that malicious code looks like a jumble of letters and symbols. Two popular encodings are:

  • Base64;
  • Rot13.

In these encodings the eval call looks like this:

  • eval(base64_decode('...'))
  • eval(str_rot13('...')) // inside the quotes is a long, unreadable run of letters and symbols

The algorithm for searching for malicious code by the eval function is as follows (working from the admin panel):

  • go to the site editor (Appearance → Editor);
  • copy the functions.php file;
  • open it in a text editor (for example, Notepad++) and search for the word eval;
  • if you find it, don't rush to delete anything. You need to understand what this function is being asked to execute, and for that the code has to be decoded. There are online tools for this, called decoders.
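The procedure above, and the signature scan that fscure runs over its file index, can be automated. The following is an added example of my own (it is not fscure's code and does not reproduce its SCAN_SIGN list): a Python scanner that walks a site folder, matches the eval wrappers described in this section (plus the equally common gzinflate variant), and decodes the Base64 or Rot13 payload so the reviewer sees what the call would execute. The three sample files are constructed for the example; scan_tree() runs the same check against a real directory.

```python
import base64
import codecs
import os
import re

# Signature list (example only, not fscure's SCAN_SIGN). Group 1, where present,
# captures the encoded payload so that it can be decoded for review.
SIGNATURES = [
    ("eval(base64_decode(...))",
     re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]", re.I)),
    ("eval(str_rot13(...))",
     re.compile(r"eval\s*\(\s*str_rot13\s*\(\s*['\"]([^'\"]+)['\"]", re.I)),
    ("eval(gzinflate(base64_decode(...)))",
     re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)),
]


def decode_payload(signature, blob):
    """Return the decoded payload for human review, or None if it does not decode."""
    if blob is None:
        return None
    if "base64" in signature:
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", blob), validate=True)
        except (ValueError, TypeError):
            return None
        return raw.decode("utf-8", errors="replace")
    if "rot13" in signature:
        return codecs.decode(blob, "rot_13")
    return None


def scan_text(path, text):
    """Match every signature against one file's contents; one hit per match."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(text):
            payload = m.group(1) if rx.groups else None
            hits.append({
                "file": path,
                "line": text.count("\n", 0, m.start()) + 1,
                "signature": name,
                "decoded": decode_payload(name, payload),
            })
    return hits


def scan_tree(root, exts=(".php", ".phtml", ".inc", ".js")):
    """Walk a site folder (as fscure's index does) and scan every code file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_text(path, fh.read()))
    return hits


# Constructed sample "site": three files, two of them carrying eval wrappers.
BACKDOOR_SRC = "if (isset($_POST['c'])) { eval($_POST['c']); }"
SAMPLE_FILES = {
    "wp-content/themes/demo/functions.php":
        "<?php\n// theme setup\nadd_action('init', 'demo_setup');\n"
        "eval(base64_decode('%s'));\n" % base64.b64encode(BACKDOOR_SRC.encode()).decode(),
    "wp-content/plugins/demo/helper.php":
        "<?php\neval(str_rot13('%s'));\n" % codecs.encode("echo 1;", "rot_13"),
    "wp-content/themes/demo/clean.php":
        "<?php\necho 'nothing to see';\n",
}


def scan_samples():
    hits = []
    for path, text in SAMPLE_FILES.items():
        hits.extend(scan_text(path, text))
    return hits


def report(hits):
    for h in hits:
        print(f"{h['file']}:{h['line']}  {h['signature']}")
        if h["decoded"] is not None:
            print("    decoded: " + h["decoded"])


if __name__ == "__main__":
    report(scan_samples())
```

A hit is a reason to look, not a verdict: the decoded text is what you judge, exactly as the manual procedure says. Note that this scanner only finds the wrappers it has signatures for; code hidden behind variable functions, string concatenation or a different decoder needs its own pattern.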
Decoders/Encoders

Decoders are simple to use: copy the code you want to decode, paste it into the decoder's field and decode.

At the time of writing, I had not found a single encoded snippet on a WordPress site, so I took code from a Joomla site; for understanding decoding there is no difference. Let's look at the screenshot.

As the screenshot shows, after decoding, the eval function produced not some terrible code threatening the site's security but an encoded copyright link from the template's author. It can be removed too, but it will come back when the template is updated if you don't use .

In conclusion, to avoid getting a virus on the site:

  • Malicious code on WordPress often comes with themes and plugins. So do not install templates and plugins from "left", unverified resources, and if you do, check them carefully for links and for PHP functions that execute code (eval and the like). After installing plugins and themes from such resources, check the site with antivirus software.
  • Be sure to make periodic backups and take the other usual precautions.
Malicious JavaScript

My opinion that it is easier and more effective to protect against injected malicious browser scripts (stored XSS attacks) with browser-side tools was stated earlier: . Browser-side protection against JavaScript, which consists of adding filtering code to the site's HTML pages, is presumably reliable; however, having it does not remove the need for a server-side filter as well. For the same XSS attacks you can organize an additional line of defense on the server. We must also remember that an attacker may inject not browser-side but server-side scripts (PHP) into an HTML message submitted to the site, and the browser will not be able to recognize those.

An attacking script, whether browser-side or server-side, is a program, and one would think that a program always has some symbolic differences from "pure" HTML. Let's try to find such differences and use them to build an HTML filter on the server. Below are examples of malicious JavaScript.

XSS:

Some text

Some text

Encoded XSS:

Some text

Some text

Browsers decode character references not only inside HTML containers (between opening and closing tags) but also inside the tags themselves (between < and >). URL encoding is permitted in HTTP addresses. This makes it difficult to recognize malicious code on the server side, since the same character sequence can be represented in several different ways.

XSS worms:

"+innerHTML.slice(action= (method="post")+".php",155)))">

alert("xss");with(new XMLHttpRequest)open("POST","post.php"),send("content="+_.outerHTML)

The XSS worms above are just a few of the many entries in Robert Hansen's (aka RSnake) January 2008 competition for the shortest malicious JavaScript worm (see the contest results).

Signs of XSS attacks

An XSS script is a program that accesses DOM (Document Object Model) objects and their methods; otherwise it is unlikely to do any harm. For example, the JavaScript string
onclick="var a = 'xss'"
does not touch the document object model, so even if embedded in an HTML tag such a string is harmless. Only by manipulating HTML document objects and their methods can an attacker cause real damage to a site. For example, the line
onmousemove="document.getElementsByTagName('body')[0].innerHTML='XSS'"
already replaces the contents of the page.

A sign of access to DOM methods is parentheses, and also a dot to the left of an equals sign. Parentheses can also appear in HTML to set a color in rgb() format, but font and background colors can be set in at least three other ways, so parentheses can be sacrificed without losing any expressiveness of HTML. Take it as a rule: parentheses inside a tag (that is, between < and >) are very dangerous. If a message received from a user on the server contains parentheses inside tags, the most appropriate action is to block the message.

A dot can legitimately appear in HTML tags: when specifying a link address (the <a href="..."> tag) and when setting the size of HTML elements (style="height:1.5in; width:2.5in;"). But a character sequence of the form
dot letters equals
cannot occur in HTML tags. If such a sequence is present inside an HTML tag, the user's message most likely contains a script and should be blocked.

Another obvious danger sign is the "+" symbol inside a tag. There is no such thing in script-free HTML. If we find pluses inside tags, we block the message without mercy.

A well-intentioned user who adds a comment through a visual editor will never resort to encoding with character references inside HTML tags. Character references in tags give no benefit in expressiveness; they only cost extra typing. In most cases a well-meaning user does not even know that HTML has character references. Hence the rule: an ampersand inside a tag is evidence of an attack on the site, and if we see one we block the message. (One caveat: visual editors do serialize "&" in link addresses as "&amp;", so a link with a query string will be blocked by this rule; the filter accepts that loss.)

A similar rule should be adopted for the "%" symbol, which is used in URL encoding. However, percent signs also occur in "pure" HTML to set relative sizes of elements. The dangerous combinations are those in which "%" is immediately followed by a letter or digit.
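To make these signs concrete, here is an added example of my own (it is not the page's filter) that applies the rules of this section to constructed tag strings. It first decodes character references and URL escapes, because, as noted above, the browser will do the same, so a rule checked only on the raw text can be hidden from with "&#40;" or "%28". The "&" and "%" rules are deliberately checked on the raw tag, since encoding inside a tag is itself the signal. The sample messages are constructed, not taken from any real site.

```python
import html
import re
from urllib.parse import unquote

TAG_RX = re.compile(r"<[^>]*>", re.S)


def normalize(text):
    """Decode HTML character references and URL %xx escapes until nothing
    changes, so that &#40; or %28 cannot hide a parenthesis from the rules."""
    prev = None
    while text != prev:
        prev, text = text, unquote(html.unescape(text))
    return text


# Rules checked on the raw tag text: encoding inside a tag is itself a signal.
RAW_RULES = [
    ("'&' (character reference) inside a tag", re.compile(r"&")),
    ("'%' followed by a letter or digit (URL encoding) inside a tag",
     re.compile(r"%[a-z0-9]", re.I)),
]

# Rules checked on the decoded tag text: the "program, not markup" signals.
DECODED_RULES = [
    ("parentheses inside a tag", re.compile(r"[()]")),
    ("'.name=' (assignment to a DOM property) inside a tag",
     re.compile(r"\.[a-z_]\w*\s*=", re.I)),
    ("'+' (string concatenation) inside a tag", re.compile(r"\+")),
    ("'script' or 'js:' inside a tag", re.compile(r"script|js:", re.I)),
]


def inspect_tags(message):
    """Return one finding per tag that trips at least one rule."""
    findings = []
    for m in TAG_RX.finditer(message):
        raw = m.group(0)
        decoded = normalize(raw)
        reasons = [name for name, rx in RAW_RULES if rx.search(raw)]
        reasons += [name for name, rx in DECODED_RULES if rx.search(decoded)]
        if reasons:
            findings.append({"tag": raw, "decoded": decoded, "reasons": reasons})
    return findings


def should_block(message):
    """The page's policy: any finding means the whole message is refused."""
    return bool(inspect_tags(message))


# Constructed sample messages (not taken from any real site).
SAMPLES = {
    "clean": '<p style="color:#ff0000; height:1.5in">Hello '
             '<a href="http://example.com/index.php">link</a></p>',
    "rgb": '<span style="color:rgb(255,0,0)">red</span>',   # the known false positive
    "handler": '<img src="x" onerror="alert(1)">',
    "dom": '<b onmousemove="document.body.innerHTML=\'XSS\'">move</b>',
    "entity": '<a href="&#106;avascript:alert(1)">x</a>',
    "urlenc": '<a href="%6Aavascript:alert&#40;1)">x</a>',
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        verdict = "BLOCK" if should_block(msg) else "pass "
        print(f"{verdict} {name}")
        for f in inspect_tags(msg):
            print(f"       {f['tag']!r}: {', '.join(f['reasons'])}")
```

Running it shows the trade-off the text accepts: the rgb() sample is blocked although it is harmless, while the two encoded samples are caught both by the raw-text rules and, after decoding, by the same rules that catch the plain "handler" sample.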

Neutralizing server scripts

Unlike JavaScript interpreters in browsers, the PHP interpreter on the server allows no liberties in how program text is written. So to neutralize a possible server-side script it is enough to replace, throughout the user's HTML message, all characters that matter when writing a PHP program with their HTML character references: first of all the dollar sign and underscore, the period, parentheses, square and curly brackets, plus and minus signs, and the backslash. This matters only because the message is later written to a file that PHP may include; a message stored and output as data (for example with htmlspecialchars()) is never parsed as PHP and needs no such replacement.

PHP filter for HTML messages

$message is the HTML message received on the server from the visual editor. The listing below is reconstructed from the page's garbled copy: the "<" and "[^>]" parts of the patterns and the numeric character references in the str_replace() calls had been rendered as the characters themselves.

    // remember the length of the message
    $lenmessage = strlen($message);

    // cut out HTML comments
    $message = preg_replace("/<!--[\w\W]*?-->/", "", $message);

    // cut out every tag in which the "src" attribute refers to an external resource
    $message = preg_replace("/<[^>]+?src[^>]*?\/\/[^>]*?>/i", " ", $message);

    // cut out every tag that contains any character except: - a-z 0-9 / . : ; " = % # space
    $message = preg_replace("/<[^>]*?[^-<>a-z0-9\/\.\:\;\"\=\%\#\s][^>]*?>/i", "", $message);

    // cut out every tag that contains the sequence ". a-z ="
    $message = preg_replace("/<[^>]*?\.[a-z]+?\=[^>]*?>/i", "", $message);

    // cut out every tag that contains the sequence "% a-z" or "% 0-9"
    $message = preg_replace("/<[^>]*?\%[a-z0-9][^>]*?>/i", "", $message);

    // cut out every tag that contains the sequence "script" or "js:"
    $message = preg_replace("/<[^>]*?script[^>]*?>/i", "", $message);
    $message = preg_replace("/<[^>]*?js:[^>]*?>/i", "", $message);

    // cut out every tag that starts with a character other than "a-z" or "/"
    $message = preg_replace("/<[^a-z\/][^>]*?>/i", "", $message);

    // check: if the message got shorter, something was cut out, so refuse it
    $lenmessage2 = strlen($message);
    if ($lenmessage != $lenmessage2) {
        print "The message cannot be added";
        exit;
    }

    // replace characters significant to PHP with their HTML character references
    $message = str_replace("$", "&#36;", $message);
    $message = str_replace("_", "&#95;", $message);
    $message = str_replace(".", "&#46;", $message);
    $message = str_replace(chr(92), "&#92;", $message); // backslash
    $message = str_replace("(", "&#40;", $message);
    $message = str_replace(")", "&#41;", $message);
    $message = str_replace("[", "&#91;", $message);
    $message = str_replace("]", "&#93;", $message);
    $message = str_replace("{", "&#123;", $message);
    $message = str_replace("}", "&#125;", $message);
    $message = str_replace("?", "&#63;", $message);
    // now the message has been checked and any scripts in it have been neutralized

Note that the filter does not remove paired tags. Suppose we received an <a ...> tag with a dangerous attribute wrapped around the text
Click here!
The filter cuts out only the opening <a ...> tag, but the paired closing </a> remains. If you send the browser messages containing tags without their pairs, you may get a "skewed" page layout: it is not known which opening tag the browser will match the leftover closing tag to. For this reason, and for security, messages in which the filter has cut something out should not be sent to the browser at all. It is better to print something like "The message could not be added" and exit the program.

The message is expected to be written to a file (not to a database).

One caveat a practitioner will want: this is a blocklist filter, and a blocklist is only as good as its list. An allowlist approach (keep only known tags and attributes, validate URL schemes after decoding, escape everything else) fails safe when an attacker finds a construction the rules did not anticipate.
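As an added example of the allowlist alternative (my code, not the page's filter), here is a small sanitizer built on Python's standard-library html.parser. The set of allowed tags and attributes is an assumption for the example; a real site tunes it to what its visual editor emits. Unlike the blocklist above it does not refuse the message: it rewrites it, dropping unknown tags, event handlers and style attributes, rejecting href/src values whose scheme is not allowed after character references, %xx escapes and control characters are stripped, and re-escaping all text and attribute values on output, so a stray "<?php" or "&#106;avascript:" becomes inert text rather than markup. The parser also closes any tags the user left open, which addresses the "skewed page" problem described above.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Allowlist: tag -> attributes that may survive (assumed for this example).
# Everything else (onclick, style, unknown tags) is dropped.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(), "code": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID = {"br", "img"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


def safe_url(value):
    """True if the URL is relative or uses an allowed scheme. Judged after
    decoding references and %xx escapes and stripping the control characters
    browsers ignore, so 'java\\tscript:' and '%6Aavascript:' both fail."""
    v = unquote(html.unescape(value or ""))
    v = re.sub(r"[\x00-\x20]", "", v).lower()
    return ":" not in v or v.startswith(SAFE_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # attrs and data arrive decoded
        self.out = []
        self.open_tags = []
        self.skipping = None  # set while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = tag          # drop the element and its contents
            return
        if tag not in ALLOWED:
            return                       # drop the tag, keep its text (escaped)
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue                 # event handlers, style, ... never pass
            if name in ("href", "src") and not safe_url(value):
                continue
            parts.append('%s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED and tag not in VOID:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open_tags:
            # close anything left open inside it so the output stays well formed
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass  # "<?php ... ?>" never reaches the output

    def result(self):
        self.close()
        while self.open_tags:            # close what the user left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Return a rewritten fragment containing only allowlisted markup."""
    p = AllowlistSanitizer()
    p.feed(fragment)
    return p.result()


if __name__ == "__main__":
    # Constructed inputs for a quick look at the rewriting.
    for sample in ('<p onclick="alert(1)">Hi <b>there</b></p>',
                   '<a href="&#106;avascript:alert(1)">x</a>',
                   '<img src="x" onerror="alert(1)">',
                   '<script>alert(1)</script><b>bold'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

Because the output is rebuilt from the parsed tree rather than patched by regular expressions, a new attribute name or encoding trick simply falls outside the allowlist instead of having to be foreseen by a rule.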

Discussion

I will be grateful for criticism. Write to the support forum, in the section