Monitor sites for exploits


We dislike dealing with exploited websites. A common cause is the long-forgotten, outdated install left behind by a web developer who moved on years ago, in the hope that it would keep working forever. Public-facing services need to be kept updated in order to remain secure, so that script kiddies can't use your server for abuse, such as selling dodgy medicinal products.

One should always enforce strong permissions and server settings to avoid this, and even use something like AppArmor (which is the proper way to do it), but there are other ways to strengthen things a bit more. With the inotify feature in newer kernels, it is possible to monitor a file system location for changes and quickly check the changed files with a scanner. We have written a script to help automate rapid notifications when possible issues are detected. It will work with a CMS or a Tomcat install. We also provide instructions for Maldetect further down.

exploitwatch.sh cron script

This script is intended to be set up as a cron job that monitors a specific location and sends a notification when something is detected. The drawback is that it can be slow and cumbersome, and on busy servers it can cause a lot of load, so be careful and test it before relying on it.

WARNING: even though the script can be set up to run as an unprivileged user, it can itself be susceptible to exploits: an exploit can be targeted at the scanner or at the commands it depends on.

Installing

The script requires the common commands file, grep, egrep, find, inotifywatch, pkill and pgrep, and it is recommended to have clamscan too. It also uses some temporary files under /tmp for processing, so users running the script need write access there.

Download the script from http://proj.ri.mu/exploitwatch.sh and install it at /usr/local/bin:

# wget http://proj.ri.mu/exploitwatch.sh -O /usr/local/bin/exploitwatch.sh
# chmod +x /usr/local/bin/exploitwatch.sh
# exploitwatch.sh -h
 
Usage: exploitwatch.sh [OPTION...]
exploitwatch.sh test files for potential exploits, it is meant to be setup as a cron script
 
Options:
 -f <file> file containing the file list to be scanned
 
 -t                   truncate file list after processing, implies -f
 
 -m <directory>       launch inotifywait monitoring of a directory if not running, 
                      implies -f, inotifywait log will be written to the file list
 
 -k                   kill inotifywait monitoring, requires -m and -f
 
 -c                   run also ClamAV scan over the files
 
 -p <file|directory>  scan a file or directory recursively, good for testing scanfile 
                      function
 
 -s <file>            file containing scanfile function override, useful for different
                      configurations and tests required
 
 -e PATTERN           exclude files that match PATTERN regex, case insensitive
 
 -v                   verbose
 
 -h                   this help

To test a location, for example, you can use the following, which will also invoke ClamAV:

exploitwatch.sh -p /var/www/ -c

Configuring

When using the monitoring feature (-m and -f), the script does the following:

If necessary it launches an inotifywatch process that monitors the location given with -m and writes the file list log given with -f. On subsequent runs it just processes the file list. When the file list is processed, duplicates and non-existent files are skipped, and each remaining file is passed to the scanfile function, which prints any warning it finds. If the ClamAV option (-c) was specified, the file list is also passed to the scanner. If the truncate option (-t) was specified, the file list is emptied after processing (required for cron use).

By default the output is minimal, which makes it good for piping to mailx. If -v is specified, debug information is printed as well. A sample output would be:

/var/www/wordpress/exploit.php: WARNING php with long lines detected
/var/www/wordpress/exploit.php: WARNING exploit pattern detected
/var/www/wordpress/exploit.php: {HEX}php.cmdshell.rgod.346.UNOFFICIAL FOUND
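As an added example, not the exploitwatch.sh code itself, the following POSIX shell script reproduces the processing loop described above (drop duplicates from the list, skip files that no longer exist, run a scanfile function on each remaining file) and the WARNING output format shown, using a deliberately small scanfile that flags PHP files containing very long lines and a handful of common obfuscation idioms. The 1000-character threshold, the PATTERNS list, the inotifywait flags used in start_monitor and the sample files make_sample builds are all this example's own assumptions, not values taken from the script:

```shell
#!/bin/sh
# Added example, not the exploitwatch.sh source: the file-list processing
# loop described in the post, with a minimal scanfile implementation.
# Assumptions (not from the script): PHP lines over MAXLINE characters are
# suspicious, the PATTERNS list is worth flagging, and the monitor writes
# one path per line as "inotifywait --format '%w%f' -o <list>" does.

MAXLINE=1000
# Constructed detection list: common PHP obfuscation idioms (ERE, parens escaped).
PATTERNS='eval *\( *base64_decode|eval *\( *gzinflate|eval *\( *str_rot13|preg_replace *\(.*/e'

# scanfile <path>: print one "<path>: WARNING ..." line per finding.
scanfile() {
    f=$1
    case "$f" in
        *.php|*.phtml)
            # awk sets found=1 on any over-long line; its exit status reports it
            if awk -v max="$MAXLINE" 'length($0) > max { found = 1 } END { exit found ? 0 : 1 }' "$f"; then
                printf '%s: WARNING php with long lines detected\n' "$f"
            fi
            ;;
    esac
    if grep -Eiq "$PATTERNS" "$f"; then
        printf '%s: WARNING exploit pattern detected\n' "$f"
    fi
}

# process_list <listfile>: drop duplicates, skip paths that no longer exist,
# and scan whatever remains (the list is what the monitor appended to).
process_list() {
    sort -u "$1" | while IFS= read -r path; do
        [ -f "$path" ] || continue
        scanfile "$path"
    done
}

# count_warnings <listfile>: number of WARNING lines process_list emits.
count_warnings() {
    process_list "$1" | grep -c 'WARNING' || true
}

# start_monitor <dir> <listfile>: launch a background recursive watch that
# appends the full path of every written/created/moved-in file to the list,
# unless a watch for that directory is already running (checked with pgrep -f).
start_monitor() {
    dir=$1 list=$2
    if pgrep -f "inotifywait .* $dir" >/dev/null 2>&1; then
        return 0
    fi
    inotifywait -m -r -q -e close_write,create,moved_to --format '%w%f' -o "$list" "$dir" &
}

# make_sample: constructed test data in a temp dir: one clean PHP file, one
# "suspect" file with an 1100-character line and an eval(base64_decode()) call
# on an undefined variable, and a list containing a duplicate and a missing path.
# Prints the path of the list file.
make_sample() {
    d=$(mktemp -d)
    printf '<?php echo "hello";\n' > "$d/index.php"
    {
        printf '<?php '
        awk 'BEGIN { for (i = 0; i < 1100; i++) printf "A" }'
        printf '\neval(base64_decode($x));\n'
    } > "$d/suspect.php"
    printf '%s\n%s\n%s\n%s\n' "$d/index.php" "$d/suspect.php" "$d/suspect.php" "$d/missing.php" > "$d/list"
    echo "$d/list"
}

# Demo when run directly: expect two WARNING lines, both for suspect.php.
LIST=$(make_sample)
process_list "$LIST"
```

Run it directly to see the two warnings for the constructed suspect.php and nothing for index.php; the scanfile function here is the kind of thing one would place in a -s override file, assuming the script calls scanfile with the file path as its first argument (an assumption, not something the post states).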

Cron it as follows to receive hourly notifications of issues on different locations; a few examples are:

15 * * * * www-data /usr/local/bin/exploitwatch.sh -f /tmp/exploitwatch-inotifywatch-var-www -t -m /var/www -c | mailx -E -s "Exploitwatch Alert!" email@domain.com
16 * * * * www-data /usr/local/bin/exploitwatch.sh -f /tmp/exploitwatch-inotifywatch-var-tmp -t -m /var/tmp -c | mailx -E -s "Exploitwatch Alert!" email@domain.com
17 * * * * user /usr/local/bin/exploitwatch.sh -f /tmp/exploitwatch-inotifywatch-home-user -t -m /home/user -c | mailx -E -s "Exploitwatch Alert!" email@domain.com

Notice that different users and locations can be specified; of course the file list location must be writable by the user set up for the cron job.

Extra Notes

The script is a WIP: a default scanfile function with a few example tests is provided, and the current one may produce too many false positives. More improvements can certainly be made, e.g. adding more signatures or tests, and it shows the potential it holds, e.g. specific scans per file extension. There is a feature (-s) that allows you to specify another file containing a scanfile function override, so it is possible to have multiple configurations and tests for different locations instead of trying to do everything with one.

Also keep in mind that there may be a difference between what the scanfile function reports for a fresh install path and what it reports when monitoring a working site with strong permissions, e.g. one that only allows images to be uploaded, and only into wp-uploads.

Maldetect

https://www.rfxn.com/projects/linux-malware-detect/

Maldetect is a more complete scanner/monitor with a ton of options, such as quarantine and plenty of logging. It can use ClamAV as a scanner (and you should use it), but with a more trimmed-down malware database that they maintain, which increases performance significantly during scans.

WARNING: there is a pitfall with this software: it runs as the root user by default, and an exploit targeted at the scanner could potentially lead to privilege escalation, so you have been warned.

Installing

# cd /root
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar xvfz maldetect-current.tar.gz
# cd /root/maldetect-1.5   # At the time of writing this
# ./install.sh

The install script installs the suite at /usr/local/maldetect. Also install the distro packages for ClamAV (e.g. apt-get install clamav clamav-freshclam).

Configuring

There are a few things you need to configure:

In the file /usr/local/maldetect/conf.maldet you will want to modify the following to get email alerts:

email_alert="1"
email_addr="you@domain.com"

After that, configure the paths you want monitored; here we list the usual suspects. This is done in the file /usr/local/maldetect/monitor_paths:

/var/www
/tmp
/dev/shm
/var/tmp

Get the monitor started with:

service maldet start

Maldet sets up cron jobs with different functions at /etc/cron.d/maldet_pub and /etc/cron.daily/maldet; the latter keeps the signature database and the suite updated, and runs routine scans. You may want to disable the last part, which scans all the websites for common control panels when the monitoring is not running:

# if we're running inotify monitoring, send daily hit summary
if [ "$(ps -A --user root -o "cmd" | grep maldetect | grep inotifywait)" ]; then
    /usr/local/maldetect/maldet --monitor-report >> /dev/null 2>&1
else
    if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then
        # ensim
        /usr/local/maldetect/maldet -b -r /home/virtual/?/fst/var/www/html/,/home/virtual/?/fst/home/?/public_html/ 1 >> /dev/null 2>&1
    elif [ -d "/etc/psa" ] && [ -d "/var/lib/psa" ]; then
        # psa
        /usr/local/maldetect/maldet -b -r /var/www/vhosts/?/ 1 >> /dev/null 2>&1
    elif [ -d "/usr/local/directadmin" ]; then
        # DirectAdmin
        /usr/local/maldetect/maldet -b -r /home?/?/domains/?/public_html/,/var/www/html/?/ 1 >> /dev/null 2>&1
    elif [ -d "/var/www/clients" ]; then
        # ISPConfig
        /usr/local/maldetect/maldet -b -r /var/www/clients/?/web?/web 1 >> /dev/null 2>&1
    elif [ -d "/etc/webmin/virtual-server" ]; then
        # Virtualmin
        /usr/local/maldetect/maldet -b -r /home/?/public_html/,/home/?/domains/?/public_html/ 1 >> /dev/null 2>&1
    elif [ -d "/usr/local/ispmgr" ]; then
        # ISPmanager
        /usr/local/maldetect/maldet -b -r /var/www/?/data/,/home/?/data/ 1 >> /dev/null 2>&1
    elif [ -d "/var/customers/webs" ]; then
        # froxlor
        /usr/local/maldetect/maldet -b -r /var/customers/webs/ 1 >> /dev/null 2>&1
    else
        # cpanel, interworx and other standard home/user/public_html setups
        /usr/local/maldetect/maldet -b -r /home?/?/public_html/,/var/www/html/,/usr/local/apache/htdocs/ 1 >> /dev/null 2>&1
    fi
fi

If you need a hand with any of the topics discussed here, please open a support ticket and we can certainly help out.
http://rimuhosting.com/ticket/enterticketdetails.jsp?t_type=TT_SYSADMIN

Image Credit https://www.flickr.com/photos/jeff_kontur/2651852001
