Merge pull request #8 from Pilskalns/dev
Updated readme
Pilskalns committed Aug 17, 2015
2 parents 8e5c23b + e5e291c commit c79b08e
68 changes: 22 additions & 46 deletions README.md
@@ -1,25 +1,17 @@
*Hi everyone, I will be soon update Narnia with complete new version of Narnia - Narnia 2.0, it will feature a lot of new features and probably wont jump to 3.0, but will evolve in 2.1, 2.2 etc... but slowly. As I mentioned - this gets devoloped only in my free time. I keep this repro only to preserve knowledge and give back to learning-community!*

# Narnia Guardian - server backdoor killer
# Narnia Guardian 2.0 - server backdoor killer
#### N!B! Read everything before begin clean up
### Level - intermediate - there is manual work involved
### Level - intermediate - there is manual work involved, you should have some level of confidence of your written code and actions, as well as basic understanding of server enviroment

Maybe you are here because of [MailPoet](http://blog.sucuri.net/2014/10/wordpress-websites-continue-to-get-hacked-via-mailpoet-plugin-vulnerability.html) or [StackOverflow](http://stackoverflow.com/questions/25996752/removing-a-string-in-a-php-file-with-start-and-end/28430880)

This tool is created to clean infected PHP files which contains obfuscated code or contains dangerous server backdoor. There is code sample on StackOverflow for UNIX system's with root access, but not always you would have it + with those samples, you never know what modifications of bad code you have. With method below you can fine tune bad sample library to match your case.

If you got this bad code on your server, it could be triggered any time and could do anything on your server. In fact, purpose and content of this malware code also could be changed anytime. Code could be stealing passwords, sending spam e-mail from your IP or even hosting illegal copy of Torrent files and steal traffic you pay for. Once your IP is globally blacklisted, it is hard to get back SEO on Google etc.
This tool is created to clean infected PHP files which contains obfuscated code or contains dangerous server backdoor. If you got this bad code on your server, it could be triggered any time and could do anything on your server. In fact, purpose and content of this malware code also could be changed anytime. Code could be stealing passwords, sending spam e-mail from your IP or even hosting illegal copy of Torrent files and steal traffic you pay for. Once your IP is globally blacklisted, it is hard to get back SEO on Google etc.

**This tool is only helper to fix already broken things. You shouldn't rely on this as primary protection. Correctly set server environment is first thing to check after attack.**

## Lyrics before action
To create this, I have donated two workday's to clean up private server, please contribute with code comments, better descriptions in more fluent language and other suggestions.
So far, my motivation to update is anger on this malware, as I do not code for living and this malware code ruined our multiple site server for non-profit organisations, where I belong. I believe in open source software (OSS) and believe that OSS can be more safer than paid one, if public gives effort to it. There is so many great programmers amongst us, unfortunately, at least as much, there are ones, who use their skills for personal good doing bad things.
**This tool is only Helper to fix already broken things. You shouldn't rely on this as primary protection. Correctly set server environment is first thing to check after attack. I can not teach you complex algorithms, but I can give you a sample of what I have taught**

---

## How does malware code looks like?
It will be in begining of PHP file and begins and closes with `<?php` and `?>`. This is safest way to inject this code inside already existing code file. In future, malware could get smarter and hide between set of valid code. So, for example **you have**
## Where does malware code reside?
It will be in begining of PHP file and begins and closes with `<?php` and `?>`. This is safest way to inject this code inside already existing PHP file. In future, malware could get smarter and hide between set of valid code. So, for example if **you have**

``` PHP
<?php
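Review bot: the added lines carry spelling slips that will show up in the rendered README: "enviroment" should be "environment", "devoloped" should be "developed", "wont" should be "won't", and "repro" (used here for the repository) reads as "reproduction"; "repo" is the usual short form. The italic intro still announces that Narnia 2.0 is coming, while the heading right below it already reads "Narnia Guardian 2.0", so one of the two should say whether this is the 2.0 code or a preview of it. Keeping the "only a helper, not primary protection" warning in the new text is the right call; consider also keeping the sentence that explained why the StackOverflow root-access sample is not enough on its own, since the link to it stays.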
@@ -39,43 +31,37 @@ etc.

**After malware injection file will look something like**
``` PHP
<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x //etc. ending with ?> if you have turned off your editor line break
<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x //etc. ending with ?>
<?php
/* Here comes my super-duper code */
/* Here comes my super-duper-legit code */
````

Even hackers have to respect correct syntax of code, he he...
Even hackers have to respect correct syntax of code... So it is easy to spot it by eye if you have turned on your editor word wrap, because in many cases bad code is prefixed with ton of spaces to hide it in code editor. Not like Python, additional spaces in PHP does not affect code execution...

## Patterns
You might say, `but wait, there must be way to see patterns and predict which is good or bad code!`. Yes there is, but then you have to dig deep into how this bad code is structured. I have given already my patterns, but you can easily add your in `index.php`, or ocen create complicated functions which tells if given code sample is good or not. Up to you my friend, Narnia 2.0 is about opening up easy adjusting to custom solutions.

## How does Narnia Guardian works?
It now becomes clear, why I told you all that -

1. NG will search for PHP files, which contain bad code samples from library (blacklist.txt)
2. Going off that exact location NG will search matching pair of PHP tags right before and right after sample location - the tag pair where bad code lives in
3. IF everything matches up - everything inside those matching pairs of PHP tags will be removed, including tags itself, to maintain clean code
2. For every case - malware samples are different - **You have to update them in order to clean up your code**

### What files does Narnia Guardian contains?
1. NG will search for PHP files and split those files up by matching portions of php code that looks like `<?php ... ?>`.
2. So, every matching sample get's checked against regex patterns I have developed or library samples in `blacklist.dat`
3. If something matches - everything inside those matching pairs of PHP tags will be removed, including tags itself, to maintain clean code

|File | Role
|-----------------------|---------------------------
|NarniaGuardian.php | Contains cleaner class
|blacklist.txt | Here insert library of malware samples
|uniquelist.txt | List of unique first lines of php files
|logs | Folder where logs will appear
N!B! For every attack case - malware code is different - **You have to update regex libraries and blacklist until you are confident**

---
## Order of actions
1. Download / Upload script to test location (strongly suggested)
2. Modify / copy index.php content between first section of `<?php ... ?>`
0. Create test copy of infected code + backup zip if anything goes wrong, so you can revert things (strongly suggested)
1. Download / Upload script to test location
2. Modify `index.php` to match your case
3. Run script by browsing location on browser
4. Inspect output of script - there will be block's of obfuscated code - right before it, there should be outputted location where it comes from
5. Inspect source of obfucated block file - if it is clear that this is not your code or other good minified code, search for string that could be as key string to recognize it, as example `if(!isset($GLOBALS["\x61\156\x75\156\x61"]))` or meaningless variables `$bmhqhhzolg` or `$pjro=22;$vnlpv=$pjro+42;` - copy these kind of strings to blacklist.txt library - one sample per one line
6. Clean uniquelist.txt content and run again script.
4. Open uniquelist.txt, search for malware code - copy typical sample of code to blaclklist.txt library - one sample per one line
5. Check logs folder for success. The one named root-error[..].log will contain list of files, which are suspicious, but could be some large class file. These should be checked and deleted manually.
1. Repeat steps 3 to 6. If output is much more shorter, it means it is working, don't stop until you are sure that your all of your files are clean.
5. Inspect source of obfucated block file - if it is clear that this is not your code or other good minified code, search for string that could be as key string to recognize it, as example `if(!isset($GLOBALS["\x61\156\x75\156\x61"]))` or meaningless variables `$bmhqhhzolg` or `$pjro=22;$vnlpv=$pjro+42;` - copy these kind of strings to `blacklist.dat` library - one sample per one line
1. Repeat steps 3 to 5. If output is much more shorter, it means it is working, don't stop until you are sure that your all of your files are clean. When you are confident, that test is not ruining good code, put it against original code, but anyways, keep backup of it.

## What You should do next?
* Do clean install as much as you can - Install clean wordpress, install clean theme etc.
* Copy this script to safe place, chmod it for safety. If in bad hands - it could do bad things out of the box.
* Change ALL passwords, I mean ALL - WordPress, databases, WordPress salt, user passwords, secret keys, everything - all paswords could be readed by malware code
* Update your OSS or paid software for latest versions, including WordPress, plugins, extensions, anything you have
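Review bot: the PHP example's closing fence is four backticks (````) while it opens with ``` PHP, so the block never closes and everything after it renders as code; change it to three backticks. The file table that named blacklist.txt, uniquelist.txt and the logs folder is deleted without a replacement, yet the new steps refer to `blacklist.dat`, to regex patterns in `index.php` and to "regex libraries" without saying where each lives; a short updated file list would close that gap. The "Order of actions" list is numbered 0, 1, 2, 3, 4, 5, 1, and the last item ("Repeat steps 3 to 5") will render as item 7, so renumber it to keep the cross-reference correct. Typos in added lines: "obfucated", "begining", "get's", "ocen" (presumably "even"). Since step 3 runs the cleaner by browsing to it and the page itself warns that in bad hands it "could do bad things out of the box", the steps should also say that the script is removed from the web root, or access to it restricted, once the clean-up is done, rather than leaving that only to the "What You should do next?" list.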
@@ -87,16 +73,6 @@ It now becomes clear, why I told you all that -

---

## TODO:
**I have told all I know (what you should know to clean server). If this repro gets popular, I will update code so it could work as passive guard over server of ten's of thousand's of PHP files. For that and so in future I can remember all ideas, here goes my todo feature list:**

1. Silent mode to be run behind scenes not distracting with ugly output of numbers and codes
2. Email-notification if this code finds bad code.
3. Detection level / flags - whether to output on screen, to send warning email, to auto-delete
3. Auto - learn blacklist sample list (smarter detection).
4. Extend out-of-the-box blacklist library, but it shouldn't be too large as it increase script run time. Please send, your set of library samples.
5. **If this get's really popular:** Will create auto-updater for sample list from public commit repro, but this is dangerous action. In this case Guardian should be ran from hidden location, for example, if you host many PHP sites, and want passive protection against backdoors, because, you newer know, what site owner will do wrong.

## Why does `Narnia`?
Project names containing `Narnia` I give if the code is meant to be run into private / hidden locations, without public access. If you see my project containing `Narnia` and you don't have any idea why you see it, it means that you have run into wrong place or something is broken and now you see it. Just like in the movie, it is a real magic...

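Review bot: the TODO list numbers run 1, 2, 3, 3, 4, 5, so two items share number 3; renumber them or drop the numbers and let markdown count. Spelling: "repro" for repository appears twice, "newer" should be "never", "ten's of thousand's" should be "tens of thousands", "get's" should be "gets". Item 5 already notes that auto-updating blacklist samples from a public repository is dangerous; if it stays on the roadmap, the note should record what would make it acceptable (samples used only as match strings and never executed, and the fetched list verified before use), so whoever implements it has the constraint in writing.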
