Posts Tagged ‘virus’

Email alerts on new virus with Sophos

Friday, August 7th, 2009

Sophos's Linux antivirus product is an interesting beast, but I'll reserve opinion. We offer a web interface wherein the end-user may review alerts, though some also wish an email alert. This can be configured through savwebd, the web GUI provided with the Sophos antivirus client, or configured on the command line:

cd /opt/sophos-av/bin
./savconfig -v  # review current configuration settings
./savconfig set Email email@address.com  # recipient
./savconfig set EmailNotifier true
./savconfig set EmailDemandSummaryIfThreat true
./savconfig set EmailServer localhost
./savconfig set SendThreatEmail true
./savconfig set ThreatMessage "A virus has been detected and blocked.  Please contact your support team for more information."

Tags: ,
Posted in howto | No Comments »

Better way to scan for -- and clean up -- virus activity

Saturday, April 25th, 2009

**NOTE** The following only works with FTP daemons that log full paths in xferlog — ie, not vsftpd with its default configuration. Works like a charm on Plesk, fails terribly on non-Plesk. For non-Plesk, please scroll to the bottom of this post.

I made an earlier post about this subject, but there are too many holes in the script provided. Rather, I've found this simple awk recipe to do the trick quite well.

awk '$12 != prev {print $9; prev=$12}' xferlog | egrep "\.php|\.htm|\.shtm|\.js" | sort |uniq > ftp_modified.out

Note that the output it prints is not definitive, but it certainly gives you something to start with. Now, roll a grep:

cat ftp_modified.out |while read line; do grep -H iframe $line >> iframe.out ; done

**You will need to review this output to find the actual string and distinguish between legitimate iframes and the baddies.** The following sed will usually take care of about 80% of them:

cat iframe.out | awk -F\: '{print $1}' | while read line ; do sed -i 's/<iframe src=.*\/in\.cgi\?.*<\/iframe>//g' $line ; done

Of course, there are also JavaScript-obfuscated redirects to clean up:

cat ftp_modified.out | while read line; do grep -H eval $line >> eval.out ; done

This will catch *most* of them. Unfortunately with the JS ones, you need to develop a regex to match with sed on a per-exploit basis — and there are tons. Look over the results in eval.out and craft up a sed that is tailored enough for the JS exploits — that won't affect legit code. I usually end up with something like this:

cat eval.out | awk -F\: '{print $1}' | while read line ; do sed -i 's/function.*String.fromCharCode.*document\.write.*));//g' $line ; done

But of course, use your brain and — most importantly — *always* test the sed using the -e switch on one of the infected files first to ensure it works before running it with -i against the whole list! These cleanups are a good way to fine-tune your practical regex skills. Remember not to be too broad — or too specific!

If the server does not have Plesk or is doing chrooting, such that xferlog shows relative paths rather than absolute, we'll skip the xferlog bit and just look at our docroots for recently modified files.

grep DocumentRoot /etc/httpd/conf/httpd.conf |awk '{print $2}' > docroots.out
cat docroots.out |while read line ; do find $line -mtime -180 | egrep "\.php|\.htm|\.shtm|\.js" | sort |uniq > ftp_modified.out

To be quite honest, these aren't "ftp-modified" files, but you can drag'n'drop with the rest of my sniplets here. The entire purpose of generating these file lists is to narrow down the sheer amount of files we have to look through to make it more manageable, as opposed to grepping through everything in the server's DocumentRoots.

The above sniplets are the fastest ways I've developed to deal with this stuff — you'll spend most of your time reviewing the output and generating regexes with which to clean them up. Absolutely remember to change the FTP passwords for at least the FTP users exploited, and have the end user scan all computers that may have connected to the server via FTP for viruses and trojans.

I haven't the faintest how to deal with the new google analytics-esque variant yet… I hope that doesn't become more popular :(

Tags:
Posted in howto | 2 Comments »

Scan FTP xferlog for virus-like activity

Saturday, April 11th, 2009

I often see viruses spread through usually-legit sites — see more in my related post about malware one-liners. Finding which files are infected is usually a pain, though Paul hacked me up this script to identify virus-like behavior and pinpoint infected files:

#!/usr/bin/perl

use strict;
use warnings;

my $file = $ARGV[0];

my @iArray;
my @oArray;

open LOGFILE, "<", $file or die "Can't open my $file: $!";
while (<LOGFILE>) {
        my @line = split(/ /);
        if ($line[11] eq "o") {
            push(@oArray, $line[8]);
        }
        if ($line[11] eq "i") {
            push(@iArray, $line[8]);
        }
}
foreach (@oArray) {
    my $entry = $_;
    foreach (@iArray) {
        my $entry2 = $_;
        if ($entry2 eq $entry) {
            print "$entry\n";
            last;
        }
    }
}

Usage:

Download virus-parse.pl to server and execute against the xferlog.

wget http://tech.superhappykittymeow.com/src/virus-parse.pl
chmod +x virus-parse.pl
./virus-parse.pl /var/log/xferlog

This will output a list of files suspected of containing malicious iframes or javascript, from which you can clean up.

Tags:
Posted in howto | 1 Comment »

Removing 1-liner malware code in webpages

Wednesday, March 4th, 2009

More and more client workstations are being infected with keyloggers and trojans. In addition to stealing your WoW username and password (oh noes, my purpz!), they also have been stealing FTP logins.

This has manifested itself in the linux server world by seemingly legit users logging in over FTP, downloading a file, then uploading it a few seconds later with 100-ish bytes appended. A look at xferlog reveals this behavior, usually against a regex of pages (index.*, default.*, etc), and the connecting IP will often be foreign. A look at the secure log will reveal that the password was not brute-forced; rather, it was known.

The real solution is to change all passwords and force the end user to reformat their computer, since they're infected and do not realize it. Alas, this is not quite practical (though if someone could invent a remote formatter, I'll give you $10 for it). Rather, advise the end user of the situation and suggest reformatting — or, at the very least, using a collection of anti-spyware, anti-virus, and anti-everything software on their workstation. Change the affected user's password.

To clean up the leftover malicious code that was appended, find out the exact string (usually a `tail index.php' will reveal it) — it's often a <JavaScript> line or an <iframe>. Copy the string completely and we'll just sed it out:

sed -i "s#<script src='http:\/\/b\.adserv\.cn\/E\/J\.JS'>##g" *

sed's not very good at recursing, but luckily, grep is. Make a list of files that match:

grep -R "b.adserv.cn" * |awk -F\: '{print $1}' > filelist

And then feed it to sed:

cat filelist |while read line ; do sed -i"s#<script src='http:\/\/b\.adserv\.cn\/E\/J\.JS'>##g" $line ; done

It should also be noted that this user logged in as the FTP user with no failed password attempts — they knew the password. This situation most often occurs when a client workstation that has access to this FTP account is compromised with a virus, spyware, trojan horse or keylogger that transmits the login credentials to a third party attacker. I strongly recommend running anti-virus and anti-spyware software on all client workstations that have access to this account.

Tags: , ,
Posted in howto | 3 Comments »