From d3aea8543a95223f722a5d53704db251ec8263ab Mon Sep 17 00:00:00 2001 From: "brice.lopez" Date: Tue, 27 Oct 2020 18:08:06 +0100 Subject: [PATCH] new maldetect release --- CHANGELOG | 87 +- CHANGELOG.RELEASE | 67 +- README | 16 +- cron.daily | 4 +- debian/changelog | 6 + debian/patches/0001-10_maldetect-paths.patch | 287 +- .../0005-15_maldetect-no-autoupdate.patch | 21 +- files/VERSION.hash | 2 +- files/clean/base64.inject.unclassed | 3 +- files/clean/gzbase64.inject.unclassed | 3 +- files/clean/js.inject.VisitorTracker | 3 +- files/clean/js.inject.fakejquery02 | 3 +- files/clean/php.brute.bf1lic | 3 +- files/clean/php.malware.magentocore_ccskim | 6 + files/clean/php_malware_hexinject | 6 + files/conf.maldet | 54 +- files/internals/compat.conf | 8 + files/internals/functions | 372 +- files/internals/hexfifo.pl | 6 +- files/internals/hexstring.pl | 6 +- files/internals/importconf | 39 +- files/internals/internals.conf | 31 +- files/internals/scan.etpl | 5 + files/maldet | 21 +- files/maldet.1 | 6 +- files/service/maldet.service | 3 +- files/service/maldet.sysconfig | 6 +- files/sigs/appver/wordpress.ver | 23 + files/sigs/hex.dat | 2035 +++ files/sigs/maldet.sigs.ver | 1 + files/sigs/md5.dat | 12729 +++++++++++++++ files/sigs/md5v2.dat | 12729 +++++++++++++++ files/sigs/rfxn.hdb | 12735 ++++++++++++++++ files/sigs/rfxn.ndb | 2035 +++ files/sigs/rfxn.yara | 11468 ++++++++++++++ files/sigs/rfxn.yara.bk | 0 files/uninstall.sh | 2 +- install.sh | 18 +- 38 files changed, 54457 insertions(+), 392 deletions(-) create mode 100755 files/clean/php.malware.magentocore_ccskim create mode 100755 files/clean/php_malware_hexinject create mode 100644 files/sigs/appver/wordpress.ver create mode 100644 files/sigs/hex.dat create mode 100644 files/sigs/maldet.sigs.ver create mode 100644 files/sigs/md5.dat create mode 100644 files/sigs/md5v2.dat create mode 100644 files/sigs/rfxn.hdb create mode 100644 files/sigs/rfxn.ndb create mode 100644 files/sigs/rfxn.yara create mode 100644 files/sigs/rfxn.yara.bk diff --git a/CHANGELOG b/CHANGELOG index 2d36fd7..7a0ae89 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,72 @@ +v1.6.4 | Mar 18 2019: +[New] add quarantine_on_error variable to control quarantine behavior when scanner engines such as ClamAV encounter an error +[New] add support for slack alerts; pr #240 mostafahussein +[New] add ability to disable cron via conf.maldet; issue #260 / pr #300 , #304 sporks5000 +[New] add cleaner rule for php.malware.magentocore_ccskim and an alias of as php_malware_hexinject for associated yara rule +[Change] update cron.daily for ispmanager5; pr #305 yogsottot +[Change] normalize variable naming of pr #300 , #304 +[Change] validate cron_daily_scan is set; otherwise default to 1 +[Change] update importconf for cron_daily_scan block +[Change] don't need "find" if given a file list; pr# 303 sporks5000 +[Change] rename ambiguous internal variables related to user signatures +[Change] removed clamscan_return code capture from piped logic of clam(d)scan execution; now always capture return code, even on good exits +[Change] scan results now explicitly exclude any occurrences of files related to 'no reply from clamd' errors +[Change] add backward compatibility for renamed internals.conf variables +[Change] removed legacy $verbose tagging at the end of eout() calls +[Change] modified cleaner rules to set their own PATH scoping +[Change] file_stat() has been renamed get_filestat to match associated quar_get_filestat function naming +[Change] get_file_stat() will now grab md5 hash of files to avoid superfluous md5sum calls +[Change] added inotify elapsed run time to scan report output +[Change] adjust '-e|--report' output for etime value and spacing +[Change] force email_ignore_clean=1 to stop the most common email requested issue +[Fix] hitname not logging to quarantine.hist on manual quarantine run against scanid; issue #319 +[Fix] typo in PR #300; missing '; then' on elif +[Fix] set default_monitor_mode to resolve issue #311 systemd service passing $default_monitor_mode as a literal string to the service +[Fix] sad mail/sendmail validation logic, fix issue #316 +[Fix] normalized scan start time output in scan reports when inotify monitoring is used +[Fix] scan report list summary to always display an etime value, even if null +[Fix] ad-hoc clean calls from clean_hitlist() was not executing sigignore and gensigs functions causing clean tasks to fail due to missing variables; issue #203 +[Fix] adjust semantics of comma and spaced variables being passed to '-co|--config-option'; pr #298 sporks5000 +[Fix] modified quarantine_hits to force disable if clamdscan explicitly encounters a 'no reply from clamd' fatal error +[Fix] modified install.sh 'ps' execution to be BSD compliant +[Fix] clean function was not properly stripping {CAV} and {YARA} prefixes from signature names when executing cleaner rules +[Fix] clean function was not properly handling signature names with both underscores and periods +[Fix] refactored clean_hitlist() & clean() functions to resolve pathing errors when cleaning previous session hits; issue #203 +[Fix] ignore_inotify file exist/empty file negative match; issue #330 +[Fix] operator issue cron.daily #331 +[Fix] install.sh $ver required major numbering; renamed to ver_major so that session preservation semantics continue to work + +v1.6.3 | Sep 01 2018: +[Fix] ensure clamscan_max_filesize is always set; pr #296 +[Fix] remove escaping from inotifywait exclude regexp; pr #246 issue #205 +[Fix] always set a value for monitor mode systemd unit; pr #257 +[Fix] quar_get_filestat variable collisions during restore operations +[Fix] quarantine files could be prematurely deleted, during 'cron.daily/maldet', on distributions where the 'mv' command + preserves origin file mtime; call 'touch' on quarantined files to set current mtime post-move to quarantine path; issue #294 +[Fix] update tlog inotify tracking file before trimming to prevent rescan loop; pr #292 +[Fix] revert pruning empty lines from signature files to 1.6.1 behavior +[Fix] usage semantics of cd'ing to a wildcard path on newer versions of Bash were causing version updates to fail; we now explicitly + 'cd' to maldetect-${upstreamver} +[Fix] spelling corrections; pr# 269 +[Change] update importconf text to reflect monitor mode on systemd behavior +[Change] on restore actions, reset restored files to original mtime value +[Change] increase default remote_uri timeout from 10s to 30s +[Change] increase default remote_uri tries from 3 to 4 +[Change] added base_domain variable to internals.conf +[Change] cleanup .tgz/.md5 files on version updates mid-flight to prevent potential 'cd: too many arguments' errors +[Change] trim inotify log from beginning instead of end of file; pr #292 +[Change] user mode scanning no longer scans system temporary paths; issue #283 +[Change] improve regexp of scan start time values for '-e|--list' output +[Change] added '--beta' flag to '-d|--update-ver' to support pulling down beta release of LMD +[Change] stage v1.6.3 release; update version and date stamps +[Kudos] Thank you to those that contributed pull requests and issues during this release cycle. PR contributions from: + sporks5000 + jsoref + Joshua-Snapp + mkubenka + jkronza + AnnopAlias + v1.6.2 | Jul 13 2017: [Fix] signature updates using get_remote_file() would incorrect write temporary update files into /; issue #242 [Fix] added 'which curl' and 'which wget' for variable scoping of binary locations into internals.conf; issue #237 @@ -32,7 +101,7 @@ v1.6.1 | May 28 2017: v1.6 | Mar 17 2017: [New] added curated set of YARA webshell & malware signatures for use with ClamAV >= 0.99b -[New] added cleaner rule 'VistorTracker.Mob' +[New] added cleaner rule 'VisitorTracker.Mob' [New] added cleaner rule 'js.inject.fakejquery02' [New] added support for 'froxlor' to cron.daily execution [New] added support for 'vestacp' to cron.daily execution @@ -58,7 +127,7 @@ v1.6 | Mar 17 2017: [Change] unified all clamav selection logic for data paths, running clamd processes, clam(d)scan CLI options etc... into a single function, clamselector(); this will make clam behavior more predictable across all functions [Change] added subdomains path for ISPConfig to cron.daily -[Change] corrected variable naming semantics for import_*_(md5|hex)_url paramters +[Change] corrected variable naming semantics for import_*_(md5|hex)_url parameters [Change] monitor mode now identifies inotifywait processes based on a string pattern unique to maldet to avoid conflicts with any other inotifywait processes [Change] added wget_proxy variable for us in sysconfig and conf.maldet options @@ -127,7 +196,7 @@ v1.6 | Mar 17 2017: [Fix] suppress error output to cli for customer user signature files when they do not exist [Fix] uninstall.sh now cleans up signature files from clamav data paths [Fix] corrected invalid matching against clamdscan binary when clamd was running as non-root user -[Fix] intofiywait on Ubuntu12 doesn't support the '-o' and '-d' option; modified to send stdout to logfile +[Fix] inotifywait on Ubuntu12 doesn't support the '-o' and '-d' option; modified to send stdout to logfile for better compatibility [Fix] conditionally test for vz container and disable use of ionice which is not support in vz containers [Fix] '-k|--kill-monitor' would under certain circumstances leave zombie processes @@ -183,7 +252,7 @@ v1.5 | Sep 19 2015: [New] added set of defined exit codes for errored exits(1), successful runs with hits(2), successful runs with no hits(0) [New] added uninstall.sh script to maldetect installation path [New] added md5 hash verification of signature and version update downloads -[New] added scan_cpunice option to control CPU priorty value of all scan operations such as find, clamscan etc.. (default 19) +[New] added scan_cpunice option to control CPU priority value of all scan operations such as find, clamscan etc.. (default 19) [New] added scan_ionice option to control IO priority value of all scan operations such as find, clamscan etc.. (default 6) [New] added autoupdate_signatures/autoupdate_version options to control daily cron based signature/version updates [New] added autoupdate_version_hashed option to control validating hash of maldet executable against upstream version @@ -216,7 +285,7 @@ v1.5 | Sep 19 2015: [Change] reordered configuration file, expanded on variable descriptions, overall attempt to simplify/streamline conf.maldet [Change] installer symlinks LMD signatures into known/existing ClamAV paths to ensure signatures are loaded into memory by clamd [Change] installer issues SIGUSR2 to any running clamd processes to force reload of signature databases -[Change] cron.daily signature updates issue SIGUSR2 to any running clamd processes to force reload of siganture databases +[Change] cron.daily signature updates issue SIGUSR2 to any running clamd processes to force reload of signature databases [Change] cron.daily signature/version updates sleep random interval 1-999 secs before contacting upstream rfxn.com servers to reduce cdn load [Change] modified clamscan database path checks to support cPanel >=11.40 RPM clamAV connector RPM's [Change] modified location of statistical data files from tmpdir to sessdir making tmpdir a stateless path that can be purged at anytime @@ -368,7 +437,7 @@ v1.4.0 | Apr 17th 2011: [Change] wget calls now use the --referer option to broadcast local LMD version [Fix] replaced stray references of absolute install path with the install path variable [New] stage2 (HEX) scanner now supports use of named pipe (FIFO) for passing file hex contents, - enabled by default, provides better performance with larger depth anlaysis of files + enabled by default, provides better performance with larger depth analysis of files [New] added hex_fifo_scan & hex_fifo_depth variables to conf.maldet for fifo hex scanning [Change] -c|--checkout now supports directory paths [Change] -r|--scan-recent and -a|--scan-all now supports single file scans @@ -458,7 +527,7 @@ v1.3.4 | May 16th 2010: [Fix] cleaner function was not properly executing under certain conditions [Change] additional error checking/output added to the cleaner function [Change] default status output of scans changed for better performance -[New] added ignore_intofiy for ignoring paths from the monitor service +[New] added ignore_inotify for ignoring paths from the monitor service [Change] updated ignore section of README [Fix] backreference errors kicking from scan_stage1 function [New] -d|--update-ver option added to update installed version from rfxn.com @@ -483,13 +552,13 @@ v1.3.3 | May 15th 2010: [New] added quar_susp_minuid option for suspend user minimum user id [Fix] inotify monitor now properly acts on MODIFY,MOVE_TO,MOVE_FROM states [Change] inotify monitor now can take a list of paths or file for path input -[Change] inotify monitor now has no default use, must specifiy USER|FILE|PATHS +[Change] inotify monitor now has no default use, must specify USER|FILE|PATHS [Change] revised short and long usage output for new options/usage changes [Change] inotify monitor now spawns only one process for all monitored paths [Change] inotify monitor sets max_user_instances to processors*2 [Change] inotify monitor sets max_user_watches to inotify_base_watches*users [Change] migrated all inotify options from internals.conf to conf.maldet -[New] added inotify_base_watches to conf.maldet for max file wathces multiplier +[New] added inotify_base_watches to conf.maldet for max file watches multiplier [New] added inotify_nice to conf.maldet for run-time prio of inotifywait [New] added inotify_webdir to conf.maldet for html/web root only monitoring [Change] extensive format change to README diff --git a/CHANGELOG.RELEASE b/CHANGELOG.RELEASE index 640ca63..3082bed 100644 --- a/CHANGELOG.RELEASE +++ b/CHANGELOG.RELEASE @@ -1,31 +1,38 @@ -v1.6.2 | Jul 13 2017: -[Fix] signature updates using get_remote_file() would incorrect write temporary update files into /; issue #242 -[Fix] added 'which curl' and 'which wget' for variable scoping of binary locations into internals.conf; issue #237 -[New] added support to send email through 'sendmail' binary as alternative to 'mail'; pr #241 & issue #238 +v1.6.4 | Mar 18 2019: +[New] add quarantine_on_error variable to control quarantine behavior when scanner engines such as ClamAV encounter an error +[New] add support for slack alerts; pr #240 mostafahussein +[New] add ability to disable cron via conf.maldet; issue #260 / pr #300 , #304 sporks5000 +[New] add cleaner rule for php.malware.magentocore_ccskim and an alias of as php_malware_hexinject for associated yara rule +[Change] update cron.daily for ispmanager5; pr #305 yogsottot +[Change] normalize variable naming of pr #300 , #304 +[Change] validate cron_daily_scan is set; otherwise default to 1 +[Change] update importconf for cron_daily_scan block +[Change] don't need "find" if given a file list; pr# 303 sporks5000 +[Change] rename ambiguous internal variables related to user signatures +[Change] removed clamscan_return code capture from piped logic of clam(d)scan execution; now always capture return code, even on good exits +[Change] scan results now explicitly exclude any occurrences of files related to 'no reply from clamd' errors +[Change] add backward compatibility for renamed internals.conf variables +[Change] removed legacy $verbose tagging at the end of eout() calls +[Change] modified cleaner rules to set their own PATH scoping +[Change] file_stat() has been renamed get_filestat to match associated quar_get_filestat function naming +[Change] get_file_stat() will now grab md5 hash of files to avoid superfluous md5sum calls +[Change] added inotify elapsed run time to scan report output +[Change] adjust '-e|--report' output for etime value and spacing +[Change] force email_ignore_clean=1 to stop the most common email requested issue +[Fix] hitname not logging to quarantine.hist on manual quarantine run against scanid; issue #319 +[Fix] typo in PR #300; missing '; then' on elif +[Fix] set default_monitor_mode to resolve issue #311 systemd service passing $default_monitor_mode as a literal string to the service +[Fix] sad mail/sendmail validation logic, fix issue #316 +[Fix] normalized scan start time output in scan reports when inotify monitoring is used +[Fix] scan report list summary to always display an etime value, even if null +[Fix] ad-hoc clean calls from clean_hitlist() was not executing sigignore and gensigs functions causing clean tasks to fail due to missing variables; issue #203 +[Fix] adjust semantics of comma and spaced variables being passed to '-co|--config-option'; pr #298 sporks5000 +[Fix] modified quarantine_hits to force disable if clamdscan explicitly encounters a 'no reply from clamd' fatal error +[Fix] modified install.sh 'ps' execution to be BSD compliant +[Fix] clean function was not properly stripping {CAV} and {YARA} prefixes from signature names when executing cleaner rules +[Fix] clean function was not properly handling signature names with both underscores and periods +[Fix] refactored clean_hitlist() & clean() functions to resolve pathing errors when cleaning previous session hits; issue #203 +[Fix] ignore_inotify file exist/empty file negative match; issue #330 +[Fix] operator issue cron.daily #331 +[Fix] install.sh $ver required major numbering; renamed to ver_major so that session preservation semantics continue to work -v1.6.1 | May 28 2017: -[New] added conf.maldet option cron_prune_days to configure cron.daily pruning max age of quar/sess/tmp data; issue #197 -[New] added curl support, as new default, into get_remote_file; wget support is preserved secondary to curl; issue #200 -[New] added --force option on -u|--update-sigs -[New] added --force option on -d|--update-ver -[New] added empty lines cleaner for runtime signatures and sorting of hdb for better performance; pr #223 -[Change] modified default prune interval of quarantine/sess/tmp data from older than 7d to 21d -[Change] set email alerts to disabled when -z $mail / issue verbose warning on CLI; issue #220 -[Change] scan_export_filelist feature had no real need to be limited to just cron runs; - modified so when set, it will export find results for all '-r|--recent' scans -[Change] updated help and README to reflect '--force' option on '-u|--update-sigs' and '-d|--update-ver' -[Change] post-change to get_remote_file(); signature version file was truncating with tmp file for maldet-clean -[Change] replaced all calls of wget with get_remote_file() -[Change] refactored get_remote_file() to be more generic / not depend on wget -[Change] increased default values for wget --timeout from 5 to 10 seconds -[Change] replace egrep with posix 'grep -E'; direct invocation of egrep/fgrep is deprecated; pr #214 -[Fix] modified sourcing of conf files and order of precedence in mald…et.sh init script to properly - treat default_monitor_mode being defined in conf.maldet; issue #224 -[Fix] escape quotes within eval md5sum command as fix for issues #230 and #216 -[Fix] test condition for systemd was generating unary errors on older versions of bash; pr #36 -[Fix] systemd based systems were skipping addition of sysconfig entry; pr #36 -[Fix] install.sh find operation to prune old install backups was generating error when no previous installs existed -[Fix] wgetopt was single quoted making the variables inside of it strings, set double quotes -[Fix] potential out of memory issue while scanning a large set of files on native LMD scanner; pr #223 -[Fix] -f option issue with relative path message; pr #223 -[Fix] issue with checkout of relative file path for non root user; pr #223 diff --git a/README b/README index 4947821..f7eb8b8 100644 --- a/README +++ b/README @@ -1,6 +1,6 @@ -Linux Malware Detect v1.6.2 - (C) 2002-2017, R-fx Networks - (C) 2017, Ryan MacDonald +Linux Malware Detect v1.6.4 + (C) 2002-2019, R-fx Networks + (C) 2019, Ryan MacDonald This program may be freely redistributed under the terms of the GNU GPL v2 :::::::::::::::::::::::::::::::::: @@ -196,7 +196,7 @@ project. The configuration of LMD is handled through /usr/local/maldetect/conf.maldet and all options are well commented for ease of configuration. -By default LMD has the auto-qurantine of files disabled, this will mean that +By default LMD has the auto-quarantine of files disabled, this will mean that YOU WILL NEED TO ACT on any threats detected or pass the SCANID to the '-q' option to batch quarantine the results. To change this please set quar_hits=1 in conf.maldet. @@ -206,7 +206,7 @@ in conf.maldet. There are four ignore files available and they break down as follows: /usr/local/maldetect/ignore_paths -A line spaced file for paths that are to be execluded from search results +A line spaced file for paths that are to be excluded from search results Sample ignore entry: /home/user/public_html/cgi-bin @@ -371,7 +371,7 @@ inotify processes. The support for HTTP upload scanning is provided through mod_security2's inspectFile hook. This feature allows for a validation script to be used in permitting or denying an upload. -The convenience script to faciliate this is called hookscan.sh and is located in the +The convenience script to facilitate this is called hookscan.sh and is located in the /usr/local/maldetect installation path. The default setup is to run a standard maldet scan with no clamav support, no cleaner rule executions and quarantining enabled; these options are set in the interest of performance vs accuracy which is a fair tradeoff. @@ -388,7 +388,7 @@ in single file scans by a wide margin. A single file scan using clamav takes rou To enable upload scanning with mod_security2 you must set enable the public_scan option in conf.maldet (public_scan=1) then add the following rules to your mod_security2 configuration. These rules are best placed in your modsec2.user.conf file on cpanel servers -or at the top of the appropraite rules file for your setup. +or at the top of the appropriate rules file for your setup. /usr/local/apache/conf/modsec2.user.conf (or similar mod_security2 rules file): SecRequestBodyAccess On @@ -437,7 +437,7 @@ cron will ensure new users have paths created no later than 10 minutes after cre All non-root scans, such as those performed under mod_security2, will be stored under the /usr/local/maldetect/pub/username directory tree. The quarantine paths are relative to the user -that exectues the scan, so user nobody would be under pub/nobody/quar/. The actual paths +that executes the scan, so user nobody would be under pub/nobody/quar/. The actual paths for where files are quarantined and the user which executed the scan, can be verified in the e-mail reports for upload hits. diff --git a/cron.daily b/cron.daily index 6ceb68a..5666139 100755 --- a/cron.daily +++ b/cron.daily @@ -66,7 +66,7 @@ fi # if we're running inotify monitoring, send daily hit summary if [ "$(ps -A --user root -o "cmd" | grep -E maldetect | grep -E inotifywait)" ]; then $inspath/maldet --monitor-report >> /dev/null 2>&1 -else +elif [ "$cron_daily_scan" == "1" ]; then if [ -d "/home/virtual" ] && [ -d "/usr/lib/opcenter" ]; then # ensim $inspath/maldet -b -r /home/virtual/?/fst/var/www/html/,/home/virtual/?/fst/home/?/public_html/ $scan_days >> /dev/null 2>&1 @@ -82,7 +82,7 @@ else elif [ -d "/etc/webmin/virtual-server" ]; then # Virtualmin $inspath/maldet -b -r /home/?/public_html/,/home/?/domains/?/public_html/ $scan_days >> /dev/null 2>&1 - elif [ -d "/usr/local/ispmgr" ]; then + elif [ -d "/usr/local/ispmgr" ] || [ -d "/usr/local/mgr5" ]; then # ISPmanager $inspath/maldet -b -r /var/www/?/data/,/home/?/data/ $scan_days >> /dev/null 2>&1 elif [ -d "/var/customers/webs" ]; then diff --git a/debian/changelog b/debian/changelog index 2162111..05893f5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +maldetect (1.6.4-1) unstable; urgency=medium + + * New upstream version 1.6.4 + + -- Brice Lopez Tue, 27 Oct 2020 17:41:01 +0100 + maldetect (1.6.2-2) UNRELEASED; urgency=medium * diff --git a/debian/patches/0001-10_maldetect-paths.patch b/debian/patches/0001-10_maldetect-paths.patch index 2b6bd1f..1fb25d4 100644 --- a/debian/patches/0001-10_maldetect-paths.patch +++ b/debian/patches/0001-10_maldetect-paths.patch @@ -1,59 +1,8 @@ - .ca.def | 6 +++--- - README | 28 ++++++++++++++-------------- - cron.d.pub | 2 +- - cron.daily | 28 ++++++++++++++-------------- - files/conf.maldet | 6 +++--- - files/hookscan.sh | 2 +- - files/internals/functions | 12 ++++++------ - files/internals/hexfifo.pl | 2 +- - files/internals/internals.conf | 8 ++++---- - files/internals/scan.etpl | 2 +- - files/internals/tlog | 2 +- - files/maldet | 10 +++++----- - files/service/maldet.service | 6 +++--- - files/service/maldet.sh | 10 +++++----- - files/service/maldet.sysconfig | 2 +- - install.sh | 10 +++++----- - 16 files changed, 68 insertions(+), 68 deletions(-) - ---- a/files/internals/importconf -+++ b/files/internals/importconf -@@ -1,4 +1,4 @@ --cat > /usr/local/maldetect/conf.maldet < /etc/maldetect/maldetect.conf <=2.9, you should set 'SecTmpSaveUploadedFiles On' before the +@@ -407,7 +407,7 @@ configurations this is the modsec_audit. -@@ -430,13 +430,13 @@ + The log entry will appear similar to the following: + Message: Access denied with code 406 (phase 2). File "/tmp/20121120-....-file" rejected by +-the approver script "/usr/local/maldetect/hookscan.sh": 0 maldet: {HEX}php.cmdshell.r57.317 ++the approver script "/etc/maldetect/hookscan.sh": 0 maldet: {HEX}php.cmdshell.r57.317 + /tmp/20121120-....-file [file "/usr/local/apache/conf/modsec2.user.conf"] [line "3"] + [severity "CRITICAL"] + +@@ -430,13 +430,13 @@ Given that the maldetect installation pa path world writable (777) or populate the pub path with user owned paths. It was undesirable to set any path world writable and as such a feature to populate path data was created. This feature is controlled with the --mkpubpaths flag and is executed from cron every 10 minutes, @@ -145,10 +124,10 @@ All non-root scans, such as those performed under mod_security2, will be stored under the -/usr/local/maldetect/pub/username directory tree. The quarantine paths are relative to the user +/var/lib/maldetect/pub/username directory tree. The quarantine paths are relative to the user - that exectues the scan, so user nobody would be under pub/nobody/quar/. The actual paths + that executes the scan, so user nobody would be under pub/nobody/quar/. The actual paths for where files are quarantined and the user which executed the scan, can be verified in the e-mail reports for upload hits. -@@ -444,7 +444,7 @@ +@@ -444,7 +444,7 @@ e-mail reports for upload hits. To restore files quarantined under non-root users, you must pass the -U|--user option to LMD, for example if user nobody quarantined a file you would like to restore, it can be restored as follows: @@ -157,13 +136,17 @@ Or, as always the scan ID can be used to restore maldet --user nobody 112012-0032.13771 ---- a/cron.d.pub -+++ b/cron.d.pub +Index: maldetect-1.6.4/cron.d.pub +=================================================================== +--- maldetect-1.6.4.orig/cron.d.pub ++++ maldetect-1.6.4/cron.d.pub @@ -1 +1 @@ -*/5 * * * * root /usr/local/maldetect/maldet --mkpubpaths >> /dev/null 2>&1 +*/5 * * * * root /usr/bin/maldet --mkpubpaths >> /dev/null 2>&1 ---- a/cron.daily -+++ b/cron.daily +Index: maldetect-1.6.4/cron.daily +=================================================================== +--- maldetect-1.6.4.orig/cron.daily ++++ maldetect-1.6.4/cron.daily @@ -1,8 +1,7 @@ #!/usr/bin/env bash export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH @@ -174,10 +157,12 @@ if [ -f "$intcnf" ]; then source $intcnf ---- a/files/conf.maldet -+++ b/files/conf.maldet -@@ -54,7 +54,7 @@ - cron_prune_days="21" +Index: maldetect-1.6.4/files/conf.maldet +=================================================================== +--- maldetect-1.6.4.orig/files/conf.maldet ++++ maldetect-1.6.4/files/conf.maldet +@@ -76,7 +76,7 @@ cron_prune_days="21" + cron_daily_scan="1" # When defined, the import_config_url option allows a configuration file to be -# downloaded from a remote URL. The local conf.maldet and internals.conf are @@ -185,7 +170,7 @@ # parsed followed by the imported configuration file. As such, only variables # defined in the imported configuration file are overridden and a full set of # configuration options is not explicitly required in the imported file. -@@ -173,7 +173,7 @@ +@@ -195,7 +195,7 @@ scan_find_timeout="0" # user files. This 'find' operation can be especially resource intensive and it may # be desirable to persist the file list results so that other applications/tasks # may make use of the results. When scan_export_filelist is set enabled, the most @@ -194,20 +179,19 @@ # [ 0 = disabled, 1 = enabled ] scan_export_filelist="0" -@@ -205,9 +205,9 @@ - # The default startup option for monitor mode, either 'users' or path to line - # spaced file containing local paths to monitor. This option is used for the - # init based startup script. This value is ignored when '/etc/sysconfig/maldet' --# or '/etc/default/maldet' is present with a defined value for $MONITOR_MODE. -+# or '/etc/default/maldetect' is present with a defined value for $MONITOR_MODE. - # default_monitor_mode="users" --# default_monitor_mode="/usr/local/maldetect/monitor_paths" -+# default_monitor_mode="/etc/maldetect/monitor_paths" - - # The base number of files that can be watched under a path, - # this ends up being a relative value per-user in user mode. ---- a/files/hookscan.sh -+++ b/files/hookscan.sh +@@ -236,7 +236,7 @@ quarantine_on_error="1" + # spaced file containing local paths to monitor. + # + # This option is optional for the init based startup script, maldet.sh. This +-# value is ignored when '/etc/sysconfig/maldet' or '/etc/default/maldet' is ++# value is ignored when '/etc/sysconfig/maldet' or '/etc/default/maldetect' is + # present with a defined value for $MONITOR_MODE. + # + # This option is REQUIRED for the systemd maldet.service script. That script +Index: maldetect-1.6.4/files/hookscan.sh +=================================================================== +--- maldetect-1.6.4.orig/files/hookscan.sh ++++ maldetect-1.6.4/files/hookscan.sh @@ -1,8 +1,7 @@ #!/usr/bin/env bash file="$1" @@ -218,9 +202,11 @@ if [ -f "$intcnf" ]; then source $intcnf fi ---- a/files/internals/functions -+++ b/files/internals/functions -@@ -423,7 +423,7 @@ +Index: maldetect-1.6.4/files/internals/functions +=================================================================== +--- maldetect-1.6.4.orig/files/internals/functions ++++ maldetect-1.6.4/files/internals/functions +@@ -422,7 +422,7 @@ usage $0 [ OPTION ] If FILE is specified, paths will be extracted from file, line spaced If PATHS are specified, must be comma spaced list, NO WILDCARDS! e.g: maldet --monitor users @@ -229,9 +215,11 @@ e.g: maldet --monitor /home/mike,/home/ashton -k, --kill-monitor ---- a/files/internals/hexfifo.pl -+++ b/files/internals/hexfifo.pl -@@ -15,7 +15,7 @@ +Index: maldetect-1.6.4/files/internals/hexfifo.pl +=================================================================== +--- maldetect-1.6.4.orig/files/internals/hexfifo.pl ++++ maldetect-1.6.4/files/internals/hexfifo.pl +@@ -15,7 +15,7 @@ if ($#ARGV != "0") { $hexfile = $ARGV[0]; @@ -240,8 +228,10 @@ $timeout = "1"; if (-p $named_pipe_name) { ---- a/files/internals/internals.conf -+++ b/files/internals/internals.conf +Index: maldetect-1.6.4/files/internals/internals.conf +=================================================================== +--- maldetect-1.6.4.orig/files/internals/internals.conf ++++ maldetect-1.6.4/files/internals/internals.conf @@ -6,18 +6,18 @@ ## # @@ -270,7 +260,7 @@ datestamp=`date +"%y%m%d-%H%M"` utime=`date +"%s"` user=`whoami` -@@ -63,7 +63,7 @@ +@@ -64,7 +64,7 @@ quardir="$varlibpath/quarantine" sessdir="$varlibpath/sess" sigdir="$varlibpath/sigs" cldir="$varlibpath/clean" @@ -279,9 +269,9 @@ userbasedir="$varlibpath/pub" hits_history="$sessdir/hits.hist" quar_history="$sessdir/quarantine.hist" -@@ -108,20 +108,20 @@ - remote_uri_timeout="10" - remote_uri_retries="3" +@@ -111,20 +111,20 @@ fi + remote_uri_timeout="30" + remote_uri_retries="4" clamav_paths="/usr/local/cpanel/3rdparty/share/clamav/ /var/lib/clamav/ /var/clamav/ /usr/share/clamav/ /usr/local/share/clamav" -tlog="$libpath/tlog" +tlog="$libpath/inotify/tlog" @@ -305,9 +295,11 @@ compatcnf="$libpath/compat.conf" if [ "$OSTYPE" == "FreeBSD" ]; then ---- a/files/internals/scan.etpl -+++ b/files/internals/scan.etpl -@@ -28,7 +28,7 @@ +Index: maldetect-1.6.4/files/internals/scan.etpl +=================================================================== +--- maldetect-1.6.4.orig/files/internals/scan.etpl ++++ maldetect-1.6.4/files/internals/scan.etpl +@@ -33,7 +33,7 @@ EOF if [ "$quarantine_hits" == "0" ] && [ ! "$tot_hits" == "0" ]; then echo "WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!" >> $tmpf echo "To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:" >> $tmpf @@ -316,9 +308,11 @@ fi if [ "$quarantine_clean" == "1" ]; then if [ "$type" == "scan" ] && [ -f "$sessdir/clean.$$" ] && [ ! -z "$(cat $sessdir/clean.$$)" ]; then ---- a/files/internals/tlog -+++ b/files/internals/tlog -@@ -24,7 +24,7 @@ +Index: maldetect-1.6.4/files/internals/tlog +=================================================================== +--- maldetect-1.6.4.orig/files/internals/tlog ++++ maldetect-1.6.4/files/internals/tlog +@@ -24,7 +24,7 @@ PATH=/sbin:/usr/sbin:/usr/bin:/usr/local # Base run path; no trailing slash @@ -327,12 +321,14 @@ if [ "$1" == "" ] && [ "$2" == "" ]; then echo "$0 usage: [file] [tlog]" ---- a/files/maldet -+++ b/files/maldet +Index: maldetect-1.6.4/files/maldet +=================================================================== +--- maldetect-1.6.4.orig/files/maldet ++++ maldetect-1.6.4/files/maldet @@ -9,12 +9,11 @@ # PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin - ver=1.6.2 + ver=1.6.4 -inspath='/usr/local/maldetect' -intcnf="$inspath/internals/internals.conf" +intcnf="/etc/maldetect/internals.conf" @@ -345,13 +341,15 @@ fi header() { ---- a/files/service/maldet.service -+++ b/files/service/maldet.service -@@ -3,9 +3,9 @@ - After=network.target +Index: maldetect-1.6.4/files/service/maldet.service +=================================================================== +--- maldetect-1.6.4.orig/files/service/maldet.service ++++ maldetect-1.6.4/files/service/maldet.service +@@ -4,9 +4,9 @@ After=network.target [Service] --ExecStart=/usr/local/maldetect/maldet --monitor /usr/local/maldetect/monitor_paths + EnvironmentFile=/usr/local/maldetect/conf.maldet +-ExecStart=/usr/local/maldetect/maldet --monitor $default_monitor_mode -ExecStop=/usr/local/maldetect/maldet --kill-monitor +ExecStart=/usr/bin/maldet --monitor /etc/maldetect/monitor_paths +ExecStop=/usr/bin/maldet --kill-monitor @@ -360,8 +358,10 @@ +PIDFile=/tmp/maldetect/inotifywait.pid [Install] WantedBy=multi-user.target ---- a/files/service/maldet.sh -+++ b/files/service/maldet.sh +Index: maldetect-1.6.4/files/service/maldet.sh +=================================================================== +--- maldetect-1.6.4.orig/files/service/maldet.sh ++++ maldetect-1.6.4/files/service/maldet.sh @@ -15,8 +15,7 @@ # X-Interactive: true # Short-Description: Start/stop maldet in monitor mode @@ -372,7 +372,7 @@ if [ -f "$intcnf" ]; then source $intcnf -@@ -35,8 +34,8 @@ +@@ -35,8 +34,8 @@ fi if [ -f "/etc/sysconfig/maldet" ]; then . /etc/sysconfig/maldet @@ -383,7 +383,7 @@ fi if [ "$default_monitor_mode" ]; then -@@ -55,7 +54,7 @@ +@@ -55,7 +54,7 @@ if [ -z "$MONITOR_MODE" ]; then if [ -f /etc/redhat-release ]; then echo "error no default monitor mode defined, set \$MONITOR_MODE in /etc/sysconfig/maldet, or \$default_monitor_mode in $cnf" elif [ -f /etc/debian_version ]; then @@ -392,16 +392,57 @@ else echo "error no default monitor mode defined, set \$MONITOR_MODE in /etc/sysconfig/maldet, or \$default_monitor_mode in $cnf" fi ---- a/files/service/maldet.sysconfig -+++ b/files/service/maldet.sysconfig +Index: maldetect-1.6.4/files/service/maldet.sysconfig +=================================================================== +--- maldetect-1.6.4.orig/files/service/maldet.sysconfig ++++ maldetect-1.6.4/files/service/maldet.sysconfig @@ -9,4 +9,4 @@ # PATH FILE | read path file, line spaced, for local paths to monitor #MONITOR_MODE="users" -#MONITOR_MODE="/usr/local/maldetect/monitor_paths" +#MONITOR_MODE="/etc/maldetect/monitor_paths" ---- a/files/cron/conf.maldet.cron -+++ b/files/cron/conf.maldet.cron +Index: maldetect-1.6.4/files/internals/importconf +=================================================================== +--- maldetect-1.6.4.orig/files/internals/importconf ++++ maldetect-1.6.4/files/internals/importconf +@@ -1,4 +1,4 @@ +-cat > /usr/local/maldetect/conf.maldet < /etc/maldetect/maldetect.conf <> /dev/null 2>&1 - cp -f $inspath.last/sigs/custom.* $sigdir/ 2> /dev/null diff --git a/files/VERSION.hash b/files/VERSION.hash index 60429fe..e7dd302 100644 --- a/files/VERSION.hash +++ b/files/VERSION.hash @@ -1 +1 @@ -04fed3b467889e049ea47d1059be755a22af67e38181aabf1a84c232a3757613 +d325f31d7dd908296bcd86e67081405827e6f3ee6688247a90041e6859966ba6 diff --git a/files/clean/base64.inject.unclassed b/files/clean/base64.inject.unclassed index 72d0131..0df2c0a 100755 --- a/files/clean/base64.inject.unclassed +++ b/files/clean/base64.inject.unclassed @@ -1,5 +1,6 @@ #!/usr/bin/env bash +export PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin # $1 file path, $2 signature name, $3 file owner, $4 file mode, $5 file size (b), $6 file md5sum if [ -f "$1" ]; then - $sed -i -e 's///' -e 's///' -e 's/eval(base64_decode([^;]*;//' "$1" + sed -i -e 's///' -e 's///' -e 's/eval(base64_decode([^;]*;//' "$1" fi diff --git a/files/clean/gzbase64.inject.unclassed b/files/clean/gzbase64.inject.unclassed index 8ef2e8a..5ff87c1 100755 --- a/files/clean/gzbase64.inject.unclassed +++ b/files/clean/gzbase64.inject.unclassed @@ -1,5 +1,6 @@ #!/usr/bin/env bash +export PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin # $1 file path, $2 signature name, $3 file owner, $4 file mode, $5 file size (b), $6 file md5sum if [ -f "$1" ]; then - $sed -i -e 's///' -e 's///' -e 's/eval(gzinflate(base64_decode(.*);//' "$1" + sed -i -e 's///' -e 's///' -e 's/eval(gzinflate(base64_decode(.*);//' "$1" fi diff --git a/files/clean/js.inject.VisitorTracker b/files/clean/js.inject.VisitorTracker index a6d4abb..467f345 100755 --- a/files/clean/js.inject.VisitorTracker +++ b/files/clean/js.inject.VisitorTracker @@ -1,5 +1,6 @@ #!/usr/bin/env bash +export PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin # $1 file path, $2 signature name, $3 file owner, $4 file mode, $5 file size (b), $6 file md5sum if [ -f "$1" ]; then - $sed -i -e '/var visitortrackerin = setInterval(function(){/,/}\/\*visitorTracker\*\//d' -e '/\/\*visitorTracker\*\//d' "$1" + sed -i -e '/var visitortrackerin = setInterval(function(){/,/}\/\*visitorTracker\*\//d' -e '/\/\*visitorTracker\*\//d' "$1" fi diff --git a/files/clean/js.inject.fakejquery02 b/files/clean/js.inject.fakejquery02 index d0f9bae..f851d38 100755 --- a/files/clean/js.inject.fakejquery02 +++ b/files/clean/js.inject.fakejquery02 @@ -1,6 +1,7 @@ #!/bin/bash +export PATH=/sbin:/bin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin # $1 file path, $2 signature name, $3 file owner, $4 file mode, $5 file size (b), $6 file md5sum if [ -f "$1" ]; then - $sed -i -e '/" + condition: + all of them +} +rule FSO_s_EFSO_2_2 { + meta: + description = "Webshells Auto-generated - file EFSO_2.asp" + author = "Yara Bulk Rule Generator by Florian Roth" + hash = "a341270f9ebd01320a7490c12cb2e64c" + strings: + $s0 = ";!+/DRknD7+.\\mDrC(V+kcJznndm\\f|nzKuJb'r@!&0KUY@*Jb@#@&Xl\"dKVcJ\\CslU,),@!0KxD~mKV" + $s4 = "\\co!VV2CDtSJ'E*#@#@&mKx/DP14lM/nY{JC81N+6LtbL3^hUWa;M/OE-AXX\"b~/fAs!u&9|J\\grKp\"j" + condition: + all of them +} +rule byshell063_ntboot_2 { + meta: + description = "Webshells Auto-generated - file ntboot.dll" + author = "Yara Bulk Rule Generator by Florian Roth" + hash = "cb9eb5a6ff327f4d6c46aacbbe9dda9d" + strings: + $s6 = "OK,job was done,cuz we have localsystem & SE_DEBUG_NAME:)" + condition: + all of them +} +rule u_uay { + meta: + description = "Webshells Auto-generated - file uay.exe" + author = "Yara Bulk Rule Generator by Florian Roth" + hash = "abbc7b31a24475e4c5d82fc4c2b8c7c4" + strings: + $s1 = "exec \"c:\\WINDOWS\\System32\\freecell.exe" + $s9 = "SYSTEM\\CurrentControlSet\\Services\\uay.sys\\Security" + condition: + 1 of them +} +rule bin_wuaus { + meta: + description = "Webshells Auto-generated - file wuaus.dll" + author = "Yara Bulk Rule Generator by Florian Roth" + hash = "46a365992bec7377b48a2263c49e4e7d" + strings: + $s1 = "9(90989@9V9^9f9n9v9" + $s2 = ":(:,:0:4:8:C:H:N:T:Y:_:e:o:y:" + $s3 = ";(=@=G=O=T=X=\\=" + $s4 = "TCP Send Error!!" + $s5 = "1\"1;1X1^1e1m1w1~1" + $s8 = "=$=)=/=<=Y=_=j=p=z=" + condition: + all of them +} +rule pwreveal { + meta: + description = "Webshells Auto-generated - file pwreveal.exe" + author = "Yara Bulk Rule Generator by Florian Roth" + hash = "b4e8447826a45b76ca45ba151a97ad50" + strings: + $s0 = "*NetBios Name: \\\\\" & Snet.ComputerName &" + condition: + all of them +} +rule cmdShell { + meta: + description = "Webshells Auto-generated - file cmdShell.asp" + author = "Yara Bulk Rule Generator by Florian Roth" + hash = "8a9fef43209b5d2d4b81dfbb45182036" + strings: + $s1 = "if cmdPath=\"wscriptShell\" then" + condition: + all of them +} +rule ZXshell2_0_rar_Folder_nc { + meta: + description = "Webshells Auto-generated - file nc.exe" + author = "Yara Bulk Rule Generator by Florian Roth" + hash = "2cd1bf15ae84c5f6917ddb128827ae8b" + strings: + $s0 = "WSOCK32.dll" + $s1 = "?bSUNKNOWNV" + $s7 = "p@gram Jm6h)" + $s8 = "ser32.dllCONFP@" + condition: + all of them +} +rule portlessinst { + meta: + description = "Webshells Auto-generated - file portlessinst.exe" + author = "Yara Bulk Rule Generator by Florian Roth" + hash = "74213856fc61475443a91cd84e2a6c2f" + strings: + $s2 = "Fail To Open Registry" + $s3 = "f<-WLEggDr\"" + $s6 = "oMemoryCreateP" + condition: + all of them +} +rule SetupBDoor { + meta: + description = "Webshells Auto-generated - file SetupBDoor.exe" + author = "Yara Bulk Rule Generator by Florian Roth" + hash = "41f89e20398368e742eda4a3b45716b6" + strings: + $s1 = "\\BDoor\\SetupBDoor" + condition: + all of them +} +rule phpshell_3 { + meta: + description = "Webshells Auto-generated - file phpshell.php" + author = "Yara Bulk Rule Generator by Florian Roth" + hash = "e8693a2d4a2ffea4df03bb678df3dc6d" + strings: + $s3 = "

" + $s5 = " echo \"\\n\";" + condition: + all of them +} +rule BIN_Server { + meta: + description = "Webshells Auto-generated - file Server.exe" + author = "Yara Bulk Rule Generator by Florian Roth" + hash = "1d5aa9cbf1429bb5b8bf600335916dcd" + strings: + $s0 = "configserver" + $s1 = "GetLogicalDrives" + $s2 = "WinExec" + $s4 = "fxftest" + $s5 = "upfileok" + $s7 = "upfileer" + condition: + all of them +} +rule HYTop2006_rar_Folder_2006 { + meta: + description = "Webshells Auto-generated - file 2006.asp" + author = "Yara Bulk Rule Generator by Florian Roth" + hash = "c19d6f4e069188f19b08fa94d44bc283" + strings: + $s6 = "strBackDoor = strBackDoor " + condition: + all of them +} +rule r57shell_3 { + meta: + description = "Webshells Auto-generated - file r57shell.php" + author = "Yara Bulk Rule Generator by Florian Roth" + hash = "87995a49f275b6b75abe2521e03ac2c0" + strings: + $s1 = "\".$_POST['cmd']" + condition: + all of them +} +rule HDConfig { + meta: + description = "Webshells Auto-generated - file HDConfig.exe" + author = "Yara Bulk Rule Generator by Florian Roth" + hash = "7d60e552fdca57642fd30462416347bd" + strings: + $s0 = "An encryption key is derived from the password hash. " + $s3 = "A hash object has been created. " + $s4 = "Error during CryptCreateHash!" + $s5 = "A new key container has been created." + $s6 = "The password has been added to the hash. " + condition: + all of them +} +rule FSO_s_ajan_2 { + meta: + description = "Webshells Auto-generated - file ajan.asp" + author = "Yara Bulk Rule Generator by Florian Roth" + hash = "22194f8c44524f80254e1b5aec67b03e" + strings: + $s2 = "\"Set WshShell = CreateObject(\"\"WScript.Shell\"\")" + $s3 = "/file.zip" + condition: + all of them +} + +rule Webshell_and_Exploit_CN_APT_HK : Webshell +{ +meta: + author = "Florian Roth" + description = "Webshell and Exploit Code in relation with APT against Honk Kong protesters" + date = "10.10.2014" + score = 50 +strings: + $a0 = "" fullword + $ekr4 = "" + $string7 = "setTimeout(" + $string8 = "'about:blank' WIDTH" + $string9 = "mf.document.write(" + $string10 = "document.write(" + $string11 = "Kasper " +condition: + 11 of them +} +rule zerox88_js3 +{ +meta: + author = "Josh Berry" + date = "2016-06-26" + description = "0x88 Exploit Kit Detection" + hash0 = "9df0ac2fa92e602ec11bac53555e2d82" + sample_filetype = "js-html" + yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" +strings: + $string0 = " new ActiveXObject(szHTTP); " + $string1 = " Csa2;" + $string2 = "var ADO " + $string3 = " new ActiveXObject(szOx88);" + $string4 = " unescape(" + $string5 = "/test.exe" + $string6 = " szEtYij;" + $string7 = "var HTTP " + $string8 = "%41%44%4F%44%42%2E" + $string9 = "%4D%65%64%69%61" + $string10 = "var szSRjq" + $string11 = "%43%3A%5C%5C%50%72%6F%67%72%61%6D" + $string12 = "var METHOD " + $string13 = "ADO.Mode " + $string14 = "%61%79%65%72" + $string15 = "%2E%58%4D%4C%48%54%54%50" + $string16 = " 7 - 6; HTTP.Open(METHOD, szURL, i-3); " +condition: + 16 of them +} +rule zeus_js : EK +{ +meta: + author = "Josh Berry" + date = "2016-06-26" + description = "Zeus Exploit Kit Detection" + hash0 = "c87ac7a25168df49a64564afb04dc961" + sample_filetype = "js-html" + yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator" +strings: + $string0 = "var jsmLastMenu " + $string1 = "position:absolute; z-index:99' " + $string2 = " -1)jsmSetDisplayStyle('popupmenu' " + $string3 = " ' -# (C) 2017, Ryan MacDonald +# Linux Malware Detect v1.6.4 +# (C) 2002-2019, R-fx Networks +# (C) 2019, Ryan MacDonald # This program may be freely redistributed under the terms of the GNU GPL v2 ## # PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin -ver=1.6 +ver=1.6.4 +ver_major=1.6 inspath=/usr/local/maldetect logf=$inspath/logs/event_log conftemp="$inspath/internals/importconf" @@ -39,11 +40,12 @@ if [ ! -d "$inspath" ] && [ -d "files" ]; then done killall -SIGUSR2 clamd 2> /dev/null else - if [ "$(ps -A --user root -o "cmd" 2> /dev/null | grep maldetect | grep inotifywait)" ]; then + if [ "$(ps -A --user root -o "command" 2> /dev/null | grep maldetect | grep inotifywait)" ]; then $inspath/maldet -k >> /dev/null 2>&1 monmode=1 fi $find ${inspath}.* -maxdepth 0 -type d -mtime +30 2> /dev/null | xargs rm -rf + chattr -ia $inspath/internals/internals.conf mv $inspath $inspath.bk$$ ln -fs $inspath.bk$$ $inspath.last mkdir -p $inspath @@ -56,7 +58,7 @@ else gzip -9 $inspath/maldet.1 ln -fs $inspath/maldet.1.gz /usr/local/share/man/man1/maldet.1.gz cp -f $inspath.bk$$/ignore_* $inspath/ >> /dev/null 2>&1 - if [ "$ver" == "1.5" ] || [ "$ver" == "1.6" ]; then + if [ "$ver_major" == "1.5" ] || [ "$ver_major" == "1.6" ]; then cp -f $inspath.bk$$/sess/* $inspath/sess/ >> /dev/null 2>&1 cp -f $inspath.bk$$/tmp/* $inspath/tmp/ >> /dev/null 2>&1 cp -f $inspath.bk$$/quarantine/* $inspath/quarantine/ >> /dev/null 2>&1 @@ -127,8 +129,8 @@ ln -fs $logf $inspath/event_log $inspath/maldet --alert-daily 2> /dev/null echo "Linux Malware Detect v$ver" -echo " (C) 2002-2017, R-fx Networks " -echo " (C) 2017, Ryan MacDonald " +echo " (C) 2002-2019, R-fx Networks " +echo " (C) 2019, Ryan MacDonald " echo "This program may be freely redistributed under the terms of the GNU GPL" echo "" echo "installation completed to $inspath"