Forum Monitoring
- Category Admin & Mod Tools
- Downloads 20
- Compatibility IC5: 5.0.0
- Updated
Overview
This app monitors your forum and lists all changes made to its files within a time frame set by the admin. It also scans all folders and files inside your forum folder for potentially malicious code and/or backdoor scripts.
Description
File Change Detection:
If files listed as modified haven't been changed by you and haven't been updated automatically by the system, it could indicate that your forum has most likely been tampered with. Those files might have been changed to include malicious code.
In addition to changes to existing files, the upload of new file(s) is detected too.
In that case, it would be best to immediately check the file(s) in question and contact your host so they can look into the unauthorized file changes and take the necessary actions to plug the point of entry.
Potential Backdoor Scanning:
What Is a Backdoor?
A backdoor is malicious code injected into valid file(s) of whatever scripts one is running on their server space, often as only one short line of code that looks rather innocent. A backdoor can also be a standalone file.
Hackers leave backdoors behind once they breach the security of a website, to make sure they can get back in even after you secure it; that is, a backdoor allows them unauthorized and often unrestricted access to a compromised site. Unless you can remove the backdoor(s), there's no stopping them.
Backdoors are hidden from view and made to look like legitimate files, so they can be extremely difficult to find. That's where this app comes in.
It will scan every line of code in every single file inside your forum folder for exploitable PHP Functions, PHP Code Execution, Command Execution and Filesystem Functions.
A Few Examples:
The mod scans for a very wide array of PHP and filesystem functions, and code and command executions. Below are a few of them, along with how they can be exploited by hackers.
Command Execution!
exec - Returns the last line of the command's output
passthru - Passes the command's output directly to the browser
system - Passes the command's output directly to the browser and returns the last line
shell_exec - Returns the command's output
popen - Opens a read or write pipe to the process of a command
proc_open - Similar to popen() but with a greater degree of control
pcntl_exec - Executes a program
PHP Code Execution!
Apart from eval there are other ways to execute PHP code: include/require can be used for remote code execution in the form of Local File Include and Remote File Include vulnerabilities.
assert() - identical to eval()
preg_replace('/.*/e',...) - /e does an eval() on the match
create_function()
include()
include_once()
require()
require_once()
Disguised Malicious Code
eval(base64_decode(....)) and eval(gzinflate(base64_decode(..))) are used to disguise the nature of the malicious code.
str_rot13 is heavily used in combination with base64_decode. This too is used to disguise the nature of the malicious code.
False Positives:
All the aforementioned PHP functions, commands, executions etc. are legitimate. IPS and all the other PHP/MySQL forum/CMS scripts make use of them. Unfortunately, they are also the functions most commonly used by bad actors to inject malicious code. Therefore there will be false positive reports.
If you see your forum files mentioned as containing the aforementioned code, you can ignore it. But if the app reports any forum file as recently modified and you haven't touched the file(s) in question, then you should check it immediately, as chances are that it's foul play.
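As an added example, not the app's own code: a Python script that applies the triage rule above, listing risky calls from this page's function lists and ranking files that were recently modified, or that pass decoded data to eval, ahead of old files that merely contain a listed function. The name scan_tree, the scoring weights, the 7-day window and the use of file modification time are assumptions.

```python
import re
import sys
import time
from pathlib import Path

# A subset of the functions listed on this page.
RISKY = re.compile(
    r"\b(exec|passthru|system|shell_exec|popen|proc_open|pcntl_exec|"
    r"eval|assert|create_function)\s*\(", re.I)
# eval() fed directly by a decoder: the disguise described on this page.
OBFUSCATED = re.compile(
    r"\beval\s*\(\s*(gzinflate|str_rot13|base64_decode)\s*\(", re.I)


def scan_tree(root, window_seconds, now=None):
    """Return findings for PHP files under root, most suspicious first."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = sorted({m.group(1).lower() for m in RISKY.finditer(text)})
        obfuscated = bool(OBFUSCATED.search(text))
        recent = now - path.stat().st_mtime <= window_seconds
        if not (hits or recent):
            continue  # old file with none of the listed calls
        # A listed call alone is the expected false positive (weight 1);
        # a recent change or eval-of-decoded-data raises priority (assumed weights).
        score = (2 if recent else 0) + (2 if obfuscated else 0) + (1 if hits else 0)
        findings.append({
            "file": str(path.relative_to(root)),
            "recent": recent,
            "obfuscated": obfuscated,
            "functions": hits,
            "score": score,
        })
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    forum_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for finding in scan_tree(forum_root, 7 * 86400):  # assumed 7-day window
        print(finding)
```

Modification time can be set by whoever wrote the file, so a baseline of file hashes kept off the server is a stronger change signal than mtime alone.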