Maybe you are here because of MailPoet or StackOverflow
This tool was created to clean infected PHP files which contain obfuscated code or a dangerous server backdoor. There is a code sample on StackOverflow for UNIX systems with root access, but you won't always have root, and with those samples you never know which modification of the bad code you have. With the method below you can fine-tune the bad-sample library to match your case.
If you have this bad code on your server, it could be triggered at any time and could do anything on your server. In fact, the purpose and content of this malware code could also be changed at any time. The code could be stealing passwords, sending spam e-mail from your IP, or even hosting illegal copies of torrent files and stealing traffic you pay for. Once your IP is globally blacklisted, it is hard to get your SEO on Google etc. back.
This tool is only a helper to fix already broken things. You shouldn't rely on it as primary protection. A correctly configured server environment is the first thing to check after an attack.
To create this, I have donated two workdays to clean up a private server; please contribute with code comments, better descriptions in more fluent language and other suggestions. So far, my motivation to update is anger at this malware, as I do not code for a living and this malware code ruined our multi-site server for non-profit organisations, where I belong. I believe in open source software (OSS) and believe that OSS can be safer than paid software, if the public gives effort to it. There are so many great programmers amongst us; unfortunately, there are at least as many who use their skills for personal gain by doing bad things.
It will be at the beginning of the PHP file, opening with `<?php` and closing with `?>`. This is the safest way to inject code into an already existing code file. In future, malware could get smarter and hide between sets of valid code. So, for example, you have

```php
<?php
/* Here comes my super-duper code */
?>
```

(the ending tag may or may not be present)
Or even plain HTML inside a .php file:

```html
<!DOCTYPE html>
<html>
<title>Narnia Guardian</title>
```

etc.
After the malware injection the file will look something like

```php
<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x //etc. ending with ?> if you have turned off your editor line break
<?php
/* Here comes my super-duper code */
```
Even hackers have to respect correct code syntax, he he...
It now becomes clear why I told you all that:

- NG will search for PHP files which contain bad code samples from the library (blacklist.txt)
- Starting from that exact location, NG will search for the matching pair of PHP tags right before and right after the sample location, i.e. the tag pair the bad code lives in
- IF everything matches up, everything inside that matching pair of PHP tags will be removed, including the tags themselves, to keep the code clean
- Malware samples differ from case to case, so you have to update them in order to clean up your code
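The tag-pair removal described in the list above, written out as a stand-alone PHP function. This is an added example, not NarniaGuardian's own code: the function names `cleanInjectedBlocks()` and `loadSamples()`, the `$maxBlockLength` limit and the demo file content are assumptions made here for illustration. It also adds the check the README's root-error log stands for: a matching block that is suspiciously large is only reported, not cut, so a big legitimate class file is not destroyed by a short sample.

```php
<?php
// Added example (not NarniaGuardian's own code): remove every "<?php ... ?>"
// block that contains a blacklist sample. Assumed names: cleanInjectedBlocks(),
// loadSamples(), $maxBlockLength. The demo input below is constructed.

/**
 * Returns ['content' => cleaned file, 'report' => list of actions taken].
 *
 * A matching block longer than $maxBlockLength bytes is flagged instead of
 * removed: a large legitimate class or minified library can contain a short
 * sample by accident, which is exactly the case the README's root-error log
 * asks you to review by hand.
 */
function cleanInjectedBlocks(string $content, array $samples, int $maxBlockLength = 20000): array
{
    $report = [];
    foreach ($samples as $sample) {
        $sample = trim($sample);
        if ($sample === '') {
            continue;                                  // blank line in blacklist.txt
        }
        // One sample can sit in several injected blocks, so loop until none is left.
        while (($hit = strpos($content, $sample)) !== false) {
            // Nearest "<?php" at or before the hit, nearest "?>" at or after it.
            $open  = strrpos(substr($content, 0, $hit + strlen($sample)), '<?php');
            $close = strpos($content, '?>', $hit);
            if ($open === false || $close === false) {
                $report[] = "flag: '$sample' is not inside a complete <?php ... ?> pair; review manually";
                break;                                 // no safe pair to cut, leave the file alone
            }
            $end = $close + 2;
            // PHP swallows a single newline directly after "?>", so the injected block never
            // printed it; remove it together with the block so the file's output stays identical.
            if (substr($content, $end, 2) === "\r\n") {
                $end += 2;
            } elseif (substr($content, $end, 1) === "\n") {
                $end += 1;
            }
            $blockLength = $end - $open;
            if ($blockLength > $maxBlockLength) {
                $report[] = "flag: block containing '$sample' is $blockLength bytes; review manually";
                break;
            }
            // Drop the block including both tags; everything else is kept byte for byte.
            $content  = substr($content, 0, $open) . substr($content, $end);
            $report[] = "removed: $blockLength-byte block at offset $open containing '$sample'";
        }
    }
    return ['content' => $content, 'report' => $report];
}

/** Read blacklist.txt the way the README describes it: one sample per line. */
function loadSamples(string $path): array
{
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return $lines === false ? [] : $lines;
}

// Constructed demo input: the README's key string inside a front-of-file block
// (no real payload), followed by the README's "super-duper code" example.
$infected = <<<'PHPFILE'
<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua = 'constructed stand-in, no payload'; } ?>
<?php
/* Here comes my super-duper code */
echo "still here";
PHPFILE;

// In a real run: $samples = loadSamples('blacklist.txt');
$samples = ['if(!isset($GLOBALS["\x61\156\x75\156\x61"]))'];

$result = cleanInjectedBlocks($infected, $samples);
foreach ($result['report'] as $line) {
    echo $line, PHP_EOL;
}
echo '--- cleaned file ---', PHP_EOL, $result['content'], PHP_EOL;
```

Run it on a copy of the file first, as the README says below. The pairing is deliberately as naive as the README describes: the nearest `<?php` before the sample and the nearest `?>` after it are taken as the block boundaries, so a `?>` inside a legitimate string literal, or a sample that also occurs in your own code, will make the cut land in the wrong place. The specificity of the strings in blacklist.txt is what keeps this safe.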
| File | Role |
|---|---|
| NarniaGuardian.php | Contains the cleaner class |
| blacklist.txt | Insert the library of malware samples here |
| uniquelist.txt | List of unique first lines of PHP files |
| logs | Folder where logs will appear |
1. Download / upload the script to a test location (strongly suggested)
2. Modify / copy the content of index.php between the first section of `<?php ... ?>`
3. Run the script by browsing to its location in a browser
4. Inspect the output of the script: there will be blocks of obfuscated code, and right before each block the location it comes from should be printed
5. Inspect the source of the file containing the obfuscated block. If it is clear that this is not your code or other legitimate minified code, search for a string that can serve as a key string to recognize it, for example `if(!isset($GLOBALS["\x61\156\x75\156\x61"]))`, meaningless variables such as `$bmhqhhzolg`, or `$pjro=22;$vnlpv=$pjro+42;`
6. Copy these kinds of strings to the blacklist.txt library, one sample per line. Clear the content of uniquelist.txt and run the script again.
7. Open uniquelist.txt, search for malware code and copy a typical sample of it to the blacklist.txt library, one sample per line
8. Check the logs folder for success. The one named root-error[..].log will contain a list of files which are suspicious but could be some large class file. These should be checked and deleted manually.
9. Repeat steps 3 to 6. If the output is much shorter, it means it is working; don't stop until you are sure that all of your files are clean.
10. Copy this script to a safe place and chmod it for safety. In bad hands it could do bad things out of the box.
11. Change ALL passwords, I mean ALL: WordPress, databases, WordPress salts, user passwords, secret keys, everything. All passwords could have been read by the malware code.
12. Update your OSS or paid software to the latest versions, including WordPress, plugins, extensions, anything you have
13. chmod correct file permissions for your project. It could be `755` for directories and `644` for files (please commit here!)
14. If it is your own code, walk over ALL of it manually: check that form inputs are escaped, that it is protected against SQL injection, etc.
15. Ask your hosting provider to assign a new public IP
16. Pray to God that your super-secret files didn't get stolen
17. Google more about this issue
I have told all I know (what you should know to clean a server). If this repo gets popular, I will update the code so it could work as a passive guard over a server of tens of thousands of PHP files. For that, and so that in future I can remember all the ideas, here goes my todo feature list:

- Silent mode, to be run behind the scenes without distracting with ugly output of numbers and codes
- E-mail notification if this code finds bad code
- Detection level / flags: whether to output on screen, to send a warning e-mail, to auto-delete
- Auto-learn the blacklist sample list (smarter detection)
- Extend the out-of-the-box blacklist library, but it shouldn't be too large as it increases the script's run time. Please send your set of library samples.
- If this gets really popular: create an auto-updater for the sample list from a public commit repo, but this is a dangerous action. In this case the Guardian should be run from a hidden location, for example if you host many PHP sites and want passive protection against backdoors, because you never know what a site owner will do wrong.
Project names containing Narnia
I give this name if the code is meant to be run in private / hidden locations, without public access. If you see my project containing Narnia and you don't have any idea why you see it, it means that you have run into the wrong place or something is broken and now you see it. Just like in the movie, it is real magic...
I strongly suggest testing the clean-up script on localhost with corrupted files, or at least on a copy inside your host. Once I release this to the public domain the script runs perfectly, but hackers don't sleep and they could change their code so that my guardian won't clean it up any more, or so that the script will delete more than it should.