EXPLOITSCANNER SCHEDULING USING A CRON JOB - May 30th, 2012


After some fits and starts trying to get the script to work in a shared hosting environment, here’s what I
discovered...

Most shared hosting plans do not allow command line access, so scanning from the web seems like the only choice.

Most hosts time out PHP script execution at 90 seconds, so it is likely that your script will time out, as noted in
the readme file.

However, if you can run your exploitScanner as a cron job, you may be able to run it using the cron manager command line
and get around the timeout issue.

Here’s how it worked for me at IXWebHosting. (There's more info on setting up cron jobs and scheduling in the recipe
CREATING A CRON JOB.)

At the very top of the xs.php script, I inserted the line (NOTE: your path will probably be different)

#!/hsphere/shared/php5/bin/php -q

to call the php interpreter.

On the cron manager command line I used (NOTE: enter your own path information here):

/path_to_your_server/xs.php -p /path_to_your_server/ -l xs.log

This calls the xs.php script, tells it to start in the site's root directory, and has it create a log file called xs.log
in the root directory.

Don't be fooled into thinking that scanning is a quick process; my meager site took between 25 and 30 minutes to execute
and then create the cron report and log file.

So, you might want to do your testing on a directory that has only a few files and change to the root after you get
everything working.

The only change that I made in the xs.php file, other than the php interpreter call, was to change the time zone.

GOING FURTHER

Dave Edis from Interactive Tools offered: to suppress the listing of the number of scanned files in each directory when
the scanner is run from a cronjob, you can just comment out this line:

print "Files Scanned: " .number_format($OPTIONS['filesScanned']). "\r";

The -p flag can be followed either by the full path to the directory that you want to scan, or by a "." (without the
quotes). The "." means root directory. Don't forget to leave a space between the -p and the ".", i.e.: -p .

The -l flag only requires the file name of the log file after a space, i.e.: -l your_log_file.log

Your log file might look something like this.

Exploit Scanner v1.01 - Scans filesystem for web exploit patterns
--------------------------------------------------------------------------------
Matched Patterns: php(36), js(7), htaccess(6), filepath(2)
Scan started: Fri, 25 May 2012 09:35:01 -0400
Root dir: /hsphere/local/home/xyz/your_domain.com
Log file: your_log_file.log

/hsphere/local/home/xyz/your_domain.com/your_file.php (Score: 11)
- PHP Code Match (Score 10): PHP gzinflate(base64_decode()) function pairing previously seen in exploit code (matched string: gzinflate(base64_decode($stuff2))));)
- PHP Code Match (Score 1): PHP variable being called as a function (matched string: " . $mysql_error()

Scanned: 235 dirs, 4,308 files (1 risks found)
Execute time: 127 minutes, 19 seconds

--------------------------------------------------------------------------------
* Note: Please send any files with false-positives or undetected-exploits to us.

An explanation of the various entries:

>Matched Patterns: php(36), js(7), htaccess(6), filepath(2)

These are the number of patterns being checked for different kinds of files. Note that often a single pattern will match
multiple exploits.

>Scan started: Thu, 24 May 2012 16:41:49 -0400

When the scan was started, useful if output is going to an email or log.

>Root dir: /hsphere/local/home/xyz/your_domain.com

The path being scanned, also useful for reference when output is going to an email or log.

>Log file: your_log_file.log

If you scan from the command line you can output to a log file by adding -l yourlogfile.log, in which case the filename
would be reflected here.

>/hsphere/local/home/xyz/your_domain.com/your_file.php (Score: 11)

The path to a scanned file with a possible exploit vulnerability, and the total score of those vulnerabilities.

> - PHP Code Match (Score 10): PHP gzinflate(base64_decode()) function pairing previously seen in exploit code (matched string: gzinflate(base64_decode($stuff2))));)
> - PHP Code Match (Score 1): PHP variable being called as a function (matched string: " . $mysql_error()

These are the patterns that were discovered.

> Scanned: 235 dirs, 4,308 files (1 risks found)
> Execute time: 127 minutes, 19 seconds

The number of directories and files scanned, and the time that it took for the entire scan.
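Added example (not part of the original recipe or of Interactive Tools' scanner): a small POSIX shell wrapper you could point the cron manager at instead of xs.php directly. It runs the scan as described above, then pulls the "risks found" count and the flagged file paths out of the log in the format shown, so the cron e-mail only carries content when something was flagged. The interpreter and site paths are placeholders, and it assumes the log is written inside the -p directory as the recipe describes.

```shell
#!/bin/sh
# Added example, not part of the original recipe: cron wrapper around xs.php
# that reads the log the scanner wrote and reports only when files were flagged.
set -u

# Extract N from the "Scanned: ... (N risks found)" summary line of an xs.php log.
xs_risk_count() {
    sed -n 's/.*(\([0-9][0-9]*\) risks* found).*/\1/p' "$1" | tail -n 1
}

# List flagged files: lines of the form "/path/to/file.php (Score: 11)".
# Detail lines ("- PHP Code Match (Score 10): ...") do not start with "/" and are skipped.
xs_flagged_files() {
    sed -n 's/^\(\/.*\) (Score: [0-9][0-9]*)$/\1/p' "$1"
}

# Constructed sample log in the format shown in the recipe, used for a dry run.
SAMPLE_LOG="${TMPDIR:-/tmp}/xs_sample_$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
Exploit Scanner v1.01 - Scans filesystem for web exploit patterns
--------------------------------------------------------------------------------
Matched Patterns: php(36), js(7), htaccess(6), filepath(2)
Scan started: Fri, 25 May 2012 09:35:01 -0400
Root dir: /hsphere/local/home/xyz/your_domain.com
Log file: your_log_file.log

/hsphere/local/home/xyz/your_domain.com/your_file.php (Score: 11)
- PHP Code Match (Score 10): PHP gzinflate(base64_decode()) function pairing previously seen in exploit code (matched string: gzinflate(base64_decode($stuff2))));)
- PHP Code Match (Score 1): PHP variable being called as a function (matched string: " . $mysql_error()

Scanned: 235 dirs, 4,308 files (1 risks found)
Execute time: 127 minutes, 19 seconds
EOF

# Cron entry point. Paths are placeholders (assumption): the php binary from the
# recipe's shebang, the site root passed to -p, and a log name passed to -l, which
# the recipe says ends up inside that root. Non-zero exit means something was flagged.
run_scan_and_report() {
    site_root="$1"; log_name="$2"
    /hsphere/shared/php5/bin/php -q "$site_root/xs.php" -p "$site_root" -l "$log_name" >/dev/null 2>&1
    count="$(xs_risk_count "$site_root/$log_name")"
    if [ "${count:-0}" -gt 0 ]; then
        echo "exploitScanner: $count risk(s) found under $site_root"
        xs_flagged_files "$site_root/$log_name"
        return 1
    fi
    return 0
}

# Only run the real scan when invoked as: wrapper.sh run /path_to_your_server xs.log
if [ "${1:-}" = "run" ]; then run_scan_and_report "$2" "$3"; fi
```

Because cron mails whatever a job prints, a silent run means a clean scan and a mail with file paths means the log needs a look.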

