Today we have released the beta version 1.30.0 of the ISPProtect Malware Scanner.

To update your ISPProtect instance to the beta version, use ispp_scan --update --channel=beta. Be aware that this beta version might still contain bugs.

Deep scan

Some attackers do not embed their malware into existing or new PHP files. Instead they put it into files with non-PHP extensions such as .txt and pull it into PHP files with require() / include() and the like. This makes it harder to spot: during malware research, admins often look only at the PHP files and may overlook the suspicious includes.

The new version of ISPProtect adds the scan argument --deep-check. With it, ISPProtect searches PHP files for include/require statements, locates the files they reference and scans those files as well, whatever their extension.

Let's have a look at an example.

Malware example

Here we have a file called "database.txt" that contains the malicious code:

<?php
eval(base64_decode($_POST['mypost']));

A .txt file is not executed by the PHP interpreter on its own, so by itself this file does no harm. Now imagine the following PHP file:

<?php
/* some real harmless code here */
define('PTH', realpath(dirname(__FILE__)));
include PTH . "/" . "database.txt";

This makes database.txt anything but harmless. The include reads the contents of the .txt file and interprets them as PHP code, which lets the attacker execute any command they want by POSTing a base64-encoded payload.
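To make the deep-check idea concrete, here is an added example in Python. It is not ISPProtect's own code (the scanner's internals are not published on this page); it implements what the feature description outlines: find include/require statements in *.php files, resolve the included file, and scan that file no matter what extension it has. The sample site it builds reproduces the two files from the example above, and the indicator patterns, the path-resolution heuristic (take the trailing string literal and resolve it next to the including file) and the extra settings.inc file are all constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic (assumption): an include/require whose argument ends in a string
# literal. Prefixes such as `PTH . "/"`, `__DIR__ .` or `dirname(__FILE__) .`
# are taken to mean "the including file's own directory". Fully dynamic paths
# ($_GET['page'] . '.php') cannot be resolved statically and are skipped.
INCLUDE_RE = re.compile(
    r"\b(include|require)(_once)?\s*\(?\s*(?P<expr>[^;]+?)\s*\)?\s*;",
    re.IGNORECASE,
)
LITERAL_RE = re.compile(r"""["']([^"']+)["']\s*$""")

# Constructed indicators matching the eval(base64_decode($_POST[...])) pattern
# shown on this page. A real scanner uses a much larger signature set.
SUSPICIOUS = [
    re.compile(r"\beval\s*\(", re.IGNORECASE),
    re.compile(r"\bbase64_decode\s*\(", re.IGNORECASE),
    re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b"),
]


def build_sample_site() -> Path:
    """Constructed web root: the page's two files plus one benign include."""
    root = Path(tempfile.mkdtemp(prefix="ispp_demo_"))
    (root / "database.txt").write_text(
        "<?php\neval(base64_decode($_POST['mypost']));\n"
    )
    (root / "index.php").write_text(
        "<?php\n/* some real harmless code here */\n"
        "define('PTH', realpath(dirname(__FILE__)));\n"
        'include PTH . "/" . "database.txt";\n'
    )
    (root / "config.php").write_text(
        "<?php\nrequire_once __DIR__ . '/settings.inc';\n"
    )
    (root / "settings.inc").write_text("<?php\n$db_host = 'localhost';\n")
    return root


def find_includes(php_path: Path) -> list[Path]:
    """Files that php_path pulls in via include/require (static resolution)."""
    text = php_path.read_text(errors="replace")
    targets = []
    for m in INCLUDE_RE.finditer(text):
        lit = LITERAL_RE.search(m.group("expr"))
        if not lit:
            continue  # dynamic path, cannot be resolved without running PHP
        candidate = (php_path.parent / lit.group(1).lstrip("/")).resolve()
        if candidate.is_file():
            targets.append(candidate)
    return targets


def scan_file(path: Path) -> list[str]:
    """Indicator patterns that fire on the file's contents."""
    text = path.read_text(errors="replace")
    return [p.pattern for p in SUSPICIOUS if p.search(text)]


def shallow_check(root: Path) -> dict[str, list[str]]:
    """A PHP-only scan: database.txt is never opened, so nothing is found."""
    results = {}
    for php in root.rglob("*.php"):
        hits = scan_file(php)
        if hits:
            results[str(php.relative_to(root))] = hits
    return results


def deep_check(root: Path) -> dict[str, list[str]]:
    """Follow includes out of every PHP file and scan the targets too."""
    findings = {}
    for php in root.rglob("*.php"):
        for inc in find_includes(php):
            hits = scan_file(inc)
            if hits:
                findings[str(inc.relative_to(root))] = hits
    return findings


if __name__ == "__main__":
    site = build_sample_site()
    print("shallow:", shallow_check(site))  # {}
    print("deep:   ", deep_check(site))     # database.txt flagged
```

Run as a script, the shallow pass reports nothing because index.php itself contains no indicator, while the deep pass flags database.txt with all three patterns. The path heuristic is deliberately simple; an include whose path is built from request data stays unresolved, which is exactly the gap a follow-up manual review should cover.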

As usual, the new version also ships new malware signatures and updated false-positive signatures.

New BETA version 1.30.0 with deep scan feature