antimalware / manul

Antimalware tool for websites

Could not properly handle AJAX request {"readyState":4,"responseText":"XML path error filePath=/var/www/admin/www/xxx.ru//wp-signup.php #84

Open pavel-odintsov opened 9 years ago

pavel-odintsov commented 9 years ago

Hello!

I ran the toolkit on a site built with WordPress and got this error:

Could not properly handle AJAX request {"readyState":4,"responseText":"XML path error filePath=/var/www/admin/www/xxx.ru//wp-signup.php relativePath=./wp-signup.php projectRootDir=/var/www/admin/www/xxx.ru/manul/manul docRoot=/var/www/admin/www/xxxx.ru/","status":200,"statusText":"OK"}
pavel-odintsov commented 9 years ago

How could I fix it?

peter-volkov commented 9 years ago

Hi. Well, at the moment I cannot reproduce the issue, but I have some ideas about what happened and will implement them soon. It would be great if you could provide some additional information about your environment: hosting, software versions, etc.

pavel-odintsov commented 9 years ago

php -v
PHP 5.4.39-0+deb7u2 (cli) (built: Mar 25 2015 08:33:29)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies

dpkg -l | grep fcg
ii  libapache2-mod-fcgid  1:2.3.6-1.2+deb7u1  amd64  an alternative module compat with mod_fastcgi

Wordpress up to date.

peter-volkov commented 9 years ago

Thanks. Could you please remove these lines https://github.com/antimalware/manul/blob/master/src/scanner/classes/MalwareDetector.inc.php#L264-L266 and start again?

pavel-odintsov commented 9 years ago

I will try it shortly. Thanks!

pavel-odintsov commented 9 years ago

Well, it finished but nothing found.

pavel-odintsov commented 9 years ago

But there are a bunch of files with malware which are perfectly detected by clamav with the maldet databases: https://github.com/FastVPSEestiOu/Antidoto/wiki/%D0%AD%D1%84%D1%84%D0%B5%D0%BA%D1%82%D0%B8%D0%B2%D0%BD%D0%BE%D0%B5-%D0%BE%D0%B1%D0%BD%D0%B0%D1%80%D1%83%D0%B6%D0%B5%D0%BD%D0%B8%D0%B5-Malware-%D1%81%D0%B8%D0%BB%D0%B0%D0%BC%D0%B8-ClamAv-%D0%B8-Maldet---%D0%BF%D0%BE%D0%B4%D0%BA%D0%BB%D1%8E%D1%87%D0%B5%D0%BD%D0%B8%D0%B5-%D0%B1%D0%B0%D0%B7-Maldet-%D0%BA-ClamAV

clamscan --infected -d /usr/local/maldetect/sigs/rfxn.ndb -d /usr/local/maldetect/sigs/rfxn.hdb -d /var/lib/clamav --exclude-dir='^/sys|^/proc|^/dev' -r /var/www/admin/www/san99.ru/
/var/www/admin/www/san99.ru/manul/manul.zip: {HEX}php.cmdshell.fx29.259.UNOFFICIAL FOUND
/var/www/admin/www/san99.ru/manul/manul/trojans/dump.php: {MD5}php.mailer.r42.6682.UNOFFICIAL FOUND
/var/www/admin/www/san99.ru/manul/manul/trojans/info.php: Php.Trojan.StopPost FOUND
/var/www/admin/www/san99.ru/manul/manul/trojans/option.php: Php.Malware.Mailbot-1 FOUND
/var/www/admin/www/san99.ru/manul/manul/trojans/dir.php: Php.Trojan.StopPost FOUND
/var/www/admin/www/san99.ru/manul/manul/trojans/phpini.php: {HEX}php.cmdshell.unclassed.357.UNOFFICIAL FOUND
/var/www/admin/www/san99.ru/manul/manul/trojans/files.php: Php.Trojan.StopPost FOUND
/var/www/admin/www/san99.ru/manul/manul/trojans/sql.php: Php.Malware.Mailbot-1 FOUND
/var/www/admin/www/san99.ru/manul/manul/trojans/model.php: Php.Trojan.StopPost FOUND
/var/www/admin/www/san99.ru/manul/manul/static/signatures/malware_db.xml: {HEX}php.cmdshell.fx29.259.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3812110
Engine version: 0.98.5
Scanned directories: 380
Scanned files: 3979
Infected files: 10
Data scanned: 140.36 MB
Data read: 82.62 MB (ratio 1.70:1)
Time: 24.748 sec (0 m 24 s)
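Every hit in the clamscan output above lies inside the manul install directory itself: its trojans/ samples and its signature database static/signatures/malware_db.xml contain malware fragments by design, so another scanner fed the rfxn/maldet databases will match them. The following is an added example, not code from manul or from anyone in this thread: it parses `clamscan --infected` output and separates hits under the scanner's own tree from hits elsewhere in the document root. The sample input reuses lines quoted above, plus one constructed wp-content/uploads line (invented for illustration) so that both groups are non-empty; the scanner directory passed to `triage` is an assumption about where manul was unpacked.

```python
import re

# Constructed sample. The first four lines are copied from the clamscan output in the
# thread; the wp-content/uploads line is invented to show a hit outside the scanner tree.
SAMPLE_OUTPUT = """\
/var/www/admin/www/san99.ru/manul/manul.zip: {HEX}php.cmdshell.fx29.259.UNOFFICIAL FOUND
/var/www/admin/www/san99.ru/manul/manul/trojans/dump.php: {MD5}php.mailer.r42.6682.UNOFFICIAL FOUND
/var/www/admin/www/san99.ru/manul/manul/trojans/info.php: Php.Trojan.StopPost FOUND
/var/www/admin/www/san99.ru/manul/manul/static/signatures/malware_db.xml: {HEX}php.cmdshell.fx29.259.UNOFFICIAL FOUND
/var/www/admin/www/san99.ru/wp-content/uploads/2015/05/x.php: Php.Trojan.StopPost FOUND

----------- SCAN SUMMARY -----------
Known viruses: 3812110
Engine version: 0.98.5
Scanned directories: 380
Scanned files: 3979
Infected files: 5
Data scanned: 140.36 MB
Time: 24.748 sec (0 m 24 s)
"""

# One detection per line: "<path>: <signature> FOUND". ClamAV signature names contain no
# spaces, so a single non-space run before " FOUND" captures the whole name.
HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


def parse_clamscan(text):
    """Return ([(path, signature), ...], {summary_key: value}) from clamscan --infected output."""
    hits, summary, in_summary = [], {}, False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("----------- SCAN SUMMARY"):
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group("key")] = m.group("value")
            continue
        m = HIT_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits, summary


def triage(hits, scanner_dir):
    """Split hits into those under the scanner's own install tree and those in the site.

    scanner_dir is an assumption about where the manul archive was unpacked; a prefix
    match with a trailing slash avoids matching sibling directories such as "manul2".
    """
    prefix = scanner_dir.rstrip("/") + "/"
    groups = {"scanner_self": [], "site": []}
    for path, sig in hits:
        key = "scanner_self" if path.startswith(prefix) else "site"
        groups[key].append((path, sig))
    return groups


def signature_counts(hits):
    """Count how often each signature fired; useful for spotting one noisy rule."""
    counts = {}
    for _, sig in hits:
        counts[sig] = counts.get(sig, 0) + 1
    return counts


if __name__ == "__main__":
    hits, summary = parse_clamscan(SAMPLE_OUTPUT)
    groups = triage(hits, "/var/www/admin/www/san99.ru/manul")
    print("infected files reported:", summary.get("Infected files"))
    print("hits inside scanner tree:", len(groups["scanner_self"]))
    for path, sig in groups["site"]:
        print("site hit:", path, sig)
```

Hits in the "site" group are the ones worth opening by hand; hits inside the scanner tree should be confirmed against the unpacked archive's checksums rather than deleted, since they are the scanner's own test material.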
peter-volkov commented 9 years ago

Ok. Can you show me the log or its part?

pavel-odintsov commented 9 years ago
cat scan_log.xml 
<?xml version="1.0" encoding="utf-8"?>
<website_info>
  <server_environment>
    <script_filename>/var/www/admin/www/xxxx.ru/manul/manul/index.php</script_filename>
    <document_root>/var/www/admin/www/xxxx.ru/</document_root>
    <http_host>san99.ru</http_host>
    <admin_email>admin@san99.ru</admin_email>
    <time>2015.05.06 00:17:52</time>
    <server_addr>127.0.0.1</server_addr>
    <software>Apache/2.2.22 (Debian)</software>
    <server_gateway>CGI/1.1</server_gateway>
    <server_signature>&lt;address&gt;Apache/2.2.22 (Debian) Server at xxxxx Port 80&lt;/address&gt;
</server_signature>
    <server_hostname>xxxxx</server_hostname>
    <platform_name>Linux 2.6.32-042stab104.1 #1 SMP Thu Jan 29 12:58:41 MSK 2015</platform_name>
    <server_architecture>x86_64</server_architecture>
    <username>uid: 1001, gid: 1001</username>
    <path>/var/www/admin/www/xxxxx.ru/manul/manul</path>
    <phpinfo>Version: 5.4.39-0+deb7u2&lt;br/&gt;System Version: Linux san99 2.6.32-042stab104.1 #1 SMP Thu Jan 29 12:58:41 MSK 2015 x86_64 &lt;br/&gt;PHP API: CGI/FastCGI &lt;br/&gt;allow_url_fopen: On&lt;br/&gt;allow_url_include: Off&lt;br/&gt;disable_functions: -?-&lt;br/&gt;display_errors: On&lt;br/&gt;error_reporting: 0&lt;br/&gt;expose_php: On&lt;br/&gt;log_errors: Off&lt;br/&gt;magic_quotes_gpc: &lt;br/&gt;magic_quotes_runtime: &lt;br/&gt;register_globals: &lt;br/&gt;open_basedir: -?-&lt;br/&gt;Ini Path: /var/www/admin/php-bin/php.ini &lt;br/&gt;CGI.FixPathInfo: 1&lt;br/&gt;safe_mode: &lt;br/&gt;
List of enabled functions: popen exec ftp_exec system passthru get_current_user proc_open shell_exec ini_restore getmygid symlink chgrp ini_set putenv extension_loaded getmyuid fsockopen posix_setuid posix_setsid posix_setpgid posix_kill apache_child_terminate chmod chdir pcntl_exec phpinfo proc_close proc_get_status proc_terminate proc_nice proc_close escapeshellcmd escapeshellarg show_source pclose ini_restore chown chgrp mysql_list_dbs get_current_user pfsockopen &lt;br/&gt;List of disabled functions: dl virtual proc_getstatus safe_dir dl shown_source getmyid leak </phpinfo>
  </server_environment>
  <cms_list>
    <cms name="Wordpress" version="4.2.1"/>
  </cms_list>
  <files/>
</website_info>
peter-volkov commented 9 years ago

Thanks. Nothing was scanned, see the empty files node. It's a bug actually. I will work on it.
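The empty `<files/>` node is the tell that the run examined nothing, and the same log also records PHP settings worth reading before trusting any scan result on this host. As an added example, not code from manul or from either participant, the script below parses a scan_log.xml in the shape quoted above, reports whether any files were recorded, decodes the `<br/>`-separated phpinfo text into settings, and lists the ones a responder would flag. The sample log is a trimmed copy of the one posted in the thread; treating the `-?-` value as "not set or unreadable" is an assumption about manul's output, not something the project documents.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed from the scan_log.xml quoted in the thread.
SAMPLE_LOG = """<?xml version="1.0" encoding="utf-8"?>
<website_info>
  <server_environment>
    <document_root>/var/www/admin/www/xxxx.ru/</document_root>
    <software>Apache/2.2.22 (Debian)</software>
    <username>uid: 1001, gid: 1001</username>
    <phpinfo>Version: 5.4.39-0+deb7u2&lt;br/&gt;PHP API: CGI/FastCGI &lt;br/&gt;allow_url_fopen: On&lt;br/&gt;allow_url_include: Off&lt;br/&gt;disable_functions: -?-&lt;br/&gt;display_errors: On&lt;br/&gt;error_reporting: 0&lt;br/&gt;expose_php: On&lt;br/&gt;log_errors: Off&lt;br/&gt;open_basedir: -?-&lt;br/&gt;safe_mode: &lt;br/&gt;
List of enabled functions: popen exec system passthru proc_open shell_exec symlink posix_setuid pcntl_exec phpinfo &lt;br/&gt;List of disabled functions: dl virtual </phpinfo>
  </server_environment>
  <cms_list>
    <cms name="Wordpress" version="4.2.1"/>
  </cms_list>
  <files/>
</website_info>
"""

# Functions that let a web shell run commands or escalate; presence in the "enabled"
# list is what a responder wants surfaced.
DANGEROUS = {"exec", "system", "passthru", "shell_exec", "proc_open", "popen",
             "pcntl_exec", "posix_setuid", "symlink"}


def parse_phpinfo(blob):
    """Turn the '<br/>'-separated 'key: value' text of <phpinfo> into a dict."""
    settings = {}
    for chunk in blob.replace("\n", "").split("<br/>"):
        if ":" not in chunk:
            continue
        key, _, value = chunk.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def assess_scan_log(xml_text):
    """Return files_recorded, parsed php settings, detected CMS list and findings."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    files = root.find("files")
    files_recorded = 0 if files is None else len(list(files))
    findings = []
    if files_recorded == 0:
        findings.append("no files recorded in <files>: the scan examined nothing")

    env = root.find("server_environment")
    php = parse_phpinfo(env.findtext("phpinfo", default="") if env is not None else "")

    # Settings whose quoted value is the weak one.
    weak = {"allow_url_fopen": "On", "display_errors": "On",
            "expose_php": "On", "log_errors": "Off"}
    for key, bad in weak.items():
        if php.get(key) == bad:
            findings.append(f"{key} is {bad}")
    if php.get("error_reporting") == "0":
        findings.append("error_reporting is 0: PHP errors are silently discarded")
    # Assumption: manul prints "-?-" when the directive is unset or unreadable.
    if php.get("disable_functions", "") in ("", "-?-"):
        findings.append("disable_functions is empty or unreadable (-?-)")
    if php.get("open_basedir", "") in ("", "-?-"):
        findings.append("open_basedir is empty or unreadable (-?-)")

    enabled = set(php.get("List of enabled functions", "").split())
    risky = sorted(enabled & DANGEROUS)
    if risky:
        findings.append("risky functions callable: " + " ".join(risky))

    cms = [(c.get("name"), c.get("version")) for c in root.iter("cms")]
    return {"files_recorded": files_recorded, "php": php, "cms": cms, "findings": findings}


if __name__ == "__main__":
    report = assess_scan_log(SAMPLE_LOG)
    print("files recorded:", report["files_recorded"], "cms:", report["cms"])
    for finding in report["findings"]:
        print("-", finding)
```

A log with `files_recorded == 0` should be treated as "no result" rather than "clean", which is exactly the distinction the empty node hides when one only looks at the scanner's summary.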

pavel-odintsov commented 9 years ago

And the zip file looks very strange. It uncompresses to the same file again and again.
