Status: Closed (closed by mpingu 6 years ago)
I remember adding this rule a year or more ago, and it revealed a lot more sites infected with credit-card hijacking at the time. Is there a way to refine the rules so they don't trigger on your false positive?
On Thu, 28 Jun 2018, 15:15 Carsten Bohuslav wrote:
> Moved the rule because of false positives for the Node module node-forge
> https://github.com/gwillem/magento-malware-scanner/pull/213
> Commit summary: moved JS_Encoded_CC_Hijack because of a false positive for node-forge
> File changes: M rules/custom.yar (14), M rules/suspicious.yar (13)
I am not that good with YARA rules. It hits for the following file: $webroot/node_modules/node-forge/nodejs/ui/test.min.js: JS_Encoded_CC_Hijack. It is from the Node module node-forge, https://www.npmjs.com/package/node-forge
@mpingu perhaps you can determine which part of the test.min.js file is affected and post that section here? Then we can figure out (together with @Mooey28) if there's a way to refine the regex.
@gwillem I will try to find that part of the file, but I only have it in a minified version and my JS is not good. So I think it will be mostly up to you guys :(
I'll try and take a look if I can, probably Saturday, if it's not found before. I have not been in the hack investigation game for the last 6 months, but I'm happy to support where I can still!
@mpingu you can try a service like https://regex101.com/ and see which regex / which targets are flagged?
PS Learning regex will be a valuable skill for the rest of your life ;)
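Following the suggestion above to find out which regex and which part of test.min.js are responsible, here is a stand-alone Python script that does the same job offline: it reports every pattern match in a file with its offset and surrounding context, and mimics a YARA "N of them" condition so you can see how requiring more than one string to co-occur changes the verdict. This is an added example, not code from the magento-malware-scanner project or from anyone in this thread. The pattern names, the two regexes and the two minified snippets are constructed for illustration; the real strings of JS_Encoded_CC_Hijack live in the scanner's rules and are not reproduced here.

```python
import re
from dataclasses import dataclass

# Hypothetical stand-in patterns (assumption): a long run of \xNN escapes and a
# long String.fromCharCode(...) list. Replace them with the actual strings of
# the rule you are triaging; the logic below does not depend on these values.
PATTERNS = {
    "$hex_run": r"(?:\\x[0-9a-fA-F]{2}){8,}",
    "$charcode_list": r"String\.fromCharCode\((?:\d{1,3},\s*){8,}\d{1,3}\)",
}

# Constructed inputs (not from node-forge or any real skimmer): a benign-looking
# chunk that only carries a long hex-escape run, as test vectors in a crypto
# library might, and a chunk that additionally assembles a string from a list of
# character codes.
BENIGN_MINIFIED = (
    'var t="\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09";'
    'function a(e){return e.length}'
)
SUSPECT_MINIFIED = (
    'var k="\\x61\\x62\\x63\\x64\\x65\\x66\\x67\\x68";'
    'var u=String.fromCharCode(104,116,116,112,115,58,47,47,120);'
)


@dataclass(frozen=True)
class Hit:
    pattern: str   # name of the pattern that matched
    offset: int    # character offset of the match in the file
    matched: str   # the exact text the pattern consumed
    context: str   # a window around the match, for posting in a bug report


def locate_hits(text, patterns=PATTERNS, window=30):
    """Return every match of every pattern, sorted by offset, each with a
    context window. On a minified file this is the quickest way to see what a
    rule is actually keying on."""
    hits = []
    for name, pat in patterns.items():
        for m in re.finditer(pat, text):
            lo = max(0, m.start() - window)
            hi = min(len(text), m.end() + window)
            hits.append(Hit(name, m.start(), m.group(0), text[lo:hi]))
    return sorted(hits, key=lambda h: h.offset)


def fired_patterns(text, patterns=PATTERNS):
    """Distinct pattern names that match at least once."""
    return {h.pattern for h in locate_hits(text, patterns)}


def would_fire(text, minimum=1, patterns=PATTERNS):
    """Mimic a YARA condition of the shape 'minimum of them': the rule fires
    only when at least `minimum` distinct patterns match the file."""
    return len(fired_patterns(text, patterns)) >= minimum


def report(label, text):
    print(f"== {label}")
    for h in locate_hits(text):
        print(f"  {h.pattern} @ {h.offset}: {h.matched!r}")
        print(f"    context: {h.context!r}")
    for n in (1, 2):
        print(f"  fires with '{n} of them': {would_fire(text, minimum=n)}")


if __name__ == "__main__":
    report("benign (hex run only)", BENIGN_MINIFIED)
    report("suspect (hex run + charcode list)", SUSPECT_MINIFIED)
```

To use it on a real hit, read test.min.js into `text` and replace PATTERNS with the strings from the rule; the printed context is exactly the section worth pasting into a thread like this one. Note that raising `minimum` from 1 to 2 is only the shape of the refinement discussed above, not what the project did here: the fix that landed was a whitelist entry, not a rule change.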
I also had a false positive. Just whitelisted it, see #214. In that commit I also added instructions to Contributing.md on how to whitelist.
Closed in favor of #214. Thanks @mpingu for finding this and your contribution!
Sorry never got round to checking myself. If I can continue further I'll try!