gwillem / magento-malware-scanner

Scanner, signatures and the largest collection of Magento malware
GNU General Public License v3.0

moved JS_Encoded_CC_Hijack because false positive for node-forge #213

Closed mpingu closed 6 years ago

mpingu commented 6 years ago

Moved the rule because of false positives for the Node module node-forge

Mooey28 commented 6 years ago

I remember adding this rule a year or more ago, and it revealed a lot more sites infected with credit card hijack at the time. Is there a way to refine the rules so they don't hit your false positive?

On Thu, 28 Jun 2018, 15:15 Carsten Bohuslav, notifications@github.com wrote:

Moved the rule because of false positives for the Node module node-forge


mpingu commented 6 years ago

I am not that good with YARA rules. It hits for the following file: $webroot/node_modules/node-forge/nodejs/ui/test.min.js: JS_Encoded_CC_Hijack. It is for the Node module node-forge https://www.npmjs.com/package/node-forge

gwillem commented 6 years ago

@mpingu perhaps you can determine which part of the test.min.js file is affected and post that section here? Then we can figure out (together with @Mooey28) if there's a way to refine the regex.

mpingu commented 6 years ago

@gwillem I will try to find that part of the file, but I only got it in a minified version and my JS is not good. So I think it will be mostly up to you guys :(

Mooey28 commented 6 years ago

I'll try and take a look if I can, probably Saturday, if not found before. I have not been in the hack investigation game for the last 6 months but happy to support where I can still!

On Thu, 28 Jun 2018, 16:01 Carsten Bohuslav, notifications@github.com wrote:

@gwillem https://github.com/gwillem I will try to find that part of the file, but I only got it in a minified version and my JS is not good. So I think it will be mostly up to you guys :(


gwillem commented 6 years ago

@mpingu you can try a service like https://regex101.com/ and see which regex / which targets are flagged?

PS Learning regex will be a valuable skill for the rest of your life ;)
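The two remedies discussed in this thread, narrowing down which bytes of a minified file trigger a rule (so that region can be posted instead of the whole file) and allowlisting a known-good file, as an added example that is not code from this thread or from the scanner itself. The rule body and the sample JavaScript are constructed stand-ins, since the real JS_Encoded_CC_Hijack rule is not quoted here, and allowlisting by SHA-256 is an assumption about how such a whitelist could work, not a description of #214.

```python
import hashlib
import re

# Constructed stand-in for the JS_Encoded_CC_Hijack rule body (not the real rule):
# it fires on a long run of JavaScript hex escapes, a common sign of an obfuscated
# string, which is also exactly what a legitimate crypto test vector looks like.
RULES = {
    "JS_Encoded_CC_Hijack_STANDIN": re.compile(rb"(?:\\x[0-9a-fA-F]{2}){16,}"),
}

# Constructed sample: a minified library that legitimately embeds an escaped
# test vector of 32 hex escapes, enough to trip the stand-in rule above.
SAMPLE_JS = (b"!function(){var a=require('crypto');var v='"
             + b"".join(b"\\x%02x" % b for b in range(0x20, 0x40))
             + b"';module.exports=function(){return a.createHash('sha256').update(v)}}();")


def locate_hits(data, rules=RULES, context=30):
    """Return one dict per rule match: rule name, byte offset, the matched bytes
    and a little surrounding context, so the flagged region of a minified file
    can be quoted in an issue and the rule refined against it."""
    hits = []
    for name, pattern in rules.items():
        for m in pattern.finditer(data):
            lo, hi = max(0, m.start() - context), min(len(data), m.end() + context)
            hits.append({"rule": name, "offset": m.start(),
                         "match": m.group(0), "context": data[lo:hi]})
    return hits


def scan(data, allowlist=frozenset(), rules=RULES):
    """Allowlist-then-scan: a file whose SHA-256 is on the allowlist is reported
    as allowlisted without running the rules; anything else returns its hits."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in allowlist:
        return {"sha256": digest, "allowlisted": True, "hits": []}
    return {"sha256": digest, "allowlisted": False, "hits": locate_hits(data, rules)}


if __name__ == "__main__":
    for h in locate_hits(SAMPLE_JS):
        print(f"{h['rule']} at offset {h['offset']}: ...{h['context']!r}...")
    known_good = {hashlib.sha256(SAMPLE_JS).hexdigest()}
    print("allowlisted:", scan(SAMPLE_JS, allowlist=known_good)["allowlisted"])
```

Once the offending region is isolated, the rule can be tightened against it (for example by requiring other markers alongside the escape run) and the result rechecked with the same function.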

jeroenvermeulen commented 6 years ago

I also had a false positive. Just whitelisted it, see #214. In that commit I also added instructions to Contributing.md on how to whitelist.

gwillem commented 6 years ago

Closed in favor of #214. Thanks @mpingu for finding this and your contribution!

Mooey28 commented 6 years ago

Sorry, never got round to checking myself. If I can continue further I'll try!

On Sun, 8 Jul 2018, 10:36 Willem de Groot, notifications@github.com wrote:

Closed #213 https://github.com/gwillem/magento-malware-scanner/pull/213.
