Closed lengthofrope closed 7 years ago
Which antivirus is that?
On 29 Aug 2016 14:45, "Bas de Kort" notifications@github.com wrote:
Malware found: {HEX}php.base64.v23au.185
I think it is a false positive, but I cannot find out what is causing the issue in this file.
A quick run through an online scanner gives all clear.
Could you please answer the following questions:
@brammittendorff Did I miss anything?
@Potherca I think you summed it up nicely. The most important thing is said by @Ocramius we need to know which antivirus / scanning tool this is. And maybe after that we can reproduce the same error / message.
Hi there,
In short: I will get back to you on the malware scanning tool
Hi there, the malware scanner used is maldet: https://www.rfxn.com/projects/linux-malware-detect/
@lengthofrope Could you please provide us with the signature version (e.g. 201608309492) and the maldet version (e.g. v1.5)?
Updating to the latest signature:
```
bram@ubuntu:~$ sudo maldet -u
Linux Malware Detect v1.5
            (C) 2002-2016, R-fx Networks <proj@rfxn.com>
            (C) 2016, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(19098): {sigup} performing signature update check...
maldet(19098): {sigup} local signature set is version 201608309492
maldet(19098): {sigup} latest signature set already installed
```
Running maldet on the latest version of PHPTAL:
```
sudo maldet -a /home/bram/PHPTAL/
Linux Malware Detect v1.5
            (C) 2002-2016, R-fx Networks <proj@rfxn.com>
            (C) 2016, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(19192): {scan} signatures loaded: 10906 (8988 MD5 / 1918 HEX / 0 USER)
maldet(19192): {scan} building file list for /home/bram/PHPTAL/, this might take awhile...
maldet(19192): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(19192): {scan} file list completed in 0s, found 495 files...
maldet(19192): {scan} scan of /home/bram/PHPTAL/ (495 files) in progress...
maldet(19192): {scan} 495/495 files scanned: 0 hits 0 cleaned
maldet(19192): {scan} scan completed on /home/bram/PHPTAL/: files 495, malware hits 0, cleaned hits 0, time 13s
maldet(19192): {scan} scan report saved, to view run: maldet --report 160831-0952.19192
```
Saved report:
```
HOST:      ubuntu
SCAN ID:   160831-0952.19192
STARTED:   Aug 31 2016 09:52:42 +0200
COMPLETED: Aug 31 2016 09:52:55 +0200
ELAPSED:   13s [find: 0s]

PATH:          /home/bram/PHPTAL/
TOTAL FILES:   495
TOTAL HITS:    0
TOTAL CLEANED: 0

===============================================
Linux Malware Detect v1.5 < proj@rfxn.com >
```
I am also leaning toward thinking it's a false positive, but it would be nice if we could reproduce it. 😄
@brammittendorff
Hi there,
here is the full maldet output:
```
Linux Malware Detect v1.5
            (C) 2002-2016, R-fx Networks <proj@rfxn.com>
            (C) 2016, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

signature set: 201608309492
usage maldet [-h|--help] [-a|--scan-all PATH] [-r|--scan-recent PATH DAYS]
             [-f|--file-list PATH] [-i|--include-regex] [-x|--exclude-regex]
             [-b|--background] [-m|--monitor] [-k|--kill-monitor] [-c|--checkout]
             [-q|--quarantine] [-s|--restore] [-n|--clean] [-l|--log] [-e|--report]
             [-u|--update-sigs] [-d|--update-ver]
```
When running maldet it reports it is using the clamav binary as scanner engine.
Also here is the report:
```
HOST:      *********
SCAN ID:   160829-1142.6553
STARTED:   Aug 29 2016 11:42:58 +0200
COMPLETED: Aug 29 2016 12:14:08 +0200
ELAPSED:   1870s [find: 1s]

PATH:          /var/www/
TOTAL FILES:   66304
TOTAL HITS:    2
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still$
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 160829-1142.6553

FILE HIT LIST:
{HEX}php.base64.v23au.185 : /****/PHPTAL/Dom/SaxXmlParser.php
===============================================
Linux Malware Detect v1.5 < proj@rfxn.com >
```
@lengthofrope Could you give us the code of the file:
```
{HEX}php.base64.v23au.185 : /****/PHPTAL/Dom/SaxXmlParser.php
```
Sure.
```php
<?php
/**
 * PHPTAL templating engine
 *
 * PHP Version 5
 *
 * @category HTML
 * @package  PHPTAL
 * @author   Laurent Bedubourg <lbedubourg@motion-twin.com>
 * @author   Kornel Lesiński <kornel@aardvarkmedia.co.uk>
 * @license  http://www.gnu.org/licenses/lgpl.html GNU Lesser General Public License
 * @version  SVN: $Id$
 * @link     http://phptal.org/
 */

/**
 * Simple sax like xml parser for PHPTAL
 * ("Dom" in the class name comes from name of the directory, not mode of operation)
 *
 * At the time this parser was created, standard PHP libraries were not suitable
 * (could not retrieve doctypes, xml declaration, problems with comments and CDATA).
 *
 * There are still some problems: XML parsers don't care about exact format of entities
 * or CDATA sections (PHPTAL tries to preserve them),
 * <?php ?> blocks are not allowed in attributes.
 *
 * This parser failed to enforce some XML well-formedness constraints,
 * and there are ill-formed templates "in the wild" because of this.
 *
 * @package    PHPTAL
 * @subpackage Dom
 * @see PHPTAL_DOM_DocumentBuilder
 */
class PHPTAL_Dom_SaxXmlParser
{
    private $_file;
    private $_line;
    private $_source;

    // available parser states
    const ST_ROOT = 0;
    const ST_TEXT = 1;
    const ST_LT = 2;
    const ST_TAG_NAME = 3;
    const ST_TAG_CLOSE = 4;
    const ST_TAG_SINGLE = 5;
    const ST_TAG_ATTRIBUTES = 6;
    const ST_TAG_BETWEEN_ATTRIBUTE = 7;
    const ST_CDATA = 8;
    const ST_COMMENT = 9;
    const ST_DOCTYPE = 10;
    const ST_XMLDEC = 11;
    const ST_PREPROC = 12;
    const ST_ATTR_KEY = 13;
    const ST_ATTR_EQ = 14;
    const ST_ATTR_QUOTE = 15;
    const ST_ATTR_VALUE = 16;

    const BOM_STR = "\xef\xbb\xbf";

    static $state_names = array(
        self::ST_ROOT => 'root node',
        self::ST_TEXT => 'text',
        self::ST_LT => 'start of tag',
        self::ST_TAG_NAME => 'tag name',
        self::ST_TAG_CLOSE => 'closing tag',
        self::ST_TAG_SINGLE => 'self-closing tag',
        self::ST_TAG_ATTRIBUTES => 'tag',
        self::ST_TAG_BETWEEN_ATTRIBUTE => 'tag attributes',
        self::ST_CDATA => 'CDATA',
        self::ST_COMMENT => 'comment',
        self::ST_DOCTYPE => 'doctype',
        self::ST_XMLDEC => 'XML declaration',
        self::ST_PREPROC => 'preprocessor directive',
        self::ST_ATTR_KEY => 'attribute name',
        self::ST_ATTR_EQ => 'attribute value',
        self::ST_ATTR_QUOTE => 'quoted attribute value',
        self::ST_ATTR_VALUE => 'unquoted attribute value',
    );

    private $input_encoding;

    public function __construct($input_encoding)
    {
        $this->input_encoding = $input_encoding;
        $this->_file = "<string>";
    }

    public function parseFile(PHPTAL_Dom_DocumentBuilder $builder, $src)
    {
        if (!file_exists($src)) {
            throw new PHPTAL_IOException("file $src not found");
        }
        return $this->parseString($builder, file_get_contents($src), $src);
    }

    public function parseString(PHPTAL_Dom_DocumentBuilder $builder, $src, $filename = '<string>')
    {
        try
        {
            $builder->setEncoding($this->input_encoding);
            $this->_file = $filename;

            $this->_line = 1;
            $state = self::ST_ROOT;
            $mark = 0;
            $len = strlen($src);

            $quoteStyle = '"';
            $tagname = "";
            $attribute = "";
            $attributes = array();

            $customDoctype = false;

            $builder->setSource($this->_file, $this->_line);
            $builder->onDocumentStart();

            $i=0;
            // remove BOM (UTF-8 byte order mark)...
            if (substr($src, 0, 3) === self::BOM_STR) {
                $i=3;
            }

            for (; $i<$len; $i++) {
                $c = $src[$i]; // Change to substr($src, $i, 1); if you want to use mb_string.func_overload

                if ($c === "\n") $builder->setSource($this->_file, ++$this->_line);

                switch ($state) {
                    case self::ST_ROOT:
                        if ($c === '<') {
                            $mark = $i; // mark tag start
                            $state = self::ST_LT;
                        } elseif (!self::isWhiteChar($c)) {
                            $this->raiseError("Characters found before beginning of the document! (wrap document in <tal:block> to avoid this error)");
                        }
                        break;

                    case self::ST_TEXT:
                        if ($c === '<') {
                            if ($mark != $i) {
                                $builder->onElementData($this->sanitizeEscapedText($this->checkEncoding(substr($src, $mark, $i-$mark))));
                            }
                            $mark = $i;
                            $state = self::ST_LT;
                        }
                        break;

                    case self::ST_LT:
                        if ($c === '/') {
                            $mark = $i+1;
                            $state = self::ST_TAG_CLOSE;
                        } elseif ($c === '?' and strtolower(substr($src, $i, 5)) === '?xml ') {
                            $state = self::ST_XMLDEC;
                        } elseif ($c === '?') {
                            $state = self::ST_PREPROC;
                        } elseif ($c === '!' and substr($src, $i, 3) === '!--') {
                            $state = self::ST_COMMENT;
                        } elseif ($c === '!' and substr($src, $i, 8) === '![CDATA[') {
                            $state = self::ST_CDATA;
                            $mark = $i+8; // past opening tag
                        } elseif ($c === '!' and strtoupper(substr($src, $i, 8)) === '!DOCTYPE') {
                            $state = self::ST_DOCTYPE;
                        } elseif (self::isWhiteChar($c)) {
                            $state = self::ST_TEXT;
                        } else {
                            $mark = $i; // mark node name start
                            $attributes = array();
                            $attribute = "";
                            $state = self::ST_TAG_NAME;
                        }
                        break;

                    case self::ST_TAG_NAME:
                        if (self::isWhiteChar($c) || $c === '/' || $c === '>') {
                            $tagname = substr($src, $mark, $i-$mark);
                            if (!$this->isValidQName($tagname)) $this->raiseError("Invalid tag name '$tagname'");

                            if ($c === '/') {
                                $state = self::ST_TAG_SINGLE;
                            } elseif ($c === '>') {
                                $mark = $i+1; // mark text start
                                $state = self::ST_TEXT;
                                $builder->onElementStart($tagname, $attributes);
                            } else /* isWhiteChar */ {
                                $state = self::ST_TAG_ATTRIBUTES;
                            }
                        }
                        break;

                    case self::ST_TAG_CLOSE:
                        if ($c === '>') {
                            $tagname = rtrim(substr($src, $mark, $i-$mark));
                            $builder->onElementClose($tagname);
                            $mark = $i+1; // mark text start
                            $state = self::ST_TEXT;
                        }
                        break;

                    case self::ST_TAG_SINGLE:
                        if ($c !== '>') {
                            $this->raiseError("Expected '/>', but found '/$c' inside tag <$tagname>");
                        }
                        $mark = $i+1; // mark text start
                        $state = self::ST_TEXT;
                        $builder->onElementStart($tagname, $attributes);
                        $builder->onElementClose($tagname);
                        break;

                    case self::ST_TAG_BETWEEN_ATTRIBUTE:
                    case self::ST_TAG_ATTRIBUTES:
                        if ($c === '>') {
                            $mark = $i+1; // mark text start
                            $state = self::ST_TEXT;
                            $builder->onElementStart($tagname, $attributes);
                        } elseif ($c === '/') {
                            $state = self::ST_TAG_SINGLE;
                        } elseif (self::isWhiteChar($c)) {
                            $state = self::ST_TAG_ATTRIBUTES;
                        } elseif ($state === self::ST_TAG_ATTRIBUTES && $this->isValidQName($c)) {
                            $mark = $i; // mark attribute key start
                            $state = self::ST_ATTR_KEY;
                        } else $this->raiseError("Unexpected character '$c' between attributes of <$tagname>");
                        break;

                    case self::ST_COMMENT:
                        if ($c === '>' && $i > $mark+4 && substr($src, $i-2, 2) === '--') {

                            if (preg_match('/^-|--|-$/', substr($src, $mark +4, $i-$mark+1 -7))) {
                                $this->raiseError("Ill-formed comment. XML comments are not allowed to contain '--' or start/end with '-': ".substr($src, $mark+4, $i-$mark+1-7));
                            }

                            $builder->onComment($this->checkEncoding(substr($src, $mark+4, $i-$mark+1-7)));
                            $mark = $i+1; // mark text start
                            $state = self::ST_TEXT;
                        }
                        break;

                    case self::ST_CDATA:
                        if ($c === '>' and substr($src, $i-2, 2) === ']]') {
                            $builder->onCDATASection($this->checkEncoding(substr($src, $mark, $i-$mark-2)));
                            $mark = $i+1; // mark text start
                            $state = self::ST_TEXT;
                        }
                        break;

                    case self::ST_XMLDEC:
                        if ($c === '?' && substr($src, $i, 2) === '?>') {
                            $builder->onXmlDecl($this->checkEncoding(substr($src, $mark, $i-$mark+2)));
                            $i++; // skip '>'
                            $mark = $i+1; // mark text start
                            $state = self::ST_TEXT;
                        }
                        break;

                    case self::ST_DOCTYPE:
                        if ($c === '[') {
                            $customDoctype = true;
                        } elseif ($customDoctype && $c === '>' && substr($src, $i-1, 2) === ']>') {
                            $customDoctype = false;
                            $builder->onDocType($this->checkEncoding(substr($src, $mark, $i-$mark+1)));
                            $mark = $i+1; // mark text start
                            $state = self::ST_TEXT;
                        } elseif (!$customDoctype && $c === '>') {
                            $customDoctype = false;
                            $builder->onDocType($this->checkEncoding(substr($src, $mark, $i-$mark+1)));
                            $mark = $i+1; // mark text start
                            $state = self::ST_TEXT;
                        }
                        break;

                    case self::ST_PREPROC:
                        if ($c === '>' and substr($src, $i-1, 1) === '?') {
                            $builder->onProcessingInstruction($this->checkEncoding(substr($src, $mark, $i-$mark+1)));
                            $mark = $i+1; // mark text start
                            $state = self::ST_TEXT;
                        }
                        break;

                    case self::ST_ATTR_KEY:
                        if ($c === '=' || self::isWhiteChar($c)) {
                            $attribute = substr($src, $mark, $i-$mark);
                            if (!$this->isValidQName($attribute)) {
                                $this->raiseError("Invalid attribute name '$attribute' in <$tagname>");
                            }
                            if (isset($attributes[$attribute])) {
                                $this->raiseError("Attribute $attribute in <$tagname> is defined more than once");
                            }

                            if ($c === '=') $state = self::ST_ATTR_VALUE;
                            else /* white char */ $state = self::ST_ATTR_EQ;
                        } elseif ($c === '/' || $c==='>') {
                            $attribute = substr($src, $mark, $i-$mark);
                            if (!$this->isValidQName($attribute)) {
                                $this->raiseError("Invalid attribute name '$attribute'");
                            }
                            $this->raiseError("Attribute $attribute does not have value (found end of tag instead of '=')");
                        }
                        break;

                    case self::ST_ATTR_EQ:
                        if ($c === '=') {
                            $state = self::ST_ATTR_VALUE;
                        } elseif (!self::isWhiteChar($c)) {
                            $this->raiseError("Attribute $attribute in <$tagname> does not have value (found character '$c' instead of '=')");
                        }
                        break;

                    case self::ST_ATTR_VALUE:
                        if (self::isWhiteChar($c)) {
                        } elseif ($c === '"' or $c === '\'') {
                            $quoteStyle = $c;
                            $state = self::ST_ATTR_QUOTE;
                            $mark = $i+1; // mark attribute real value start
                        } else {
                            $this->raiseError("Value of attribute $attribute in <$tagname> is not in quotes (found character '$c' instead of quote)");
                        }
                        break;

                    case self::ST_ATTR_QUOTE:
                        if ($c === $quoteStyle) {
                            $attributes[$attribute] = $this->sanitizeEscapedText($this->checkEncoding(substr($src, $mark, $i-$mark)));

                            // PHPTAL's code generator assumes input is escaped for double-quoted strings. Single-quoted attributes need to be converted.
                            // FIXME: it should be escaped at later stage.
                            $attributes[$attribute] = str_replace('"', '&quot;', $attributes[$attribute]);

                            $state = self::ST_TAG_BETWEEN_ATTRIBUTE;
                        }
                        break;
                }
            }

            if ($state === self::ST_TEXT) // allows text past root node, which is in violation of XML spec
            {
                if ($i > $mark) {
                    $text = substr($src, $mark, $i-$mark);
                    if (!ctype_space($text)) $this->raiseError("Characters found after end of the root element (wrap document in <tal:block> to avoid this error)");
                }
            } else {
                if ($state === self::ST_ROOT) {
                    $msg = "Document does not have any tags";
                } else {
                    $msg = "Finished document in unexpected state: ".self::$state_names[$state]." is not finished";
                }
                $this->raiseError($msg);
            }

            $builder->onDocumentEnd();
        }
        catch(PHPTAL_TemplateException $e)
        {
            $e->hintSrcPosition($this->_file, $this->_line);
            throw $e;
        }
        return $builder;
    }

    private function isValidQName($name)
    {
        $name = $this->checkEncoding($name);
        return preg_match('/^([a-z_\x80-\xff]+[a-z0-9._\x80-\xff-]*:)?[a-z_\x80-\xff]+[a-z0-9._\x80-\xff-]*$/i', $name);
    }

    private function checkEncoding($str)
    {
        if ($str === '') return '';

        if ($this->input_encoding === 'UTF-8') {

            // $match expression below somehow triggers quite deep recursion and stack overflow in preg
            // to avoid this, check string bit by bit, omitting ASCII fragments.
            if (strlen($str) > 200) {
                $chunks = preg_split('/(?>[\x09\x0A\x0D\x20-\x7F]+)/',$str,null,PREG_SPLIT_NO_EMPTY);
                foreach ($chunks as $chunk) {
                    if (strlen($chunk) < 200) {
                        $this->checkEncoding($chunk);
                    }
                }
                return $str;
            }

            // http://www.w3.org/International/questions/qa-forms-utf-8
            $match = '[\x09\x0A\x0D\x20-\x7F]'            // ASCII
                   . '|[\xC2-\xDF][\x80-\xBF]'             // non-overlong 2-byte
                   . '|\xE0[\xA0-\xBF][\x80-\xBF]'         // excluding overlongs
                   . '|[\xE1-\xEC\xEE\xEE][\x80-\xBF]{2}'  // straight 3-byte (exclude FFFE and FFFF)
                   . '|\xEF[\x80-\xBE][\x80-\xBF]'         // straight 3-byte
                   . '|\xEF\xBF[\x80-\xBD]'                // straight 3-byte
                   . '|\xED[\x80-\x9F][\x80-\xBF]'         // excluding surrogates
                   . '|\xF0[\x90-\xBF][\x80-\xBF]{2}'      // planes 1-3
                   . '|[\xF1-\xF3][\x80-\xBF]{3}'          // planes 4-15
                   . '|\xF4[\x80-\x8F][\x80-\xBF]{2}';     // plane 16

            if (!preg_match('/^(?:(?>'.$match.'))+$/s',$str)) {
                $res = preg_split('/((?>'.$match.')+)/s',$str,null,PREG_SPLIT_DELIM_CAPTURE);
                for($i=0; $i < count($res); $i+=2)
                {
                    $res[$i] = self::convertBytesToEntities(array(1=>$res[$i]));
                }
                $this->raiseError("Invalid UTF-8 bytes: ".implode('', $res));
            }
        }
        if ($this->input_encoding === 'ISO-8859-1') {

            // http://www.w3.org/TR/2006/REC-xml11-20060816/#NT-RestrictedChar
            $forbid = '/((?>[\x00-\x08\x0B\x0C\x0E-\x1F\x7F-\x84\x86-\x9F]+))/s';

            if (preg_match($forbid, $str)) {
                $str = preg_replace_callback($forbid, array('self', 'convertBytesToEntities'), $str);
                $this->raiseError("Invalid ISO-8859-1 characters: ".$str);
            }
        }

        return $str;
    }

    /**
     * preg callback
     * Changes all bytes to hexadecimal XML entities
     *
     * @param array $m first array element is used for input
     *
     * @return string
     */
    private static function convertBytesToEntities(array $m)
    {
        $m = $m[1]; $out = '';
        for($i=0; $i < strlen($m); $i++)
        {
            $out .= '&#X'.strtoupper(dechex(ord($m[$i]))).';';
        }
        return $out;
    }

    /**
     * This is where this parser violates XML and refuses to be an annoying bastard.
     */
    private function sanitizeEscapedText($str)
    {
        $str = str_replace('&apos;', '&#39;', $str); // PHP's html_entity_decode doesn't seem to support that!

        /* <?php ?> blocks can't reliably work in attributes (due to escaping impossible in XML)
           so they have to be converted into special TALES expression
        */
        $types = ini_get('short_open_tag')?'php|=|':'php';
        $str = preg_replace_callback("/<\?($types)(.*?)\?>/", array('self', 'convertPHPBlockToTALES'), $str);

        // corrects all non-entities and neutralizes potentially problematic CDATA end marker
        $str = strtr(preg_replace('/&(?!(?:#x?[a-f0-9]+|[a-z][a-z0-9]*);)/i', '&amp;', $str), array('<'=>'&lt;', ']]>'=>']]&gt;'));

        return $str;
    }

    private static function convertPHPBlockToTALES($m)
    {
        list(, $type, $code) = $m;
        if ($type === '=') $code = 'echo '.$code;
        return '${structure phptal-internal-php-block:'.rawurlencode($code).'}';
    }

    public function getSourceFile()
    {
        return $this->_file;
    }

    public function getLineNumber()
    {
        return $this->_line;
    }

    public static function isWhiteChar($c)
    {
        return strpos(" \t\n\r\0", $c) !== false;
    }

    protected function raiseError($errStr)
    {
        throw new PHPTAL_ParserException($errStr, $this->_file, $this->_line);
    }
}
```
This is so strange, when I scan your file there is no problem...
What kind of host OS are you using, Debian/Ubuntu/CentOS?
You can find the Linux version with the release file:
```
cat /etc/*-release
```
Mine is:
```
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
NAME="Ubuntu"
VERSION="16.04.1 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.1 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial
```
The result when I scan it on a ubuntu machine:
```
bram@ubuntu:~$ ls test/
SaxXmlParser.php
bram@ubuntu:~$ sudo maldet -a /home/bram/test/
Linux Malware Detect v1.5
            (C) 2002-2016, R-fx Networks <proj@rfxn.com>
            (C) 2016, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(12014): {scan} signatures loaded: 10906 (8988 MD5 / 1918 HEX / 0 USER)
maldet(12014): {scan} building file list for /home/bram/test/, this might take awhile...
maldet(12014): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(12014): {scan} file list completed in 0s, found 1 files...
maldet(12014): {scan} scan of /home/bram/test/ (1 files) in progress...
maldet(12014): {scan} 1/1 files scanned: 0 hits 0 cleaned
maldet(12014): {scan} scan completed on /home/bram/test/: files 1, malware hits 0, cleaned hits 0, time 0s
maldet(12014): {scan} scan report saved, to view run: maldet --report 160901-0925.12014
bram@ubuntu:~$
```
Finally I got the same result, but this time on a CentOS machine. The strange thing is that because I run clamav on that machine, maldet will use that engine:
```
maldet(9234): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
```
My CentOS Version:
```
CentOS Linux release 7.2.1511 (Core)
DISTRIB_ID=CentOS
DISTRIB_RELEASE=7
DISTRIB_CODENAME=
DISTRIB_DESCRIPTION=
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

CentOS Linux release 7.2.1511 (Core)
CentOS Linux release 7.2.1511 (Core)
```
The latest clamav:
```
[root@nerd bram]# freshclam
ClamAV update process started at Thu Sep  1 09:30:00 2016
main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: amishhammer)
daily.cld is up to date (version: 22164, sigs: 570438, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 283, sigs: 53, f-level: 63, builder: neo)
```
The scan result:
```
HOST:      nerd.host
SCAN ID:   160901-0928.9234
STARTED:   Sep 1 2016 09:28:46 +0200
COMPLETED: Sep 1 2016 09:28:52 +0200
ELAPSED:   6s [find: 0s]

PATH:          /home/bram/test/
TOTAL FILES:   20
TOTAL HITS:    1
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to users!
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 160901-0928.9234

FILE HIT LIST:
{HEX}php.base64.v23au.186 : /home/bram/test/SaxXmlParser.php
===============================================
Linux Malware Detect v1.5 < proj@rfxn.com >
```
The scan with maldet:
```
[root@nerd bram]# maldet -a /home/bram/test/
Linux Malware Detect v1.5
            (C) 2002-2016, R-fx Networks <proj@rfxn.com>
            (C) 2016, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(9234): {scan} signatures loaded: 10906 (8988 MD5 / 1918 HEX / 0 USER)
maldet(9234): {scan} building file list for /home/bram/test/, this might take awhile...
maldet(9234): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(9234): {scan} file list completed in 0s, found 20 files...
maldet(9234): {scan} found clamav binary at /bin/clamscan, using clamav scanner engine...
maldet(9234): {scan} scan of /home/bram/test/ (20 files) in progress...
maldet(9234): {scan} processing scan results for hits: 1 hits 0 cleaned
maldet(9234): {scan} scan completed on /home/bram/test/: files 20, malware hits 1, cleaned hits 0, time 6s
maldet(9234): {scan} scan report saved, to view run: maldet --report 160901-0928.9234
maldet(9234): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 160901-0928.9234
[root@nerd bram]# maldet -q 160901-0928.9234
Linux Malware Detect v1.5
            (C) 2002-2016, R-fx Networks <proj@rfxn.com>
            (C) 2016, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(9487): {quar} malware quarantined from '/home/bram/test/SaxXmlParser.php' to '/usr/local/maldetect/quarantine/SaxXmlParser.php.1119017691'
```
So to reproduce this issue, please install clamav:
```
apt-get install clamav
```
Update clamav to the latest signatures:
```
freshclam
```
Download and install maldetect: https://www.rfxn.com/projects/linux-malware-detect/

Update maldetect:
```
maldet -u && maldet -d
```
And run maldetect on PHPTAL:
```
maldet -a /home/bram/PHPTAL/
```
This will result in:
```
HOST:      ubuntu
SCAN ID:   160901-0947.13098
STARTED:   Sep 1 2016 09:47:35 +0200
COMPLETED: Sep 1 2016 09:47:43 +0200
ELAPSED:   8s [find: 0s]

PATH:          /home/bram/PHPTAL/
TOTAL FILES:   496
TOTAL HITS:    1
TOTAL CLEANED: 0

WARNING: Automatic quarantine is currently disabled, detected threats are still accessible to user$
To enable, set quarantine_hits=1 and/or to quarantine hits from this scan run:
/usr/local/sbin/maldet -q 160901-0947.13098

FILE HIT LIST:
{HEX}php.base64.v23au.186 : /home/bram/PHPTAL/classes/PHPTAL/Dom/SaxXmlParser.php
===============================================
Linux Malware Detect v1.5 < proj@rfxn.com >
```
Here is my release info:
```
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
```
Thanks @lengthofrope I will now look in to what causes this problem in / with that file.
@brammittendorff and @lengthofrope Thanks for your effort thus far. It is good to have details on this. If anyone else ever has a similar issue, we have a thread to point them to.
I've taken the liberty of reporting this to ClamAV as a false-positive. I'll report back if/when I get a response.
No response from ClamAV thus far. Closing this as an "upstream" problem out of scope for this project.
There is a method in which you should change the line `$out = '';` to `$out = "";`, and then it will not be recognized as a virus:
```php
private static function convertBytesToEntities(array $m)
{
    $m = $m[1];
    $out = '';
    for($i=0; $i < strlen($m); $i++)
    {
        $out .= '&#X'.strtoupper(dechex(ord($m[$i]))).';';
    }
    return $out;
}
```
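The thread never pins down which bytes of SaxXmlParser.php the {HEX}php.base64.v23au signature matched, and the quote-style change works only because maldet and ClamAV HEX rules are literal byte patterns: change one byte inside the pattern and the rule stops firing. The following is an added example, not PHPTAL code and not the rfxn signature (this page does not reproduce it): a small matcher for the ClamAV `.ndb` hex-signature syntax (`??` one wildcard byte, `*` any run, `{n-m}` bounded run) applied to a constructed signature shaped like the snippet above, plus a bisection helper that narrows a file down to the smallest window that still trips a scanner. The signature, the two snippets, the `clamscan` invocation and the maldet database location are assumptions.

```python
# Added example for this thread: not PHPTAL code and not the rfxn signature that
# fired. SIG_HEX is CONSTRUCTED to look like the body of a ClamAV ".ndb" line
# (Name:TargetType:Offset:HexSig); only the HexSig part is modelled here.
import re
import subprocess
import tempfile
from typing import Callable, Optional, Tuple

_TOKEN = re.compile(r"\{(\d*)-(\d*)\}|\*|\?\?|[0-9a-fA-F]{2}")


def hexsig_to_regex(hexsig: str) -> "re.Pattern[bytes]":
    """Translate an .ndb hex signature into a bytes regex (DOTALL, so newlines match)."""
    parts, pos = [], 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unparsable signature near offset {pos}: {hexsig!r}")
        pos = m.end()
        tok = m.group(0)
        if tok == "??":
            parts.append(b".")                      # exactly one arbitrary byte
        elif tok == "*":
            parts.append(b".*?")                    # any number of bytes
        elif tok.startswith("{"):
            lo, hi = (m.group(1) or "0").encode(), m.group(2).encode()
            parts.append(b".{" + lo + b"," + hi + b"}")   # "{n-}" becomes .{n,}
        else:
            parts.append(re.escape(bytes.fromhex(tok)))   # literal byte
    if pos != len(hexsig):
        raise ValueError(f"trailing garbage in signature: {hexsig!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def hexsig_hits(hexsig: str, data: bytes) -> bool:
    """True when the signature's byte pattern occurs anywhere in data."""
    return hexsig_to_regex(hexsig).search(data) is not None


# Constructed signature: the bytes of  $out = '';  then 1..200 arbitrary bytes,
# then the bytes of  dechex(ord(  . Hypothetical, chosen to mirror the fix above.
SIG_HEX = b"$out = '';".hex() + "{1-200}" + b"dechex(ord(".hex()

# Constructed input: the helper as posted in the thread, and the same helper with
# the single-to-double quote change the thread reports makes the hit go away.
ORIGINAL_SNIPPET = b"""private static function convertBytesToEntities(array $m)
{
    $m = $m[1]; $out = '';
    for($i=0; $i < strlen($m); $i++)
    {
        $out .= '&#X'.strtoupper(dechex(ord($m[$i]))).';';
    }
    return $out;
}
"""
PATCHED_SNIPPET = ORIGINAL_SNIPPET.replace(b"$out = '';", b'$out = "";')


def localize(data: bytes, hits: Callable[[bytes], bool]) -> Optional[Tuple[int, int]]:
    """Bisect to the smallest [start, end) window of data that still trips `hits`.

    Assumes one contiguous trigger region (true for a body signature) and costs
    about 2*log2(len(data)) scanner calls, cheap even when `hits` is a real engine.
    """
    if not hits(data):
        return None
    lo, hi = 0, len(data)            # invariant: hits(data[lo:]) is True
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if hits(data[mid:]):
            lo = mid
        else:
            hi = mid
    start = lo
    lo, hi = start, len(data)        # invariant: hits(data[start:hi]) is True
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if hits(data[start:mid]):
            hi = mid
        else:
            lo = mid
    return start, hi


def clamscan_hits(data: bytes, database: Optional[str] = None) -> bool:
    """Predicate for localize() backed by a real clamscan (assumed to be on PATH).

    clamscan exits 1 on a hit, 0 when clean, 2 on error. Pass the directory that
    holds maldet's rfxn.ndb/rfxn.hdb as `database` to mimic a maldet+clamav scan;
    that location is install specific (assumption), so check it on your own box.
    """
    with tempfile.NamedTemporaryFile(suffix=".php") as tmp:
        tmp.write(data)
        tmp.flush()
        cmd = ["clamscan", "--no-summary"] + (["-d", database] if database else [])
        rc = subprocess.run(cmd + [tmp.name], capture_output=True).returncode
        if rc == 2:
            raise RuntimeError("clamscan reported an error")
        return rc == 1


if __name__ == "__main__":
    def sig(b: bytes) -> bool:
        return hexsig_hits(SIG_HEX, b)
    print("original hits:", sig(ORIGINAL_SNIPPET), "patched hits:", sig(PATCHED_SNIPPET))
    start, end = localize(ORIGINAL_SNIPPET, sig)
    print("trigger bytes:", ORIGINAL_SNIPPET[start:end])
```

To triage a real hit, swap `sig` for `clamscan_hits` (with maldet's database directory if that is the engine that fired) and run `localize` over the whole file; the returned window is the byte range to compare against upstream. The caveat cuts both ways: the cosmetic edit that silences a false positive is exactly what obfuscated PHP shells do to evade the same rules, so a HEX hit on readable, version-controlled code is weak evidence either way, and the file should be diffed or hash-checked against the released PHPTAL tarball before it is trusted or dismissed.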
@iman61 You are absolutely right, sir, I'll open a PR.
PR looks good, reopening until it has been merged.
@Ocramius If this is merged, should we release a v1.3.1? (This is assuming we merge this to both the master and 1.3.x branches.)
@Potherca this would be a patch release, and yes, it needs to be merged to 1.3.x for a v1.3.1 release, as well as master.
Merged into master (#59) and 1.4.x (#60) branches and released as v1.3.1
Thanks again @lengthofrope for reporting and @brammittendorff for fixing! :tada: