rfxn / linux-malware-detect

Linux Malware Detection (LMD)
http://www.rfxn.com/projects/linux-malware-detect/
GNU General Public License v2.0

c99.php is not detected. Signatures out of date? #411

Open VicDeo opened 1 year ago

VicDeo commented 1 year ago
root@testserver:~# mkdir -p c99test && cd c99test/
root@testserver:~/c99test# wget https://www.r57shell.net/shells/c99.rar
--2023-03-14 10:42:06--  https://www.r57shell.net/shells/c99.rar
Resolving www.r57shell.net (www.r57shell.net)... 172.67.166.66, 104.21.58.238, 2606:4700:3033::ac43:a642, ...
Connecting to www.r57shell.net (www.r57shell.net)|172.67.166.66|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 115844 (113K) [application/x-rar-compressed]
Saving to: ‘c99.rar’

c99.rar                                              100%[====================================================================================================================>] 113.13K   460KB/s    in 0.2s    

2023-03-14 10:42:06 (460 KB/s) - ‘c99.rar’ saved [115844/115844]

root@testserver:~/c99test# unrar e c99.rar 

UNRAR 5.61 beta 1 freeware      Copyright (c) 1993-2018 Alexander Roshal

Extracting from c99.rar

Extracting  c99.php                                                   OK 
All OK
root@testserver:~/c99test# maldet -a /root/c99test/
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(1336597): {scan} signatures loaded: 17370 (14533 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(1336597): {scan} building file list for /root/c99test/, this might take awhile...
maldet(1336597): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(1336597): {scan} file list completed in 0s, found 3476 files...
maldet(1336597): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(1336597): {scan} scan of /root/c99test/ (3476 files) in progress...

maldet(1336597): {scan} scan completed on /root/c99test/: files 3476, malware hits 0, cleaned hits 0, time 4s
maldet(1336597): {scan} scan report saved, to view run: maldet --report 230314-1042.1336597

malware hits 0, cleaned hits 0, time 4s

For example, r57 is successfully detected even in a rar archive, so the scanner configuration is OK; something is wrong with the signatures:

root@testserver:~/c99test# wget https://github.com/dangerover/r57c99/raw/main/r57shell.rar
--2023-03-14 10:46:39--  https://github.com/dangerover/r57c99/raw/main/r57shell.rar
Resolving github.com (github.com)... 140.82.112.4
Connecting to github.com (github.com)|140.82.112.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/dangerover/r57c99/main/r57shell.rar [following]
--2023-03-14 10:46:39--  https://raw.githubusercontent.com/dangerover/r57c99/main/r57shell.rar
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 64759 (63K) [application/octet-stream]
Saving to: ‘r57shell.rar’

r57shell.rar                                         100%[====================================================================================================================>]  63.24K  --.-KB/s    in 0.001s  

2023-03-14 10:46:39 (114 MB/s) - ‘r57shell.rar’ saved [64759/64759]

root@testserver:~/c99test# maldet -a /root/c99test/
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@rfxn.com>
            (C) 2019, Ryan MacDonald <ryan@rfxn.com>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(1337058): {scan} signatures loaded: 17370 (14533 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(1337058): {scan} building file list for /root/c99test/, this might take awhile...
maldet(1337058): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(1337058): {scan} file list completed in 0s, found 3477 files...
maldet(1337058): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(1337058): {scan} scan of /root/c99test/ (3477 files) in progress...
maldet(1337058): {scan} processing scan results for hits: 1 hits 0 cleaned
maldet(1337058): {scan} scan completed on /root/c99test/: files 3477, malware hits 1, cleaned hits 0, time 4s
maldet(1337058): {scan} scan report saved, to view run: maldet --report 230314-1046.1337058
maldet(1337058): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 230314-1046.1337058

malware hits 1, cleaned hits 0, time 4s

Gazoo commented 1 year ago

By default maldet will ignore files owned by root so as to prevent system damage from automatic quarantine. So change the ownership of the files before the scan or change the scan_ignore_root setting in the maldet config.
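
One way to act on Gazoo's point before blaming the signature set, as an added shell example that is not LMD's own code: it reads the scan_ignore_root value from conf.maldet and lists the files under a scan path that the root-owner rule would skip, so they can be chowned to a non-root user or the setting changed before a clean result is interpreted. The key="value" layout, the config path, and the assumed default of 1 when the key is absent (taken from Gazoo's description, not from LMD's documentation) are assumptions.

```shell
#!/bin/sh
# Added example, not part of LMD. Assumptions: conf.maldet uses key="value"
# lines (quotes optional) and lives at /usr/local/maldetect/conf.maldet
# unless a path is passed in.

# Print the effective scan_ignore_root value ("1" = root-owned files skipped).
# Falls back to "1" when the key or the file is missing, following the
# default behaviour described in the thread (assumption).
scan_ignore_root_enabled() {
    conf="${1:-/usr/local/maldetect/conf.maldet}"
    val=$(sed -n 's/^[[:space:]]*scan_ignore_root="*\([01]\)"*.*/\1/p' "$conf" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-1}"
}

# List regular files under DIR owned by uid 0. With scan_ignore_root=1 maldet
# would not report hits in these, so a clean scan of them says nothing about
# signature coverage.
root_owned_files() {
    find "$1" -type f -user 0 -print 2>/dev/null | sort
}

# Return 0 when a scan of DIR can produce hits, 1 when the root-owner rule
# would hide hits in every file (nothing scanned, or all files root-owned).
scan_would_be_meaningful() {
    dir="$1"; conf="$2"
    if [ "$(scan_ignore_root_enabled "$conf")" != "1" ]; then
        return 0
    fi
    total=$(find "$dir" -type f | wc -l | tr -d ' ')
    skipped=$(root_owned_files "$dir" | wc -l | tr -d ' ')
    [ "$skipped" -lt "$total" ]
}

# Usage on a sample directory such as the thread's /root/c99test:
# if ! scan_would_be_meaningful /root/c99test /usr/local/maldetect/conf.maldet; then
#     echo "all files root-owned with scan_ignore_root=1: chown them or set scan_ignore_root=0"
# fi
```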

VicDeo commented 1 year ago

@Gazoo thanks, but this is a non-default setup. See the log above: the r57 shell is detected on the same server (as well as the other malware); c99 is not. Obviously something is wrong with the signatures.