c99.php is not detected. Signatures out of date? #411

Open
VicDeo opened this issue Mar 14, 2023 · 2 comments
Comments

@VicDeo

VicDeo commented Mar 14, 2023

root@testserver:~# mkdir -p c99test && cd c99test/
root@testserver:~/c99test# wget https://www.r57shell.net/shells/c99.rar
--2023-03-14 10:42:06--  https://www.r57shell.net/shells/c99.rar
Resolving www.r57shell.net (www.r57shell.net)... 172.67.166.66, 104.21.58.238, 2606:4700:3033::ac43:a642, ...
Connecting to www.r57shell.net (www.r57shell.net)|172.67.166.66|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 115844 (113K) [application/x-rar-compressed]
Saving to: ‘c99.rar’

c99.rar                                              100%[====================================================================================================================>] 113.13K   460KB/s    in 0.2s    

2023-03-14 10:42:06 (460 KB/s) - ‘c99.rar’ saved [115844/115844]

root@testserver:~/c99test# unrar e c99.rar 

UNRAR 5.61 beta 1 freeware      Copyright (c) 1993-2018 Alexander Roshal


Extracting from c99.rar

Extracting  c99.php                                                   OK 
All OK
root@testserver:~/c99test# maldet -a /root/c99test/
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <[email protected]>
            (C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(1336597): {scan} signatures loaded: 17370 (14533 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(1336597): {scan} building file list for /root/c99test/, this might take awhile...
maldet(1336597): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(1336597): {scan} file list completed in 0s, found 3476 files...
maldet(1336597): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(1336597): {scan} scan of /root/c99test/ (3476 files) in progress...

maldet(1336597): {scan} scan completed on /root/c99test/: files 3476, malware hits 0, cleaned hits 0, time 4s
maldet(1336597): {scan} scan report saved, to view run: maldet --report 230314-1042.1336597

malware hits 0, cleaned hits 0, time 4s

For example, r57 is successfully detected even in a rar archive, so the scanner configuration is ok; something is wrong with the signatures:

root@testserver:~/c99test# wget https://github.com/dangerover/r57c99/raw/main/r57shell.rar
--2023-03-14 10:46:39--  https://github.com/dangerover/r57c99/raw/main/r57shell.rar
Resolving github.com (github.com)... 140.82.112.4
Connecting to github.com (github.com)|140.82.112.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/dangerover/r57c99/main/r57shell.rar [following]
--2023-03-14 10:46:39--  https://raw.githubusercontent.com/dangerover/r57c99/main/r57shell.rar
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 64759 (63K) [application/octet-stream]
Saving to: ‘r57shell.rar’

r57shell.rar                                         100%[====================================================================================================================>]  63.24K  --.-KB/s    in 0.001s  

2023-03-14 10:46:39 (114 MB/s) - ‘r57shell.rar’ saved [64759/64759]

root@testserver:~/c99test# maldet -a /root/c99test/
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <[email protected]>
            (C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(1337058): {scan} signatures loaded: 17370 (14533 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(1337058): {scan} building file list for /root/c99test/, this might take awhile...
maldet(1337058): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(1337058): {scan} file list completed in 0s, found 3477 files...
maldet(1337058): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(1337058): {scan} scan of /root/c99test/ (3477 files) in progress...
maldet(1337058): {scan} processing scan results for hits: 1 hits 0 cleaned
maldet(1337058): {scan} scan completed on /root/c99test/: files 3477, malware hits 1, cleaned hits 0, time 4s
maldet(1337058): {scan} scan report saved, to view run: maldet --report 230314-1046.1337058
maldet(1337058): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 230314-1046.1337058

malware hits 1, cleaned hits 0, time 4s

@Gazoo
Contributor

Gazoo commented Mar 21, 2023

By default maldet will ignore files owned by root, so as to prevent system damage from automatic quarantine. So change the ownership of the files before the scan or change the scan_ignore_root setting in the maldet config.
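A preflight check for the condition described in this comment, added here as an example (it is not code from the issue or from the maldet project): it reads the scan_ignore_root setting from a conf.maldet and counts root-owned files under the scan directory, so a "0 hits" result can be distinguished from "files were skipped". It assumes the config uses the key=value form scan_ignore_root="1" and that the config path and scan directory are passed as arguments.

```shell
#!/bin/sh
# Added example, not maldet's own code. Assumption: conf.maldet stores the
# setting as a line of the form scan_ignore_root="1" (quotes optional).

# Print 1 if scan_ignore_root is enabled in the given conf file, else 0.
# The last matching line wins, mirroring shell-sourced config semantics.
scan_ignore_root_enabled() {
    conf="$1"
    val=$(grep -E '^[[:space:]]*scan_ignore_root=' "$conf" 2>/dev/null \
          | tail -n 1 | sed -E 's/^[^=]*=//; s/^"//; s/"[[:space:]]*$//')
    case "$val" in
        1) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Count regular files under DIR owned by USER (e.g. root); these are the
# files a scan with scan_ignore_root=1 would silently skip.
count_owned_by() {
    dir="$1"; user="$2"
    find "$dir" -type f -user "$user" 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 when `maldet -a DIR` would consider every file under DIR,
# 1 when root-owned files would be skipped because of the setting.
preflight() {
    conf="$1"; dir="$2"
    if [ "$(scan_ignore_root_enabled "$conf")" = "1" ]; then
        n=$(count_owned_by "$dir" root)
        if [ "$n" -gt 0 ]; then
            echo "WARN: scan_ignore_root=1 and $n root-owned file(s) under $dir will be skipped" >&2
            return 1
        fi
    fi
    return 0
}
```

Run `preflight /usr/local/maldetect/conf.maldet /root/c99test` before the scan; a warning means a clean report does not prove the samples were actually inspected.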

@VicDeo
Author

VicDeo commented Mar 22, 2023

@Gazoo thanks, but this is a non-default setup....
See the log above: the r57 shell is detected on the same server (as well as the other malware).
c99 is not.
Obviously something is wrong with the signatures.
