22

Exploit Scanner

By Anant Garg  /  PHP  /  2 Responses

The Problem

As your site grows, so do your chances of getting hacked. Most of these hacks are due to known exploits in existing open/closed source software. One of the biggest worries is a user getting full access to your site using a simple PHP upload.

So what’s the solution?

This is no silver bullet but if a user uploads any malicious files to your server, you should be able to quickly check what files have been modified/added.

PHP Exploit Scanner

The Exploit Scanner is a single PHP file which generates MD5 hash for all files of a particular software and then allows you to compare that with software you think has been modified.

Sample Usage

Lets say you want to check for any exploits in your WordPress installation

1. Download a fresh copy of WordPress from the official site (make sure you download correct version)
2. Upload WordPress to your server/localhost
3. Run exploitscanner.php?action=generate in the new WordPress folder (you do not need to install WordPress)
4. Check filehashes.php and verify output is correct (i.e. an array of files with their hashes)
5. Now upload exploitscanner.php and filehashes.php to your live WordPress folder
6. Run exploitscanner.php?action=scan to generate a list of modified/added files
7. Check output of scanresults.txt

Generating Hashes

Upload exploitscanner.php to the folder for which you want to generate file hashes and then point your browser to:

http://www.yoursite.com/untouchedsoftware/exploitscanner.php?action=generate

Only output is filehashes.php

Note: Be sure that the software is not already exploited. Ideally use a fresh copy from the software creators (make sure you check the version)

Scanning For Exploits

Upload exploitscanner.php to the folder for which you want to check file hashes and then point your browser to:

http://www.yoursite.com/hackedsoftware/exploitscanner.php?action=scan

Only output is scanresults.txt
Legend- F: New file | M: Modified file

First search for all .php files to see what is changed. If the file is tagged M, you can use a difference tool like WinMerge to find out what has changed.

Download

Download PHP Exploit Scanner free

License

Exploit Scanner is licensed under MIT license. Let me know if you make any interesting use of the script.

Comments/Suggestions?

If you would like to assist in creating a community where users can quickly download filehashes.php for their software then feel free to contact me using the form below.

Do let me know your suggestions on how we can improve this code or any other features you would like to add.

Future Updates

1. Improve recursive function to avoid time out on shared servers
2. Create a community where users can upload hashes for known software like phpBB, vBulletin etc.
3. Add GUI
4. Database integrity
5. Malicious code insertion in template files

Spread The Word

If you like what you are reading, then please help spread the word by re-tweeting, blogging or using the ShareThis button below. Thank you.


465 Words
23948 Views