{"id":960,"date":"2015-07-20T10:47:42","date_gmt":"2015-07-20T08:47:42","guid":{"rendered":"http:\/\/www.ayhanarda.com\/blog\/?p=960"},"modified":"2015-07-20T10:49:40","modified_gmt":"2015-07-20T08:49:40","slug":"cryptophp-php-malware-tespiti-ve-temizleme","status":"publish","type":"post","link":"https:\/\/www.ayhanarda.com\/blog\/2015\/07\/cryptophp-php-malware-tespiti-ve-temizleme\/","title":{"rendered":"CryptoPHP PHP malware tespiti ve temizleme"},"content":{"rendered":"

CryptoPHP malware i , komut ve kontrol sunucular\u0131 ile public key \u015fifrelemesi kullanarak ileti\u015fime ge\u00e7en bir zararl\u0131d\u0131r ve bilindik i\u00e7erik kontrol sistemleri olan wordpress , joomla , drupal gibi sistemler ile kolayl\u0131kla entegre olabilir. Yasad\u0131\u015f\u0131 arama motoru optimizasyonu yapanlar taraf\u0131ndan kullan\u0131l\u0131r. Bu script genellikle kendini g\u00fcncelleyecek \u015fekilde yap\u0131land\u0131r\u0131l\u0131r ve sahibi diler ise onu uzaktan g\u00fcncelleyebilir ya da yeni \u00f6zellikler ekleyebilir.<\/p>\n

Fox it , bununla ilgili detayl\u0131 bir analiz yapm\u0131\u015ft\u0131r ve https:\/\/foxitsecurity.files.wordpress.com\/2014\/11\/cryptophp-whitepaper-foxsrt-v4.pdf<\/a> adresinden inceleyebilirsiniz.<\/p>\n

Tespiti i\u00e7in yine fox it in haz\u0131rlad\u0131\u011f\u0131 phyton scriptini kullanabiliriz. S\u0131ras\u0131yla \u00f6nce scripti indiriyoruz , \u00e7al\u0131\u015fma hakk\u0131 tan\u0131yoruz ve \/home dizinimizin alt\u0131ndaki dosyalar\u0131 taramas\u0131n\u0131 istiyoruz.<\/p>\n

<\/a>Source code<\/a><\/td><\/a> <\/a> <\/a> <\/td><\/tr><\/table><\/div>
root@<\/span>ayhanarda.<\/span>com:<\/span>~# wget https:\/\/raw.githubusercontent.com\/fox-it\/cryptophp\/master\/scripts\/check_filesystem.py\n<\/span>root@<\/span>ayhanarda.<\/span>com:<\/span>~# chmod +x check_filesystem.py\n<\/span>root@<\/span>ayhanarda.<\/span>com:<\/span>~# .\/check_filesystem.py \/home<\/span><\/pre><\/div><\/div>\n
 <\/p>\n
Sonu\u00e7lara g\u00f6z atmak gerekirse \u00e7\u0131kt\u0131 a\u015fa\u011f\u0131dakine benzer olacakt\u0131r.<\/p>\n
<\/a>Source code<\/a><\/td><\/a> <\/a> <\/a> <\/td><\/tr><\/table><\/div>
File<\/span><\/a> matching patterns:<\/span> [<\/span>'*.png'<\/span>,<\/span> '*.gif'<\/span>,<\/span> '*.jpg'<\/span>,<\/span> '*.bmp'<\/span>]<\/span>\nRecursively scanning directory:<\/span> \/<\/span>home\n \/<\/span>home\/<\/span>guvenlikgeregigizlenmistir1.<\/span>com\/<\/span>httpdocs\/<\/span>wp-<\/span>content\/<\/span>themes\/<\/span>VideoThemeRes\/<\/span>images\/<\/span>social.<\/span>png:<\/span> CRYPTOPHP DETECTED!<\/span> (<\/span>version:<\/span> 0.2<\/span>)<\/span>\n \/<\/span>home\/<\/span>guvenlikgeregizlenmistir2.<\/span>com\/<\/span>httpdocs\/<\/span>wp-<\/span>content\/<\/span>plugins\/<\/span>_revslider\/<\/span>images\/<\/span>social.<\/span>png:<\/span> CRYPTOPHP DETECTED!<\/span> (<\/span>version:<\/span> 0.2<\/span>)<\/span><\/pre><\/div><\/div>\n
Tespit ettikten sonra silmek i\u00e7in a\u015fa\u011f\u0131daki silme komutunu kullanabilirsiniz.<\/p>\n
<\/a>Source code<\/a><\/td><\/a> <\/a> <\/a> <\/td><\/tr><\/table><\/div>
root@<\/span>ayhanarda.<\/span>com:<\/span>~# rm -rf \/home\/guvenlikgeregigizlenmistir1.com\/httpdocs\/wp-content\/themes\/VideoThemeRes\/images\/social.png<\/span><\/pre><\/div><\/div>\n
Bu phyton scriptini kullanmak istemiyor iseniz a\u015fa\u011f\u0131da belirtti\u011fim beti\u011fi de kullanabilirsiniz.<\/p>\n
<\/a>Source code<\/a><\/td><\/a> <\/a> <\/a> <\/td><\/tr><\/table><\/div>
root@<\/span>ayhanarda.<\/span>com:<\/span>~# find \/home\/ -name "social*.png" -exec grep -E -o 'php.{0,80}' {} \\; -print<\/span><\/pre><\/div><\/div>\n
Sunucunuza \u00fccretli tarama ve temizleme yapt\u0131rmak i\u00e7in bu gibi i\u015flemleri yapan Cpanel G\u00fcvenlik<\/a> sitesi ile ileti\u015fime ge\u00e7ebilirsiniz.<\/p>\n
Ayhan ARDA<\/p>\n
 <\/p>\n
\"Share<\/a>