Server Side Scans and File Integrity Monitoring
2021-05-14 04:01:00 Author: blog.sucuri.net(查看原文) 阅读量:207 收藏

When it comes to the ABCs of website security server side scans and file integrity monitoring are the “A” and “B”. In fact, our server side scanner is one of the most crucial tools in Sucuri’s arsenal. It’s paramount in maintaining an effective security product for our customers and analysts alike.

This crucial tool handles tasks like issuing security warnings and alerts to our clients, notifying them that they have been compromised, and assisting our analysts in detecting new and emerging variants of malware.

Remote Scanner vs. Server Side Scanner

Not all malware displays outwardly in a website environment. Our remote website scanner SiteCheck tool (free for anybody to use) is responsible for flagging this type of outward facing (usually javascript or database) malware that appears in the source code. On the other hand, our server side scanner is responsible for alerting clients for backend, PHP malware.

If you’ve ever faced a website compromise and our SiteCheck tool shows that your website is totally clean there’s a good chance that the payload is in the PHP files. As a remote scanner SiteCheck simply cannot see that compromise.

All Sucuri clients have server side scans included in their security plans with us. When this service is enabled if a website is compromised you should receive a security alert for any known malware. If the server side scanner is not enabled, the user would only find out about a compromise after the fact – once their website starts exhibiting symptoms of the compromise (malicious redirect, stolen credit card details in e-commerce environments, etc). Definitely get this configured when you are setting up your Sucuri plan.

File Integrity Monitoring

File integrity monitoring is a crucial piece of the remediation process. We rely on it when we are responding to incidents for our clients, particularly when we are looking for new, undetected malware samples.

Put on your Sherlock hat and grab your monocle, folks, because we’re going to take a look at some real world examples of investigating compromised websites!

Examples of New Credit Card Swipers on Ecommerce Websites

Attackers often target the Magento ecommerce CMS platform. Since it’s an ecommerce platform, all Magento websites handle credit card and payment information in some capacity, so any attackers looking to steal credit card numbers are going to be trying to compromise these environments.

Example 1

Some time ago, a client of ours was reporting compromised credit card details on their Magento website. However, our initial scans showed everything was clean. So we knew that this must be some new malware that was as-of-yet undetectable. Parsing through the server side scanner logs, we found the following entry:

Old Mage installation
Information redacted to protect our client’s information.

The size of a particular file had changed substantially in size. But why?

Once we inspect the file and compare it to a fresh copy of the file from the Magento repository we can see that a credit card swiper was added to the file once the attackers compromised the environment:

Diffchecker

The swiper takes the information like the credit card number and expiration date and spirits it away to a malicious exfiltration IP address (big ups to DiffChecker for their very useful tool that I use almost daily!)

Example 2

Let’s take another example – this time with a more subtle size change:

Downloader

Magento Notice of License

In this case a backdoor was added to the ./downloader/index.php file in this environment. Astute readers will also notice that ccard.js and other files pictured had a lot of code added to it as well, and yes, there was a swiper there too!

Both of these first two examples were not yet detectable by our automated tools or monitoring: The attacks were brand new malicious samples with no signature written yet.

Remember, there are people whose full time job it is to compromise websites and sell stolen credit card details on the dark web. They have a vested interest in regularly writing new malware that evades detection.

As analysts, it’s our job to find the new malware and then ensure our monitoring tools are able to see it. Once the tools can detect it any other clients affected by the same type of malicious code can be alerted.

Even small, subtle changes are logged in the server side scanner. It’s an absolutely crucial component of our security product and amazingly useful when working on investigations like the type above.

Example 3

Here’s another clue that we need to do some digging:

Error message

Here, you can see that we performed a cleanup of a client’s website and removed two backdoors.

However, attackers do not place backdoors without connection to anything else: They do so with the express intent of delivering their malicious payload. This could be for any number of reasons from stealing credit card numbers, delivering spam or redirecting the visitors to malware websites, or phishing for credentials.

In the above example, we can see that on the same day that those backdoors were added a functions.php file was also modified:

Errors default 500

Let’s take a look at this file, shall we?

Credit card swiper snippet

There’s the credit card swiper!

By cross-referencing the modified dates of the backdoors with the modified dates of other files around the same time we can find new payloads that the attackers have written. Sometimes these are obfuscated with things like concatenation and other techniques to avoid detection. Other times, they are sitting out in the open like the above example.

Example 4

One more, while we’re at it:

Server side scanner warning

Malware snippet

In this case the scan itself did catch some malware but that doesn’t tell the whole story. In the same way that a backdoor indicates the presence of a malicious payload the existence of some malware can indicate the presence of more.

On a closer look at this example we actually find a credit card swiper placed into the environment as well.

More investigation is always necessary to ensure that we haven’t missed anything. Sometimes we have signatures written for some of the malicious files but not others, so when performing an investigation it’s always good practice to be as thorough as possible.

Why are server side scanners important?

In conclusion, the server side scanner is an indispensable tool for both our monitoring and remediation process. It can both directly find compromises as well as provide our teams the information needed to discover others.

In addition to that, Sucuri founder Daniel Cid also wrote a very helpful extension for VPS hosting environments that runs on the server itself (rather than from within the website files) called OSSECHIDS which, among many other features, includes robust file integrity monitoring.

If you’re a Sucuri client already and haven’t yet set up this monitoring service please see this article for some helpful steps. If you’re still unsure how to get it configured, that’s ok! You can always submit a ticket with our product support team and we’re happy to help you get it set up!

If you’re not a Sucuri client and would like to employ file integrity monitoring to your website environment, there are some security plugins for WordPress, Magento and other environments that can help. (Of course, you can become a Sucuri client, too!)

Ben Martin is Sucuri’s Security Analyst who joined the company in 2013. Ben's main responsibilities include finding new undetected malware, identifying trends in the website security world, and, of course, cleaning websites. His professional experience covers more than six years of working with infected websites, writing blog posts, and taking escalated tickets. When Ben isn't slaying malware, you might find him editing audio, producing music, playing video games, or cuddling with his cat. Connect with him on Twitter

Reader Interactions


文章来源: https://blog.sucuri.net/2021/05/server-side-scans-and-file-integrity-monitoring.html
如有侵权请联系:admin#unsafe.sh