Malware Prophylaxis

After last week’s malware outbreak at Irreal I’ve been thinking about ways to prevent another episode. For those who haven’t been following along, someone managed to add a line of obfuscated PHP to the index.php file that gets things going when someone visits the Irreal blog. For the technically inclined, the details are in my Anatomy of an Exploit post.

The number one thing I’ve resolved to do is keep WordPress up to date. Although I can’t be sure, I suspect that the attacker gained access to index.php through a WP vulnerability so it makes sense to keep up with the latest patches. I’d been lax about that because irrational paranoia requires me to back up the database whenever I do an upgrade and that’s a bit of a pain with my setup. It’s not, however, nearly as big a pain as trying to get the site clean and convincing Google that they should stop flagging it as a malware purveyor.

One of the difficulties I had when scrubbing the site was looking for infected files. As it turns out, only index.php had been affected but I couldn’t be sure of that until I’d done a thorough survey of the site looking for the injector signature. To make that easy if I have occasion to do it again, I have a backup of the entire irreal.org site. Most of the files will be static so it should suffice to look for changed files. Most of those will be log files so checking only changed files should simplify things considerably.

There used to be a Linux utility that went through the file system and took an MD5 signature of each file so that you could check for corruption on a regular basis. Following that idea, I can periodically pull a snapshot of the site back to my local network, generate MD5 signatures on it and the my original backup, and diff the results to find files that need examination.

I thought of writing some Elisp to do this but that’s really overkill. All I really need to do is

Ctrl+u Meta+!find -P . -type f -exec md5 {} \;

to get a list of all the files and their MD5 signatures into an Emacs buffer. Then I can compare this against the saved list using Ediff right from Emacs.

I’d be interested in any other idea that readers have to help me keep things secure. Irreal runs on a hosting service so I don’t have much control over site security other than using strong passwords and keeping WordPress up to date. If you’ve got any other ideas, please leave a comment.

This entry was posted in General and tagged , . Bookmark the permalink.

5 Responses to Malware Prophylaxis

  1. Have you considered using a static blog generator, like Jekyll or any of the other dozens of options? With that, there’s very little security to worry about. Pretty much just your password, which may be even less an issue if you push updates via ssh using key authentication. Hosting a static site has the bonus of also being extremely inexpensive — anywhere between cost-free and dirt-cheap. I myself switched to a static blog, from blosxom, exactly a year ago and I’ve been extremely happy about it ever since.

    The only tricky part is adding a comment system, which can’t be static. Fortunately there are a bunch of options here as well, the most popular being Disqus.

  2. Josh says:

    Maybe tripwire? (Fedora and Arch both have packages for it, and I’m sure it’s readily available on other distros, too.) I haven’t wrestled with it myself, but from what I’ve read it’s ridiculously configurable, so I can’t imagine it not being capable of doing what you need.

  3. Robert Goldman says:

    Second the recommendation for tripwire. It’s set up to do exactly that kind of hash signature checks. Also, I believe that it’s using a better hash function than MD5. I’m not entirely sure how important it is that MD5 collisions can be found, but if there’s something better that’s not harder to use, seems like one should use it.

    Good luck!

  4. Sharif says:

    Check out git_backup that one of my co-workers wrote (and uses).

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>