public static function verifyCrawlerPTR($hostPattern, $IP) { global $wpdb; $table = $wpdb->base_prefix . 'wfCrawlers'; $db = new wfDB(); $IPn = wfUtils::inet_aton($IP); $status = $db->querySingle("select status from {$table} where IP=%s and patternSig=UNHEX(MD5('%s')) and lastUpdate > unix_timestamp() - %d", $IPn, $hostPattern, WORDFENCE_CRAWLER_VERIFY_CACHE_TIME); if ($status) { if ($status == 'verified') { return true; } else { return false; } } $wfLog = new wfLog(wfConfig::get('apiKey'), wfUtils::getWPVersion()); $host = wfUtils::reverseLookup($IP); if (!$host) { $db->queryWrite("insert into {$table} (IP, patternSig, status, lastUpdate, PTR) values (%s, UNHEX(MD5('%s')), '%s', unix_timestamp(), '%s') ON DUPLICATE KEY UPDATE status='%s', lastUpdate=unix_timestamp(), PTR='%s'", $IPn, $hostPattern, 'noPTR', '', 'noPTR', ''); return false; } if (preg_match($hostPattern, $host)) { $resultIPs = gethostbynamel($host); $addrsMatch = false; foreach ($resultIPs as $resultIP) { if ($resultIP == $IP) { $addrsMatch = true; break; } } if ($addrsMatch) { $db->queryWrite("insert into {$table} (IP, patternSig, status, lastUpdate, PTR) values (%s, UNHEX(MD5('%s')), '%s', unix_timestamp(), '%s') ON DUPLICATE KEY UPDATE status='%s', lastUpdate=unix_timestamp(), PTR='%s'", $IPn, $hostPattern, 'verified', $host, 'verified', $host); return true; } else { $db->queryWrite("insert into {$table} (IP, patternSig, status, lastUpdate, PTR) values (%s, UNHEX(MD5('%s')), '%s', unix_timestamp(), '%s') ON DUPLICATE KEY UPDATE status='%s', lastUpdate=unix_timestamp(), PTR='%s'", $IPn, $hostPattern, 'fwdFail', $host, 'fwdFail', $host); return false; } } else { $db->queryWrite("insert into {$table} (IP, patternSig, status, lastUpdate, PTR) values (%s, UNHEX(MD5('%s')), '%s', unix_timestamp(), '%s') ON DUPLICATE KEY UPDATE status='%s', lastUpdate=unix_timestamp(), PTR='%s'", $IPn, $hostPattern, 'badPTR', $host, 'badPTR', $host); return false; } }
public static function reverseLookup($IP) { $db = new wfDB(); global $wpdb; $reverseTable = $wpdb->base_prefix . 'wfReverseCache'; $IPn = wfUtils::inet_pton($IP); $host = $db->querySingle("select host from " . $reverseTable . " where IP=%s and unix_timestamp() - lastUpdate < %d", $IPn, WORDFENCE_REVERSE_LOOKUP_CACHE_TIME); if (!$host) { // This function works for IPv4 or IPv6 if (function_exists('gethostbyaddr')) { $host = gethostbyaddr($IP); } if (!$host) { $ptr = false; if (filter_var($IP, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) { $ptr = implode(".", array_reverse(explode(".", $IP))) . ".in-addr.arpa"; } else { if (filter_var($IP, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) { $ptr = implode(".", array_reverse(str_split(bin2hex($IPn)))) . ".ip6.arpa"; } } if ($ptr && function_exists('dns_get_record')) { $host = @dns_get_record($ptr, DNS_PTR); if ($host) { $host = $host[0]['target']; } } } if (!$host) { $host = 'NONE'; } $db->queryWrite("insert into " . $reverseTable . " (IP, host, lastUpdate) values (%s, '%s', unix_timestamp()) ON DUPLICATE KEY UPDATE host='%s', lastUpdate=unix_timestamp()", $IPn, $host, $host); } if ($host == 'NONE') { return ''; } else { return $host; } }
public function scan($forkObj) { if (!$this->startTime) { $this->startTime = microtime(true); } if (!$this->lastStatusTime) { $this->lastStatusTime = microtime(true); } $db = new wfDB(); $lastCount = 'whatever'; $excludePattern = false; if (wfConfig::get('scan_exclude', false)) { $exParts = explode(',', wfConfig::get('scan_exclude')); foreach ($exParts as &$exPart) { $exPart = preg_quote($exPart); $exPart = preg_replace('/\\\\\\*/', '.*', $exPart); } $excludePattern = '/^(?:' . implode('|', $exParts) . ')$/i'; } while (true) { $thisCount = $db->querySingle("select count(*) from " . $db->prefix() . "wfFileMods where oldMD5 != newMD5 and knownFile=0"); if ($thisCount == $lastCount) { //count should always be decreasing. If not, we're in an infinite loop so lets catch it early break; } $lastCount = $thisCount; $res1 = $db->querySelect("select filename, filenameMD5, hex(newMD5) as newMD5 from " . $db->prefix() . "wfFileMods where oldMD5 != newMD5 and knownFile=0 limit 500"); if (sizeof($res1) < 1) { break; } foreach ($res1 as $rec1) { $db->queryWrite("update " . $db->prefix() . "wfFileMods set oldMD5 = newMD5 where filenameMD5='%s'", $rec1['filenameMD5']); //A way to mark as scanned so that if we come back from a sleep we don't rescan this one. $file = $rec1['filename']; if ($excludePattern && preg_match($excludePattern, $file)) { continue; } $fileSum = $rec1['newMD5']; if (!file_exists($this->path . $file)) { continue; } $fileExt = ''; if (preg_match('/\\.([a-zA-Z\\d\\-]{1,7})$/', $file, $matches)) { $fileExt = strtolower($matches[1]); } $isPHP = false; if (preg_match('/^(?:php|phtml|php\\d+)$/', $fileExt)) { $isPHP = true; } $dontScanForURLs = false; if (!wfConfig::get('scansEnabled_highSense') && (preg_match('/^(?:\\.htaccess|wp\\-config\\.php)$/', $file) || preg_match('/^(?:sql|tbz|tgz|gz|tar|log|err\\d+)$/', $fileExt))) { $dontScanForURLs = true; } if (preg_match('/^(?:jpg|jpeg|mp3|avi|m4v|gif|png)$/', $fileExt) && !wfConfig::get('scansEnabled_scanImages')) { continue; } if (!wfConfig::get('scansEnabled_highSense') && strtolower($fileExt) == 'sql') { // continue; } if (wfUtils::fileTooBig($this->path . $file)) { //We can't use filesize on 32 bit systems for files > 2 gigs //We should not need this check because files > 2 gigs are not hashed and therefore won't be received back as unknowns from the API server //But we do it anyway to be safe. wordfence::status(2, 'error', "Encountered file that is too large: {$file} - Skipping."); continue; } $fsize = filesize($this->path . $file); //Checked if too big above if ($fsize > 1000000) { $fsize = sprintf('%.2f', $fsize / 1000000) . "M"; } else { $fsize = $fsize . "B"; } if (function_exists('memory_get_usage')) { wordfence::status(4, 'info', "Scanning contents: {$file} (Size:{$fsize} Mem:" . sprintf('%.1f', memory_get_usage(true) / (1024 * 1024)) . "M)"); } else { wordfence::status(4, 'info', "Scanning contents: {$file} (Size: {$fsize})"); } $stime = microtime(true); $fh = @fopen($this->path . $file, 'r'); if (!$fh) { continue; } $totalRead = 0; while (!feof($fh)) { $data = fread($fh, 1 * 1024 * 1024); //read 1 megs max per chunk $totalRead += strlen($data); if ($totalRead < 1) { break; } if ($isPHP || wfConfig::get('scansEnabled_scanImages')) { if (strpos($data, '$allowed' . 'Sites') !== false && strpos($data, "define ('VER" . "SION', '1.") !== false && strpos($data, "TimThum" . "b script created by") !== false) { if (!$this->isSafeFile($this->path . $file)) { $this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => $fileSum, 'shortMsg' => "File is an old version of TimThumb which is vulnerable.", 'longMsg' => "This file appears to be an old version of the TimThumb script which makes your system vulnerable to attackers. Please upgrade the theme or plugin that uses this or remove it.", 'data' => array('file' => $file, 'canDiff' => false, 'canFix' => false, 'canDelete' => true))); break; } } else { if (strpos($file, 'lib/wordfenceScanner.php') === false && preg_match($this->patterns['sigPattern'], $data, $matches)) { if (!$this->isSafeFile($this->path . $file)) { $this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => $fileSum, 'shortMsg' => "This file appears to be malicious", 'longMsg' => "This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: <strong style=\"color: #F00;\">\"" . $matches[1] . "\"</strong>.", 'data' => array('file' => $file, 'canDiff' => false, 'canFix' => false, 'canDelete' => true))); break; } } } if (preg_match($this->patterns['pat2'], $data)) { if (!$this->isSafeFile($this->path . $file)) { $this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => $fileSum, 'shortMsg' => "This file may contain malicious executable code: " . $this->path . $file, 'longMsg' => "This file is a PHP executable file and contains an " . $this->patterns['word1'] . " function and " . $this->patterns['word2'] . " decoding function on the same line. This is a common technique used by hackers to hide and execute code. If you know about this file you can choose to ignore it to exclude it from future scans.", 'data' => array('file' => $file, 'canDiff' => false, 'canFix' => false, 'canDelete' => true))); break; } } if (wfConfig::get('scansEnabled_highSense')) { $badStringFound = false; if (strpos($data, $this->patterns['badstrings'][0]) !== false) { for ($i = 1; $i < sizeof($this->patterns['badstrings']); $i++) { if (strpos($data, $this->patterns['badstrings'][$i]) !== false) { $badStringFound = $this->patterns['badstrings'][$i]; break; } } } if ($badStringFound) { if (!$this->isSafeFile($this->path . $file)) { $this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => $fileSum, 'shortMsg' => "This file may contain malicious executable code" . $this->path . $file, 'longMsg' => "This file is a PHP executable file and contains the word 'eval' (without quotes) and the word '" . $badStringFound . "' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans.", 'data' => array('file' => $file, 'canDiff' => false, 'canFix' => false, 'canDelete' => true))); break; } } } if (!$dontScanForURLs) { $this->urlHoover->hoover($file, $data); } } else { if (!$dontScanForURLs) { $this->urlHoover->hoover($file, $data); } } if ($totalRead > 2 * 1024 * 1024) { break; } } fclose($fh); $mtime = sprintf("%.5f", microtime(true) - $stime); $this->totalFilesScanned++; if (microtime(true) - $this->lastStatusTime > 1) { $this->lastStatusTime = microtime(true); $this->writeScanningStatus(); } $forkObj->forkIfNeeded(); } } $this->writeScanningStatus(); wordfence::status(2, 'info', "Asking Wordfence to check URL's against malware list."); $hooverResults = $this->urlHoover->getBaddies(); if ($this->urlHoover->errorMsg) { $this->errorMsg = $this->urlHoover->errorMsg; return false; } $this->urlHoover->cleanup(); foreach ($hooverResults as $file => $hresults) { foreach ($hresults as $result) { if (preg_match('/wfBrowscapCache\\.php$/', $file)) { continue; } if ($result['badList'] == 'goog-malware-shavar') { if (!$this->isSafeFile($this->path . $file)) { $this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => md5_file($this->path . $file), 'shortMsg' => "File contains suspected malware URL: " . $this->path . $file, 'longMsg' => "This file contains a suspected malware URL listed on Google's list of malware sites. Wordfence decodes " . $this->patterns['word3'] . " when scanning files so the URL may not be visible if you view this file. The URL is: " . $result['URL'] . " - More info available at <a href=\"http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=" . urlencode($result['URL']) . "&client=googlechrome&hl=en-US\" target=\"_blank\">Google Safe Browsing diagnostic page</a>.", 'data' => array('file' => $file, 'badURL' => $result['URL'], 'canDiff' => false, 'canFix' => false, 'canDelete' => true, 'gsb' => 'goog-malware-shavar'))); } } else { if ($result['badList'] == 'googpub-phish-shavar') { if (!$this->isSafeFile($this->path . $file)) { $this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => md5_file($this->path . $file), 'shortMsg' => "File contains suspected phishing URL: " . $this->path . $file, 'longMsg' => "This file contains a URL that is a suspected phishing site that is currently listed on Google's list of known phishing sites. The URL is: " . $result['URL'], 'data' => array('file' => $file, 'badURL' => $result['URL'], 'canDiff' => false, 'canFix' => false, 'canDelete' => true, 'gsb' => 'googpub-phish-shavar'))); } } } } } return $this->results; }
public static function trimWfHits() { global $wpdb; $p = $wpdb->base_prefix; $wfdb = new wfDB(); $count = $wfdb->querySingle("select count(*) as cnt from {$p}" . "wfHits"); $liveTrafficMaxRows = absint(wfConfig::get('liveTraf_maxRows', 2000)); if ($count > $liveTrafficMaxRows * 10) { $wfdb->truncate($p . "wfHits"); //So we don't slow down sites that have very large wfHits tables } else { if ($count > $liveTrafficMaxRows) { $wfdb->queryWrite("delete from {$p}" . "wfHits order by id asc limit %d", $count - $liveTrafficMaxRows + $liveTrafficMaxRows * 0.2); } } }
public function scan($forkObj) { /** @var wpdb */ global $wpdb; if (!$this->startTime) { $this->startTime = microtime(true); } if (!$this->lastStatusTime) { $this->lastStatusTime = microtime(true); } $db = new wfDB(); $blogsToScan = wfScanEngine::getBlogsToScan('options'); foreach ($blogsToScan as $blog) { // Check the options table for known shells $results = $db->querySelect("SELECT * FROM {$blog['table']} WHERE option_value REGEXP %s", trim(rtrim($this->patterns['dbSigPattern'], 'imsxeADSUXJu'), '/')); foreach ($results as $row) { preg_match($this->patterns['dbSigPattern'], $row['option_value'], $matches); $this->addResult(array('type' => 'database', 'severity' => 1, 'ignoreP' => "{$db->prefix()}option.{$row['option_name']}", 'ignoreC' => md5($row['option_value']), 'shortMsg' => "This option may contain malicious executable code: {$row['option_name']}", 'longMsg' => "This option appears to be inserted by a hacker to perform malicious activity. If you know about this option you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: <strong style=\"color: #F00;\">\"{$matches[1]}\"</strong>.", 'data' => array('option_name' => $row['option_name'], 'site_id' => $blog['blog_id'], 'canDelete' => true))); } } return $this->results; }
public static function reverseLookup($IP) { $db = new wfDB(); global $wpdb; $reverseTable = $wpdb->base_prefix . 'wfReverseCache'; $IPn = wfUtils::inet_aton($IP); $host = $db->querySingle("select host from " . $reverseTable . " where IP=%s and unix_timestamp() - lastUpdate < %d", $IPn, WORDFENCE_REVERSE_LOOKUP_CACHE_TIME); if (!$host) { $ptr = implode(".", array_reverse(explode(".", $IP))) . ".in-addr.arpa"; $host = @dns_get_record($ptr, DNS_PTR); if ($host == null) { $host = 'NONE'; } else { $host = $host[0]['target']; } $db->queryWrite("insert into " . $reverseTable . " (IP, host, lastUpdate) values (%s, '%s', unix_timestamp()) ON DUPLICATE KEY UPDATE host='%s', lastUpdate=unix_timestamp()", $IPn, $host, $host); } if ($host == 'NONE') { return ''; } else { return $host; } }
/** * @param wfScanEngine $forkObj * @return array */ public function scan($forkObj) { $this->scanEngine = $forkObj; $loader = $this->scanEngine->getKnownFilesLoader(); if (!$this->startTime) { $this->startTime = microtime(true); } if (!$this->lastStatusTime) { $this->lastStatusTime = microtime(true); } $db = new wfDB(); $lastCount = 'whatever'; $excludePattern = self::getExcludeFilePattern(self::EXCLUSION_PATTERNS_USER & self::EXCLUSION_PATTERNS_MALWARE); while (true) { $thisCount = $db->querySingle("select count(*) from " . $db->prefix() . "wfFileMods where oldMD5 != newMD5 and knownFile=0"); if ($thisCount == $lastCount) { //count should always be decreasing. If not, we're in an infinite loop so lets catch it early break; } $lastCount = $thisCount; $res1 = $db->querySelect("select filename, filenameMD5, hex(newMD5) as newMD5 from " . $db->prefix() . "wfFileMods where oldMD5 != newMD5 and knownFile=0 limit 500"); if (sizeof($res1) < 1) { break; } foreach ($res1 as $rec1) { $db->queryWrite("update " . $db->prefix() . "wfFileMods set oldMD5 = newMD5 where filenameMD5='%s'", $rec1['filenameMD5']); //A way to mark as scanned so that if we come back from a sleep we don't rescan this one. $file = $rec1['filename']; if ($excludePattern && preg_match($excludePattern, $file)) { continue; } $fileSum = $rec1['newMD5']; if (!file_exists($this->path . $file)) { continue; } $fileExt = ''; if (preg_match('/\\.([a-zA-Z\\d\\-]{1,7})$/', $file, $matches)) { $fileExt = strtolower($matches[1]); } $isPHP = false; if (preg_match('/\\.(?:php(?:\\d+)?|phtml)(\\.|$)/i', $file)) { $isPHP = true; } $dontScanForURLs = false; if (!wfConfig::get('scansEnabled_highSense') && (preg_match('/^(?:\\.htaccess|wp\\-config\\.php)$/', $file) || $file === ini_get('user_ini.filename'))) { $dontScanForURLs = true; } $isScanImagesFile = false; if (!$isPHP && preg_match('/^(?:jpg|jpeg|mp3|avi|m4v|gif|png|sql|js|tbz2?|bz2?|xz|zip|tgz|gz|tar|log|err\\d+)$/', $fileExt)) { if (wfConfig::get('scansEnabled_scanImages')) { $isScanImagesFile = true; } else { continue; } } $isHighSensitivityFile = false; if (strtolower($fileExt) == 'sql') { if (wfConfig::get('scansEnabled_highSense')) { $isHighSensitivityFile = true; } else { continue; } } if (wfUtils::fileTooBig($this->path . $file)) { //We can't use filesize on 32 bit systems for files > 2 gigs //We should not need this check because files > 2 gigs are not hashed and therefore won't be received back as unknowns from the API server //But we do it anyway to be safe. wordfence::status(2, 'error', "Encountered file that is too large: {$file} - Skipping."); continue; } wfUtils::beginProcessingFile($file); $fsize = filesize($this->path . $file); //Checked if too big above if ($fsize > 1000000) { $fsize = sprintf('%.2f', $fsize / 1000000) . "M"; } else { $fsize = $fsize . "B"; } if (function_exists('memory_get_usage')) { wordfence::status(4, 'info', "Scanning contents: {$file} (Size:{$fsize} Mem:" . sprintf('%.1f', memory_get_usage(true) / (1024 * 1024)) . "M)"); } else { wordfence::status(4, 'info', "Scanning contents: {$file} (Size: {$fsize})"); } $stime = microtime(true); $fh = @fopen($this->path . $file, 'r'); if (!$fh) { continue; } $totalRead = 0; $dataForFile = $this->dataForFile($file); while (!feof($fh)) { $data = fread($fh, 1 * 1024 * 1024); //read 1 megs max per chunk $totalRead += strlen($data); if ($totalRead < 1) { break; } $extraMsg = ''; if ($isScanImagesFile) { $extraMsg = ' This file was detected because you have enabled "Scan images, binary, and other files as if they were executable", which treats non-PHP files as if they were PHP code. This option is more aggressive than the usual scans, and may cause false positives.'; } else { if ($isHighSensitivityFile) { $extraMsg = ' This file was detected because you have enabled HIGH SENSITIVITY scanning. This option is more aggressive than the usual scans, and may cause false positives.'; } } if ($isPHP || wfConfig::get('scansEnabled_scanImages')) { if (strpos($data, '$allowed' . 'Sites') !== false && strpos($data, "define ('VER" . "SION', '1.") !== false && strpos($data, "TimThum" . "b script created by") !== false) { if (!$this->isSafeFile($this->path . $file)) { $this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => $fileSum, 'shortMsg' => "File is an old version of TimThumb which is vulnerable.", 'longMsg' => "This file appears to be an old version of the TimThumb script which makes your system vulnerable to attackers. Please upgrade the theme or plugin that uses this or remove it." . $extraMsg, 'data' => array_merge(array('file' => $file), $dataForFile))); break; } } else { if (strpos($file, 'lib/wordfenceScanner.php') === false) { // && preg_match($this->patterns['sigPattern'], $data, $matches)){ $regexMatched = false; foreach ($this->patterns['rules'] as $rule) { if (preg_match('/(' . $rule[2] . ')/i', $data, $matches)) { if (!$this->isSafeFile($this->path . $file)) { $this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => $fileSum, 'shortMsg' => "File appears to be malicious: " . esc_html($file), 'longMsg' => "This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: <strong style=\"color: #F00;\">\"" . esc_html(strlen($matches[1]) > 200 ? substr($matches[1], 0, 200) . '...' : $matches[1]) . "\"</strong>. The infection type is: <strong>" . esc_html($rule[3]) . '</strong>' . $extraMsg, 'data' => array_merge(array('file' => $file), $dataForFile))); $regexMatched = true; break; } } } if ($regexMatched) { break; } } } if (wfConfig::get('scansEnabled_highSense')) { $badStringFound = false; if (strpos($data, $this->patterns['badstrings'][0]) !== false) { for ($i = 1; $i < sizeof($this->patterns['badstrings']); $i++) { if (strpos($data, $this->patterns['badstrings'][$i]) !== false) { $badStringFound = $this->patterns['badstrings'][$i]; break; } } } if ($badStringFound) { if (!$this->isSafeFile($this->path . $file)) { $this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => $fileSum, 'shortMsg' => "This file may contain malicious executable code: " . esc_html($this->path . $file), 'longMsg' => "This file is a PHP executable file and contains the word 'eval' (without quotes) and the word '" . esc_html($badStringFound) . "' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans. This file was detected because you have enabled HIGH SENSITIVITY scanning. This option is more aggressive than the usual scans, and may cause false positives.", 'data' => array_merge(array('file' => $file), $dataForFile))); break; } } } if (!$dontScanForURLs) { $this->urlHoover->hoover($file, $data); } } else { if (!$dontScanForURLs) { $this->urlHoover->hoover($file, $data); } } if ($totalRead > 2 * 1024 * 1024) { break; } } fclose($fh); $this->totalFilesScanned++; if (microtime(true) - $this->lastStatusTime > 1) { $this->lastStatusTime = microtime(true); $this->writeScanningStatus(); } $forkObj->forkIfNeeded(); } } $this->writeScanningStatus(); wordfence::status(2, 'info', "Asking Wordfence to check URL's against malware list."); $hooverResults = $this->urlHoover->getBaddies(); if ($this->urlHoover->errorMsg) { $this->errorMsg = $this->urlHoover->errorMsg; return false; } $this->urlHoover->cleanup(); $siteURL = get_site_url(); $siteHost = parse_url($siteURL, PHP_URL_HOST); foreach ($hooverResults as $file => $hresults) { $dataForFile = $this->dataForFile($file, $this->path . $file); foreach ($hresults as $result) { if (preg_match('/wfBrowscapCache\\.php$/', $file)) { continue; } if (empty($result['URL'])) { continue; } $url = $result['URL']; $urlHost = parse_url($url, PHP_URL_HOST); if (strcasecmp($siteHost, $urlHost) === 0) { continue; } if ($result['badList'] == 'goog-malware-shavar') { if (!$this->isSafeFile($this->path . $file)) { $this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => md5_file($this->path . $file), 'shortMsg' => "File contains suspected malware URL: " . esc_html($this->path . $file), 'longMsg' => "This file contains a suspected malware URL listed on Google's list of malware sites. Wordfence decodes " . esc_html($this->patterns['word3']) . " when scanning files so the URL may not be visible if you view this file. The URL is: " . esc_html($result['URL']) . " - More info available at <a href=\"http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=" . urlencode($result['URL']) . "&client=googlechrome&hl=en-US\" target=\"_blank\">Google Safe Browsing diagnostic page</a>.", 'data' => array_merge(array('file' => $file, 'badURL' => $result['URL'], 'gsb' => 'goog-malware-shavar'), $dataForFile))); } } else { if ($result['badList'] == 'googpub-phish-shavar') { if (!$this->isSafeFile($this->path . $file)) { $this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => md5_file($this->path . $file), 'shortMsg' => "File contains suspected phishing URL: " . esc_html($this->path . $file), 'longMsg' => "This file contains a URL that is a suspected phishing site that is currently listed on Google's list of known phishing sites. The URL is: " . esc_html($result['URL']), 'data' => array_merge(array('file' => $file, 'badURL' => $result['URL'], 'gsb' => 'googpub-phish-shavar'), $dataForFile))); } } } } } wfUtils::endProcessingFile(); return $this->results; }
<head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel='stylesheet' id='wordfence-main-style-css' href='<?php echo wfUtils::getBaseURL(); ?> /css/fullLog.css?ver=<?php echo WORDFENCE_VERSION; ?> ' type='text/css' media='all' /> <style type="text/css"> </style> <body> <h1>Wordfence Full Activity Log</h1> <?php $db = new wfDB(); global $wpdb; $debugOn = wfConfig::get('debugOn', 0); $table = $wpdb->base_prefix . 'wfStatus'; $q = $db->querySelect("select ctime, level, type, msg from {$table} order by ctime desc"); $timeOffset = 3600 * get_option('gmt_offset'); foreach ($q as $r) { if ($r['level'] < 4 || $debugOn) { echo '<div' . ($r['type'] == 'error' ? ' class="error"' : '') . '>[' . date('M d H:i:s', $r['ctime'] + $timeOffset) . ':' . $r['ctime'] . ':' . $r['level'] . ':' . $r['type'] . '] ' . esc_html($r['msg']) . "</div>\n"; } } ?> </body> </html> <?php exit(0);
<head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel='stylesheet' id='wordfence-main-style-css' href='<?php echo wfUtils::getBaseURL(); ?> /css/fullLog.css?ver=<?php echo WORDFENCE_VERSION; ?> ' type='text/css' media='all' /> <style type="text/css"> </style> <body> <h1>Wordfence Full Activity Log</h1> <?php $db = new wfDB(); global $wpdb; $debugOn = wfConfig::get('debugOn', 0); $table = $wpdb->base_prefix . 'wfStatus'; $offset = 0; $timeOffset = 3600 * get_option('gmt_offset'); $q = $db->querySelect("SELECT ctime, level, type, msg FROM {$table} ORDER BY ctime DESC LIMIT %d, 100", $offset); while (is_array($q) && count($q) > 0) { foreach ($q as $r) { if ($r['level'] < 4 || $debugOn) { echo '<div' . ($r['type'] == 'error' ? ' class="error"' : '') . '>[' . date('M d H:i:s', $r['ctime'] + $timeOffset) . ':' . $r['ctime'] . ':' . $r['level'] . ':' . $r['type'] . '] ' . esc_html($r['msg']) . "</div>\n"; } } $offset += count($q); $q = $db->querySelect("SELECT ctime, level, type, msg FROM {$table} ORDER BY ctime DESC LIMIT %d, 100", $offset); }
private function scan_options() { $blogsToScan = $this->getBlogsToScan('options'); $wfdb = new wfDB(); foreach ($blogsToScan as $blog) { $charset = $wfdb->querySingle("select option_value from " . $blog['table'] . " where option_name='blog_charset'"); if (strtolower($charset) == 'utf-7') { $this->addIssue('badOption', 1, $blog['blog_id'] . 'blog_charset', $blog['blog_id'] . 'blog_charset', "An option was found in your site that indicates it may have been hacked.", "The 'blog_charset' option in your database is set to '" . $charset . "' which indicates your site may have been hacked. If hackers can gain access to your database via phpMyAdmin for example, they will change this value in order to inject malicious code into other parts of your site or allow XSS attacks. The 'badi' hack does this.", array('isMultisite' => $blog['isMultisite'], 'domain' => $blog['domain'], 'path' => $blog['path'], 'blog_id' => $blog['blog_id'])); } } }
public static function wfSchemaExists() { $db = new wfDB(); global $wpdb; $prefix = $wpdb->base_prefix; $exists = $db->querySingle("show tables like '{$prefix}" . "wfConfig'"); return $exists ? true : false; }
public static function becomeAdmin() { $db = new wfDB(); global $wpdb; $adminUserID = false; $userSource = ''; if (is_multisite()) { $users = get_users('role=super&fields=ID'); if (sizeof($users) < 1) { $supers = get_super_admins(); if (sizeof($supers) > 0) { foreach ($supers as $superLogin) { $superDat = get_user_by('login', $superLogin); if ($superDat) { $users = array($superDat->ID); $userSource = 'multisite get_super_admins() function'; break; } } } } else { $userSource = 'multisite get_users() function'; } } else { $users = get_users('role=administrator&fields=ID'); if (sizeof($users) < 1) { $supers = get_super_admins(); if (sizeof($supers) > 0) { foreach ($supers as $superLogin) { $superDat = get_user_by('login', $superLogin); if ($superDat) { $users = array($superDat->ID); $userSource = 'singlesite get_super_admins() function'; break; } } } } else { $userSource = 'singlesite get_users() function'; } } if (sizeof($users) > 0) { sort($users, SORT_NUMERIC); $adminUserID = $users[0]; } else { //Last ditch attempt $adminUserID = $db->querySingle("select user_id from " . $wpdb->usermeta . " where meta_key='" . $wpdb->base_prefix . "user_level' order by meta_value desc, user_id asc limit 1"); if (!$adminUserID) { //One final attempt for those who have changed their table prefixes but the meta_key is still wp_ prefixed... $adminUserID = $db->querySingle("select user_id from " . $wpdb->usermeta . " where meta_key='wp_user_level' order by meta_value desc, user_id asc limit 1"); if (!$adminUserID) { self::status(1, 'error', "Could not get the administrator's user ID. Scan can't continue."); exit; } } $userSource = 'manual DB query'; } $adminUsername = $db->querySingle("select user_login from " . $wpdb->users . " where ID=%d", $adminUserID); self::status(4, 'info', "Scan will run as admin user '{$adminUsername}' with ID '{$adminUserID}' sourced from: {$userSource}"); wp_set_current_user($adminUserID); if (!is_user_logged_in()) { self::status(1, 'error', "Scan could not sign in as user '{$adminUsername}' with ID '{$adminUserID}' from source '{$userSource}'. Scan can't continue."); exit; } self::status(4, 'info', "Scan authentication complete."); }
/** * @param string|null $ip * @return bool */ public static function verifyGooglebotViaNOC1($ip = null) { global $wpdb; $table = $wpdb->base_prefix . 'wfCrawlers'; if ($ip === null) { $ip = wfUtils::getIP(); } $db = new wfDB(); $IPn = wfUtils::inet_pton($ip); $patternSig = 'googlenoc1'; $status = $db->querySingle("select status from {$table}\n\t\t\t\twhere IP=%s\n\t\t\t\tand patternSig=UNHEX(MD5('%s'))\n\t\t\t\tand lastUpdate > unix_timestamp() - %d", $IPn, $patternSig, WORDFENCE_CRAWLER_VERIFY_CACHE_TIME); if ($status === 'verified') { return true; } else { if ($status === 'fakeBot') { return false; } } $api = new wfAPI(wfConfig::get('apiKey'), wfUtils::getWPVersion()); try { $data = $api->call('verify_googlebot', array('ip' => $ip)); if (is_array($data) && !empty($data['verified'])) { // Cache results $db->queryWrite("insert into {$table} (IP, patternSig, status, lastUpdate)\nvalues (%s, UNHEX(MD5('%s')), '%s', unix_timestamp())\nON DUPLICATE KEY UPDATE status='%3\$s', lastUpdate=unix_timestamp()", $IPn, $patternSig, 'verified'); return true; } else { $db->queryWrite("insert into {$table} (IP, patternSig, status, lastUpdate)\nvalues (%s, UNHEX(MD5('%s')), '%s', unix_timestamp())\nON DUPLICATE KEY UPDATE status='%3\$s', lastUpdate=unix_timestamp()", $IPn, $patternSig, 'fakeBot'); } } catch (Exception $e) { // Do nothing, bail } return false; }
public function scan($forkObj) { if (!$this->startTime) { $this->startTime = microtime(true); } if (!$this->lastStatusTime) { $this->lastStatusTime = microtime(true); } $db = new wfDB(); $keepGoing = true; $limitOffset = 0; $queryChunkSize = 1000; while ($keepGoing) { $keepGoing = false; $res1 = $db->querySelect("select filename, filenameMD5, hex(newMD5) as newMD5 from " . $db->prefix() . "wfFileMods where oldMD5 != newMD5 and knownFile=0 limit {$limitOffset} , {$queryChunkSize}"); if (sizeof($res1) > 0) { $keepGoing = true; $limitOffset += $queryChunkSize; } foreach ($res1 as $rec1) { $db->queryWrite("update " . $db->prefix() . "wfFileMods set oldMD5 = newMD5 where filenameMD5='%s'", $rec1['filenameMD5']); //A way to mark as scanned so that if we come back from a sleep we don't rescan this one. $file = $rec1['filename']; $fileSum = $rec1['newMD5']; if (!file_exists($this->path . $file)) { continue; } $fileExt = ''; if (preg_match('/\\.([a-zA-Z\\d\\-]{1,7})$/', $file, $matches)) { $fileExt = strtolower($matches[1]); } $isPHP = false; if (preg_match('/^(?:php|phtml|php\\d+)$/', $fileExt)) { $isPHP = true; } if (preg_match('/^(?:jpg|jpeg|mp3|avi|m4v|gif|png)$/', $fileExt)) { continue; } if (wfUtils::fileTooBig($this->path . $file)) { //We can't use filesize on 32 bit systems for files > 2 gigs //We should not need this check because files > 2 gigs are not hashed and therefore won't be received back as unknowns from the API server //But we do it anyway to be safe. wordfence::status(2, 'error', "Encountered file that is too large: {$file} - Skipping."); continue; } $fsize = filesize($this->path . $file); //Checked if too big above if ($fsize > 1000000) { $fsize = sprintf('%.2f', $fsize / 1000000) . "M"; } else { $fsize = $fsize . "B"; } if (function_exists('memory_get_usage')) { wordfence::status(4, 'info', "Scanning contents: {$file} (Size:{$fsize} Mem:" . sprintf('%.1f', memory_get_usage(true) / (1024 * 1024)) . "M)"); } else { wordfence::status(4, 'info', "Scanning contents: {$file} (Size: {$fsize})"); } $stime = microtime(true); $fh = @fopen($this->path . $file, 'r'); if (!$fh) { continue; } $totalRead = 0; while (!feof($fh)) { $data = fread($fh, 1 * 1024 * 1024); //read 1 megs max per chunk $totalRead += strlen($data); if ($totalRead < 1) { break; } if ($isPHP) { if (strpos($data, '$allowed' . 'Sites') !== false && strpos($data, "define ('VER" . "SION', '1.") !== false && strpos($data, "TimThum" . "b script created by") !== false) { $this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => $fileSum, 'shortMsg' => "File is an old version of TimThumb which is vulnerable.", 'longMsg' => "This file appears to be an old version of the TimThumb script which makes your system vulnerable to attackers. Please upgrade the theme or plugin that uses this or remove it.", 'data' => array('file' => $file, 'canDiff' => false, 'canFix' => false, 'canDelete' => true))); break; } else { if (strpos($file, 'lib/wordfenceScanner.php') === false && preg_match($this->patterns['sigPattern'], $data, $matches)) { $this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => $fileSum, 'shortMsg' => "This file appears to be an attack shell", 'longMsg' => "This file appears to be an executable shell that allows hackers entry to your site via a backdoor. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: <strong style=\"color: #F00;\">\"" . $matches[1] . "\"</strong>.", 'data' => array('file' => $file, 'canDiff' => false, 'canFix' => false, 'canDelete' => true))); break; } } /* $longestNospace = wfUtils::longestNospace($data); if($longestNospace > 1000 && (strpos($data, $this->patterns['pat1']) !== false || preg_match('/preg_replace\([^\(]+\/[a-z]*e/', $data)) ){ $this->addResult(array( 'type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => $fileSum, 'shortMsg' => "This file may contain malicious executable code", 'longMsg' => "This file is a PHP executable file and contains a line $longestNospace characters long without spaces that may be encoded data along with functions that may be used to execute that code. If you know about this file you can choose to ignore it to exclude it from future scans.", 'data' => array( 'file' => $file, 'canDiff' => false, 'canFix' => false, 'canDelete' => true ) )); break; } */ if (preg_match($this->patterns['pat2'], $data)) { $this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => $fileSum, 'shortMsg' => "This file may contain malicious executable code", 'longMsg' => "This file is a PHP executable file and contains an " . $this->patterns['word1'] . " function and " . $this->patterns['word2'] . " decoding function on the same line. This is a common technique used by hackers to hide and execute code. If you know about this file you can choose to ignore it to exclude it from future scans.", 'data' => array('file' => $file, 'canDiff' => false, 'canFix' => false, 'canDelete' => true))); break; } $this->urlHoover->hoover($file, $data); } else { $this->urlHoover->hoover($file, $data); } if ($totalRead > 2 * 1024 * 1024) { break; } } fclose($fh); $mtime = sprintf("%.5f", microtime(true) - $stime); $this->totalFilesScanned++; if (microtime(true) - $this->lastStatusTime > 1) { $this->lastStatusTime = microtime(true); $this->writeScanningStatus(); } $forkObj->forkIfNeeded(); } } $this->writeScanningStatus(); wordfence::status(2, 'info', "Asking Wordfence to check URL's against malware list."); $hooverResults = $this->urlHoover->getBaddies(); if ($this->urlHoover->errorMsg) { $this->errorMsg = $this->urlHoover->errorMsg; return false; } foreach ($hooverResults as $file => $hresults) { foreach ($hresults as $result) { if ($result['badList'] == 'goog-malware-shavar') { $this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => md5_file($this->path . $file), 'shortMsg' => "File contains suspected malware URL: " . $this->path . $file, 'longMsg' => "This file contains a suspected malware URL listed on Google's list of malware sites. Wordfence decodes " . $this->patterns['word3'] . " when scanning files so the URL may not be visible if you view this file. The URL is: " . $result['URL'] . " - More info available at <a href=\"http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=" . urlencode($result['URL']) . "&client=googlechrome&hl=en-US\" target=\"_blank\">Google Safe Browsing diagnostic page</a>.", 'data' => array('file' => $file, 'badURL' => $result['URL'], 'canDiff' => false, 'canFix' => false, 'canDelete' => true, 'gsb' => 'goog-malware-shavar'))); } else { if ($result['badList'] == 'googpub-phish-shavar') { $this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => md5_file($this->path . $file), 'shortMsg' => "File contains suspected phishing URL: " . $this->path . $file, 'longMsg' => "This file contains a URL that is a suspected phishing site that is currently listed on Google's list of known phishing sites. The URL is: " . $result['URL'], 'data' => array('file' => $file, 'badURL' => $result['URL'], 'canDiff' => false, 'canFix' => false, 'canDelete' => true, 'gsb' => 'googpub-phish-shavar'))); } } } } return $this->results; }
</td> <td><?php echo esc_html($cron_job); ?> </td> </tr> <?php } } } } ?> </tbody> </table> <?php $wfdb = new wfDB(); $q = $wfdb->querySelect("show table status"); if ($q) { $databaseCols = count($q[0]); ?> <div style="max-width: 100%; overflow: auto; padding: 1px;"> <table class="wf-table"<?php echo !empty($inEmail) ? ' border=1' : ''; ?> > <tbody class="empty-row"> <tr> <td colspan="<?php echo $databaseCols; ?> "></td>
private function scan_passwds_main() { global $wpdb; $wfdb = new wfDB(); while (strlen($this->userPasswdQueue) > 3) { $usersLeft = strlen($this->userPasswdQueue) / 4; //4 byte ints if ($usersLeft % 100 == 0) { wordfence::status(2, 'info', "Total of {$usersLeft} users left to process in password strength check."); } $userID = unpack('N', substr($this->userPasswdQueue, 0, 4)); $userID = $userID[1]; $this->userPasswdQueue = substr($this->userPasswdQueue, 4); $userLogin = $wfdb->querySingle("select user_login from {$wpdb->users} where ID=%s", $userID); if (!$userLogin) { wordfence::status(2, 'error', "Could not get username for user with ID {$userID} when checking password strenght."); continue; } wordfence::status(4, 'info', "Checking password strength for user {$userLogin} with ID {$userID}"); if ($this->scanUserPassword($userID)) { $this->passwdHasIssues = true; } $this->forkIfNeeded(); } }
function ticker() { $wfdb = new wfDB(); global $wpdb; $p = $wpdb->base_prefix; $serverTime = $wfdb->querySingle('select unix_timestamp()'); $issues = new wfIssues(); $jsonData = array('serverTime' => $serverTime, 'msg' => $wfdb->querySingle("select msg from {$p}" . 'wfStatus where level < 3 order by ctime desc limit 1')); $events = array(); $alsoGet = $_POST['alsoGet']; if (preg_match('/^logList_(404|hit|human|ruser|crawler|gCrawler|loginLogout)$/', $alsoGet, $m)) { $type = $m[1]; $newestEventTime = $_POST['otherParams']; $listType = 'hits'; if ('loginLogout' === $type) { $listType = 'logins'; } $events = self::getLog()->getHits($listType, $type, $newestEventTime); } else { if ('perfStats' === $alsoGet) { $newestEventTime = $_POST['otherParams']; $events = self::getLog()->getPerfStats($newestEventTime); } } /* $longest = 0; foreach($events as $e){ $length = $e['domainLookupEnd'] + $e['connectEnd'] + $e['responseStart'] + $e['responseEnd'] + $e['domReady'] + $e['loaded']; $longest = $length > $longest ? $length : $longest; } */ $jsonData['events'] = $events; $jsonData['alsoGet'] = $alsoGet; //send it back so we don't load data if panel has changed $jsonData['cacheType'] = wfConfig::get('cacheType'); return $jsonData; }
public static function synchronizeConfigSettings() { if (!class_exists('wfConfig')) { // Ensure this is only called when WordPress and the plugin are fully loaded return; } static $isSynchronizing = false; if ($isSynchronizing) { return; } $isSynchronizing = true; global $wpdb; $db = new wfDB(); // Pattern Blocks $r1 = $db->querySelect("SELECT id, blockType, blockString FROM {$wpdb->base_prefix}wfBlocksAdv"); $patternBlocks = array(); foreach ($r1 as $blockRec) { if ($blockRec['blockType'] == 'IU') { $bDat = explode('|', $blockRec['blockString']); $ipRange = isset($bDat[0]) ? $bDat[0] : ''; $uaPattern = isset($bDat[1]) ? $bDat[1] : ''; $refPattern = isset($bDat[2]) ? $bDat[2] : ''; $hostnamePattern = isset($bDat[3]) ? $bDat[3] : ''; $patternBlocks[] = array('id' => $blockRec['id'], 'ipRange' => $ipRange, 'hostnamePattern' => $hostnamePattern, 'uaPattern' => $uaPattern, 'refPattern' => $refPattern); } } // Country Blocks $wfLog = new wfLog(wfConfig::get('apiKey'), wfUtils::getWPVersion()); $cblCookie = $wfLog->getCBLCookieVal(); //Ensure we have the bypass cookie option set $countryBlocks = array(); $countryBlocks['action'] = wfConfig::get('cbl_action', false); $countryBlocks['loggedInBlocked'] = wfConfig::get('cbl_loggedInBlocked', false); $countryBlocks['loginFormBlocked'] = wfConfig::get('cbl_loginFormBlocked', false); $countryBlocks['restOfSiteBlocked'] = wfConfig::get('cbl_restOfSiteBlocked', false); $countryBlocks['bypassRedirURL'] = wfConfig::get('cbl_bypassRedirURL', ''); $countryBlocks['bypassRedirDest'] = wfConfig::get('cbl_bypassRedirDest', ''); $countryBlocks['bypassViewURL'] = wfConfig::get('cbl_bypassViewURL', ''); $countryBlocks['redirURL'] = wfConfig::get('cbl_redirURL', ''); $countryBlocks['countries'] = explode(',', wfConfig::get('cbl_countries', '')); $countryBlocks['cookieVal'] = $cblCookie; //Other Blocks $otherBlocks = array('blockedTime' => wfConfig::get('blockedTime', 0)); $otherBlockEntries = $db->querySelect("SELECT IP, blockedTime, reason, permanent, wfsn FROM {$wpdb->base_prefix}wfBlocks WHERE permanent = 1 OR (blockedTime + %d > unix_timestamp())", $otherBlocks['blockedTime']); $otherBlocks['blocks'] = is_array($otherBlockEntries) ? $otherBlockEntries : array(); foreach ($otherBlocks['blocks'] as &$b) { $b['IP'] = base64_encode($b['IP']); } // Save it try { $patternBlocksJSON = wfWAFUtils::json_encode($patternBlocks); wfWAF::getInstance()->getStorageEngine()->setConfig('patternBlocks', $patternBlocksJSON); $countryBlocksJSON = wfWAFUtils::json_encode($countryBlocks); wfWAF::getInstance()->getStorageEngine()->setConfig('countryBlocks', $countryBlocksJSON); $otherBlocksJSON = wfWAFUtils::json_encode($otherBlocks); wfWAF::getInstance()->getStorageEngine()->setConfig('otherBlocks', $otherBlocksJSON); wfWAF::getInstance()->getStorageEngine()->setConfig('advancedBlockingEnabled', wfConfig::get('firewallEnabled')); wfWAF::getInstance()->getStorageEngine()->setConfig('disableWAFIPBlocking', wfConfig::get('disableWAFIPBlocking')); } catch (Exception $e) { // Do nothing } $isSynchronizing = false; }