/**
* @param wfScanEngine $forkObj
* @return array
*/
public function scan($forkObj)
{
$this->scanEngine = $forkObj;
$loader = $this->scanEngine->getKnownFilesLoader();
if (!$this->startTime) {
$this->startTime = microtime(true);
}
if (!$this->lastStatusTime) {
$this->lastStatusTime = microtime(true);
}
$db = new wfDB();
$lastCount = 'whatever';
$excludePattern = self::getExcludeFilePattern(self::EXCLUSION_PATTERNS_USER | self::EXCLUSION_PATTERNS_MALWARE);
while (true) {
$thisCount = $db->querySingle("select count(*) from " . $db->prefix() . "wfFileMods where oldMD5 != newMD5 and knownFile=0");
if ($thisCount == $lastCount) {
//count should always be decreasing. If not, we're in an infinite loop so lets catch it early
break;
}
$lastCount = $thisCount;
$res1 = $db->querySelect("select filename, filenameMD5, hex(newMD5) as newMD5 from " . $db->prefix() . "wfFileMods where oldMD5 != newMD5 and knownFile=0 limit 500");
if (sizeof($res1) < 1) {
break;
}
foreach ($res1 as $rec1) {
$db->queryWrite("update " . $db->prefix() . "wfFileMods set oldMD5 = newMD5 where filenameMD5='%s'", $rec1['filenameMD5']);
//A way to mark as scanned so that if we come back from a sleep we don't rescan this one.
$file = $rec1['filename'];
if ($excludePattern && preg_match($excludePattern, $file)) {
continue;
}
if (!file_exists($this->path . $file)) {
continue;
}
$fileSum = $rec1['newMD5'];
$fileExt = '';
if (preg_match('/\\.([a-zA-Z\\d\\-]{1,7})$/', $file, $matches)) {
$fileExt = strtolower($matches[1]);
}
$isPHP = false;
if (preg_match('/\\.(?:php(?:\\d+)?|phtml)(\\.|$)/i', $file)) {
$isPHP = true;
}
$isHTML = false;
if (preg_match('/\\.(?:html?)(\\.|$)/i', $file)) {
$isHTML = true;
}
$isJS = false;
if (preg_match('/\\.(?:js)(\\.|$)/i', $file)) {
$isJS = true;
}
$dontScanForURLs = false;
if (!wfConfig::get('scansEnabled_highSense') && (preg_match('/^(?:\\.htaccess|wp\\-config\\.php)$/', $file) || $file === ini_get('user_ini.filename'))) {
$dontScanForURLs = true;
}
$isScanImagesFile = false;
if (!$isPHP && preg_match('/^(?:jpg|jpeg|mp3|avi|m4v|mov|mp4|gif|png|tiff?|svg|sql|js|tbz2?|bz2?|xz|zip|tgz|gz|tar|log|err\\d+)$/', $fileExt)) {
if (wfConfig::get('scansEnabled_scanImages')) {
$isScanImagesFile = true;
} else {
if (!$isJS) {
continue;
}
}
}
$isHighSensitivityFile = false;
if (strtolower($fileExt) == 'sql') {
if (wfConfig::get('scansEnabled_highSense')) {
$isHighSensitivityFile = true;
} else {
continue;
}
}
if (wfUtils::fileTooBig($this->path . $file)) {
//We can't use filesize on 32 bit systems for files > 2 gigs
//We should not need this check because files > 2 gigs are not hashed and therefore won't be received back as unknowns from the API server
//But we do it anyway to be safe.
wordfence::status(2, 'error', "Encountered file that is too large: {$file} - Skipping.");
continue;
}
wfUtils::beginProcessingFile($file);
$fsize = @filesize($this->path . $file);
//Checked if too big above
if ($fsize > 1000000) {
$fsize = sprintf('%.2f', $fsize / 1000000) . "M";
} else {
$fsize = $fsize . "B";
}
if (function_exists('memory_get_usage')) {
wordfence::status(4, 'info', "Scanning contents: {$file} (Size:{$fsize} Mem:" . sprintf('%.1f', memory_get_usage(true) / (1024 * 1024)) . "M)");
} else {
wordfence::status(4, 'info', "Scanning contents: {$file} (Size: {$fsize})");
}
$stime = microtime(true);
$fh = @fopen($this->path . $file, 'r');
if (!$fh) {
continue;
}
$totalRead = 0;
$dataForFile = $this->dataForFile($file);
while (!feof($fh)) {
$data = fread($fh, 1 * 1024 * 1024);
//read 1 megs max per chunk
$totalRead += strlen($data);
if ($totalRead < 1) {
break;
}
$extraMsg = '';
if ($isScanImagesFile) {
$extraMsg = ' This file was detected because you have enabled "Scan images, binary, and other files as if they were executable", which treats non-PHP files as if they were PHP code. This option is more aggressive than the usual scans, and may cause false positives.';
} else {
if ($isHighSensitivityFile) {
$extraMsg = ' This file was detected because you have enabled HIGH SENSITIVITY scanning. This option is more aggressive than the usual scans, and may cause false positives.';
}
}
$treatAsBinary = $isPHP || $isHTML || wfConfig::get('scansEnabled_scanImages');
if ($treatAsBinary && strpos($data, '$allowed' . 'Sites') !== false && strpos($data, "define ('VER" . "SION', '1.") !== false && strpos($data, "TimThum" . "b script created by") !== false) {
if (!$this->isSafeFile($this->path . $file)) {
$this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => $fileSum, 'shortMsg' => "File is an old version of TimThumb which is vulnerable.", 'longMsg' => "This file appears to be an old version of the TimThumb script which makes your system vulnerable to attackers. Please upgrade the theme or plugin that uses this or remove it." . $extraMsg, 'data' => array_merge(array('file' => $file), $dataForFile)));
break;
}
} else {
if (strpos($file, 'lib/wordfenceScanner.php') === false) {
$regexMatched = false;
foreach ($this->patterns['rules'] as $rule) {
$type = isset($rule[4]) && !empty($rule[4]) ? $rule[4] : 'server';
$logOnly = isset($rule[5]) && !empty($rule[5]) ? $rule[5] : false;
if ($type == 'server' && !$treatAsBinary) {
continue;
} else {
if (($type == 'both' || $type == 'browser') && $fileExt == 'js') {
$extraMsg = '';
} else {
if (($type == 'both' || $type == 'browser') && !$treatAsBinary) {
continue;
}
}
}
if (preg_match('/(' . $rule[2] . ')/i', $data, $matches, PREG_OFFSET_CAPTURE)) {
if (!$this->isSafeFile($this->path . $file)) {
$matchString = $matches[1][0];
$matchOffset = $matches[1][1];
$beforeString = substr($data, max(0, $matchOffset - 100), $matchOffset - max(0, $matchOffset - 100));
$afterString = substr($data, $matchOffset + strlen($matchString), 100);
if (!$logOnly) {
$this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => $fileSum, 'shortMsg' => "File appears to be malicious: " . esc_html($file), 'longMsg' => "This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: <strong style=\"color: #F00;\">\"" . wfUtils::potentialBinaryStringToHTML(strlen($matchString) > 200 ? substr($matchString, 0, 200) . '...' : $matchString) . "\"</strong>. The infection type is: <strong>" . esc_html($rule[3]) . '</strong>.' . $extraMsg, 'data' => array_merge(array('file' => $file), $dataForFile)));
}
$regexMatched = true;
$this->scanEngine->recordMetric('malwareSignature', $rule[0], array('file' => $file, 'match' => $matchString, 'before' => $beforeString, 'after' => $afterString), false);
break;
}
}
}
if ($regexMatched) {
break;
}
}
}
if ($treatAsBinary && wfConfig::get('scansEnabled_highSense')) {
$badStringFound = false;
if (strpos($data, $this->patterns['badstrings'][0]) !== false) {
for ($i = 1; $i < sizeof($this->patterns['badstrings']); $i++) {
if (strpos($data, $this->patterns['badstrings'][$i]) !== false) {
$badStringFound = $this->patterns['badstrings'][$i];
break;
}
}
}
if ($badStringFound) {
if (!$this->isSafeFile($this->path . $file)) {
$this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => $fileSum, 'shortMsg' => "This file may contain malicious executable code: " . esc_html($this->path . $file), 'longMsg' => "This file is a PHP executable file and contains the word 'eval' (without quotes) and the word '" . esc_html($badStringFound) . "' (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans. This file was detected because you have enabled HIGH SENSITIVITY scanning. This option is more aggressive than the usual scans, and may cause false positives.", 'data' => array_merge(array('file' => $file), $dataForFile)));
break;
}
}
}
if (!$dontScanForURLs) {
$this->urlHoover->hoover($file, $data);
}
if ($totalRead > 2 * 1024 * 1024) {
break;
}
}
fclose($fh);
$this->totalFilesScanned++;
if (microtime(true) - $this->lastStatusTime > 1) {
$this->lastStatusTime = microtime(true);
$this->writeScanningStatus();
}
$forkObj->forkIfNeeded();
}
}
$this->writeScanningStatus();
wordfence::status(2, 'info', "Asking Wordfence to check URL's against malware list.");
$hooverResults = $this->urlHoover->getBaddies();
if ($this->urlHoover->errorMsg) {
$this->errorMsg = $this->urlHoover->errorMsg;
return false;
}
$this->urlHoover->cleanup();
$siteURL = get_site_url();
$siteHost = parse_url($siteURL, PHP_URL_HOST);
foreach ($hooverResults as $file => $hresults) {
$dataForFile = $this->dataForFile($file, $this->path . $file);
foreach ($hresults as $result) {
if (preg_match('/wfBrowscapCache\\.php$/', $file)) {
continue;
}
if (empty($result['URL'])) {
continue;
}
$url = $result['URL'];
$urlHost = parse_url($url, PHP_URL_HOST);
if (strcasecmp($siteHost, $urlHost) === 0) {
continue;
}
if ($result['badList'] == 'goog-malware-shavar') {
if (!$this->isSafeFile($this->path . $file)) {
$this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => md5_file($this->path . $file), 'shortMsg' => "File contains suspected malware URL: " . esc_html($this->path . $file), 'longMsg' => "This file contains a suspected malware URL listed on Google's list of malware sites. Wordfence decodes " . esc_html($this->patterns['word3']) . " when scanning files so the URL may not be visible if you view this file. The URL is: " . esc_html($result['URL']) . " - More info available at <a href=\"http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=" . urlencode($result['URL']) . "&client=googlechrome&hl=en-US\" target=\"_blank\">Google Safe Browsing diagnostic page</a>.", 'data' => array_merge(array('file' => $file, 'badURL' => $result['URL'], 'gsb' => 'goog-malware-shavar'), $dataForFile)));
}
} else {
if ($result['badList'] == 'googpub-phish-shavar') {
if (!$this->isSafeFile($this->path . $file)) {
$this->addResult(array('type' => 'file', 'severity' => 1, 'ignoreP' => $this->path . $file, 'ignoreC' => md5_file($this->path . $file), 'shortMsg' => "File contains suspected phishing URL: " . esc_html($this->path . $file), 'longMsg' => "This file contains a URL that is a suspected phishing site that is currently listed on Google's list of known phishing sites. The URL is: " . esc_html($result['URL']), 'data' => array_merge(array('file' => $file, 'badURL' => $result['URL'], 'gsb' => 'googpub-phish-shavar'), $dataForFile)));
}
}
}
}
}
wfUtils::endProcessingFile();
return $this->results;
}
echo $bg_colors[$stripe];
?>
" align="left" valign="baseline"><?php
echo $this->attackTime($attack_row->attackLogTime);
?>
</td>
<td style="font-size: 100%; vertical-align: baseline; font-weight: normal; text-align: left; border-collapse: collapse; margin: 0; padding: 6px 4px; border: 1px solid #cccccc;<?php
echo $bg_colors[$stripe];
?>
" align="left" valign="baseline">
<div style="font-weight: bold; font-size: 12px;"><?php
echo $this->displayIP($attack_row->IP);
?>
</div>
<pre class="display-file" style="font-size: 12px; vertical-align: baseline; width: 420px; margin: 0; padding: 0; border: 0; white-space: normal;"><?php
echo wfUtils::potentialBinaryStringToHTML($attack_row->longDescription, true);
?>
</pre>
</td>
</tr>
<?php
}
?>
<?php
} else {
?>
<tr>
<td colspan="2">
No blocked attacks yet.
</td>
</tr>
