tripatkhetarpaul asked:
what is best site scan tool for code files to find any backdoor or malware?

We have an online shopping site coded in PHP/MySQL. Some of the old code files are 13 years old, and the programming files are very extensive.

What is the best tool that scans the code and tells us of any backdoor in it or any malware that exists?

Regards
SOLUTION
noci
tripatkhetarpaul (ASKER):

We have tried OWASP and BURP, and these are good for penetration testing from outside. There must be something that scans the PHP pages and informs us of any backdoor which any hacker might have created in a previous attempt.

I have found sucuri.net and we used this also. But I do not think it is finding any backdoor.
ASKER CERTIFIED SOLUTION

SOLUTION
The key thing I see with embedded "backdoor" code is that it is either injected on a compromised site or a web shell embedded within the runtime code to be executed. In fact OWASP has a list specifically for static code scanning - https://www.owasp.org/index.php/Source_Code_Analysis_Tools

But I would like to highlight that most such tools are not specific to detecting backdoors; rather they are more a part of the secure software development lifecycle, to surface
- vulnerable code (subject to buffer overflow, weak cipher libraries, unpatched CVEs etc.)
- bad code (like error- or data-leaking code, lack of parameter validation, lack of authentication) not aligned with secure coding practices...
NIST's Source Code Security Analysis Tools are another list on top of the OWASP tool list - https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html

So for such backdoors, I see that "backdoor" detection should be differentiated from the above use case and should surface code that signifies behaviours or has the traits below (otherwise it is back to those code check tools...). I do not see any specific tool dedicated to surfacing these backdoor types, though.
- webshell (remote admin to backend),
- time bomb (time- and event-driven),
- theft/intercept intent (recording/storing to unauthorised repository sites, inline jump code/stubs/detours, memory-resident monitors),
- hardcoded credentials (compromised external accounts, such as admin, which are used to escalate privilege)

Most of what I see are "signature"-supported tools, which import signatures that can then be used to conduct such code review. I thought tools that may be "expanded" to cater for customised rules, to surface the signatures of those backdoor traits, could be candidates..

- PHP CodeSniffer checks for CVE issues/advisories related to CMSes/frameworks @ https://github.com/FloeDesignTechnologies/phpcs-security-audit
- Yasca checks, like "Grep", @ http://www.scovetta.com/yasca.html
- PHP-Sat checks your source code for certain security breaches @ http://www.program-transformation.org/PHP/

Pardon me for not having come close to any specific tools to surface backdoors...
Also, to share some signatures of this sort:
@ https://blog.sucuri.net/2014/02/php-backdoors-hidden-with-clever-use-of-extract-function.html
@ https://aw-snap.info/articles/backdoor-examples.php

But most of it is via manual review, supplemented with scanning for a bunch of base64-encoded stuff or lines of PHP code that start out with eval(base64_decode(' or eval(gzinflate(base64_decode(' or eval(gzuncompress(base64_decode(' followed by a long string of seemingly random characters.

This site shares a simple script to surface the use of "base64_decode" in files:
https://aw-snap.info/articles/base64-decode.php
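As an added example that is not part of the thread and not the aw-snap.info script, the following Python scanner turns the indicators named above into checks that can be run over a downloaded copy of the PHP tree: the eval(base64_decode( / eval(gzinflate(base64_decode( / eval(gzuncompress(base64_decode( family, a long run of base64-looking characters, and an execution function fed directly from a request superglobal (the "webshell" trait from the list of backdoor traits earlier in this comment). The time-bomb, theft/intercept and hardcoded-credential traits are not covered. The rule names, the set of PHP file extensions, the 80-character blob threshold and the two sample files are all assumptions made for this example.

```python
"""Indicator scan for a PHP source tree (constructed example, not a project tool).

Flags three textual backdoor indicators discussed in the thread:
  eval-of-decoded-string  eval() of a base64-decoded, optionally compressed, payload
  long-base64-blob        a quoted run of 80+ base64 characters (the "random string")
  exec-from-request       eval/system/exec/passthru/shell_exec called straight on $_GET etc.
Findings are triage leads for manual review, not proof of compromise.
"""
from __future__ import annotations

import os
import re
import sys
import tempfile
from dataclasses import dataclass

# Assumed set of extensions PHP is served from on the shop; extend as needed.
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".inc"}

# (rule name, compiled pattern, why it matters). Names are this example's own.
RULES = [
    (
        "eval-of-decoded-string",
        re.compile(r"\beval\s*\(\s*(?:(?:gzinflate|gzuncompress)\s*\(\s*)?base64_decode\s*\(", re.I),
        "eval() applied to a base64-decoded (optionally gz-compressed) string",
    ),
    (
        "long-base64-blob",
        re.compile(r"['\"][A-Za-z0-9+/]{80,}={0,2}['\"]"),
        "long quoted base64-looking literal; legitimate for embedded images, so review",
    ),
    (
        "exec-from-request",
        re.compile(r"\b(?:eval|system|exec|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
        "execution function receives request input directly (webshell trait)",
    ),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    excerpt: str


def scan_text(text: str) -> list[Finding]:
    """Run every rule over the whole text so a pattern split across lines still matches."""
    lines = text.splitlines()
    findings = []
    for name, pattern, _why in RULES:
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            excerpt = lines[line_no - 1].strip()[:120] if line_no <= len(lines) else ""
            findings.append(Finding(name, line_no, excerpt))
    findings.sort(key=lambda f: (f.line_no, f.rule))
    return findings


def scan_tree(root: str) -> dict[str, list[Finding]]:
    """Walk root, scan PHP files only, and return {relative path: findings} for files with hits."""
    report: dict[str, list[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in PHP_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


# Constructed sample files. The encoded payload in the second one is just "echo 'hello';".
SAMPLE_CLEAN = (
    "<?php\n"
    "// Constructed sample of ordinary shop code; should produce no findings.\n"
    "$total = 0;\n"
    "foreach ($cart as $item) { $total += $item['price']; }\n"
    "echo htmlspecialchars((string) $total);\n"
)
SAMPLE_SUSPICIOUS = (
    "<?php\n"
    "// Constructed sample carrying the indicator patterns from the thread.\n"
    "eval(base64_decode('ZWNobyAnaGVsbG8nOw=='));\n"
    "eval(gzinflate(base64_decode('H4sIAAAAAAAA')));\n"
    "$blob = '" + "QUJD" * 24 + "';\n"
    "system($_REQUEST['q']);\n"
)


def demo() -> dict[str, list[Finding]]:
    """Write the constructed samples into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "includes"))
        with open(os.path.join(root, "cart.php"), "w") as fh:
            fh.write(SAMPLE_CLEAN)
        with open(os.path.join(root, "includes", "cache.php"), "w") as fh:
            fh.write(SAMPLE_SUSPICIOUS)
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write(SAMPLE_SUSPICIOUS)  # not a PHP extension, so it is skipped
        return scan_tree(root)


if __name__ == "__main__":
    # Usage: python scan_php_indicators.py /path/to/downloaded/site  (no path: run the demo)
    report = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, hits in sorted(report.items()):
        for hit in hits:
            print(f"{path}:{hit.line_no}: [{hit.rule}] {hit.excerpt}")
```

Run it against a local copy of the site rather than over the web, since, as noted later in the thread, only the generated pages are visible remotely. Expect the long-base64-blob rule to fire on legitimate data URIs and serialized blobs; the value of the scan is in diffing the hit list against a known-good checkout and reading each remaining hit by hand.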
Right here on Experts Exchange you can
click on Browse, Website Testing,
to request that your system be tested by ethical hackers who will try to break the system with their personal know-how.
> Right Here on Experts Exchange you can,
> Click on Browse, Website Testing.

Good reminder, and upselling. :)
PHP code cannot be scanned over the web because all you ever see are the generated web pages. You will never see a 'back door' in your PHP code that way. You probably have to download all of your code and scan it on your computer. However... since scanners and anti-virus programs are intended to be used by the users who view your web pages, I think it is unlikely that the scanners would recognize bad PHP code.
@Dave Baldwin:
The mentioned PHP code scanners need to run on the source code, obviously, so they are tools for developers/auditors. Other scanners can be used to see the effects of malicious input to the PHP scripting (black-box tests); they work on anything you can reach on the web... Those check if they can insert SQL statements into input fields, for example, or what happens if you try a 4G upload... etc.
For consideration, including the below as an assisting PHP scanner is suggested.
ID: 41482305
Also the below, as a specific indicator of code that may lead to backdoor doings:
ID: 41482313