• Resolved stegough

    (@stegough)


    I’ve set wordfence up on a new development site and all morning the scan has been failing after scanning files – after scouring these forums and online looking for a fix to the problem, I can’t see a client side solution, it appears that the API is only returning the first 39 lines, then cutting off abruptly.

    {
    	"rules": [
    			[4, 1458883265, "<\\?php[\\x00-\\x1f\\s]if\\(\\!isset\\(\\$GLOBALS\\[\\\"\\\\x", "Suspicious code pattern checking for obfuscated global variable", "both", 0, "Suspicious", "Suspicious:PHP\/issetobfuglobal.4", [0]],
    			[12, 1458883265, "\\$l____l_\\(\\);", "A backdoor known as LunderL", "both", 0, "Backdoor", "Backdoor:PHP\/f726_LunderL.12", []],
    			[14, 1458883265, "\"b\"\\.\"\"\\.\"\"\\.\"\"\\.\"as\"\\.\"\"\\.\"\"\\.\"\"\\.\"e\"\\.\"\"\\.\"\"\\.\"6\"\\.\"\"\\.\"\"\\.\"4\"\\.\"_\"\\.\"\"\\.\"\"\\.\"\"\\.\"de\"\\.\"\"\\.\"c\"\\.\"o\"\\.\"\"\\.\"\"\\.\"\"\\.\"\"\\.\"\"\\.\"d\"\\.\"\"\\.\"\"\\.\"\"\\.\"e\"", "Suspicious code pattern obfuscating a PHP function name", "both", 0, "Suspicious", "Suspicious:PHP\/strconcatb64.14", []],
    			[16, 1458883265, "onfr64_qrpbqr", "A backdoor known as onfr64", "both", 0, "Backdoor", "Backdoor:PHP\/onfr64.16", []],
    			[24, 1458883265, "\\$this_file\\?op=phpinfo", "A backdoor known as aZRaiLPhp", "both", 0, "Backdoor", "Backdoor:PHP\/aZRaiLPhp.24", []],
    			[26, 1458883265, "1Aqapkrv", "Backdoor used to remotely control a server", "both", 0, "Backdoor", "Backdoor:TXT\/supp1.26", []],
    			[28, 1458883265, "visitorTracker_isMob[\\x00-\\x1f\\s]*\\(", "A backdoor known as isMob", "both", 0, "Backdoor", "Backdoor:PHP\/isMob.28", []],
    			[29, 1458883265, "base64_decode\\(['\"]?PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiIGlkPSJpZF", "A backdoor known as phnj", "both", 0, "Backdoor", "Backdoor:PHP\/phnj.29", [1]],
    			[37, 1458883265, "Dim szCMD, szTempFile", "A backdoor known as CmdAsp.asp", "both", 0, "Backdoor", "Backdoor:ASP\/CmdAsp.37", []],
    			[38, 1458883265, "Open base dir: \\$hopenbasedir", "A backdoor known as Crystal_shell", "both", 0, "Backdoor", "Backdoor:PHP\/Crystal_shell.38", []],
    			[48, 1458883265, "WebShell::Configuration", "Backdoor used to remotely control a server", "both", 0, "Backdoor", "Backdoor:PL\/gammawebshell.48", []],
    			[52, 1458883265, "open\\(FILEHANDLE,\\s*['\"]cd\\s+\\$param\\{dir\\}", "A backdoor known as go-shell", "both", 0, "Backdoor", "Backdoor:PL\/go-shell.52", []],
    			[54, 1458883265, "\\$cmd 1> \\\/tmp\\\/cmdtemp 2>\\&1\\; cat", "A backdoor known as h4ntu", "both", 0, "Backdoor", "Backdoor:PHP\/h4ntu.54", []],
    			[57, 1458883265, "proc\\s*=\\s*runtime\\.exec\\(\\s*cmd\\s*\\)", "A backdoor known as JSP_Web_Shell", "both", 0, "Backdoor", "Backdoor:PHP\/JSP_Web_Shell.57", []],
    			[59, 1458883265, "if\\(\\(\\$_POST\\['exe'\\]\\) == \"Execute\"", "Backdoor used to remotely control a server", "both", 0, "Backdoor", "Backdoor:PHP\/lamashell.59", []],
    			[60, 1458883265, "cat \\\/etc\\\/passwd", "Theft of server password information. Also sometimes seen in a backdoor known as Liz0ziM", "both", 0, "Backdoor", "Backdoor:SH\/passwdaccess.60", []],
    			[64, 1458883265, "if[\\x00-\\x1f\\s]*\\(isset[\\x00-\\x1f\\s]*\\(\\$_POST\\)\\)[\\x00-\\x1f\\s]*walkArray\\([\\x00-\\x1f\\s]*\\$_POST", "A backdoor known as MPP.B", "both", 0, "Backdoor", "Backdoor:PHP\/MPP.B.64", []],
    			[65, 1458883265, "define\\(\\s*[\"']PHPSHELL_VERSION['\"]\\s*,\\s*['\"]\\d+", "Code seen in various shells, especially a backdoor known as Matamu", "both", 0, "Backdoor", "Backdoor:PHP\/generic_shell.65", []],
    			[67, 1458883265, "\\$MyShellVersion", "A backdoor known as MShell", "both", 0, "Backdoor", "Backdoor:PHP\/MShell.67", []],
    			[68, 1458883265, "function viewSchema", "A backdoor known as Mysql_interface", "both", 0, "Backdoor", "Backdoor:PHP\/Mysql_interface.68", []],
    			[69, 1458883265, "global \\$HTTP_GET_VARS, \\$HTTP_COOKIE_VARS, \\$password", "A backdoor known as mysql_tool", "both", 0, "Backdoor", "Backdoor:PHP\/mysql_tool.69", []],
    			[70, 1458883265, "\\$file[\\x00-\\x1f\\s]*=[\\x00-\\x1f\\s]*['\"]\\\/etc\\\/passwd['\"];", "A backdoor known as mysql_reaper", "both", 0, "Backdoor", "Backdoor:PHP\/mysql_reaper.70", []],
    			[72, 1458883265, "passthru\\s*\\(\\s*getenv\\s*\\(\\s*\"HTTP_ACCEPT_LANGUAGE", "A backdoor known as passthru_bd", "both", 0, "Backdoor", "Backdoor:PHP\/passthru_bd.72", []],
    			[79, 1458883265, "function mvcp\\(\\$from", "A backdoor known as Webcommander", "both", 0, "Backdoor", "Backdoor:PHP\/Webcommander.79", []],
    			[82, 1458883265, "find \\\/ \\-type f \\-perm \\-04000", "A backdoor known as nsTView", "both", 0, "Backdoor", "Backdoor:PHP\/nsTView.82", []],
    			[83, 1458883265, "runcommand\\s*\\(['\"]etcpasswdfile", "A backdoor known as Ajax_PHP_Command_Shell", "both", 0, "Backdoor", "Backdoor:PHP\/Ajax_PHP_Command_Shell.83", []],
    			[95, 1458883265, "str_rot13\\([^\\r\\n<]+eval\\(", "A suspicious code known as rot13_of_eval", "both", 0, "Suspicious", "Suspicious:PHP\/rot13_of_eval.95", [2]],
    			[109, 1458883265, "\\$[a-z0-9]{5,20}=\"(?:\\\\[x0-9][a-f0-9]{1,3})+\"\\;\\@eval\\(\\$[0-9a-z]+\\(", "A backdoor known as FOPO.A", "both", 0, "Backdoor", "Backdoor:PHP\/FOPO.A.109", [2]],
    			[110, 1458883265, "\\\\x65\\\\x76\\\\x61\\\\x6C\\\\x28", "A backdoor known as 561C", "both", 0, "Backdoor", "Backdoor:PHP\/561C.110", []],
    			[117, 1458883265, "include\\([\\\"'][a-zA-Z0-9\\-\\\/\\_\\~]*social\\.png['\\\"]", "Backdoor known as CryptoPHP", "both", 0, "Backdoor", "Backdoor:PHP\/CryptoPHP_shell.117", [3]],
    			[122, 1458883265, "edoced_46esab\\(", "A backdoor known as t5194", "both", 0, "Backdoor", "Backdoor:PHP\/t5194.122", []],
    			[127, 1475771749, "datesfinder\\w+\\.ru", "A spam link known as datesfinder", "both", 0, "Spam", "Spam:HTML\/datesfinder.127", [4]],
    			[133, 1475771749, "<\\?php[\\x00-\\x1f\\s]*if[\\x00-\\x1f\\s]*\\([\\x00-\\x1f\\s]*\\$mode[\\x00-\\x1f\\s]*==[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*upload[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\)[\\x00-\\x1f\\s]*\\{[\\x00-\\x1f\\s]*if[\\x00-\\x1f\\s]*\\([\\x00-\\x1f\\s]*is_uploaded_file[\\x00-\\x1f\\s]*\\([\\x00-\\x1f\\s]*\\$_FILES[\\x00-\\x1f\\s]*\\[[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*filename[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\][\\x00-\\x1f\\s]*\\[[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*tmp_name[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\][\\x00-\\x1f\\s]*\\)[\\x00-\\x1f\\s]*\\)[\\x00-\\x1f\\s]*\\{[\\x00-\\x1f\\s]*move_uploaded_file[\\x00-\\x1f\\s]*\\([\\x00-\\x1f\\s]*\\$_FILES[\\x00-\\x1f\\s]*\\[[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*filename[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\][\\x00-\\x1f\\s]*\\[[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*tmp_name[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\][\\x00-\\x1f\\s]*,[\\x00-\\x1f\\s]*\\$_FILES[\\x00-\\x1f\\s]*\\[[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*filename[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\][\\x00-\\x1f\\s]*\\[[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*name[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\][\\x00-\\x1f\\s]*\\)[\\x00-\\x1f\\s]*;[\\x00-\\x1f\\s]*echo[\\x00-\\x1f\\s]*\\$_FILES[\\x00-\\x1f\\s]*\\[[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*filename[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\][\\x00-\\x1f\\s]*\\[[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*name[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\][\\x00-\\x1f\\s]*;", "A malicious file uploader known as basic_uploader", "server", 0, "Backdoor", "Backdoor:PHP\/basic_uploader.133", [0]],
    			[135, 1475285337, "\\$\\w+[\\x00-\\x1f\\s]*?=[\\x00-\\x1f\\s]*?['\"][\\x00-\\x1f\\s]*?[\\w\\\/+=]{500,}?[\\x00-\\x1f\\s]*?['\"][\\x00-\\x1f\\s]*?;[\\x00-\\x1f\\s]*?echo[\\x00-\\x1f\\s]*?base64_decode[\\x00-\\x1f\\s]*?\\([\\x00-\\x1f\\s]*?\\$\\w+[\\x00-\\x1f\\s]*?\\)[\\x00-\\x1f\\s]*?;", "A backdoor known as PGRpd", "server", 0, "Backdoor", "Backdoor:PHP\/PGRpd.135", [5]],
    			[137, 1475771749, "my[\\x00-\\x1f\\s]*\\$\\w+[\\x00-\\x1f\\s]*=[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*\\\/usr\\\/sbin\\\/httpd[\\x00-\\x1f\\s]*['\"][\\x00-\\x1f\\s]*;[\\x00-\\x1f\\s]*\\$SIG[\\x00-\\x1f\\s]*{[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*INT[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*}[\\x00-\\x1f\\s]*=[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*IGNORE[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*;[\\x00-\\x1f\\s]*\\$SIG{[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*HUP[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*}[\\x00-\\x1f\\s]*=[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*IGNORE[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*;[\\x00-\\x1f\\s]*\\$SIG{[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*TERM[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*}[\\x00-\\x1f\\s]*=[\\x00-\\x1f\\s]*\"IGNORE\"[\\x00-\\x1f\\s]*;[\\x00-\\x1f\\s]*\\$SIG{[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*CHLD[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*}[\\x00-\\x1f\\s]*=[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*IGNORE[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*;[\\x00-\\x1f\\s]*\\$SIG{[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*PS[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*}[\\x00-\\x1f\\s]*=[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*IGNORE[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*;", "A backdoor known as processo", "server", 0, "Backdoor", "Backdoor:PL\/processo.137", []],
    			[138, 1476460013, "<\\?php[\\x00-\\x1f\\s]*?\\$\\w+[\\x00-\\x1f\\s]*?=[\\x00-\\x1f\\s]*?<<", "A malicious file uploader known as a1777", "server", 0, "Backdoor", "Backdoor:PHP\/a1777.163", [1]],
    			[164, 1475771749, "echo[\\x00-\\x1f\\s]*\"[\\x00-\\x1f\\s]*

    This is where it cuts off.

    Is there anything I can do to make the server return the full pattern so I can continue scanning the site?

    Cheers

    Ste

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @stegough, thanks for reaching out to us.

    On some environments such as Litespeed noabort code needs to be added to stop communication stopping abruptly in this way, usually during scans: https://www.wordfence.com/help/advanced/system-requirements/litespeed/

    If that doesn’t help as you’re not running on Litespeed, can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence > Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

    NOTE: It should look as follows – Screenshot of Tools > Diagnostic > Send by Email

    Thanks,

    Peter.

    Thread Starter stegough

    (@stegough)

    Thanks, I’ve submitted this report.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @stegough,

    I’ve not received the diagnostic with your username attached to our inbox. The Wordfence diagnostic can be exported as a txt file on the Wordfence > Tools > Diagnostics page, which could be sent directly to the wftest @ wordfence . com email address from your personal/work email. Remember to put your forum username in the email’s subject line and let me know here you’ve sent it so I can try finding it there instead and I’ll take a look.

    Thanks,

    Peter.

    Thread Starter stegough

    (@stegough)

    Thanks Peter, I have exported and responded.
    Subject: SteGough @stegough – Forum Response

    Cheers

    Plugin Support wfpeter

    (@wfpeter)

    Thanks for sending that over @stegough,

    Naturally, I can’t reach your domain myself but the site not having a public DNS server doesn’t seem to be an issue with communication in and out, so I assume it’s mapped locally for testing.

    It seems like the site can reach itself, along with our noc1 server as any scan signatures at all being obtained shows this. The cut off patterns may just be a limit on how the output is being logged. There is a chance that there’s a transparent proxy or a firewall breaking the response, but that would be quite unusual.

    I’d enable PHP error logging with WP_DEBUG and WP_DEBUG_LOG, then try to run a scan again. Send us the whole scan log and error logs to the email you sent the diagnostics to (again, with your username in the subject line – telling us here if/when you have) should anything end up in there.

    Thanks,

    Peter.

    Thread Starter stegough

    (@stegough)

    Hi Peter,

    Apologies for the delay on this.

    In light of being able to scan thoroughly with this tool we took the approach of building the development site again from scratch on a new server – we would however like the site to be protected by wordfence, so on a new install, on a new server (within the same host) we tried to set up Wordfence as a plugin on the new install (the reason the domain was not accessible to you is that it’s a placeholder, but the development is available via an IP Address/subfolder).

    We have run into exactly the same issue on a new install, new address, new IP.

    The tool runs to the point it gets patterns, and then returns up to halfway through the 39th line – this is viewing the URL reported by diagnostics including the API key for the get_patterns action.
    This JSON returning malformed leads me to believe this is where the error lies.
    Not being able to return the full patterns via a browser makes me think there is an issue with the service returning this.
    Using a new development site and providing a new API key makes me wonder if there’s an underlying issue within the system on your end that is providing the patterns.

    I’d like to provide the link here for you to test the API Key / Security but that seems counterintuitive from a security of the site standpoint.

    Is there anything going on from your end to stop the patterns being returned fully? Is there something that would stop me from viewing the URL and getting the entire pattern returned in the browser?

    Look forward to your response.

    Kind Regards,

    Ste

    Plugin Support wfpeter

    (@wfpeter)

    Hi @stegough,

    I was informed by our development team that the cutoff is likely to be an output issue when logging rather than where the communication actually stops. We say this as there would be a huge influx of this if our entire customer-base was affected by broken rules. It is interesting that it’s happened with a second site installation attempt, but some settings or the environment itself could be closely configured to the first.

    If you can include your username in the subject line of an email (for ease of finding) to wftest @ wordfence . com, you can send us the sensitive information that you think is relevant there. Make sure to remove any keys/salts/credentials from anything you do send.

    Thanks again,

    Peter.
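A quick way to settle the question raised in the thread (body cut off in transit versus a complete body clipped by log output) is to parse the get_patterns response yourself and compare the bytes received with the Content-Length header. The script below is an added example, not Wordfence code; the rule layout follows the JSON quoted in the opening post, and the two rules it embeds are constructed samples, not real signatures.

```python
import json
import re
from typing import Optional

# Constructed sample shaped like the get_patterns response quoted in the thread:
# each rule is [id, timestamp, regex, description, scope, flag, category, name, extra].
COMPLETE_BODY = json.dumps({"rules": [
    [1, 1458883265, "edoced_46esab\\(", "Reversed base64_decode call",
     "both", 0, "Backdoor", "Backdoor:PHP/example.1", []],
    [2, 1458883265, "str_rot13\\([^\\r\\n<]+eval\\(", "rot13 feeding eval",
     "both", 0, "Suspicious", "Suspicious:PHP/example.2", [2]],
]})

# The same body cut off inside a regex string, as on the thread's 39th line.
TRUNCATED_BODY = COMPLETE_BODY[: COMPLETE_BODY.index("str_rot13") + 4]


def check_patterns_response(body: str, content_length: Optional[int] = None) -> dict:
    """Classify a get_patterns body as complete or incomplete.

    content_length is the HTTP Content-Length header when known; comparing it
    with the bytes actually received tells a body cut in transit apart from a
    full body that was merely clipped when written to a log."""
    received = len(body.encode("utf-8"))
    result = {"bytes_received": received, "content_length": content_length}
    if content_length is not None:
        result["short_by"] = content_length - received
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        # exc.pos is the character offset where parsing failed, e.g. the
        # opening quote of an unterminated string.
        result.update(status="incomplete", error=exc.msg, error_offset=exc.pos)
        return result
    rules = data.get("rules", [])
    categories: dict = {}
    uncompilable = []
    for rule in rules:
        rule_id, _ts, pattern, _desc, _scope, _flag, category, name, _extra = rule
        categories[category] = categories.get(category, 0) + 1
        try:
            re.compile(pattern)  # flag any rule the scanner could not even load
        except re.error as exc:
            uncompilable.append((rule_id, name, str(exc)))
    result.update(status="complete", rule_count=len(rules),
                  categories=categories, uncompilable=uncompilable)
    return result
```

Run it against the body saved with curl (not copied from a log) and pass the Content-Length you observed: a positive short_by means the response really was cut short, while a complete parse points at the logging limit Peter describes.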

  • The topic ‘API action=get_pattern not returning full list’ is closed to new replies.