lance_haoh — 2013-05-01T22:34:09-04:00 — #1
If the set of code is "document.write("Hello World");", then my program must be able to tell that the code is trying to write a "Hello World" string to the browser.
The program must be able to analyze what script has done, not only its visible output.
I have no idea on how to start. Could someone please advise me?
dklynn — 2013-05-04T09:25:27-04:00 — #2
What the scripts are doing? Simply make a list of the actions you wish to detect and search the script's code to detect the functions which perform those actions. On the second level, what are those functions doing (echo or print_r or ... within PHP), e.g., your "Hello World" as the output of a stdout function.
If you're not concerned with the "internal workings" of a script (database access, include statements, etc), then you could merely capture all output to a string and parse that string - but that's too simple for an educational project.
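The "list of actions, then search the code for the functions that perform them" approach, as an added example that is neither the poster's code nor an existing tool. It tokenizes JavaScript just enough to find calls on a small constructed watch list (the names and action descriptions are assumptions, not a real signature set) and reports each call with its literal arguments decoded, so `document.write("Hello World")` is reported as writing `Hello World` while the same text inside a string or comment is ignored:

```python
import re
# Watch list (constructed, not exhaustive): JS calls and the action each performs.
WATCHED_CALLS = {
    "document.write": "writes text/markup into the page",
    "eval": "executes a string as code",
    "setTimeout": "schedules code; a string argument is executed as code",
}
# Minimal JS tokenizer; regex and template literals are not handled.
_TOKEN = re.compile(r'''(?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*')
  | (?P<name>[A-Za-z_$][\w$]*(?:\s*\.\s*[A-Za-z_$][\w$]*)*)
  | (?P<number>\d+(?:\.\d+)?) | (?P<space>\s+) | (?P<punct>.)''', re.S | re.X)

def tokenize(src):
    for m in _TOKEN.finditer(src):
        if m.lastgroup not in ("comment", "space"):   # commented-out code never runs
            yield m.lastgroup, (re.sub(r"\s*\.\s*", ".", m.group()) if m.lastgroup == "name" else m.group())

def _describe(arg):
    if len(arg) == 1 and arg[0][0] == "string":   # lone literal: decode common escapes
        return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m[1], m[1]), arg[0][1][1:-1])
    return "<expr: " + " ".join(t for _, t in arg) + ">"   # anything else: show the source

def scan(src):
    """Return (call, action, arguments) for every watched call found in src."""
    toks, findings, i = list(tokenize(src)), [], 0
    while i < len(toks):
        key = next((k for k in WATCHED_CALLS if toks[i][0] == "name"
                    and (toks[i][1] == k or toks[i][1].endswith("." + k))), None)
        if key and toks[i + 1:i + 2] == [("punct", "(")]:
            depth, j, args = 1, i + 2, [[]]   # start just after the opening "("
            while depth and j < len(toks):    # stop once the matching ")" closes
                depth += {("punct", "("): 1, ("punct", ")"): -1}.get(toks[j], 0)
                if depth == 1 and toks[j] == ("punct", ","):
                    args.append([])           # next top-level argument
                elif depth:
                    args[-1].append(toks[j])
                j += 1
            findings.append((key, WATCHED_CALLS[key], [_describe(a) for a in args if a]))
            i = j                             # calls nested inside arguments are not re-scanned
        else:
            i += 1
    return findings

SAMPLE = '''// constructed sample, not taken from any real page
document.write("Hello World"); var s = "eval(x)";   // the string is data, not a call
window.setTimeout('alert("hi")', 10);
eval(unescape(payload));'''
```

Calling `scan(SAMPLE)` reports the three calls with their arguments; a non-literal argument such as `unescape(payload)` is reported as source text, which is exactly the case where a static list of functions stops being enough and you need to know what the argument evaluates to.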
lance_haoh — 2013-05-05T02:38:41-04:00 — #3
Hi. Thanks for your advice. The aim that I hope to achieve in my program is to analyze the "internal workings" of a script so that I can determine if the script is trying to do something malicious. According to your post, you recommended that I make a list of actions that I wish to detect. But would this list be too large? Do I have to analyze every single line of code to achieve my program's aim?
Please advise me.
logic_earth — 2013-05-05T02:51:57-04:00 — #4
dklynn — 2013-05-05T06:46:47-04:00 — #5
Lance, you are trying to reinvent the wheel. You will never be able to duplicate applications like maldet which is both designed to identify and remove/quarantine malware AND is updated regularly. It can be run via CRON and will notify you of any malware (in JS or PHP or other signatures it has in its database).
IMHO, you need to THINK Security from a webmaster's point-of-view where you use VERY strong passwords on everything (control panel login, FTP, telnet, etc), you only upload known "clean" files and you run your own script to check on those files to ensure that they've not been modified (or to report on those modified to you so you know whether you're the one who updated or you'd been hacked). I'd discussed that type of file some time ago and wrote an article for SitePoint on doing just that (hint: try the search button within SitePoint articles; it's only a few months since it was published).
Finally, IF you are using CANNED applications (WordPress, Joomla, Drupal, ZenCart, OSCommerce, etc), you MUST check daily and update ASAP in order to beat the "script kiddies" to the hacker websites where the latest exploits will be published. If you delay, you will be hacked (plan on it and make backups regularly).