Upload site Flagged By AV's - How to overcome?

So my site gets flagged by AV’s because once in a while a virus will be uploaded.

Now this doesn’t affect sites like fileave.com, which actually have viruses on their system, so how come it affects us?

My site is currently just a PHP upload site; would maybe having MySQL store the files help? I don’t know, I’m just asking for tips/methods.

Thanks.

The others use JavaScript and button presses and other things that make it hard for robots to get the files.

Ah, so just javascript the whole thing?

Do you want to allow infected content to be uploaded and made available? If not, move the infected file outside of web-root upon upload, and schedule a scan (clamav et al). If it’s clean, move to another folder which would then make it available for download.

Hi Anthony, no I don’t! I’ve got a cronjob on the server deleting all .exe files every 4 hours, just because of the issue that there may be viruses.

Would you suggest having all uploaded files be uploaded to a different location? If so, which?

At the moment, files are uploaded to (Root)/Uploads

.exe files aren’t necessarily bad, you may want to bear that in mind.

Where would I put them? I’d probably have a structure that looks something like:-


/data/uploads/{files-go-here}
/www/assets/css/
/www/assets/js/
/www/assets/img/
/www/index.php

I would have my web server (Apache, IIS, NginX) serve the contents of the ‘www’ directory. Can you see how the ‘data’ directory wouldn’t be served up by the web server? This is where I’d move the files to, users would be unable to access them. I would then have the application decide whether or not to obtain and deliver the file to the user, a proxy if you will.

Does the requested file exist, has it been scanned, if so, deliver it to the user.

Does that make sense?

Yes it does, and sounds reasonable.

So I would move from the current structure of:


Within Root directory
/index.php
/upload.php
/Uploads
...etc...

to


Within root directory
/index.php
/upload.php
...etc...

Outside root
Uploads

It sounds do-able (my skills in mind), could I just ask how I would point to the folder Uploads in my PHP script?

I’m planning to put all uploads in there, and have them called from that directory when people want to download them.

<?php
ob_start();

session_start();

$extensions = array("jpg", "png","jpeg", "gif", "zip", "rar", "swf", "tiff", "bmp", "txt", "fla", "7z", "tar", "gz", "iso",
    "dmg", "mp3", "wav", "m4a", "aac", "doc", "docx", "xls", "rtf", "ppt", "bsd", "exe", "psd", "c4d", "pdf", "dwg", "max", "ipa",
    "vtf", "iam", "ipt", "flv", "cap", "scr");
$maxsize = 104288000;
$server = "http://www.uploadvillage.com";

$name = $_FILES['file']['name'];
$temp = $_FILES['file']['tmp_name'];
$size = $_FILES['file']['size'];

$random = md5(uniqid(rand(), true));
$random = substr($random, 0, 20);

if (!$name || !$temp || !$size)
{
   echo "Go back and select a file.";
   exit();
}

foreach ($_FILES as $file)
{
 if ($file['tmp_name'] != null) 
 {
	$thisext1=explode(".", strtolower($file['name']));
	$thisext=$thisext1[count($thisext1)-1];
  if (!in_array($thisext, $extensions))
  {
    echo "That file type is not allowed.";
   exit(); 
  }
 }
}

if ($size > $maxsize)
{
   echo "File size too big.";
   exit();
}

$destination = "Uploads/".$random;
mkdir($destination);
move_uploaded_file($temp, $destination."/".$name);

$final = $server."/".$destination."/".$name;

$contents = file_get_contents("http://is.gd/create.php?format=simple&url=$final");


?>

Your path to the uploads directory would simply just move up a level, like, ‘../uploads/’. The double period moves the path up a level. :)

$destination = '../uploads/' . $random ;

Cheers for the help Anthony, doesn’t seem to like that directory.


$server = "http://www.mysite.com";

$name = $_FILES['file']['name'];
$temp = $_FILES['file']['tmp_name'];
$size = $_FILES['file']['size'];

$destination = '../uploads/'. $random;
mkdir($destination);
move_uploaded_file($temp, $destination."/".$name);

$final = $server."/".$destination."/".$name;

The final URL echoes out as: http://mysite.com/uploads/randomstring/file.txt

It has full permission at the moment.

You can’t supply web addresses for files outside the root folder. What you do instead is have a PHP script that retrieves the content of that file and delivers it instead. The actual filename would be passed to the script that does the retrieval.

So looking at my script in particular, would it be right in saying…

$yourfile = file_get_contents("/var/www/vhosts/domain.com/Upload/randomstring/file.txt");

Then echo that out elsewhere?
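
The retrieval script described in the replies above, sketched as an added example that is not code from the thread. It assumes a hypothetical `download.php` inside the web root, hypothetical `id` and `name` query parameters, and that the scheduled scan moves files that pass into `/data/uploads/clean/<id>/<filename>`, so anything found there has already been scanned.

```php
<?php
// download.php (hypothetical name): lives in /www, serves files stored outside it.
// Assumption: the scan job moves clean uploads to CLEAN_ROOT/<id>/<filename>;
// files still awaiting a scan sit elsewhere and are never reachable from here.
const CLEAN_ROOT = '/data/uploads/clean';

function resolve_download(string $root, $id, $name): ?string
{
    // Query parameters can arrive as arrays; accept plain strings only.
    if (!is_string($id) || !is_string($name)) {
        return null;
    }
    // The id is the 20-character md5 prefix the upload script generates.
    if (!preg_match('/^[a-f0-9]{20}$/', $id)) {
        return null;
    }
    // basename() discards any directory components sent by the client.
    $name = basename($name);
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    // realpath() resolves ".." and symlinks and returns false if nothing exists.
    $base = realpath($root);
    $path = realpath($root . '/' . $id . '/' . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // The resolved file must still be inside the clean uploads folder.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

$path = resolve_download(CLEAN_ROOT, $_GET['id'] ?? null, $_GET['name'] ?? null);
if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}

// Send the file as a download so the browser never renders or executes it.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . filesize($path));
readfile($path); // streams from disk instead of loading it all via file_get_contents()
```

The link handed to users then points at this script with the id and filename as parameters, rather than at a URL inside the uploads folder.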