Overview

eCheck Seciruty is a tiny tool for detecting malicious PHP scripts and code portions on your website. It was originally build to check e107 CMS based sites, but it can be actually used on any kind of PHP based projects.
This tool is licensed under GNU General Public License - http://www.gnu.org/licenses/gpl.txt

Before you start using the tool, I have to warn you - DON'T PANIC when you first see the 'suspicious' results. Be sure you read the 'Analyzing the results' chapter.

Download most recent version of eCheck Seciruty here

Shell script (echeck.php)

Copy echeck.php somewhere on your server. In this example I'm copying it in /home/secretr/

[secretr@SecretR /]$ cd /home/secretr/
[secretr@SecretR ~]$ ./echeck.php -v
eCheck 1.0 beta
Report issues or get help on http://free-source.net or irc://irc.freenode.org/e107
[secretr@SecretR ~]$

You can always get quick help

[secretr@SecretR ~]$ ./echeck.php -v
eCheck 1.0 beta
Report issues or get help on http://free-source.net or irc://irc.freenode.org/e107

[secretr@SecretR ~]$ ./echeck.php -h
This is a command line PHP script for checking for/cleaning PHP malicious code.

Usage:./echeck.php [options] /path/to/wwwroot
Options:
-v                      Script version
-I                      Output a list with infected files only
-S                      Output a list with suspected files only
-C                      Clean files (MAKE A BACKUP BEFORE DOING THIS), confirmation is required
-r number            Directory depth level

[secretr@SecretR ~]$

Now, the only thing you need to know is the path to your web root (e107 root for e107 user). In my case this is /home/secretr/public_html and my e107 Installation is located in e107_0.7 folder. There are two alternatives. You could let eCheck know the path to your web root:

$ ./echeck.php -I -S ./public_html/e107_0.7/

or the opposite - navigate to web root and call the script with the proper path:

[secretr@SecretR ~]$ cd public_html/e107_0.7/
[secretr@SecretR e107_0.7]$ /home/secretr/./echeck.php -I -S ./

Here is the output of eCheck scan on fresh e107 v0.7 CVS copy:

[secretr@SecretR ~]$ ./echeck.php -I -S -r 10 ./public_html/e107_0.7/
Directory depth set to 10

./public_html/e107_0.7/backend.php...SUSPECTED (shell execution)
./public_html/e107_0.7/e107_plugins/pdf/pdf.sc...SUSPECTED (shell execution)
./public_html/e107_0.7/e107_handlers/resize_handler.php...SUSPECTED (shell execution)

Files checked: 1040
Files suspected: 3
Files infected: 0
Files cleaned: 0
Clean errors: 0
Clean warnings: 0

NOTE: SUSPECTED DOES N0T MEAN INFECTED! DIFF AGAINST TRUSTED COPY OF SUSPECTED FILES TO BE SURE EVERYTHING IS OK.
SUSPECTED FILES ARE NOT CLEANED!

[secretr@SecretR ~]$

There is (still experimental) cleanup option you could try if eCheck finds files marked as INFECTED. I recommend to make a backup of your files first. Additionally, you need write permission on all checked files (e.g. run eCheck as root) and your PHP version should be at least 5.0.
I'll put infected and real malicious files inside my local e107 system to show you what happens:

[secretr@SecretR ~]$ ./echeck.php -C -I -S ./public_html/e107_0.7/
Directory depth set to 100

Did you make a backup? Be sure you did it!  Type 'yes' to continue:

You need to confirm (type yes and press enter) to continue the operation

[secretr@SecretR ~]$ ./echeck.php -C -I -S ./public_html/e107_0.7/
Directory depth set to 100

Did you make a backup? Be sure you did it!  Type 'yes' to continue: yes
./public_html/e107_0.7/echeckwww.php...SUSPECTED (eval/base64_decode found)
./public_html/e107_0.7/backend.php...SUSPECTED (shell execution)
./public_html/e107_0.7/index.php...INFECTED...CLEANED
./public_html/e107_0.7/e107_plugins/pdf/pdf.sc...SUSPECTED (shell execution)
./public_html/e107_0.7/e107_files/public/shell.php...SUSPECTED (eval/base64_decode found)
./public_html/e107_0.7/e107_handlers/resize_handler.php...SUSPECTED (shell execution)

Files checked: 1043
Files suspected: 5
Files infected: 1
Files cleaned: 1
Clean errors: 0
Clean warnings: 0

NOTE: SUSPECTED DOES NOT MEAN INFECTED! DIFF AGAINST TRUSTED COPY OF SUSPECTED FILES TO BE SURE EVERYTHING IS OK.
SUSPECTED FILES ARE NOT CLEANED!

[secretr@SecretR ~]$

Our index.php was infected with known infection, so eCheck was able to clean it. Note we have one new line - './public_html/e107_0.7/e107_files/public/shell.php'. We'll talk about this one later.

One last example - let's execute eCheck as root (your current user should be sudoer), output everything (all checked files) and write the output to a file - log.txt in our case.

[secretr@SecretR ~]$sudo ./echeck.php ./public_html/e107_0.7/ > ./log.txt
[secretr@SecretR ~]$cat log.txt | more
Directory depth set to 100

./public_html/e107_0.7/install_.php....CHECKING...OK
./public_html/e107_0.7/user.php....CHECKING...OK
./public_html/e107_0.7/rate.php....CHECKING...OK
./public_html/e107_0.7/search.php....CHECKING...OK
./public_html/e107_0.7/online.php....CHECKING...OK
./public_html/e107_0.7/fpw.php....CHECKING...OK
./public_html/e107_0.7/print.php....CHECKING...OK
./public_html/e107_0.7/upload.php....CHECKING...OK
./public_html/e107_0.7/page.php....CHECKING...OK
./public_html/e107_0.7/links.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_notify.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_np.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_usersettings.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_membersonly.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_sitelinks.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_upload_handler.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_fpw.php....CHECKING...OK
./public_html/e107_0.7/e107_languages/English/lan_download.php....CHECKING...OK
--More--

Scan via a browser (echeckwww.php)

For those who don't have shell access to their sites (most common case for shared hosting) there is an alternative.
Copy echeckwww.php to your site root (in my case /home/secretr/public_html/e107_0.7/) and just call it in your favorite browser like this:
yoursite.com/echeckwww.php
You should see something like this (click to enlarge)


Keep in mind you don't have any options you can set in this case. Auto-clean is not available as well

Analyzing the results

Scripts are analyzed in two ways:

• Known infections - based on hackers code infection that I inspected in the time - files are added to output list as INFECTED, auto-cleaning is possible in some cases - on your responsibility though ;)
• Suspected infections (heuristics) - based on most common hackers habits - files are added to output list as SUSPECTED, cleaning is not possible

Suspected doesn't mean files are infected in some way. Most of the phrases (generic php functions) are used in all kind of software. The process of analyzing the results is your responsibility. If you know the structure of your site, and you have generic knowledge of 'what, where happens', it would be easy to identify the problems (if there are any).

I'll use the example above, more precisely this line from our latest shell example:

./public_html/e107_0.7/e107_files/public/shell.php...SUSPECTED (eval/base64_decode found)

Every e107 user should know that /e107_files/public/ folder should not contain any scripts. Experienced admins would know what to do from now on - checking the file last modified date and investigating the Apache logs to find out how was this file uploaded on the server, eventually reporting the problem to e107 core team.
In other hand we see

./public_html/e107_0.7/backend.php...SUSPECTED (shell execution)
./public_html/e107_0.7/e107_plugins/pdf/pdf.sc...SUSPECTED (shell execution)
./public_html/e107_0.7/e107_handlers/resize_handler.php...SUSPECTED (shell execution)

lines are appearing on and on. These are the false positives I'm talking about. You'll have many of them on a live site with a lot of 3rd party code. You just need to investigate all you see - it's pretty easy to distinguish malicious from creative code.

Where can I get help?

• Support forums
  Use support forums to report problems or just give me a feedback.
• irc://irc.freenode.org/e107
  Get help on e107 IRC channel