WordPress security: malware checks
{ | |
"companies": [ | |
{ | |
"docker": "ecommerce-auryn", | |
"wordpress": { | |
"domain": "wp.auryn.com.br" | |
}, | |
"shop": { | |
"domain": "fotogea.photobookfinal.com/app_dev.php" | |
} | |
}, | |
{ | |
"docker": "ecommerce-auryn-2", | |
"wordpress": { | |
"domain": "wp2.auryn.com.br" | |
}, | |
"shop": { | |
"domain": "fotogea.photobookfinal.com/app_dev.php" | |
} | |
} | |
] | |
} |
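# syntax=docker/dockerfile:1
# Scanner image: Python 3, a from-source build of YARA (with libmagic support)
# used by php-malware-finder, and the Python requirements of
# wordpress_checksum_checks.py.  The Makefile bind-mounts the scripts, the RSA
# key and the site copies into /usr/src/app at run time.
#
# The tag is an ARG so a build can be pinned (e.g. --build-arg PYTHON_TAG=3.10)
# instead of floating with the `python:3` major tag.  The full (non-slim)
# variant is kept on purpose: bootstrap.sh/configure below need the autotools,
# libtool and pkg-config it ships.
ARG PYTHON_TAG=3
FROM python:${PYTHON_TAG}
WORKDIR /usr/src/app

# Path where the checksum script expects the SSH private key; the Makefile
# bind-mounts $(RSA_KEY_FILE) there.
ENV CHECKSUM_RSA_KEY_FILE=/usr/src/app/rsa_key

# Requirements first so this layer is reused while the scripts change.
COPY requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt

# libmagic is required by `--enable-magic` below.  update and install share one
# layer (a separate `apt update` layer goes stale in the build cache), `-y`
# keeps the build from stalling on the confirmation prompt, and the package
# lists are removed in the same layer so they do not stay in the image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends libmagic-dev \
    && rm -rf /var/lib/apt/lists/*

# Build YARA under /root/yara, run its test-suite and drop the sources, all in
# one layer.  `--fail` keeps an HTTP error page from being saved as the
# tarball (the original also passed --remote-name next to -o, i.e. two output
# names for one URL).
# NOTE(review): the release tarball is not checksum-verified.  With a known
# digest, prefer `ADD --checksum=sha256:<DIGEST_PLACEHOLDER>` or a
# `sha256sum -c` step before extracting.
ARG YARA_VERSION=4.2.2
RUN curl --fail --silent --show-error --location \
        -o /tmp/yara_v${YARA_VERSION}.tar.gz \
        https://github.com/VirusTotal/yara/archive/refs/tags/v${YARA_VERSION}.tar.gz \
    && tar --directory /tmp --gzip --extract --file /tmp/yara_v${YARA_VERSION}.tar.gz \
    && cd /tmp/yara-${YARA_VERSION} \
    && ./bootstrap.sh \
    && ./configure --prefix=/root/yara --enable-magic \
    && make \
    && make check \
    && make install \
    && rm -rf /tmp/yara-${YARA_VERSION} /tmp/yara_v${YARA_VERSION}.tar.gz

# Must be ENV: `RUN export ...` only affects that one RUN shell and left
# nothing behind in the image.
ENV LD_LIBRARY_PATH=/root/yara/lib

# NOTE(review): the venv is created in the same prefix as the YARA install and
# then put first on PATH, so `python` inside the container resolves to the venv
# interpreter, which does not see the packages pip installed into the system
# interpreter above -- confirm that is intended.
# No USER is set, so scans run as root inside the container; YARA and the venv
# live under /root and would have to move before a non-root user is added.
RUN python -m venv ~/yara
ENV PATH="/root/yara/bin:${PATH}"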
# Values consumed by the Makefile (read via `include .env` and exported to every
# recipe shell).  The right-hand sides are placeholders showing the kind of value.

# SSH private key; bind-mounted into the checksum container as
# /usr/src/app/rsa_key (CHECKSUM_RSA_KEY_FILE in the Dockerfile).
RSA_KEY_FILE=PATH
# Passed to the container as CHECKSUM_REMOTE_SERVER / CHECKSUM_REMOTE_USERNAME
# by generate/checksum.
REMOTE_SERVER=HOST
REMOTE_USER=USERNAME
# Checkout of php-malware-finder; mounted at /usr/src/app/php-malware-finder.
PHP_MALWARE_FINDER=PATH
# Scratch directory that receives `docker cp` copies of a site.  The Makefile
# runs `rm -rf` on it before and after use, so it must be a dedicated path.
WORDPRESS_MOUNT_LOCATION=PATH
# Directory holding the <companyName>.zip archives written by backup/wordpress
# and read by recover/wordpress.
WORDPRESS_BACKUP_LOCATION=PATH
# WordPress server checkout; its own .env is included as well, and recovered
# .htaccess files are moved into configurations/<companyDomain>/ under it.
WORDPRESS_SERVER_LOCATION=PATH
# Directory containing discord.sh and the webhook it posts to; used by
# healthcheck/wordpress/all for notifications.
DISCORD_SCRIPT_LOCATION=PATH
DISCORD_WEBHOOK=URL
# HTTP basic-auth credentials for the shop's cache-clear endpoint.  They are
# passed on the curl command line, so they are visible in the process list
# while the request runs.
AURYN_LOGIN=EMAIL
AURYN_PASSWORD=PASSWORD
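# Settings come from two dotenv files: the local one (RSA key, remote host,
# mount/backup paths, Discord hook, Auryn credentials) and the one shipped with
# the WordPress server checkout.  Both must exist; make aborts otherwise.
include .env
include $(WORDPRESS_SERVER_LOCATION)/.env
# `export` with no arguments exports every make variable -- AURYN_PASSWORD
# included -- into the environment of each recipe shell.
export
# Recipes use bash-only constructs ([[ ... == *pattern* ]] in the healthcheck).
SHELL := /bin/bash
# Resolved once at parse time; $(CURDIR) is make's own working directory, so
# no subshell is needed (the original re-ran `pwd` on every reference).
CURRENT_DIR := $(CURDIR)
# None of the targets produce a file of the same name.
.PHONY: build/environment generate/checksum check/wordpress backup/wordpress \
        recover/wordpress recover/wordpress/clean healthcheck/wordpress/all start/docker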
# Build the scanner image from the Dockerfile in this directory.
build/environment:
	docker build --tag malware-finder .
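# Compute file checksums for a company (`--mode sum`) against REMOTE_SERVER and
# write them to result/<companyName>.  Requires companyName=<container name>.
# The key and REMOTE_SERVER/REMOTE_USER suggest an SSH session (paramiko is in
# requirements.txt); the script itself is not on this page.  The private key
# and the script are mounted read-only, the container only reads them; the
# result file stays writable.  -it is kept as in the original: the run may be
# interactive.
generate/checksum:
	@mkdir -p result && touch result/$(companyName)
	docker run \
		-it \
		--rm \
		--name checksum-checker \
		--mount type=bind,source=$(CURRENT_DIR)/wordpress_checksum_checks.py,target=/usr/src/app/wordpress_checksum_checks.py,readonly \
		--mount type=bind,source=$(RSA_KEY_FILE),target=/usr/src/app/rsa_key,readonly \
		--mount type=bind,source=$(CURRENT_DIR)/result/$(companyName),target=/usr/src/app/$(companyName) \
		-e CHECKSUM_REMOTE_SERVER=$(REMOTE_SERVER) \
		-e CHECKSUM_REMOTE_USERNAME=$(REMOTE_USER) \
		-e COMPANY_NAME=$(companyName) \
		-w /usr/src/app \
		malware-finder:latest \
		python /usr/src/app/wordpress_checksum_checks.py --mode sum /usr/src/app/$(companyName);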
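# Scan a company's WordPress tree with php-malware-finder and store the report
# in result/<companyName>.  The site is copied out of the container into
# WORDPRESS_MOUNT_LOCATION, which is wiped first (as backup/recover do, so a
# previous run's leftovers are not merged into the copy) and again afterwards,
# and mounted read-only: the scanner only reads it.  Requires companyName.
# Each line is a separate shell and make stops at the first failing one, so a
# failed scan leaves the copy in place until the next run clears it.
# NOTE(review): `-t` allocates a tty, which turns the redirected report's line
# endings into CRLF -- confirm the downstream reader copes, or drop -t.
check/wordpress:
	@rm -rf $(WORDPRESS_MOUNT_LOCATION);
	@docker cp $(companyName):/var/www/html/. $(WORDPRESS_MOUNT_LOCATION);
	mkdir -p result && touch result/$(companyName);
	docker run \
		-t \
		--rm \
		--name vulnerability-checker \
		--mount type=bind,source=$(WORDPRESS_MOUNT_LOCATION),target=/usr/src/app/wordpress,readonly \
		-v "$(PHP_MALWARE_FINDER):/usr/src/app/php-malware-finder" \
		-e COMPANY_NAME=$(companyName) \
		-w /usr/src/app \
		malware-finder:latest \
		/usr/src/app/php-malware-finder/php-malware-finder/phpmalwarefinder /usr/src/app/wordpress > $(CURRENT_DIR)/result/$(companyName);
	rm -rf $(WORDPRESS_MOUNT_LOCATION);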
# Archive a company's current WordPress tree as
# WORDPRESS_BACKUP_LOCATION/<companyName>.zip, replacing the previous archive
# (no rotation: recover/wordpress always restores the latest snapshot, so a
# backup taken after an infection is what gets restored).  The archive is the
# whole of /var/www/html, which presumably includes wp-config.php and its
# database credentials; the backup directory should be protected accordingly.
# WORDPRESS_MOUNT_LOCATION is wiped before and after.  Requires companyName.
backup/wordpress:
	@rm -rf $(WORDPRESS_MOUNT_LOCATION);
	docker cp $(companyName):/var/www/html/. $(WORDPRESS_MOUNT_LOCATION);
	cd $(WORDPRESS_MOUNT_LOCATION) && zip --recurse-paths $(companyName).zip . && mv -- $(companyName).zip $(WORDPRESS_BACKUP_LOCATION)/;
	rm -rf $(WORDPRESS_MOUNT_LOCATION);
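# Restore a company's WordPress tree from WORDPRESS_BACKUP_LOCATION/<companyName>.zip
# while keeping the live wp-content/uploads and .htaccess: every other regular
# file is deleted inside the container, the archive's uploads are discarded and
# its .htaccess moved to WORDPRESS_SERVER_LOCATION/configurations/<companyDomain>/,
# then the rest is copied in, ownership and permissions are reset and the
# container restarted.  Requires companyName and companyDomain.  The archive is
# restored as-is, so a snapshot taken after an infection restores the infection.
# The chown/chmod/restart execs run without -it: they need no terminal, and
# with -it they fail ("the input device is not a TTY") when this target runs
# non-interactively -- healthcheck/wordpress/all calls it through make -C --
# which stopped make after `docker cp`, leaving ownership and permissions unset.
# NOTE(review): `chown ... *` and `find .` rely on the container's working
# directory being /var/www/html, and the glob skips dot-files such as .htaccess.
recover/wordpress:
	@rm -rf $(WORDPRESS_MOUNT_LOCATION);
	unzip $(WORDPRESS_BACKUP_LOCATION)/$(companyName).zip -d $(WORDPRESS_MOUNT_LOCATION);
	docker exec -i $(companyName) bash -c "find /var/www/html ! -path /var/www/html/wp-content/uploads ! -path '/var/www/html/wp-content/uploads/*' ! -name '.htaccess' -type f -exec rm -rf {} +";
	rm -rf $(WORDPRESS_MOUNT_LOCATION)/wp-content/uploads;
	mv $(WORDPRESS_MOUNT_LOCATION)/.htaccess $(WORDPRESS_SERVER_LOCATION)/configurations/$(companyDomain)/
	docker cp $(WORDPRESS_MOUNT_LOCATION)/. $(companyName):/var/www/html/;
	docker exec $(companyName) bash -c "chown www-data:www-data -R *";
	docker exec $(companyName) bash -c "find . -type d -exec chmod 755 {} \;";
	docker exec $(companyName) bash -c "find . -type f -exec chmod 644 {} \;";
	docker restart $(companyName);
	rm -rf $(WORDPRESS_MOUNT_LOCATION);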
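# Like recover/wordpress, but nothing from the live tree is kept except
# .htaccess: every other regular file in the container is deleted (uploads
# included) and the archive's uploads are restored along with the rest.  The
# archive's .htaccess is moved to WORDPRESS_SERVER_LOCATION/configurations/<companyDomain>/.
# Requires companyName and companyDomain.
# The chown/chmod/restart execs run without -it for the same reason as in
# recover/wordpress: with -it they fail when no terminal is attached, which
# stops make after `docker cp` with ownership and permissions unset.
# NOTE(review): `chown ... *` and `find .` rely on the container's working
# directory being /var/www/html, and the glob skips dot-files such as .htaccess.
recover/wordpress/clean:
	@rm -rf $(WORDPRESS_MOUNT_LOCATION);
	unzip $(WORDPRESS_BACKUP_LOCATION)/$(companyName).zip -d $(WORDPRESS_MOUNT_LOCATION);
	mv $(WORDPRESS_MOUNT_LOCATION)/.htaccess $(WORDPRESS_SERVER_LOCATION)/configurations/$(companyDomain)/
	docker exec $(companyName) bash -c "find /var/www/html ! -name '.htaccess' -type f -exec rm -rf {} +";
	docker cp $(WORDPRESS_MOUNT_LOCATION)/. $(companyName):/var/www/html/;
	docker exec $(companyName) bash -c "chown www-data:www-data -R *";
	docker exec $(companyName) bash -c "find . -type d -exec chmod 755 {} \;";
	docker exec $(companyName) bash -c "find . -type f -exec chmod 644 {} \;";
	docker restart $(companyName);
	rm -rf $(WORDPRESS_MOUNT_LOCATION);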
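# Probe every company in companies.json and self-heal.  A 502 from the
# WordPress vhost starts a stopped container (then `exit 0`) or restarts a
# running one and fails the target (`exit 1`); a shop page that reports the
# WordPress URL as unreachable triggers recover/wordpress for that company.
# The `exit`s end the while loop, so companies after the first broken one are
# not probed in that run.  SERVER_HTTPS_PORT is expected from the included
# server .env.
# Notifications go through discord.sh only when both DISCORD_SCRIPT_LOCATION
# and DISCORD_WEBHOOK are set.  The original test `[ -z ${VAR+x} ]` was
# expanded by make, not the shell, into `[ -z ]`, which is always true -- and
# even as shell it would fire when the variable was *unset*.
# NOTE(review): the probes skip TLS verification (--insecure /
# --no-check-certificate), and AURYN_LOGIN/AURYN_PASSWORD travel on the curl
# command line, visible in the process list.  `[[ ... == *pattern* ]]` is why
# SHELL is bash.
healthcheck/wordpress/all:
	@jq -c '.companies[]' companies.json | while read -r company; do \
		echo "---"; \
		dockerName=`echo "$$company" | jq -r '.docker'`; echo "Verificando Wordpress $$dockerName"; echo "Nome: $$dockerName"; \
		wordpressUrl=`echo "$$company" | jq -r '.wordpress.domain'`; echo "URL Wordpress: $$wordpressUrl"; \
		shopUrl=`echo "$$company" | jq -r '.shop.domain'`; echo "URL Loja: $$shopUrl"; \
		wordpressStatusCode=`curl -o /dev/null --silent --insecure --head --write-out '%{response_code}\n' "https://$$wordpressUrl:$(SERVER_HTTPS_PORT)"`; echo "Status code Wordpress: $$wordpressStatusCode"; \
		shopBody=`wget -qO- --no-check-certificate "https://$$shopUrl"`; echo "Body Loja: $$shopBody" | head -c 100; \
		echo ""; \
		dockerStatus=`docker container inspect -f '{{.State.Running}}' "$$dockerName"`; echo "Status Docker: $$dockerStatus"; \
		if [ "$$wordpressStatusCode" -eq 502 ]; then \
			if [ "$$dockerStatus" = false ]; then \
				echo "Reiniciando container $$dockerName"; \
				docker start "$$dockerName"; \
				curl --silent -X POST "https://$$shopUrl/manager/redis/clearCompanyCache" -H "Content-Type: application/json" --user "$(AURYN_LOGIN):$(AURYN_PASSWORD)"; \
				if [ -n "$(DISCORD_SCRIPT_LOCATION)" ] && [ -n "$(DISCORD_WEBHOOK)" ]; then \
					bash $(DISCORD_SCRIPT_LOCATION)/discord.sh --webhook-url=$(DISCORD_WEBHOOK) --text "Iniciado docker $$dockerName novamente"; \
				fi; \
				exit 0; \
			fi; \
			echo "Wordpress nao esta funcionando, tentando reiniciar"; \
			docker restart "$$dockerName"; \
			if [ -n "$(DISCORD_SCRIPT_LOCATION)" ] && [ -n "$(DISCORD_WEBHOOK)" ]; then \
				bash $(DISCORD_SCRIPT_LOCATION)/discord.sh --webhook-url=$(DISCORD_WEBHOOK) --text "Wordpress $$wordpressUrl nao esta funcionando por mais que o container esteja funcionando"; \
			fi; \
			exit 1; \
		fi; \
		if [[ $$shopBody == *"correta? Url acessada: https://$$wordpressUrl"* ]]; then \
			echo "Wordpress nao esta funcionando na loja da Auryn, recuperando ultimo backup"; \
			make -C $(CURRENT_DIR) recover/wordpress companyName="$$dockerName" companyDomain="$$wordpressUrl"; \
			curl --silent -X POST "https://$$shopUrl/manager/redis/clearCompanyCache" -H "Content-Type: application/json" --user "$(AURYN_LOGIN):$(AURYN_PASSWORD)"; \
			if [ -n "$(DISCORD_SCRIPT_LOCATION)" ] && [ -n "$(DISCORD_WEBHOOK)" ]; then \
				bash $(DISCORD_SCRIPT_LOCATION)/discord.sh --webhook-url=$(DISCORD_WEBHOOK) --text "Recuperado $$wordpressUrl"; \
			fi; \
		fi; \
	done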
# Run a scanner container with the image's default command (none is given),
# with the result file, the site copy and php-malware-finder mounted --
# presumably for manual use.  Requires companyName; result/<companyName> and
# WORDPRESS_MOUNT_LOCATION must already exist.
start/docker:
	@docker run \
		--tty \
		--rm \
		--name vulnerability-checker \
		--mount type=bind,source=$(CURRENT_DIR)/result/$(companyName),target=/usr/src/app/$(companyName) \
		--mount type=bind,source=$(WORDPRESS_MOUNT_LOCATION),target=/usr/src/app/wordpress \
		--volume "$(PHP_MALWARE_FINDER):/usr/src/app/php-malware-finder" \
		--env COMPANY_NAME=$(companyName) \
		--workdir /usr/src/app \
		malware-finder:latest
# NOTE(review): unpinned -- pin a version (e.g. paramiko==<VERSION_PLACEHOLDER>) so the image build is reproducible.
paramiko