Scanning Your Server for Malware

If you’ve been unfortunate enough to be targeted by attackers who have added malware to your web server, here are a few Linux command-line tools you can use to investigate.

The first is maldet (Linux Malware Detect), which can be paired with ClamAV (Clam AntiVirus) to scan for malware. Here’s a good guide on how to do that.

Note that you can usually install maldet through your package manager (yum or apt) as well. The key is to run it together with ClamAV, which you should keep up to date. You can also configure it to alert you and to automatically quarantine suspicious files.

Another tool, which is much better at finding hacked PHP code (which is usually encoded), is PHP Malware Finder. You’ll notice that hacked PHP files aren’t plain PHP code: the payload has been encoded (e.g. base64) and wrapped in a decode-and-execute call, so it is unreadable without decoding.

This can be cloned to the server and run from the command line. Be aware that it will report a lot of false positives depending on your application (e.g. WordPress), and you’ll need to work through these yourself.

Don’t forget to also have something like [All in One WP Security and Firewall](https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/) installed to lock down your WordPress site and to scan for and alert you of any changes.

As a final measure, it helps if your application code is kept under version control on the server using a tool like git. A plain git status then shows any untracked or modified files compared with the last known-good commit, which you can investigate and quarantine.
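The two checks above, a git diff against the last known-good deploy and a grep for the decode-and-execute idiom that injected PHP usually takes, combined into one script. This is an added example, not code from the original post or from maldet or PHP Malware Finder; the web root, file names and base64 strings are constructed for the demo (the payloads decode to harmless text), and the list of suspicious idioms is a starting point rather than a complete scanner.

```shell
#!/bin/sh
# Added example, not code from the original post or from maldet/PHP Malware
# Finder: two quick checks on a web root that is tracked in git, as the post
# suggests. The tree, file names and base64 payloads are constructed for the
# demo (the payloads decode to harmless strings); the idiom list is a start.
set -eu

# Paths that differ from the last commit: modified ( M), untracked (??),
# added and deleted entries. Renames ("R old -> new") are skipped to keep
# the awk one-liner simple.
changed_files() {
  git -C "$1" status --porcelain --untracked-files=all | awk '$1 != "R" { print $2 }'
}

# PHP files containing a "decode, then execute" construct, the shape injected
# code usually takes. Case-insensitive because PHP function names are.
# Plain base64_decode() without eval/assert around it is not reported.
obfuscated_php() {
  re='(eval|assert|create_function)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)[[:space:]]*\('
  find "$1" -name .git -prune -o -name '*.php' -exec grep -liE "$re" {} + || true
}

# Build a small "site" with a known-good commit, then simulate a compromise.
make_demo_tree() {
  root=$(mktemp -d)
  git -C "$root" -c init.defaultBranch=main init -q
  mkdir -p "$root/wp-content/uploads"
  printf '<?php echo "index";\n' > "$root/index.php"
  # Legitimate use of base64_decode ("b2s=" is "ok"); must not be flagged.
  printf '<?php function helper() { return base64_decode("b2s="); }\n' > "$root/wp-content/helper.php"
  git -C "$root" add -A
  git -C "$root" -c user.name=demo -c user.email=demo@example.com commit -q -m "known-good deploy"

  # Attacker drops a backdoor under uploads and injects a loader into index.php.
  # "ZWNobyAnaGknOw==" is base64 for: echo 'hi';   "cGF5bG9hZA==" is "payload".
  printf '<?php @eval(base64_decode("ZWNobyAnaGknOw=="));\n' > "$root/wp-content/uploads/.cache.php"
  printf '<?php echo "index"; eval ( gzinflate ( base64_decode ( "cGF5bG9hZA==" ) ) );\n' > "$root/index.php"
  echo "$root"
}

root=$(make_demo_tree)
echo "== files that differ from the last commit =="
changed_files "$root"
echo "== PHP files with decode-then-execute idioms =="
obfuscated_php "$root"
```

Both lists name index.php and wp-content/uploads/.cache.php, while wp-content/helper.php, which calls base64_decode() legitimately, appears in neither. On a real site the git check is the stronger of the two, because it catches modified files regardless of how the payload is obfuscated; the grep only catches the common idioms in the pattern.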

Mahara Class ‘HTMLPurifier_Config’ not found

This error comes from a call to the clean_html function in lib/web.php, which loads HTMLPurifier. It turned out that a bad .gitignore rule (a bare config.php pattern, which ignores every file with that name anywhere in the tree) meant that the file:

lib/htmlpurifier/HTMLPurifier/Config.php

wasn’t in the install, hence the error. Changing the .gitignore to ignore only the root-level config.php (the anchored pattern /config.php) resolved the issue and allowed the missing file to be deployed on the target install.
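Reproducing the mistake in a throwaway repository shows how to ask git which rule is swallowing a path. This is an added example, not code from the original post or from Mahara; only the two paths come from the post. It forces core.ignorecase on to mimic a macOS checkout, where the lowercase pattern also matches Config.php (on a case-sensitive Linux checkout it would not, which is one reason a bug like this shows up on some machines and not others).

```shell
#!/bin/sh
# Added example, not code from the original post or from Mahara: reproduce the
# .gitignore mistake in a throwaway repository and ask git which rule is
# ignoring the nested Config.php. The tree is constructed; only the two paths
# come from the post. core.ignorecase is forced on to mimic macOS.
set -eu

make_tree() {
  repo=$(mktemp -d)
  git -C "$repo" -c init.defaultBranch=main init -q
  git -C "$repo" config core.ignorecase true
  mkdir -p "$repo/lib/htmlpurifier/HTMLPurifier"
  : > "$repo/config.php"                                # site config: must stay untracked
  : > "$repo/lib/htmlpurifier/HTMLPurifier/Config.php"  # library file: must be tracked
  echo "$repo"
}

# Replace the repository's .gitignore with a single pattern.
set_ignore() {
  printf '%s\n' "$2" > "$1/.gitignore"
}

# "source:line:pattern" of the rule that ignores a path, or nothing if the
# path would be tracked. check-ignore exits 1 for a non-ignored path, so
# the pipeline's status must not abort the script.
ignoring_rule() {
  git -C "$1" check-ignore -v "$2" 2>/dev/null | cut -f1 || true
}

repo=$(make_tree)
for pattern in 'config.php' '/config.php'; do
  set_ignore "$repo" "$pattern"
  echo "pattern '$pattern':"
  printf '  %-42s %s\n' config.php "$(ignoring_rule "$repo" config.php)"
  printf '  %-42s %s\n' lib/htmlpurifier/HTMLPurifier/Config.php \
    "$(ignoring_rule "$repo" lib/htmlpurifier/HTMLPurifier/Config.php)"
done
```

With the bare pattern both paths report .gitignore:1:config.php; with the anchored /config.php only the root file is ignored and the library file is free to be added and deployed. git check-ignore -v is the quickest way to answer "why is this file missing from my deploy" before rewriting any rules.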

Moodle Git and Finding Versions

The key to working with the Moodle git repository is the version.php file. It is changed on every version bump, so you can use it to track down a specific Moodle version in the repository (use this in conjunction with branches and version tags).

To see what’s changed on this file including the file changes themselves use:

git whatchanged -p version.php

This is handy, but chances are you are searching for a specific version. E.g. say I want version 2012062503.02. How do I track down the commit(s) that relate to that version? Use the command above but add the -S (pickaxe) search parameter:

git whatchanged -p -S2012062503.02 version.php

This gives you the commit details (including the hash) you need. Note that -S lists every commit that changed the number of occurrences of the string, so you will usually get two hits: the commit that introduced that version and the later one that bumped it to the next value. Check the diff and take the one that adds the line.

Once you have the correct commit, use git checkout with -B to create your branch at that commit (or reset it there if it already exists). E.g.

git checkout 5f1d8f2 -B moodle

Now my moodle branch points to the commit I was looking for.

Show staged differences in git

You can use git diff to also show staged (cached) changes and compare them to the last committed change as follows:

$ git diff --staged example.php

This shows the differences between the last commit and the changes you have staged but not yet committed. The --cached option means the same thing as --staged.

Git undo modifications

Much like you can get a list of deleted files, you can also get a list of modified files and then check them all out (undo the modifications) in one command:

git checkout $(git ls-files -m)

This is effectively an “undo” of all unstaged modifications to tracked files (it does not touch untracked files, and because checkout restores from the index it leaves already staged changes alone). Note that the unquoted command substitution breaks on paths containing spaces; git checkout -- . does the same job for everything under the current directory.

Git remove multiple deleted files

Sometimes when you are committing changes in git you’ll find that a number of files have been deleted from the working tree with plain rm.

You could stage each deletion individually with:

$ git rm filename

However, there is a shortcut. If you issue the command:

$ git ls-files --deleted

It will return a list of all files that are still in the index but no longer exist in the working tree.

You can then simply pass that list to git rm, using a combined syntax like this:

$ git rm $(git ls-files --deleted)

(Just don’t forget the --deleted parameter!) As with the modifications trick above, this breaks on paths containing spaces; git add -u stages modifications and deletions of tracked files in one go as well.
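The git commands from the Moodle, staged-diff, undo-modifications and remove-deleted-files notes above, run end to end in a throwaway repository so the effect of each one can be checked. This is an added example, not code from the original posts or from Moodle; the version numbers, file names and commit messages are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original posts or from Moodle: a throwaway
# repository that walks through the commands from the Moodle, staged-diff,
# undo-modifications and remove-deleted-files notes. Version numbers, file
# names and commit messages are made up for the demo.
set -eu

# A repo whose version.php is bumped in three commits, the way Moodle's is.
setup_repo() {
  repo=$(mktemp -d)
  git -C "$repo" -c init.defaultBranch=main init -q
  printf '<?php\nfunction lib() { return 1; }\n' > "$repo/lib.php"
  printf '<?php\nfunction helper() { return 2; }\n' > "$repo/helper.php"
  for v in 2012062500.00 2012062503.02 2012062503.03; do
    printf '<?php\n$version = %s;\n' "$v" > "$repo/version.php"
    git -C "$repo" add version.php lib.php helper.php
    git -C "$repo" -c user.name=demo -c user.email=demo@example.com \
      commit -q -m "Bump version to $v"
  done
  echo "$repo"
}

# The commit that introduced a version string. The pickaxe (-S) lists every
# commit where the number of occurrences changed, i.e. the commit that added
# the string and the later one that replaced it; the oldest hit is the one
# that introduced it (git log prints newest first, hence tail).
find_version_commit() {
  git -C "$1" log --format=%H -S"$2" -- version.php | tail -n 1
}

# Create the "moodle" branch at that commit, or reset it there if it exists.
checkout_version() {
  git -C "$1" checkout -q -B moodle "$(find_version_commit "$1" "$2")"
}

# Version string in the checked-out version.php.
current_version() {
  sed -n 's/^\$version = \(.*\);$/\1/p' "$1/version.php"
}

# Undo unstaged edits to tracked files. checkout restores from the index, so
# staged changes survive; untracked files are not listed by ls-files -m.
undo_modifications() {
  files=$(git -C "$1" ls-files -m)
  [ -n "$files" ] && git -C "$1" checkout -- $files
  return 0
}

# Stage deletions made with plain rm, in one go.
stage_deletions() {
  files=$(git -C "$1" ls-files --deleted)
  [ -n "$files" ] && git -C "$1" rm -q $files
  return 0
}

repo=$(setup_repo)
checkout_version "$repo" 2012062503.02
echo "branch moodle is at version $(current_version "$repo")"

echo 'evil();' >> "$repo/lib.php"                      # unstaged edit
echo "modified before undo: $(git -C "$repo" ls-files -m)"
undo_modifications "$repo"
echo "modified after undo:  $(git -C "$repo" ls-files -m)"

echo '// reviewed' >> "$repo/lib.php"
git -C "$repo" add lib.php                             # staged edit
git -C "$repo" diff --staged                           # --cached is the same

rm "$repo/helper.php"                                  # deleted with rm
echo "deleted: $(git -C "$repo" ls-files --deleted)"
stage_deletions "$repo"
git -C "$repo" status --short
```

The script ends with lib.php showing as modified in the index and helper.php as deleted in the index, ready to commit. Both bulk helpers rely on unquoted word splitting of the ls-files output, exactly like the one-liners in the notes, so they are only safe for paths without spaces.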

Bitbucket

Netbeans for PHP Development

Turns out for serious PHP development, Netbeans is great (yes, even on the Mac):

  • The PHP integration is comprehensive, especially for things like syntax highlighting/code-folding/syntax checking, navigating code, and looking up documentation. 
  • There is good support for all the related file types you need to work with like HTML, CSS, XML, Javascript, SQL. 
  • It integrates nicely with Git (and supports several other version control systems). 
  • There are some nifty plugins (and a few you should turn off if you don’t use them).
  • So far it is the only IDE I’ve found with a decent PHP debugger integration using Xdebug. 
  • Most importantly it isn’t too clunky! Nothing worse than a slow development environment.

One thing that sucks is the dreary, soul-crushing enterprise black-text-on-white-background theme. But that’s easily fixed with this Twilight Theme from NetTuts+. It’s a shame it’s not the default.

If you’re still not sold, check out the list of other major IDEs at NetTuts+.

Git How To (Tutorial)