
paranoya integration (experimental)

c0m4r edited this page Jan 17, 2024 · 1 revision

paranoya integration

As an additional security measure you might want to scan uploaded files for malware.

The uploader will use the paranoya IOC and YARA scanner if it is present.

This will, however, extend the file upload time, especially for bigger files, quite apart from the fact that such scanning may be considered overkill.

Disclaimer

This solution is experimental and may itself introduce a DoS vulnerability under higher load.

Requirements

  • PHP module: sockets
  • Temporary upload directory (upload_tmp_dir, usually /tmp) must be shared between PHP and paranoya
  • paranoya scan enabled in config.php ("paranoya" => true)

Recommendations

Docker

In this setup it's important to share /tmp between the php-fpm and paranoya containers so that paranoya can scan the files PHP saves there temporarily.

git clone https://github.com/c0m4r/up.git
cd up
git clone https://github.com/c0m4r/paranoya
mv .docker/docker-compose-with-paranoya.yml docker-compose.yml
chown 82:82 i logs -R
wget https://getcomposer.org/download/2.6.6/composer.phar
echo "72600201c73c7c4b218f1c0511b36d8537963e36aafa244757f52309f885b314 composer.phar" | sha256sum -c || rm composer.phar

Before running docker compose, edit config.php and set these options as follows:

    "allowed_hosts"  => '127.0.0.1:8080,localhost,localhost:8080',
    "ssl"            => false,
    "paranoya"       => true,
    "paranoya_host"  => 'paranoya',

Now you can start docker compose:

docker compose up -d
docker compose exec php-fpm /bin/sh -c "cd /usr/share/nginx/html && php composer.phar update"

Additional yara rules

Because we want to protect against webshells, it's a good idea to supplement the rules with additional ones. I found the php-malware-finder rules work quite well. They are somewhat excessive when scanning other files, causing a lot of false positives, but because we want to block any PHP webshells mimicking image files, this can turn out to be an advantage. Still, I had to filter out some rules that caused false positives and interfered with signature-base.

php-malware-finder yara rules for paranoya

cd paranoya
curl -Ls \
    https://raw.githubusercontent.com/jvoisin/php-malware-finder/aca14bfc3b2fa40a470a4f0fd8dcc1e0856f9c1c/data/php.yar \
    | grep -vE '(powershell|safemode_bypass|\$comment)' \
    | sed 's/global private/private/g;' \
    | sed 's/include "whitelist.yar"//g;' \
    | sed 's/ and not IsWhitelisted//g;' \
    | sed 's/^{/{\n   meta:\n      description = "php-malware-finder"\n      author = "jvoisin"\n      reference = "https\:\/\/github\.com\/jvoisin\/php-malware-finder"\n/g;' > signature-base/yara/php-malware-finder.yar

How it works

The paranoya scan is invoked right before the file would be saved.


If paranoya detects anything suspicious, the file is not saved and an error message is shown to the user.


Detections are logged to logs/malware.log.

This will not stop targeted malware, of course, but it should be enough against bots and script kiddies.
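The scan-before-save flow described above, as an added example that is not the up project's own code. It uses the PHP sockets module the requirements call for, consults the host configured as "paranoya_host", refuses to move the upload into place on a hit, and appends a line to logs/malware.log. The port, the request format (one line carrying the temporary file path) and the response words it looks for (ALERT, WARNING) are assumptions, not taken from this page; the upload directory i/ is assumed from the chown line above. Check paranoya's own documentation for the real daemon protocol before adapting it.

```php
<?php
declare(strict_types=1);

// Added example (not the up project's code): scan the temporary upload with
// the paranoya daemon, refuse to save on a hit, log the rejection.
// ASSUMPTIONS: port, wire format and response vocabulary are placeholders.

const PARANOYA_HOST    = 'paranoya';                 // "paranoya_host" in config.php
const PARANOYA_PORT    = 1337;                       // ASSUMPTION: placeholder port
const SCAN_TIMEOUT_SEC = 10;                         // upper bound per scan request
const MALWARE_LOG      = __DIR__ . '/logs/malware.log';

/**
 * Ask the paranoya daemon to scan $path.
 * Returns ['clean' => bool, 'detail' => string]. Transport errors and timeouts
 * are reported as not clean (fail closed): for an upload endpoint it is safer
 * to reject a file than to store one that was never scanned.
 */
function paranoya_scan(string $path, string $host = PARANOYA_HOST, int $port = PARANOYA_PORT): array
{
    $sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    if ($sock === false) {
        return ['clean' => false, 'detail' => 'socket_create: ' . socket_strerror(socket_last_error())];
    }
    // Timeouts in both directions so a stalled daemon cannot pin a php-fpm
    // worker indefinitely (the DoS concern from the disclaimer above).
    $tv = ['sec' => SCAN_TIMEOUT_SEC, 'usec' => 0];
    socket_set_option($sock, SOL_SOCKET, SO_RCVTIMEO, $tv);
    socket_set_option($sock, SOL_SOCKET, SO_SNDTIMEO, $tv);

    // socket_connect() expects an IP address, so resolve the container name first.
    $ip = gethostbyname($host);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        socket_close($sock);
        return ['clean' => false, 'detail' => "cannot resolve $host"];
    }
    if (@socket_connect($sock, $ip, $port) === false) {
        $detail = 'connect: ' . socket_strerror(socket_last_error($sock));
        socket_close($sock);
        return ['clean' => false, 'detail' => $detail];
    }

    // ASSUMPTION: the request is the absolute file path followed by a newline.
    $request = realpath($path) . "\n";
    if (@socket_write($sock, $request, strlen($request)) === false) {
        $detail = 'write: ' . socket_strerror(socket_last_error($sock));
        socket_close($sock);
        return ['clean' => false, 'detail' => $detail];
    }

    // One response line (PHP_NORMAL_READ stops at "\n"); false means timeout or error.
    $response = @socket_read($sock, 4096, PHP_NORMAL_READ);
    socket_close($sock);
    if ($response === false || trim($response) === '') {
        return ['clean' => false, 'detail' => 'no response from scanner (timeout?)'];
    }
    $response = trim($response);

    // ASSUMPTION: the daemon marks hits with the words ALERT or WARNING.
    $hit = preg_match('/\b(ALERT|WARNING)\b/', $response) === 1;
    return ['clean' => !$hit, 'detail' => $response];
}

/** Append one line per rejected upload to logs/malware.log. */
function log_malware(string $originalName, string $detail): void
{
    // Strip line breaks from attacker-controlled fields so each event stays on one line.
    $line = sprintf("%s %s %s %s\n",
        date('c'),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        str_replace(["\r", "\n"], ' ', $originalName),
        str_replace(["\r", "\n"], ' ', $detail));
    file_put_contents(MALWARE_LOG, $line, FILE_APPEND | LOCK_EX);
}

/**
 * Scan one $_FILES entry and only then move it into $destDir.
 * Returns ['saved' => bool, 'path' => ?string, 'error' => ?string].
 */
function save_upload_scanned(array $file, string $destDir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return ['saved' => false, 'path' => null, 'error' => 'invalid upload'];
    }
    $scan = paranoya_scan($file['tmp_name']);            // runs while the file is still in upload_tmp_dir
    if (!$scan['clean']) {
        log_malware((string) $file['name'], $scan['detail']);
        return ['saved' => false, 'path' => null, 'error' => 'file rejected by malware scan'];
    }
    // Server-chosen name on disk; never reuse the client-supplied filename.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(8));
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['saved' => false, 'path' => null, 'error' => 'could not store file'];
    }
    return ['saved' => true, 'path' => $dest, 'error' => null];
}

// Usage from an upload endpoint (i/ assumed to be the upload directory):
// $result = save_upload_scanned($_FILES['file'], __DIR__ . '/i');
// if (!$result['saved']) { http_response_code(400); echo $result['error']; }
```

Two design points worth keeping when adapting this: the scan runs on the file in upload_tmp_dir, which is why that directory has to be visible to the paranoya container, and every failure path (resolution, connect, write, timeout) rejects the upload rather than silently storing an unscanned file. The per-request timeout is what keeps a slow or wedged scanner from turning the experimental feature into the DoS the disclaimer warns about.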