I'm inheriting a rather large PHP project. It's suspected that it has some "spy" code in it that connects to external sites and/or sends email to an outside source. All of the code is in "raw" PHP; nothing like ionCube was used to lock it up.
We're wanting to find if any such code exists.
Obviously we can grep for 'email' throughout the entire code base (and have) to find any spots that would be sending email (none were found).
We'd like to do the same for terms like file_get_contents and the curl* functions, etc., but we want to make sure we have a definitive list of all the functions we should be searching for.
OR - is there a better way? Is there a php.ini setting we can set that would explicitly tell PHP not to allow outbound connections?
Thanks in advance for any thoughts and feedback!
finding outbound connections?
Re: finding outbound connections?
You can try to monitor it first. If it's Linux:

iptables -I OUTPUT -p tcp -m state --state NEW -m owner --uid-owner apache_user_id_here -j LOG --log-prefix "MONITOR"

and grep /var/log/messages for the MONITOR string.
This will log all outgoing (i.e. initiating, not responding) connections made by Apache. Take a look at the destination IPs and decide whether they are legitimate ones or not.
There are 10 types of people in this world, those who understand binary and those who don't
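The reply above stops at "grep for MONITOR and look at the destination IPs". The following is an added example (not from the forum post) that does the next step: it parses the kernel LOG lines the rule produces, counts new connections per destination IP and port, and flags anything not on an operator-maintained allow-list. The log lines are constructed samples in the shape iptables' LOG target emits; note that the rule's prefix has no trailing space, so in the real log the prefix is fused with the IN= field as "MONITORIN=", which the regex tolerates.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the kernel LOG output produced by the
# iptables rule in the reply (not real log data). Because --log-prefix "MONITOR"
# has no trailing space, the prefix runs straight into IN=: "MONITORIN=".
SAMPLE_LOG = """\
Mar 10 12:00:01 web1 kernel: MONITORIN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=45000 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:07 web1 kernel: MONITORIN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=45001 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:09 web1 kernel: MONITORIN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1003 DF PROTO=TCP SPT=45002 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:15 web1 kernel: MONITORIN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1004 DF PROTO=TCP SPT=45003 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:20 web1 kernel: unrelated message without the prefix
"""

# Match the prefix (with or without a trailing space) and pull out DST and DPT.
LOG_LINE = re.compile(r"MONITOR\s*IN=.*?\bDST=(?P<dst>[\d.]+)\b.*?\bDPT=(?P<dpt>\d+)\b")


def parse_monitor_lines(text):
    """Yield (destination_ip, destination_port) for each line carrying the MONITOR prefix."""
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if m:
            yield m.group("dst"), int(m.group("dpt"))


def summarize(text, allowed):
    """Count new outbound connections per (ip, port) and separate out those that
    are not in `allowed`, the set of (ip, port) pairs known to be legitimate
    (database server, payment gateway, the site's own SMTP relay, ...)."""
    counts = Counter(parse_monitor_lines(text))
    suspicious = {dest: n for dest, n in counts.items() if dest not in allowed}
    return counts, suspicious


if __name__ == "__main__":
    known = {("198.51.100.20", 3306)}  # assumed: the application's database server
    counts, suspicious = summarize(SAMPLE_LOG, known)
    for (ip, port), n in sorted(counts.items()):
        flag = "" if (ip, port) in known else "  <-- review: not on allow-list"
        print(f"{ip}:{port}  {n} new connection(s){flag}")
```

In the sample, the two connections to 203.0.113.7 (port 25 and port 443) are the ones to trace back to the PHP code, since a web application that has no legitimate reason to talk SMTP or HTTPS outbound should not be opening them.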