
Backdoor/Trojan detected from Virustotal #663

Open
qdgithub323 opened this issue Mar 8, 2024 · 7 comments
Comments

@qdgithub323

Hello,

Most likely a false positive, but it seems that the download for php_imagick-3.7.0-8.1-nts-vs16-x64.zip has a few detections on VirusTotal.
https://www.virustotal.com/gui/file/bc87e8a6bcd0e13b3b155f01ab4a8a13c5fe56b6e592b0857ebb1126b4d74e60

In particular, file IM_MOD_RL_bmp_.dll is thought to contain Backdoor.Grunt.f from Jiangmin. https://www.virustotal.com/gui/file/cf997f51229fd617ec6d91a11a4b44ea1735bfa283fec18a862006bfc510fd10/detection

IM_MOD_RL_sgi_.dll is thought to have Trojan.Malware.300983.susgen from MaxSecure. There might be a few other files detected from this one too...
https://www.virustotal.com/gui/file/3dacde08b0a3e0c45a8900512fe70d1186ecb283d03c48905c590b1c3a994801/detection

Normally, I would disregard only one or two detections from these types of files, but with a recent suspected compromise to one of our servers, I'm being overly cautious with all the files on rebuild.

Thank you.

@macintoshplus

Where have you downloaded the archive with DLLs?

@qdgithub323
Author

Sorry, I thought I had included that already. Downloaded the Windows version from the php.net website: https://windows.php.net/downloads/pecl/releases/imagick/3.7.0/php_imagick-3.7.0-8.1-nts-vs16-x64.zip

@macintoshplus

The trojan is already detected in the Imagick library sources used to build the extension.
https://www.virustotal.com/gui/file/3684a58b0896e2a55995029fa92cc13bd1ac778e03cdf8682c4369bbef86be9e

I'm looking for the script used to build the development library, if you have any idea.

The ImageMagick version 7.1.1 is OK:
https://www.virustotal.com/gui/file/3dfe41df29c239997205e19acf4e208149a8f178b020ad9e7525aadb00169f9d

@Danack
Collaborator

Danack commented Mar 19, 2024

Thanks for reporting this. A couple of notes in no particular order.

  • I don't have the technical ability to evaluate this properly. One of the reasons why I don't distribute binaries (particularly Windows binaries) myself is that I don't have the skills to respond properly to security issues related to trojans.

  • This looks quite a lot like a false positive, not only because only 2 / 63 companies are reporting an issue, but because one of those vendors seems to have a high rate of false positives, according to a quick internet search.

  • I believe those files that are being reported as having a problem come from the ImageMagick distribution rather than Imagick itself, as I think they're the files that contain the code for reading/writing BMP and SGI files. It would be interesting to compare the ones in the zip file to the ones they are built against.

  • the Windows builds used to be done on a server and by a person that was sponsored by Microsoft, but they have withdrawn that funding. There is a project to replace the old PECL system with something created this millennium, but I'm not involved in that: https://externals.io/message/121927

I think that's a long way of saying: I'll keep an eye on this, but I'm not planning to do anything just yet.
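The comparison Danack suggests above (the DLLs inside the extension zip against the same-named DLLs in the dependency archive they were built from) as an added example; this is not code from the issue or the Imagick project, and the two archives, their file contents and the `compare_archives` helper are constructed here purely for illustration:

```python
import hashlib
import io
import zipfile
# Added example (not from the issue or the Imagick project): compare the
# DLLs in an extension zip against a dependency archive by SHA-256 digest.

def sha256_of_dlls(zip_src):
    """Map basename -> sha256 hex digest for every .dll member of a zip."""
    digests = {}
    with zipfile.ZipFile(zip_src) as zf:
        for info in zf.infolist():
            if not info.is_dir() and info.filename.lower().endswith(".dll"):
                name = info.filename.rsplit("/", 1)[-1]  # ignore directory
                digests[name] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_archives(ext_zip, deps_zip):
    """For each DLL in the extension zip report 'match', 'mismatch' or
    'missing' relative to the same-named DLL in the dependency archive."""
    ext, deps = sha256_of_dlls(ext_zip), sha256_of_dlls(deps_zip)
    return {
        name: ("missing" if name not in deps
               else "match" if deps[name] == digest else "mismatch")
        for name, digest in sorted(ext.items())
    }

def make_zip(members):
    """Build an in-memory zip from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in members.items():
            zf.writestr(path, data)
    return buf

# Constructed archives: file names are taken from the issue, contents are
# placeholder bytes, not real DLLs. With real files pass their paths instead.
EXT_ZIP = make_zip({
    "php_imagick.dll": b"extension-build",
    "IM_MOD_RL_bmp_.dll": b"bmp-coder-v1",
    "IM_MOD_RL_sgi_.dll": b"sgi-coder-ALTERED",
    "README.md": b"not a dll, skipped",
})
DEPS_ZIP = make_zip({
    "bin/IM_MOD_RL_bmp_.dll": b"bmp-coder-v1",
    "bin/IM_MOD_RL_sgi_.dll": b"sgi-coder-v1",
})

if __name__ == "__main__":
    for name, result in compare_archives(EXT_ZIP, DEPS_ZIP).items():
        print(f"{result:9s} {name}")
```

A "mismatch" only says the bytes differ from the reference copy (a rebuild, a different ImageMagick release or a modified file all look the same here); it narrows which files deserve a closer look rather than proving anything about them.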

@macintoshplus

@Danack I understand your point of view, and I respect it.

In 2023 I started a website, https://phpext.phptools.online/, to build and distribute, AS IS, PHP extensions for Windows.

I use the libraries pre-built by the Windows PHP team. Sometimes I want to build the latest version of the library being used.

I have searched for the script (or instructions) used to build the deps that are used to build some PHP extensions.

Do you have some information? Who should I contact?

PS: I have already written a message to the PHP Windows list.

@Danack
Collaborator

Danack commented Mar 19, 2024

In 2023 I started a website, https://phpext.phptools.online/, to build and distribute, AS IS, PHP extensions for Windows.

Cool.

I have searched for the script (or instructions) used to build the deps that are used to build some PHP extensions.

Do you have some information?

Er, not really? I mean, I can point you to some directories that might contain relevant info:

https://windows.php.net/downloads/pecl/deps/
https://windows.php.net/downloads/php-sdk/
https://github.com/cmb69/setup-php-sdk
https://github.com/microsoft/php-sdk-binary-tools

But if you have a question about a specific extension, I might be able to point you in the right direction.

Who should I contact?

If you have a Stackoverflow account and at least 20 points, a few senior PHP people hang out at https://chat.stackoverflow.com/rooms/11/php

You could also contact Derick Rethans who is involved in the effort to modernise PECL and he's contactable through "derick at php.net".

@macintoshplus

Thank you,

I do indeed have a question about the library available at this URL: https://windows.php.net/downloads/pecl/deps/

How is it built? Who makes these builds?

PS: Sorry for my English :-)
