Blocking certain file extensions inside archive files to stop malware.

DirectAdmin does not provide protection against this type of threat.
Or well... not DA because it's not DA's task to do so, it's Exim.

I'm just wondering... isn't that kind of the same thing Exim is already doing with the /etc/system_filter.exim file?

Code:
## -----------------------------------------------------------------------
# Look for single part MIME messages with suspicious name extensions
# Check Content-Type header using quoted filename [content_type_quoted_fn_match]
if $header_content-type: matches "(?:file)?name=\"([^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|sc[mrt]|shs|url|vb[se]?|ws[fhc]))\""
then
  seen finish
endif
# same again using unquoted filename [content_type_unquoted_fn_match]
if $header_content-type: matches "(?:file)?name=(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|sc[mrt]|shs|url|vb[se]?|ws[fhc])\")([\\\\s;]|\\$)"
then
  seen finish
endif


## -----------------------------------------------------------------------
# Attempt to catch embedded VBS attachments
# in emails.   These were used as the basis for
# the ILOVEYOU virus and its variants - many many variants
# Quoted filename - [body_quoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))\"([^\"]+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|sc[mrt]|shs|url|vb[se]?|ws[fhc])\")[\\\\s;]"
then
  seen finish
endif
# same again using unquoted filename [body_unquoted_fn_match]
if $message_body matches "(?:Content-(?:Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+|Disposition:(?>\\\\s*)attachment);(?>\\\\s*)(?:file)?name=|begin(?>\\\\s+)[0-7]{3,4}(?>\\\\s+))(\\\\S+\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|sc[mrt]|shs|url|vb[se]?|ws[fhc])\")[\\\\s;]"
then
  seen finish
endif
## -----------------------------------------------------------------------

# Fudge to catch Klez virus (malformed MIME details, unquoted filename with spaces)
#if $message_body matches "Content-Type:(?>\\\\s*)[\\\\w-]+/[\\\\w-]+;\\\\s*(?:name)=([^\" ]+ [^\"]*\\\\.(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|sc[mrt]|shs|url|vb[se]?|ws[fhc])\")[\\\\s;]"
#then
#  seen finish
#endif
 
Previously, I tested blocking .rar files, but it caused issues for email users.
Therefore, scanning the contents of .rar files — in the same way as .zip files — would be a better solution.

From my monitoring, I have found that .rar attachments are being used to send malicious files such as .exe and .bin to customers. Unfortunately, by default, DirectAdmin does not provide protection against this.

# Share my solutions.

nano /etc/exim.check_mime.conf.custom
Code:
# decode every MIME part into the scan directory so $mime_decoded_filename is set
warn
    decode = default

# start check attachment
# ${if match{...}{1}{0}} yields "1" when the lowercased attachment name ends in a listed extension
deny
    condition = ${if match \
                  {${lc:$mime_filename}} \
                  {\N(\.exe|\.pif|\.bat|\.scr|\.lnk|\.com|\.vbs|\.cpl|\.jar)$\N} \
                  {1}{0}}
    message = Blacklisted file extension detected ($mime_filename)
    log_message = Message for $recipients denied, T="$h_subject:" Blacklisted file extension detected ($mime_filename)

# archives: both conditions must hold; ${run{...}{0}{1}} yields "1" when the
# scanner exits non-zero, i.e. when it found a suspect entry inside the archive
deny
    condition = ${if match \
                  {${lc:$mime_filename}} \
                  {\N(\.rar)$\N} \
                  {1}{0}}
    condition = ${run{/bin/sh -c '/etc/exim.easy_spam_fighter/exim_check_attachment.custom.sh rar $message_exim_id $mime_decoded_filename'}{0}{1}}
    message = rar file contains an attachment with a dangerous payload ($mime_filename).
    log_message = Message for $recipients denied, T="$h_subject:" rar file contains an attachment with a dangerous payload ($mime_filename).

deny
    condition = ${if match \
                  {${lc:$mime_filename}} \
                  {\N(\.zip)$\N} \
                  {1}{0}}
    condition = ${run{/bin/sh -c '/etc/exim.easy_spam_fighter/exim_check_attachment.sh zip $message_exim_id $mime_decoded_filename'}{0}{1}}
    message = zip file contains an attachment with a dangerous payload ($mime_filename).
    log_message = Message for $recipients denied, T="$h_subject:" zip file contains an attachment with a dangerous payload ($mime_filename).

accept



nano /etc/exim.easy_spam_fighter/exim_check_attachment.custom.sh
chmod +x /etc/exim.easy_spam_fighter/exim_check_attachment.custom.sh

Code:
#!/bin/sh
# Usage: script.sh (zip|rar) <subdir> <archive_name>
# Exit status: 1 if the archive lists an entry with a suspect extension, 0 otherwise.
# Every "cannot check" case (unknown type, missing tool, missing file, failed
# listing) also exits 0, so the ACL then accepts the message.

TYPE=$1
SUBDIR=$2
Z=$3

# zip/rar
case "$TYPE" in
zip | rar) ;;
*)
  echo "$0: we can only scan zip,rar files"
  exit 0
  ;;
esac

P="/var/spool/exim/scan/$SUBDIR"

# skip if the dir does not exist or the archive is missing/empty
cd "$P" 2>/dev/null || exit 0
[ -s "$Z" ] || exit 0

# protected file extensions (matched case-insensitively at the end of each entry name)
SUSPECT_EXT='[.](bat|btm|cmd|com|cpl|dat|dll|exe|lnk|msi|pif|prf|reg|scr|vb|vbs|url|jar)$'

COUNT=0
if [ "$TYPE" = "rar" ]; then
  if [ ! -x /usr/local/bin/rar ]; then
    echo "rar not found"
    exit 0
  fi
  # rar t prints one "Testing     <name>     OK" line per entry; keep only <name>
  COUNT=$(
    /usr/local/bin/rar t -idcdp -- "$Z" |
      awk '/^Testing/ { sub(/^Testing[ \t]+/,""); sub(/[ \t]+OK[ \t]*$/,""); print }' |
      grep -Ei "$SUSPECT_EXT" |
      wc -l
  )
elif [ "$TYPE" = "zip" ]; then
  if [ ! -x /usr/bin/unzip ]; then
    echo "unzip not found"
    exit 0
  fi

  # unzip -Z -1 (zipinfo) prints one entry name per line
  if /usr/bin/unzip -Z -1 -- "$Z" >/dev/null 2>&1; then
    COUNT=$(/usr/bin/unzip -Z -1 -- "$Z" 2>/dev/null |
      grep -Ei "$SUSPECT_EXT" |
      wc -l)
  else
    # fallback: "unzip -l" (strip the header/footer lines and the size/date/time columns)
    COUNT=$(/usr/bin/unzip -l -- "$Z" 2>/dev/null |
      tail -n +4 | head -n -2 |
      awk '{ $1=$2=$3=""; sub(/^ +/,""); print }' |
      grep -Ei "$SUSPECT_EXT" |
      wc -l)
  fi
fi

# found → exit 1 (deny); nothing counted → exit 0 (accept)
[ "$COUNT" -gt 0 ] && exit 1
exit 0

# .rar installation script
nano install_rar.sh
sh install_rar.sh

Code:
#!/bin/sh

# config
RAR_VERSION="712"
RAR_FILE="rarlinux-x64-${RAR_VERSION}.tar.gz"
RAR_URL="https://www.rarlab.com/rar/${RAR_FILE}"
RAR_CLI="/usr/local/bin/rar"

# Check if rar already installed
if [ -x "$RAR_CLI" ]; then
  echo "[+] RAR already installed at $RAR_CLI"
else
  echo "[*] RAR not found, installing..."
  echo "[*] Downloading RAR v${RAR_VERSION}..."
  # note: the tarball is only checked for being a readable tar.gz below,
  # not against a checksum or signature
  wget -q "${RAR_URL}" -O "/tmp/${RAR_FILE}"

  if [ ! -s "/tmp/${RAR_FILE}" ]; then
    echo "[!] Download rar failed or file is empty"
    exit 1
  else
    echo "[+] File downloaded successfully: $RAR_FILE"
  fi

  if ! tar -tzf "/tmp/${RAR_FILE}" >/dev/null 2>&1; then
    echo "[!] Invalid tar.gz archive"
    exit 1
  fi

  echo "[*] Extracting..."
  tar -xzf "/tmp/${RAR_FILE}" -C /tmp

  echo "[*] Installing..."
  cd /tmp/rar || { echo "[!] /tmp/rar not found after extraction"; exit 1; }
  cp rar unrar /usr/local/bin/
  chmod 755 /usr/local/bin/rar /usr/local/bin/unrar

  echo "[*] Cleaning up..."
  rm -rf "/tmp/${RAR_FILE}" /tmp/rar

  echo "[+] Installation rar complete!"
fi
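The posted shell check looks only at the top-level entry names and exits 0 (accept) whenever the listing produces nothing, including when the listing itself fails. The following is an added example, not code from the post or from DirectAdmin, showing the same extension check done with Python's standard-library zipfile and extended in two ways: it recurses into nested .zip entries (up to an assumed depth limit, MAX_DEPTH), and it reports entries it cannot inspect (an unreadable archive, an encrypted nested archive, or one below the depth limit) so the policy can fail closed instead of open. The extension list is the SUSPECT_EXT from the posted script; .rar is not covered because the standard library has no rar reader. The archives it scans are constructed in memory for the demonstration.

```python
import io
import re
import zipfile

# Extension list copied from the posted exim_check_attachment.custom.sh (SUSPECT_EXT).
SUSPECT_EXT = re.compile(
    r"\.(bat|btm|cmd|com|cpl|dat|dll|exe|lnk|msi|pif|prf|reg|scr|vb|vbs|url|jar)$",
    re.IGNORECASE,
)
MAX_DEPTH = 2          # how many nested archives to open (assumed policy value, not from the post)
ENCRYPTED_FLAG = 0x1   # general-purpose bit 0 in a zip entry header: entry is encrypted


def scan_zip(data, depth=0, prefix=""):
    """Return (flagged, unscannable) for an in-memory zip.

    flagged     - entry paths whose name ends in a suspect extension
    unscannable - entries whose content could not be inspected: an unreadable
                  archive, an encrypted nested archive, or one below MAX_DEPTH
    """
    flagged, unscannable = [], []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # The posted shell check treats a failed listing as "0 hits"; here it is reported instead.
        return flagged, [prefix + "<unreadable archive>"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if SUSPECT_EXT.search(info.filename):
                flagged.append(path)
            if info.filename.lower().endswith(".zip"):
                if info.flag_bits & ENCRYPTED_FLAG or depth >= MAX_DEPTH:
                    # cannot look inside: encrypted, or the recursion budget is spent
                    unscannable.append(path)
                else:
                    inner_flagged, inner_unscannable = scan_zip(zf.read(info), depth + 1, path + "!/")
                    flagged.extend(inner_flagged)
                    unscannable.extend(inner_unscannable)
    return flagged, unscannable


def verdict(data):
    """Fail-closed policy: deny on any suspect entry or on anything that could not be inspected."""
    flagged, unscannable = scan_zip(data)
    return ("deny" if flagged or unscannable else "accept"), flagged, unscannable


def build_zip(entries, mark_encrypted=()):
    """Constructed test data: build a zip from {name: bytes}.

    Names in mark_encrypted get the encryption bit set in the central directory
    so they look like password-protected entries (zipfile cannot write real ones).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
            if name in mark_encrypted:
                zf.getinfo(name).flag_bits |= ENCRYPTED_FLAG
    return buf.getvalue()


if __name__ == "__main__":
    inner = build_zip({"setup.SCR": b"MZ"})
    sample = build_zip({"report.pdf": b"%PDF-1.4", "invoice.pdf.exe": b"MZ", "nested.zip": inner})
    print(verdict(sample))    # deny: invoice.pdf.exe and nested.zip!/setup.SCR
    locked = build_zip({"nested.zip": inner}, mark_encrypted={"nested.zip"})
    print(verdict(locked))    # deny: nested.zip could not be inspected
```

The design difference from the posted script is in `verdict`: the shell version maps "no hits" and "could not list" to the same exit 0, so an archive the tool cannot read is delivered; here those cases are returned separately and the policy denies on both. Whether to fail closed is a local decision, since it also blocks legitimate password-protected archives, but the scanner should at least tell the ACL which case it hit.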
 
It's correct, only things in .zip were checked. Maybe it's a good idea for DA to include your scripts into installations so both rar and zip are checked.