Hosting company is blocking ports because of YamlRunnerTest.php

[Dillon-Brown]

Summary of problem or feature request

Example email from hostgator but this issue is occurring with other hosts:

"Dear Customer,

As provider of Shared Hosting services, we monitor the usage of all our customers to ensure that our Quality of Service is not adversely affected. Our goal is to ensure that one customer should not affect all the other customers on the same server.

As part of our routine monitoring, we have observed that some of the files hosted on this server belonging to luminisindia.com hosted under your account, has some malicious files hosted. In order to prevent blacklisting of our service with various service providers, we have blocked outbound port 80, 443, 587 and 465 for this domain name as a precautionary measure. Here are the details of the files that were detected to be malicious.

/home/luminisi/public_html/SuiteCRM/cache/upgrades/temp/0n48Sr/SuiteCRM-Upgrade-7.10.x-to-7.11.1/vendor/elasticsearch/elasticsearch/tests/Elasticsearch/Tests/YamlRunnerTest.php /home/luminisi/public_html/SuiteCRM/cache/upgrades/temp/6L7azM/SuiteCRM-Upgrade-7.10.x-to-7.11.1/vendor/elasticsearch/elasticsearch/tests/Elasticsearch/Tests/YamlRunnerTest.php /home/luminisi/public_html/SuiteCRM/cache/upgrades/temp/LQNCgU/SuiteCRM-Upgrade-7.10.x-to-7.11.1/vendor/elasticsearch/elasticsearch/tests/Elasticsearch/Tests/YamlRunnerTest.php /home/luminisi/public_html/SuiteCRM/cache/upgrades/temp/XX0wpX/SuiteCRM-Upgrade-7.10.x-to-7.11.1/vendor/elasticsearch/elasticsearch/tests/Elasticsearch/Tests/YamlRunnerTest.php /home/luminisi/public_html/SuiteCRM/vendor/elasticsearch/elasticsearch/tests/Elasticsearch/Tests/YamlRunnerTest.php

We have currently altered the permissions of the files so that they become immutable. This means you will not be able to read or write to the file.

We strongly suggest you to scan all the above listed files for any vulnerabilities. If the files are part of some plugins of your CMS, then we suggest you to update the plugin to the latest version or contact the plugin developer directly.

Please treat this as an alert to take immediate action and remove the malicious file(s) within the next 48 hours. If we detect malicious files in your account again, we will be taking strict action against the domain which might cause disruption of the service"

Code snippet of problem

https://github.com/elastic/elasticsearch-php/blob/v5.4.0/tests/Elasticsearch/Tests/YamlRunnerTest.php

System details

• Operating System Ubuntu 16.04
• PHP Version 5.6
• Elasticsearch version 5.4.0

[polyfractal]

Uhh, I think you need to find out why your hosting company thinks these files are malicious.

This is the test runner that we use to execute yaml tests (from the ES repo) against a running ES cluster. There must be something about it that tripped their security scanner, and it sounds like their security scanner is over-zealous and not very intelligent.

There's nothing overtly malicious about the test runner, although it does do things like opening curl connections against the local cluster, etc. It's also not invoked unless you are running tests, so if you don't want to deal with your service provider you could just delete the entire tests directory.

[Dillon-Brown]

Hi @polyfractal, I can do some investigating to try and see why exactly this is being triggered but it's happening across multiple hosting companies. I agree there's nothing malicious in this file but ideally it shouldn't be getting picked up by these security scanners.

Removing the tests directory isn't really a solution as when clients are running composer install --no-dev it's going to download this file. All the v5.0.0 versions contain this file too so I can't just lock the dependency to an older version.

[polyfractal]

Agreed that it's not good, although I really have no idea what about the file they are flagging as malicious (as opposed to other areas of the code that do similar things like opening curl connections). Perhaps it's how the test runner iterates over the yaml files that is tripping the scanner?

I can look into including .gitattributes, which would allow users to exclude tests. Unfortunately as you noted, composer doesn't support excluding tests itself and doesn't plan to :(

[polyfractal]

Another option, albeit hacky and not great, is to use a post-install/post-update script in Composer to remove the test directory: https://getcomposer.org/doc/articles/scripts.md

[Dillon-Brown]

@polyfractal For now I've gone ahead and just added this to a post-package-install script, I'm not sure if the security scanner is going to pick up the file before it gets removed though.... For reference this is the scanner that is picking up YamlRunnerTest.php as malicious: https://www.sitelock.com. It would be really great if you guys could add a .gitattributes file for this.

Thanks for the assistance!

[bishopj88]

Don't want to bump an old issue, however BitNinja also, still, falsely quarantines this file as malicious.

BitNinja returns:

Malware type: {HEX}php.exe.globals.mod.418

[ezimuel]

@bishopj88, @Dillon-Brown Just merged #844 that should prevents the issue.