c99.php is not detected. Signatures out of date?

[VicDeo]

root@testserver:~# mkdir -p c99test && cd c99test/
root@testserver:~/c99test# wget https://www.r57shell.net/shells/c99.rar
--2023-03-14 10:42:06--  https://www.r57shell.net/shells/c99.rar
Resolving www.r57shell.net (www.r57shell.net)... 172.67.166.66, 104.21.58.238, 2606:4700:3033::ac43:a642, ...
Connecting to www.r57shell.net (www.r57shell.net)|172.67.166.66|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 115844 (113K) [application/x-rar-compressed]
Saving to: ‘c99.rar’

c99.rar                                              100%[====================================================================================================================>] 113.13K   460KB/s    in 0.2s    

2023-03-14 10:42:06 (460 KB/s) - ‘c99.rar’ saved [115844/115844]

root@testserver:~/c99test# unrar e c99.rar 

UNRAR 5.61 beta 1 freeware      Copyright (c) 1993-2018 Alexander Roshal


Extracting from c99.rar

Extracting  c99.php                                                   OK 
All OK
root@testserver:~/c99test# maldet -a /root/c99test/
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <[email protected]>
            (C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(1336597): {scan} signatures loaded: 17370 (14533 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(1336597): {scan} building file list for /root/c99test/, this might take awhile...
maldet(1336597): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(1336597): {scan} file list completed in 0s, found 3476 files...
maldet(1336597): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(1336597): {scan} scan of /root/c99test/ (3476 files) in progress...

maldet(1336597): {scan} scan completed on /root/c99test/: files 3476, malware hits 0, cleaned hits 0, time 4s
maldet(1336597): {scan} scan report saved, to view run: maldet --report 230314-1042.1336597

malware hits 0, cleaned hits 0, time 4s

For example r57 is successfully detected even in rar archive so the scanner configuration is ok, something is wrong with the signatures :

root@testserver:~/c99test# wget https://github.com/dangerover/r57c99/raw/main/r57shell.rar
--2023-03-14 10:46:39--  https://github.com/dangerover/r57c99/raw/main/r57shell.rar
Resolving github.com (github.com)... 140.82.112.4
Connecting to github.com (github.com)|140.82.112.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/dangerover/r57c99/main/r57shell.rar [following]
--2023-03-14 10:46:39--  https://raw.githubusercontent.com/dangerover/r57c99/main/r57shell.rar
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 64759 (63K) [application/octet-stream]
Saving to: ‘r57shell.rar’

r57shell.rar                                         100%[====================================================================================================================>]  63.24K  --.-KB/s    in 0.001s  

2023-03-14 10:46:39 (114 MB/s) - ‘r57shell.rar’ saved [64759/64759]

root@testserver:~/c99test# maldet -a /root/c99test/
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <[email protected]>
            (C) 2019, Ryan MacDonald <[email protected]>
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(1337058): {scan} signatures loaded: 17370 (14533 MD5 | 2054 HEX | 783 YARA | 0 USER)
maldet(1337058): {scan} building file list for /root/c99test/, this might take awhile...
maldet(1337058): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(1337058): {scan} file list completed in 0s, found 3477 files...
maldet(1337058): {scan} found clamav binary at /usr/bin/clamdscan, using clamav scanner engine...
maldet(1337058): {scan} scan of /root/c99test/ (3477 files) in progress...
maldet(1337058): {scan} processing scan results for hits: 1 hits 0 cleaned
maldet(1337058): {scan} scan completed on /root/c99test/: files 3477, malware hits 1, cleaned hits 0, time 4s
maldet(1337058): {scan} scan report saved, to view run: maldet --report 230314-1046.1337058
maldet(1337058): {scan} quarantine is disabled! set quarantine_hits=1 in conf.maldet or to quarantine results run: maldet -q 230314-1046.1337058

malware hits 1, cleaned hits 0, time 4s

[Gazoo]

By default maldet will ignore files owned as root as to prevent system damage from automatic quarantine. So change the ownership of the files before the scan or change the scan_ignore_root setting in the maldet config.

[VicDeo]

@Gazoo thanks. but this is non-default setup....
See the log above, r57 shell is detected on the same server (as well as the other malware).
c99 is not.
Obviously something is wrong with the signatures.

[rfxn]

Downloading and unpackaging archives as root from untrusted sources is pretty risky behavior, please be careful!

Please try any scans similar to this in the future with maldet -co scan_ignore_root=0 -a /path/to/c99.

Thank you

[VicDeo]

@rfxn Thanks for your reply.
Probably I should write it for the third time to articulate clear enough:
The initial message has two demo test cases. I didn't download anything from internet except these exact two shells (r57 and c99).

In fact I just put my collection of shells into the test dir and found that one shell from the collection was not detected. After that I crafted two test cases, validated them and posted here.

So the issue is not about a CLI key scan_ignore_root - it is about the fact that maldet does detects r57 and doesn't detect c99.

[rfxn]

Understood; thank you for the quick follow-up. I'm working on cutting a new release and will evaluate the c99 rules, specifically the sample archives you are linking.