Jamit Software Forum
Welcome, Guest. Please login or register.
June 19, 2018, 05:47:08 pm

Login with username, password and session length
Search:     Advanced search
May 27th, 2009 - Jamit Software Launches the forum today!
3,080 Posts in 791 Topics by 1,427,216 Members
Latest Member: NGEBeulah3
* Home Help Search Login Register
+  Jamit Software Forum
|-+  Jamit Job Board Customers
| |-+  Security
| | |-+  Security Tools Plugin
« previous next »
Pages: 1 [2] 3 Print
Author Topic: Security Tools Plugin  (Read 32755 times)
Adam
Administrator
Hero Member
*****
Posts: 112


« Reply #15 on: October 30, 2009, 01:41:06 am »

Phil:

These look like they are our files, but in the wrong place. They can be deleted:

include/functions2.php on line 231:
$make_magick = exec($command, $retval);

include/functions2.php on line 1701:
exec ("w", $out);

include/edit_config.php on line 909:
@exec ("w", $out);



The files class.php and adw.php are not from our software. If not in use by other software on your server, then they should be deleted ASAP and also change your FTP passwords.
Logged
Philcol
Jammers
Jr. Member
*
Posts: 15


« Reply #16 on: January 02, 2010, 03:51:54 am »

Received the below when using Scan File command:

Possibly bad code in (command execution) /home/cityjobb/public_html/mywaterplantjobs/cache/cat_f4_c0_cache.inc.php on line 2:

$category_table = unserialize('a:2:{s:2:"EN";a:6:{i:0;a:7:{s:3:"cid";s:3:"703";s:4:"cpid";s:1:"0";s:1:"n";s:15:"Consulting Firm";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:1;a:7:{s:3:"cid";s:3:"702";s:4:"cpid";s:1:"0";s:1:"n";s:24:"Private System Operator ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:2;a:7:{s:3:"cid";s:3:"707";s:4:"cpid";s:1:"0";s:1:"n";s:21:"Public Utility (City)";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:3;a:7:{s:3:"cid";s:3:"708";s:4:"cpid";s:1:"0";s:1:"n";s:30:"Public Utility (County/Parish)";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:4;a:7:{s:3:"cid";s:3:"709";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water - Sewer District";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:5;a:7:{s:3:"cid";s:3:"701";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water System (Public) ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}}s:2:"ES";a:6:{i:0;a:7:{s:3:"cid";s:3:"703";s:4:"cpid";s:1:"0";s:1:"n";s:15:"Consulting Firm";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:1;a:7:{s:3:"cid";s:3:"702";s:4:"cpid";s:1:"0";s:1:"n";s:24:"Private System Operator ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:2;a:7:{s:3:"cid";s:3:"707";s:4:"cpid";s:1:"0";s:1:"n";s:21:"Public Utility (City)";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:3;a:7:{s:3:"cid";s:3:"708";s:4:"cpid";s:1:"0";s:1:"n";s:30:"Public Utility (County/Parish)";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:4;a:7:{s:3:"cid";s:3:"709";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water - Sewer District";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:5;a:7:{s:3:"cid";s:3:"701";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water System (Public) ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}}}');
Logged
Adam
Administrator
Hero Member
*****
Posts: 112


« Reply #17 on: January 14, 2010, 02:39:34 am »

Phil, that looks like a false alarm. Do not worry about that one.
Logged
Philcol
Jammers
Jr. Member
*
Posts: 15


« Reply #18 on: March 12, 2010, 01:07:53 pm »

Found these results in a scan recently:  This came from a site which is not up and running yet but had 4 new users logged in with ip addresses from amsterdam; not my favorite source of users 

Possibly bad code (Common way of hiding malicious code) in /home/cityjobb/public_html/mywaterplantjobs.biz/include/plugins/NAS_TrafficTracker/NAS_TrafficTracker/NAS_TrafficTracker.php on line 45:
$this->config[$nas_prefix.'tracking_code'] = base64_decode($this->config[$nas_prefix.'tracking_code']);
Possibly bad code (Common way of hiding malicious code) in /home/cityjobb/public_html/mywaterplantjobs.biz/include/plugins/NAS_TrafficTracker/NAS_TrafficTracker/NAS_TrafficTracker.php on line 210:
$_REQUEST[$nas_prefix.'tracking_code'] = base64_decode($_REQUEST[$nas_prefix.'tracking_code']);
Logged
Peter
Administrator
Hero Member
*****
Posts: 248



« Reply #19 on: June 04, 2010, 12:46:29 am »

If you use the SECURITY TOOLS plugin to scan your server and you see this, don't worry. This is NOT any threat.

Code:
Possibly bad code (Common way of hiding malicious code) in /var/www/vhosts/domain.com/httpdocs/include/plugins/TrafficCop/configuration.php  on line 164:
$_REQUEST['redirects'] = base64_decode($_REQUEST['redirects']); // caution: can contain arbitary HTML after decode
Possibly bad code (Common way of hiding malicious code) in /var/www/vhosts/domain.com/httpdocs/include/plugins/TrafficCop/configuration.php on line 224:
$_REQUEST['ua_exceptions'] = base64_decode($_REQUEST['ua_exceptions']); // caution: can contain arbitary HTML after decode
Logged

SECURE your site BEFORE you wish you had! Use plugins by COLOSSAL MIND!
Adam
Administrator
Hero Member
*****
Posts: 112


« Reply #20 on: August 03, 2010, 07:19:36 am »

Security Tools 2.0 released today!
Updates the white-list, improves the code scanner and also adds an automatic scan feature.
Free download (for Jamit customers)
Go to: http://market.jamit.com/item/security-tools/2010-08-03/23
Logged
MartyStevens
Jammers
Newbie
*
Posts: 3


« Reply #21 on: August 12, 2010, 10:41:35 am »

Wow,

happy to see this tool, more importantly the forum. Because I apparently got infected. What's interesting is when I visit my site "dadaal.com", it loads fine...just jumps to end of page just before it finishes loading.

Some friends have complained that that it loads than redirects real quick some some russian search site!!!

So after downloading the security tool...this is what i got. Ugh.
Any advice is welcome, and I'm a beginner all things css/html so please break it down.

Much obliged.
Ps: I have Kaspersky.

I've attached the Security Tool Report in Notepad format to this posting.
Logged
lee
Jammers
Sr. Member
*
Posts: 86



WWW
« Reply #22 on: August 12, 2010, 10:56:25 am »

Read this

http://forum.jamit.com/index.php?topic=577.0

It may help

Regards lee
Logged
Adam
Administrator
Hero Member
*****
Posts: 112


« Reply #23 on: October 20, 2010, 11:46:02 am »

Greetings,
Just to let you know that the Security Tools plugin was updated. It adds some more signatures, and has a new feature which will scan the job board daily and email a report if anything new is detected. Grab it from the market http://market.jamit.com/

Adam
Logged
Regan
Jammers
Newbie
*
Posts: 5


« Reply #24 on: December 08, 2010, 05:09:11 pm »

Just installed it - traffic cop (latest version) seems to be triggering a bunch of security alerts. Since my site is in beta and password-protected - I'd be shocked if any of these warnings were real. I think I'm going to treat this as a baseline false-positive and go from there.

Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/TrafficCop.php on line 135:
$this->config['ua_invstr'] = base64_decode($this->config['ua_invstr']); // string
Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/TrafficCop.php on line 2833:
$this->config['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);
Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/general_settings.php on line 221:
$_REQUEST['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 976:
if (scwExpValYear.exec(scwArrSeed[0]) == null ||
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 977:
scwExpValMonth.exec(scwArrSeed[1]) == null ||
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 978:
scwExpValDay.exec(scwArrSeed[2]) == null
Found 6 threats. Some may be false-positives. Please discuss this on the forum
---------------------------------
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-aaf1cb2102de05d120d2dc6f789b5bbb.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-b535ae0297243fd610c6c11276d888a8.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/tcop-stats-56ae6db8b06280f612f2572a99012f3c.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/tcop-purge-56ae6db8b06280f612f2572a99012f3c.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-f228a08ad1110dd5ddde4d14b72f51fe.txt
Logged
Peter
Administrator
Hero Member
*****
Posts: 248



« Reply #25 on: December 27, 2010, 10:06:44 am »

Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-aaf1cb2102de05d120d2dc6f789b5bbb.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-b535ae0297243fd610c6c11276d888a8.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/tcop-stats-56ae6db8b06280f612f2572a99012f3c.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/tcop-purge-56ae6db8b06280f612f2572a99012f3c.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-f228a08ad1110dd5ddde4d14b72f51fe.txt

The files starting with "dns-....." are the DNS cache files written by Traffic Cop.

The files starting with "tcop-stats-......" and "tcop-purge-....." are also written by Traffic Cop.

All of these I described are not any threat.
Logged

SECURE your site BEFORE you wish you had! Use plugins by COLOSSAL MIND!
Peter
Administrator
Hero Member
*****
Posts: 248



« Reply #26 on: December 27, 2010, 10:08:33 am »

Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/TrafficCop.php on line 135:
$this->config['ua_invstr'] = base64_decode($this->config['ua_invstr']); // string
Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/TrafficCop.php on line 2833:
$this->config['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);
Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/general_settings.php on line 221:
$_REQUEST['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);

No worries, mate! This is correct and there is no threat!
Logged

SECURE your site BEFORE you wish you had! Use plugins by COLOSSAL MIND!
Regan
Jammers
Newbie
*
Posts: 5


« Reply #27 on: December 30, 2010, 02:15:37 pm »

I get 12 alerts with the scan - but my site is in beta and locked to anyone but me accessing it, so I'm assuming that they are false alarms. TrafficCop plugin generates a few, as does something in include/lib/scw and the cache.

Any thoughts on how to handle them - ie ignore it or is there some way to whitelist these alerts?

Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/TrafficCop.php on line 135:
$this->config['ua_invstr'] = base64_decode($this->config['ua_invstr']); // string
Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/TrafficCop.php on line 2833:
$this->config['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);
Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/general_settings.php on line 221:
$_REQUEST['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 976:
if (scwExpValYear.exec(scwArrSeed[0]) == null ||
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 977:
scwExpValMonth.exec(scwArrSeed[1]) == null ||
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 978:
scwExpValDay.exec(scwArrSeed[2]) == null
Found 6 threats. Some may be false-positives. Please discuss this on the forum
---------------------------------
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-aaf1cb2102de05d120d2dc6f789b5bbb.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-83c4d13df7b1fa7949305b483273ca5a.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/tcop-stats-56ae6db8b06280f612f2572a99012f3c.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-7ed251c8c745055be49d1c8e02e89638.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/tcop-purge-56ae6db8b06280f612f2572a99012f3c.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-5eef6aab6ea341d2005113fde1e9021d.txt
Logged
Peter
Administrator
Hero Member
*****
Posts: 248



« Reply #28 on: January 04, 2011, 11:13:28 am »

Regan, please see my earlier reply that also applies to your situation regarding some items found by the Security Tools plugin.
Logged

SECURE your site BEFORE you wish you had! Use plugins by COLOSSAL MIND!
lithium
Jammers
Jr. Member
*
Posts: 13



WWW
« Reply #29 on: January 04, 2011, 11:48:02 am »

Hi Peter,

I get exactly the same problem as Regan and although there is no risk, they are quite annoying especially the one that lists the cache files as it seems to get longer each time. Is there no way of fixing this or is it something that will be fixed in the next version?

Jamit: 3.6.8
Traffic Cop: 4.37

Cheers,

Chris.
Logged
Pages: 1 [2] 3 Print 
« previous next »
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2013, Simple Machines Valid XHTML 1.0! Valid CSS!
Page created in 0.17 seconds with 18 queries.