Jamit Software Forum
Author Topic: Security Tools Plugin  (Read 76737 times)
Adam
Administrator
Hero Member
*****
Posts: 112


« Reply #15 on: October 30, 2009, 01:41:06 am »

Phil:

These look like they are our files, but in the wrong place. They can be deleted:

include/functions2.php on line 231:
$make_magick = exec($command, $retval);

include/functions2.php on line 1701:
exec ("w", $out);

include/edit_config.php on line 909:
@exec ("w", $out);



The files class.php and adw.php are not from our software. If they are not in use by other software on your server, they should be deleted ASAP, and you should also change your FTP passwords.
Logged
Philcol
Jammers
Jr. Member
*
Posts: 15


« Reply #16 on: January 02, 2010, 03:51:54 am »

Received the below when using Scan File command:

Possibly bad code in (command execution) /home/cityjobb/public_html/mywaterplantjobs/cache/cat_f4_c0_cache.inc.php on line 2:

$category_table = unserialize('a:2:{s:2:"EN";a:6:{i:0;a:7:{s:3:"cid";s:3:"703";s:4:"cpid";s:1:"0";s:1:"n";s:15:"Consulting Firm";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:1;a:7:{s:3:"cid";s:3:"702";s:4:"cpid";s:1:"0";s:1:"n";s:24:"Private System Operator ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:2;a:7:{s:3:"cid";s:3:"707";s:4:"cpid";s:1:"0";s:1:"n";s:21:"Public Utility (City)";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:3;a:7:{s:3:"cid";s:3:"708";s:4:"cpid";s:1:"0";s:1:"n";s:30:"Public Utility (County/Parish)";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:4;a:7:{s:3:"cid";s:3:"709";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water - Sewer District";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:5;a:7:{s:3:"cid";s:3:"701";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water System (Public) ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}}s:2:"ES";a:6:{i:0;a:7:{s:3:"cid";s:3:"703";s:4:"cpid";s:1:"0";s:1:"n";s:15:"Consulting Firm";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:1;a:7:{s:3:"cid";s:3:"702";s:4:"cpid";s:1:"0";s:1:"n";s:24:"Private System Operator ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:2;a:7:{s:3:"cid";s:3:"707";s:4:"cpid";s:1:"0";s:1:"n";s:21:"Public Utility (City)";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:3;a:7:{s:3:"cid";s:3:"708";s:4:"cpid";s:1:"0";s:1:"n";s:30:"Public Utility (County/Parish)";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:4;a:7:{s:3:"cid";s:3:"709";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water - Sewer District";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}i:5;a:7:{s:3:"cid";s:3:"701";s:4:"cpid";s:1:"0";s:1:"n";s:22:"Water System (Public) ";s:2:"oc";s:1:"0";s:2:"ch";a:0:{}s:3:"chc";i:0;s:3:"seo";N;}}}');
Logged
Adam
Administrator
Hero Member
*****
Posts: 112


« Reply #17 on: January 14, 2010, 02:39:34 am »

Phil, that looks like a false alarm. Do not worry about that one.
Logged
Philcol
Jammers
Jr. Member
*
Posts: 15


« Reply #18 on: March 12, 2010, 01:07:53 pm »

Found these results in a scan recently. This came from a site which is not up and running yet but had 4 new users logged in with IP addresses from Amsterdam; not my favorite source of users.

Possibly bad code (Common way of hiding malicious code) in /home/cityjobb/public_html/mywaterplantjobs.biz/include/plugins/NAS_TrafficTracker/NAS_TrafficTracker/NAS_TrafficTracker.php on line 45:
$this->config[$nas_prefix.'tracking_code'] = base64_decode($this->config[$nas_prefix.'tracking_code']);
Possibly bad code (Common way of hiding malicious code) in /home/cityjobb/public_html/mywaterplantjobs.biz/include/plugins/NAS_TrafficTracker/NAS_TrafficTracker/NAS_TrafficTracker.php on line 210:
$_REQUEST[$nas_prefix.'tracking_code'] = base64_decode($_REQUEST[$nas_prefix.'tracking_code']);
Logged
Peter
Administrator
Hero Member
*****
Posts: 248



« Reply #19 on: June 04, 2010, 12:46:29 am »

If you use the SECURITY TOOLS plugin to scan your server and you see this, don't worry. This is NOT any threat.

Code:
Possibly bad code (Common way of hiding malicious code) in /var/www/vhosts/domain.com/httpdocs/include/plugins/TrafficCop/configuration.php  on line 164:
$_REQUEST['redirects'] = base64_decode($_REQUEST['redirects']); // caution: can contain arbitary HTML after decode
Possibly bad code (Common way of hiding malicious code) in /var/www/vhosts/domain.com/httpdocs/include/plugins/TrafficCop/configuration.php on line 224:
$_REQUEST['ua_exceptions'] = base64_decode($_REQUEST['ua_exceptions']); // caution: can contain arbitary HTML after decode
Logged

SECURE your site BEFORE you wish you had! Use plugins by COLOSSAL MIND!
Adam
Administrator
Hero Member
*****
Posts: 112


« Reply #20 on: August 03, 2010, 07:19:36 am »

Security Tools 2.0 released today!
Updates the white-list, improves the code scanner and also adds an automatic scan feature.
Free download (for Jamit customers)
Go to: http://market.jamit.com/item/security-tools/2010-08-03/23
Logged
MartyStevens
Jammers
Newbie
*
Posts: 3


« Reply #21 on: August 12, 2010, 10:41:35 am »

Wow,

happy to see this tool, more importantly the forum. Because I apparently got infected. What's interesting is when I visit my site "dadaal.com", it loads fine...just jumps to end of page just before it finishes loading.

Some friends have complained that it loads then redirects real quick to some Russian search site!!!

So after downloading the security tool...this is what I got. Ugh.
Any advice is welcome, and I'm a beginner at all things CSS/HTML so please break it down.

Much obliged.
Ps: I have Kaspersky.

I've attached the Security Tool Report in Notepad format to this posting.
Logged
lee
Jammers
Sr. Member
*
Posts: 86



« Reply #22 on: August 12, 2010, 10:56:25 am »

Read this

http://forum.jamit.com/index.php?topic=577.0

It may help

Regards lee
Logged
Adam
Administrator
Hero Member
*****
Posts: 112


« Reply #23 on: October 20, 2010, 11:46:02 am »

Greetings,
Just to let you know that the Security Tools plugin was updated. It adds some more signatures, and has a new feature which will scan the job board daily and email a report if anything new is detected. Grab it from the market http://market.jamit.com/

Adam
Logged
Regan
Jammers
Newbie
*
Posts: 5


« Reply #24 on: December 08, 2010, 05:09:11 pm »

Just installed it - Traffic Cop (latest version) seems to be triggering a bunch of security alerts. Since my site is in beta and password-protected, I'd be shocked if any of these warnings were real. I think I'm going to treat this as a baseline false-positive and go from there.

Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/TrafficCop.php on line 135:
$this->config['ua_invstr'] = base64_decode($this->config['ua_invstr']); // string
Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/TrafficCop.php on line 2833:
$this->config['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);
Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/general_settings.php on line 221:
$_REQUEST['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 976:
if (scwExpValYear.exec(scwArrSeed[0]) == null ||
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 977:
scwExpValMonth.exec(scwArrSeed[1]) == null ||
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 978:
scwExpValDay.exec(scwArrSeed[2]) == null
Found 6 threats. Some may be false-positives. Please discuss this on the forum
---------------------------------
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-aaf1cb2102de05d120d2dc6f789b5bbb.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-b535ae0297243fd610c6c11276d888a8.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/tcop-stats-56ae6db8b06280f612f2572a99012f3c.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/tcop-purge-56ae6db8b06280f612f2572a99012f3c.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-f228a08ad1110dd5ddde4d14b72f51fe.txt
Logged
Peter
Administrator
Hero Member
*****
Posts: 248



« Reply #25 on: December 27, 2010, 10:06:44 am »

Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-aaf1cb2102de05d120d2dc6f789b5bbb.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-b535ae0297243fd610c6c11276d888a8.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/tcop-stats-56ae6db8b06280f612f2572a99012f3c.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/tcop-purge-56ae6db8b06280f612f2572a99012f3c.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-f228a08ad1110dd5ddde4d14b72f51fe.txt

The files starting with "dns-....." are the DNS cache files written by Traffic Cop.

The files starting with "tcop-stats-......" and "tcop-purge-....." are also written by Traffic Cop.

All of these I described are not any threat.
Logged

Peter
Administrator
Hero Member
*****
Posts: 248



« Reply #26 on: December 27, 2010, 10:08:33 am »

Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/TrafficCop.php on line 135:
$this->config['ua_invstr'] = base64_decode($this->config['ua_invstr']); // string
Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/TrafficCop.php on line 2833:
$this->config['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);
Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/general_settings.php on line 221:
$_REQUEST['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);

No worries, mate! This is correct and there is no threat!
Logged

Regan
Jammers
Newbie
*
Posts: 5


« Reply #27 on: December 30, 2010, 02:15:37 pm »

I get 12 alerts with the scan - but my site is in beta and locked to anyone but me accessing it, so I'm assuming that they are false alarms. TrafficCop plugin generates a few, as does something in include/lib/scw and the cache.

Any thoughts on how to handle them - i.e. ignore it, or is there some way to whitelist these alerts?

Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/TrafficCop.php on line 135:
$this->config['ua_invstr'] = base64_decode($this->config['ua_invstr']); // string
Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/TrafficCop.php on line 2833:
$this->config['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);
Possibly bad code (Common way of hiding malicious code) in /home/workinh/workinhealth.ca/include/plugins/TrafficCop/general_settings.php on line 221:
$_REQUEST['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 976:
if (scwExpValYear.exec(scwArrSeed[0]) == null ||
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 977:
scwExpValMonth.exec(scwArrSeed[1]) == null ||
Possibly bad code (execution of a shell command) /home/workinh/workinhealth.ca/include/lib/scw/scw_js_with_comments.php on line 978:
scwExpValDay.exec(scwArrSeed[2]) == null
Found 6 threats. Some may be false-positives. Please discuss this on the forum
---------------------------------
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-aaf1cb2102de05d120d2dc6f789b5bbb.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-83c4d13df7b1fa7949305b483273ca5a.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/tcop-stats-56ae6db8b06280f612f2572a99012f3c.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-7ed251c8c745055be49d1c8e02e89638.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/tcop-purge-56ae6db8b06280f612f2572a99012f3c.txt
Possibly a rogue php file: /home/workinh/workinhealth.ca/cache/dns-5eef6aab6ea341d2005113fde1e9021d.txt
Logged
Peter
Administrator
Hero Member
*****
Posts: 248



« Reply #28 on: January 04, 2011, 11:13:28 am »

Regan, please see my earlier reply that also applies to your situation regarding some items found by the Security Tools plugin.
Logged

lithium
Jammers
Jr. Member
*
Posts: 13



« Reply #29 on: January 04, 2011, 11:48:02 am »

Hi Peter,

I get exactly the same problem as Regan, and although there is no risk, they are quite annoying, especially the one that lists the cache files, as it seems to get longer each time. Is there no way of fixing this, or is it something that will be fixed in the next version?

Jamit: 3.6.8
Traffic Cop: 4.37

Cheers,

Chris.
Logged
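
The false positives discussed in this thread (JavaScript `.exec()` method calls reported as shell execution, Traffic Cop cache files reported as rogue files) can be separated from findings that still need a look with a small triage pass over the report text. This is an added example, not part of the Security Tools plugin or of any post above; the sample report, its `/site/...` paths and the `triage` function are constructed for illustration.

```python
import re

# Constructed sample in the report layout quoted in this thread (paths are placeholders).
SAMPLE_REPORT = """\
Possibly bad code (Common way of hiding malicious code) in /site/include/plugins/TrafficCop/general_settings.php on line 221:
$_REQUEST['ua_invstr'] = base64_decode($_REQUEST['ua_invstr']);
Possibly bad code (execution of a shell command) /site/include/lib/scw/scw_js_with_comments.php on line 976:
if (scwExpValYear.exec(scwArrSeed[0]) == null ||
Possibly bad code (execution of a shell command) /site/include/functions2.php on line 1701:
exec ("w", $out);
Possibly a rogue php file: /site/cache/dns-0123456789abcdef0123456789abcdef.txt
Possibly a rogue php file: /site/cache/upload.txt
"""

FINDING = re.compile(r"^Possibly bad code \((?P<reason>.+?)\) (?:in )?(?P<path>\S+)\s+on line (?P<line>\d+):$")
ROGUE = re.compile(r"^Possibly a rogue php file: (?P<path>\S+)$")
# Cache-file name patterns the thread attributes to Traffic Cop.
KNOWN_CACHE = re.compile(r"/cache/(?:dns|tcop-stats|tcop-purge)-[0-9a-f]{32}\.txt$")
# A bare function call: exec( not preceded by '.', '>', '$' or an identifier character.
BARE_EXEC = re.compile(r"(?<![\w.>$])exec\s*\(")
REQUEST_DECODE = re.compile(r"base64_decode\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b")

def triage(report):
    """Return (path, line, verdict) for every finding in a report."""
    results, lines = [], report.splitlines()
    for i, text in enumerate(lines):
        m = FINDING.match(text.strip())
        if m:
            # The flagged source line follows the finding header.
            code = lines[i + 1] if i + 1 < len(lines) else ""
            if "shell command" in m["reason"] and not BARE_EXEC.search(code):
                verdict = "likely-false-positive: .exec() method call, not a shell exec()"
            elif REQUEST_DECODE.search(code):
                verdict = "review: decodes request input; check how the result is used"
            else:
                verdict = "review"
            results.append((m["path"], int(m["line"]), verdict))
            continue
        m = ROGUE.match(text.strip())
        if m:
            # A matching name is not proof of benign content, so it is only down-ranked.
            known = KNOWN_CACHE.search(m["path"])
            results.append((m["path"], None, "known-cache-name: verify contents" if known else "review"))
    return results
```

A file name that matches a known cache pattern is only down-ranked, not cleared, because the name alone says nothing about what the file contains.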