The Joomla! Forum ™



Post new topic Reply to topic  [ 34 posts ]  Go to page 1, 2  Next
PostPosted: Sun Dec 09, 2012 5:40 am 
Joomla! Intern

Joined: Thu Jun 29, 2006 11:44 am
Posts: 91
Location: Croatia
Main article is located here viewtopic.php?f=621&t=777957

This topic is intended for all users of the JAMSS script, in particular:
  • discussion of the script
  • suggestions
  • issues with usage
  • etc.

This topic is not meant for analysis of your JAMSS results. You have to analyse them yourself, or have someone you trust who has enough PHP experience do it.

If you want to report a bug, please use our GitHub Bugtracker: https://github.com/btoplak/Joomla-Anti- ... ipt/issues


Thanks for all your feedback ;)

_________________
Croatian Joomla Translation coordinator | www.orion-web.hr
JAMSS author- viewtopic.php?f=621&t=777957
PHP/WebApp Security enthusiast (OWASP) & Linux Admin
don't PM me with requests (unless you want paid help), post in forum


Last edited by BernardT on Mon Dec 10, 2012 10:49 am, edited 2 times in total.

PostPosted: Sun Dec 09, 2012 7:26 am 
Joomla! Champion

Joined: Fri Aug 19, 2005 10:46 am
Posts: 5634
Location: Roma
I was looking for that kind of scan script for Joomla for some time.

I've read this on your todo list
Quote:
* build in a command line interface option (to let it run via Cronjob)


I'm working on this matter starting from the CLI Platform example cron plugin https://github.com/joomla/joomla-platform-examples/tree/master/cli/cron-plugins

here is my work
https://github.com/alikon/Jchecksum

so could we cooperate "to zoombiefy" your scan script?

let me know...

_________________
Nicola Galgano
my knowledge is know to not know
www.alikonweb.it


PostPosted: Sun Dec 09, 2012 9:15 am 
Joomla! Intern

Joined: Thu Jun 29, 2006 11:44 am
Posts: 91
Location: Croatia
alikon wrote:
I'm working on this matter starting from the CLI Platform example cron plugin https://github.com/joomla/joomla-platform-examples/tree/master/cli/cron-plugins

here is my work
https://github.com/alikon/Jchecksum

so could we cooperate "to zoombiefy" your scan script


Hi!

Thanks for your suggestion, it sounds interesting. Contact me on PM for details ...

_________________
Croatian Joomla Translation coordinator | www.orion-web.hr
JAMSS author- viewtopic.php?f=621&t=777957
PHP/WebApp Security enthusiast (OWASP) & Linux Admin
don't PM me with requests (unless you want paid help), post in forum


PostPosted: Sun Dec 09, 2012 9:39 am 
Joomla! Champion

Joined: Fri Aug 19, 2005 10:46 am
Posts: 5634
Location: Roma
just sent a PM

...playing with your script...

_________________
Nicola Galgano
my knowledge is know to not know
www.alikonweb.it


PostPosted: Sun Dec 09, 2012 10:46 am 
Joomla! Intern

Joined: Thu Jun 29, 2006 11:44 am
Posts: 91
Location: Croatia
alikon wrote:
just sent a PM
...playing with your script...

TNX ... just replying you ;)

_________________
Croatian Joomla Translation coordinator | www.orion-web.hr
JAMSS author- viewtopic.php?f=621&t=777957
PHP/WebApp Security enthusiast (OWASP) & Linux Admin
don't PM me with requests (unless you want paid help), post in forum


PostPosted: Mon Dec 10, 2012 10:03 am 
Joomla! Apprentice

Joined: Sat Dec 01, 2012 11:42 am
Posts: 17
Location: coimbatore
I'm so naive to Joomla... I attached the result generated by jamss.php on my localhost machine.

_________________
rsb


Last edited by mandville on Mon Dec 10, 2012 9:53 pm, edited 1 time in total.
removed attachment to prevent off topic posting


PostPosted: Mon Dec 10, 2012 10:44 am 
Joomla! Intern

Joined: Thu Jun 29, 2006 11:44 am
Posts: 91
Location: Croatia
bala_rs wrote:
I'm so naive to Joomla... I attached the result generated by jamss.php on my localhost machine.

Hello bala_rs,

I'm sorry, but this topic is not meant for analysis of the results from JAMSS. You have to analyse them by yourself or have someone more experienced with PHP do it.

_________________
Croatian Joomla Translation coordinator | www.orion-web.hr
JAMSS author- viewtopic.php?f=621&t=777957
PHP/WebApp Security enthusiast (OWASP) & Linux Admin
don't PM me with requests (unless you want paid help), post in forum


PostPosted: Mon Dec 10, 2012 2:54 pm 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 583
Thanks! I have just tested the script on my site, which doesn't contain malware, and I got a lot of false positives. Extensions that gave false positives were especially jcomments, but also jfusion and acymailing. Despite the false positives, this script can be valuable for identifying malware, as I have 13000 files on my site, and it might be good as a screening for malware although it doesn't seem to be able to directly find it.


PostPosted: Mon Dec 10, 2012 3:03 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 25002
Location: @Webdongle
A very informative post. Like the way it starts with
Quote:
!!! DISCLAIMER !!!
THIS SCRIPT IS NOT A "ONE-CLICK" CURE, IT'S ONLY A TOOL TO AID IDENTIFICATION OF (POSSIBLY) MALICIOUS FILES !
IMHO it blends well with the official advice given by the 'sticky' in the security forum. Am looking forward to testing it.

Addendum
@Slackervaara
How do you know the site was clean and the results were false positives ? Did it show the exact same result when testing other sites that had those extensions ?

Addendum 2
(to explain why this post may appear out of sequence)
This post was originally made on a discussion thread that was started by ooffick. The thread was later locked and my post was moved to this thread.

_________________
'When I'm right nobody remembers when I'm wrong nobody forgets.'

http://weblinksonline.co.uk/joomla-faq.html


Last edited by Webdongle on Wed Dec 12, 2012 9:49 am, edited 2 times in total.

PostPosted: Mon Dec 10, 2012 3:58 pm 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 583
I know the site is clean after checks with Sucuri, Google, Eyesite and the MD5 Comparison tool. Some false positives were evidently false, like .ru URLs in jcomments, which is a Russian extension with Russian URLs in almost every file. I found one suspicious file in the gallery coppermine with base code, but when I checked the original files they contained just that code. It was very interesting and simple to use this tool, so it was worth testing it and very interesting.

Edit: Maybe the developer could make exceptions in the script for legitimate .ru addresses like http://www.joomlatune.ru/
Many use jcomments as an extension.


PostPosted: Tue Dec 11, 2012 2:16 pm 
Joomla! Explorer

Joined: Sun Mar 12, 2006 9:01 pm
Posts: 351
Like with jcomments, there is a false positive with Akeeba Backup. I was just notified about it by a concerned party:

In file ./administrator/components/com_akeeba/akeeba/utils/securesettings.php-> we found 1 occurence(s) of Pattern #17 - PHP: double GZINFLATE||GZUNCOMPRESS||B64||ROT13
---> Details: "Detected a highly encoded (and malicious) code hidden under a loop of gzinflate/gzuncompress/base64_decode calls. After decoded, it goes through an eval call to execute the code."

I understand how the scanning works (I've written my own PHP File Scanner for Admin Tools Pro) and why it cannot be 100% accurate. I understand that my code is, of course, not malicious. In fact, it is the code which encrypts the users' settings with AES-128 encryption to prevent them from being an easy target to hackers who successfully employ a SQL Injection or upload a malicious script on the user's site.

I am, however, VERY concerned on the unnecessarily very strong and utterly misleading language used for the scan results. My code is DEFINITELY not malicious, it's DEFINITELY not hidden and it's DEFINITELY not going through eval. The language used does not in any way suggest that the scanner may have screwed up. Instead it very strongly and positively marks my software as malicious, going as far as to give a FAKE analysis of what the code does. This kind of strong language will cause unnecessary support requests for me and hurt my business (because the majority of users who are going to use such a scanner script are in no position to understand its results, more so when you use strong and misleading language like that). Please rectify this by changing the language in a way which prompts the user to examine the subject in more depth and suggests that this code is sometimes used for this kind of nefarious activity, but the scanner is unable to assess if the actual code it did scan actually is nefarious or benign. Misleading the user frustrates the user, makes him not trust either his scanning tools or the developer of the software he's using and ends up creating a much bigger problem than the one it aims to solve. Thank you in advance for looking into this.

PS: If you want my help with the messages, I can volunteer my time. Please note that I am not a native English speaker. It would be a good idea to find a native English speaker with Joomla! security experience who will volunteer to do the proof-reading before releasing the script.

_________________
Nicholas K. Dionysopoulos
Director, Akeeba Ltd


PostPosted: Tue Dec 11, 2012 3:21 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 25002
Location: @Webdongle
nikosdion is a trustworthy developer and for his code to be marked as 'malicious' is clearly a false positive.

In light of 'false positives' marking legitimate software as malicious ... perhaps the links to the 'Anti-Malware Scan Script (JAMSS)' should be removed from the OP ? More testing by developers is obviously needed before the script is ready for 'Joe user' to test !

_________________
'When I'm right nobody remembers when I'm wrong nobody forgets.'

http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Tue Dec 11, 2012 3:32 pm 
Joomla! Explorer

Joined: Sun Mar 12, 2006 9:01 pm
Posts: 351
Webdongle, you know how much I value your opinion but I have to respectfully disagree with the view of needing the script to be unpublished. All it needs is some work on the wording it uses so that it's not misleading.

There is absolutely no scanner script or service which is suitable for Joe Average to use. The best we can do in such scanner software/services is have wording which helps power users and professionals and is mildly baffling to newbie users, hopefully serving as a warning that this is beyond their pay grade. The goal is to have newbie users either educate themselves, becoming power users, or hire someone to assess the security of their sites.

_________________
Nicholas K. Dionysopoulos
Director, Akeeba Ltd


PostPosted: Tue Dec 11, 2012 4:01 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 25002
Location: @Webdongle
nikosdion wrote:
... but I have to respectfully disagree with the view of needing the script to be unpublished. All it needs is some work on the wording it uses so that it's not misleading.....

I meant until the wording was edited (and agreed on by devs) ... did not mean it to sound that it should be permanent.

_________________
'When I'm right nobody remembers when I'm wrong nobody forgets.'

http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Tue Dec 11, 2012 5:13 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2721
Location: Wisconsin USA
Nicholas is correct, the script will not be "unpublished". Both BernardT and I understand that it could use some work. However, scripts of this sort will ALWAYS return false positives and those positives will have to be interpreted by the end user.

JAMSS wrote:
-false positives are very likely due to the fact that many valid scripts make use of the same logic/technologies as the hacker scripts do to achieve their required activities. Some interpretation must be applied to the results. The code is still "work in progress", so be cautious!


Reasonable suggestions of better wording for the pattern match results will probably be accepted.

The script does not 'mark' software as malicious as much as it matches patterns. The same code that the patterns 'find' are used in malicious software and scripts as well as in many legitimate extensions and web software. The results list where the pattern matched in the scan in a file. There really is no practicable way around this.

Nicholas is correct that the script is not really for users who cannot interpret the results as they relate to their particular site. Inexperienced persons should use alternative methods of site remediation such as the methods posted here viewtopic.php?f=621&t=582854 or request help in the professional services forum.

The JAMSS php script is a replacement for the sploitfinder script that has been a sticky on the security forums for years. That script was written by RUSSW. Having tested sploitfinder, it returned quite a few positives. Very few people ever used the sploitfinder script, as most do not really know how to use ssh (or cron) to run scripts, and so I don't think many ever really used (94 downloads) the sploitfinder script. The sploitfinder script has been kept for historical reasons and is still available for those who may want to use it. https://github.com/PhilD13/sploitFinder ... master.zip I have no plans at this time to make any edits or additions to it.

The JAMSS script used RussW's suggestion (within his sploitfinder instructions) to make a php version. The JAMSS incorporates some of the same patterns that the RussW script did.

Both authors are giving something back to the community. I would rather have one script that I know operates in a certain fashion and is supported than have some users posting "here, run this script (grep, or whatever) to find all your problems, just delete everything it finds" which has been popping up lately in security forums and is a quite dangerous statement.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Tue Dec 11, 2012 5:29 pm 
Joomla! Explorer

Joined: Sun Mar 12, 2006 9:01 pm
Posts: 351
I can give an example of better wording.

Current wording: Detected a highly encoded (and malicious) code hidden under a loop of gzinflate/gzuncompress/base64_decode calls. After decoded, it goes through an eval call to execute the code.

The problem is that this wording, if read by someone with insufficient knowledge, is perceived as a detailed analysis of what the scanned code actually does. In the case of a false positives it marks the extension as malicious to the mind of the user. Sadly, these are the people who are most likely to read this explanation.

Proposed wording: This pattern is often used by mischievous people (hackers) in highly encoded, malicious, code hidden under a loop of gzinflate/gzuncompress/base64_decode calls. In those cases the decoded code goes through an eval call to execute it. Sometimes it's also used for legitimate purposes, e.g. storing configuration information or serialised object data. Please inspect the code manually to verify that this is not a false positive.

This wording is more subtle and implies that the scanner is not 100% sure about what is going on. It merely states the facts (how this code is commonly used, what are the true and false positive scenarios) and prompts the user to evaluate the code herself. It may be a little confusing to a newbie, but this is our intention: subtly hint the newbie that he's well out of his safe depth.

If you would like me to contribute further such changes I am willing to donate my time. Just let me know what is the preferred way to contribute. Send you a patch by email? Do a pull request in a GitHub repository? Something else?

_________________
Nicholas K. Dionysopoulos
Director, Akeeba Ltd


PostPosted: Tue Dec 11, 2012 5:34 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 25002
Location: @Webdongle
PhilD wrote:
Nicholas is correct that the script is not really for users who can not interpret the results as they relate to their particular site. Inexperienced persons should use alternative methods of site remediation such as the methods posted here viewtopic.php?f=621&t=582854 or request help in the professional services forum.
Yes ... but it is in a thread that is open for discussion by anyone and thus many inexperienced users will try it.


PhilD wrote:
The JAMSS php script is an replacement of the sploitfinder script that has been a sticky on the security forums for years...
And how often do inexperienced users bother with 'stickies'? (Just look at the number of times you need to refer users to the 'Read this Before you post' sticky!)


PhilD wrote:
... Very few people ever used the sploitfinder script as most do not really know how to use ssh (or cron) to run scripts ...
But they know how to unzip and ftp and point their Browser at the JAMSS script.

Sorry PhilD, but your comparing sploitfinder with JAMSS only adds to the 'argument' that JAMSS should not be for public consumption (at least until the wording is corrected).

_________________
'When I'm right nobody remembers when I'm wrong nobody forgets.'

http://weblinksonline.co.uk/joomla-faq.html


Last edited by mandville on Tue Dec 11, 2012 5:43 pm, edited 1 time in total.
reformatted for readability


PostPosted: Tue Dec 11, 2012 6:16 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2721
Location: Wisconsin USA
@webdongle
The script is not going to be removed.

Contributions to the project to help improve some aspect of it are welcome.

The comparison to sploitfinder was only to show that there has been a similar script posted publicly for years and to show where an inspiration came from for the JAMSS, not as a reinforcement or argument for or against either script.

@Nicholas
To be honest I never considered the results wording when I reviewed the script.

I think it would be easiest and best to make a pull request from GitHub.

Quote:
Proposed wording: This pattern is often used by mischievous people (hackers) in highly encoded, malicious, code hidden under a loop of gzinflate/gzuncompress/base64_decode calls. In those cases the decoded code goes through an eval call to execute it. Sometimes it's also used for legitimate purposes, e.g. storing configuration information or serialised object data. Please inspect the code manually to verify that this is not a false positive.


How about something along these lines:
This pattern is often used in highly encoded, malicious code hidden under a loop of gzinflate/gzuncompress/base64_decode calls. In these cases the decoded hacker code goes through an eval call to execute it. This pattern is also used for legitimate purposes, e.g. storing configuration information or serialised object data. Please inspect the file manually and compare it with the one in the original extension or Joomla package to verify that this is not a false positive.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
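To make the pattern-versus-wording discussion above concrete, here is a small example scanner written for this thread (it is not JAMSS's own code, and the regex, the sample files and the "pattern 17" label are mine; the extension list is the one PhilD quotes later in the thread, and the report text follows PhilD's proposed wording). It shows why the same decoder chain matches in an obfuscated loader and in a benign settings store, why the report should point the reader at a known-good copy instead of pronouncing a verdict, and why a file hidden behind a .jpg extension is never opened at all:

```python
import re

# File extensions JAMSS scans, taken from PhilD's post in this thread
# ($fileExt = 'php|php3|php4|php5|phps|txt|html|htaccess|gif').
SCAN_EXTENSIONS = {"php", "php3", "php4", "php5", "phps", "txt", "html", "htaccess", "gif"}

# Decoder functions that obfuscated loaders chain together. Legitimate code uses the
# same functions for compressed or serialised data, so a match is a hint, not a verdict.
DECODERS = r"(?:gzinflate|gzuncompress|base64_decode|str_rot13)"
# "Double decode" rule in the spirit of pattern #17 (my own regex, not the JAMSS one):
# one decoder applied directly to the result of another.
DOUBLE_DECODE = re.compile(rf"{DECODERS}\s*\(\s*{DECODERS}\s*\(", re.IGNORECASE)
EVAL_CALL = re.compile(r"\beval\s*\(", re.IGNORECASE)

# Report wording modelled on PhilD's proposal above: say what the pattern is often
# used for, say it is also used legitimately, and send the reader to a known-good copy.
PATTERN_17_TEXT = (
    "This pattern is often used in highly encoded, malicious code hidden under a loop of "
    "gzinflate/gzuncompress/base64_decode calls. It is also used for legitimate purposes, "
    "e.g. storing configuration information or serialised object data. Inspect the file "
    "manually and compare it with the one in the original extension or Joomla package."
)


def is_scannable(path):
    """True when the file's last extension is on the scan list (.htaccess counts as 'htaccess')."""
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in SCAN_EXTENSIONS


def scan_file(path, content, context=40):
    """Return one finding per double-decode match in a scannable file (empty list: nothing matched)."""
    findings = []
    if not is_scannable(path):
        return findings
    for m in DOUBLE_DECODE.finditer(content):
        start, end = max(0, m.start() - context), min(len(content), m.end() + context)
        # The snippet is what lets a reviewer locate the spot in an editor.
        snippet = content[start:end].replace("\n", " ")
        # eval() immediately before the decoder chain is a strong hint that the decoded
        # data is executed; it still does not tell us what the payload does.
        feeds_eval = EVAL_CALL.search(content[max(0, m.start() - 30):m.start()]) is not None
        findings.append({
            "file": path, "pattern": 17, "offset": m.start(),
            "snippet": snippet, "eval_nearby": feeds_eval, "explanation": PATTERN_17_TEXT,
        })
    return findings


def scan_tree(files):
    """files maps path -> content (a stand-in for walking the webroot); returns all findings."""
    results = []
    for path, content in files.items():
        results.extend(scan_file(path, content))
    return results


# Constructed sample files; none of them is taken from a real extension.
SAMPLE_FILES = {
    # decoder chain feeding eval(): the kind of loader the pattern is meant to catch
    "modules/mod_x/loader.php":
        "<?php eval(gzinflate(base64_decode('PLACEHOLDER_BLOB'))); ?>",
    # same decoder chain used to unpack stored settings: a false positive waiting to happen
    "administrator/components/com_y/settings.php":
        "<?php\n$cfg = unserialize(gzinflate(base64_decode($row->params)));\nreturn $cfg;\n",
    # clean file
    "templates/t/index.php": "<?php echo 'hello'; ?>",
    # PHP behind an image extension: never opened, because 'jpg' is not on the scan list
    "images/myphoto.php.jpg": "<?php echo 'not an image'; ?>",
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        flag = "eval() nearby" if f["eval_nearby"] else "no eval() nearby"
        print(f"{f['file']}: pattern #{f['pattern']} at offset {f['offset']} ({flag})")
        print(f"  ...{f['snippet']}...")
        print(f"  {f['explanation']}")
```

Run as-is it reports two matches, the loader and the settings store, with the same explanation for both; only the "eval() nearby" flag and the snippet separate them, which is exactly the judgement call the report wording has to leave to the person reading it.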


PostPosted: Tue Dec 11, 2012 6:33 pm 
Joomla! Explorer

Joined: Sun Mar 12, 2006 9:01 pm
Posts: 351
Yes, sure, what is the URL of the GitHub repo?

_________________
Nicholas K. Dionysopoulos
Director, Akeeba Ltd


PostPosted: Tue Dec 11, 2012 8:44 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2721
Location: Wisconsin USA
The url to the GitHub repo is https://github.com/btoplak/Joomla-Anti- ... can-Script

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Tue Dec 11, 2012 9:53 pm 
Joomla! Intern

Joined: Thu Jun 29, 2006 11:44 am
Posts: 91
Location: Croatia
Hello guys!

Let me pop in after a very busy day...

nikosdion wrote:
I am, however, VERY concerned on the unnecessarily very strong and utterly misleading language used for the scan results. My code is DEFINITELY not malicious, it's DEFINITELY not hidden and it's DEFINITELY not going through eval. The language used does not in any way suggest that the scanner may have screwed up.

@nikosdion: I can relate and understand your frustration, especially if your customer has taken the result as a 100% positive, despite many many remarks that (with help from Mandville and PhilD) I tried to emphasize in post, instructions, GitHub, readme file etc...

people just love not to RTFM ... I planned to include another warning block just before and after results block about the need of proper interpretation of the results, and the big possibility that results are false positives! I'm absolutely open for all suggestions and contributions from native English speakers in rephrasing the wordings in reports and all other aspects of JAMSS.

Also, the patterns will be refined in time, and this is also a point where (especially) other extension developers can help us out here on the JAMSS project - give us examples of code that JAMSS
flags as positives! I'll try to see if there is some space for improvement in the pattern to be more precise. But always keeping in mind one important thing that @PhilD says: it should be much more acceptable to see some false positives along the way than to have just one false negative!

I'll insert the alternate wording suggested by PhilD.
Update: the #17 report text has been changed in 'forum' and 'master' branches

P.S. For PHP-competent beta testers - you can find a newer beta version in 'master' branch, which should give much less false positives, especially on pattern #1 that is now (probably) improved. Compare the results from 'forum' branch with this beta in 'master' branch.
Comments and bug-reports are very welcome.

_________________
Croatian Joomla Translation coordinator | www.orion-web.hr
JAMSS author- viewtopic.php?f=621&t=777957
PHP/WebApp Security enthusiast (OWASP) & Linux Admin
don't PM me with requests (unless you want paid help), post in forum


PostPosted: Mon Dec 31, 2012 6:08 pm 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 583
In my Joomla site I have a separate gallery and phpBB3 forum, where the members can upload pictures. I am a bit worried about this feature, as a member might upload pictures containing malware or hacker code. The JAMSS script would be very helpful if it would detect hacker code disguised in picture files. When I tested the JAMSS script on my site I did not get any positive response from the picture files, which was a relief. Can JAMSS detect hacker code in picture files?


PostPosted: Mon Dec 31, 2012 7:01 pm 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2721
Location: Wisconsin USA
No, except for gif files. It looks for established patterns in certain file types. These are the types:
$fileExt = 'php|php3|php4|php5|phps|txt|html|htaccess|gif'; // file extensions

Photos in general can be hacked in several different ways.

Simplest (is not really a hack) is for the program or the administrator through misconfiguration of program options, to allow upload of file types that are not consistent with allowed types. Photos/graphics in this case.

Second Simplest is making the server think the php file is a photo by a double file type extension as in myphoto.php.jpg
The hacker simply drops the .jpg from the end to run the file.

Another way is to manipulate the metadata within the actual photo file in formats that can include metadata adding hack code to call other hack code.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
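The three upload tricks PhilD lists above (wrong file types allowed, the double extension myphoto.php.jpg, and PHP tucked into image metadata) can each be caught by a content check on the upload rather than by the extension-based scan list. The following is an added example written for this thread, not JAMSS or phpBB code; the file signatures are the standard ones for JPEG, PNG and GIF, and the sample uploads are constructed:

```python
import re

# Image formats and the bytes a genuine file of that type starts with (standard signatures).
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a web server may hand to the PHP interpreter.
SERVER_SIDE_EXT = {"php", "php3", "php4", "php5", "phps", "phtml"}
# PHP open tags; searched over the whole body so code tucked into metadata is seen too.
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=", re.IGNORECASE)


def extension_chain(filename):
    """All extensions of a name, in order: 'myphoto.php.jpg' -> ['php', 'jpg']."""
    return [part.lower() for part in filename.split(".")[1:]]


def check_image_upload(filename, data):
    """Return the reasons an 'image' upload deserves a closer look; an empty list means none found."""
    reasons = []
    exts = extension_chain(filename)
    outer = exts[-1] if exts else ""

    # 1. Double extension: a server-side extension hidden before the image one.
    if any(e in SERVER_SIDE_EXT for e in exts[:-1]):
        reasons.append("double extension: server-side extension before the image extension")

    # 2. Declared an image, but the bytes do not start with that format's signature.
    signatures = IMAGE_MAGIC.get(outer)
    if signatures is not None and not any(data.startswith(s) for s in signatures):
        reasons.append(f"content does not start with a {outer} signature")

    # 3. A PHP open tag anywhere in the body, valid image header or not.
    if PHP_OPEN_TAG.search(data):
        reasons.append("PHP open tag present in file body")

    return reasons


# Constructed samples (not real uploads).
SAMPLES = {
    # a minimal GIF header and nothing suspicious
    "holiday.gif": b"GIF89a\x01\x00\x01\x00",
    # PHP source renamed with a double extension, as in PhilD's myphoto.php.jpg
    "myphoto.php.jpg": b"<?php echo 'this is not a photo'; ?>",
    # valid-looking GIF header followed by a PHP tag where a comment block might sit
    "avatar.gif": b"GIF89a\x01\x00\x01\x00" + b"\x00" * 8 + b"<?php echo 'x'; ?>",
}


def audit(samples):
    """Run the check over a mapping name -> bytes and keep only the entries with findings."""
    return {name: check_image_upload(name, data) for name, data in samples.items()
            if check_image_upload(name, data)}


if __name__ == "__main__":
    for name, reasons in audit(SAMPLES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

The third check is the one that matters for the metadata case: the GIF header is genuine, so a signature check alone passes the file, and only the search through the whole body finds the open tag. Such a file is harmless until something on the server is talked into executing it as PHP, which is why this kind of check belongs at upload time and next to a correct server configuration rather than in place of it.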


PostPosted: Wed Jan 02, 2013 5:26 pm 
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 13013
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
Well I do applaud this script since it is good for 'corrective' maintenance on a server which is not that well protected. However in the end it simply comes down to server and site management and it has nothing to do with Joomla or extensions.

With much respect to either Nicholas (he knows) or to Bernard : These are tools to discover the holes in the initial security or the mistakes users make. For the latter the extensions are a help but nothing more. None of these tools will actually protect you as such but might or might not (false positives are everywhere in these kinds of scanners: Just take Securi.net as example).

As mentioned: In the end it comes down to good server setup and management with proper PHP-tweaks and online scanners such as CFS-Exploit Scanner/CFX Mail Scanner/CFS IPTables/suPHP (or mod_Ruid) and Mod-Security to mention a few with good PHP-Tweaks and latest Stable versions of cPanel as example).

If a server is configured properly one will never need to use any of these fancy extensions, with all respect (since they have a clear target audience, as many (even very big) hosters simply do not care properly or simply do not wish to spend decent money to safeguard their client base. Without this all these extensions would have no existence (they do because of poking on Joomla user-fear and lack of end-user knowledge about proper basic things such as super user id, backups, etc: no offense, on the contrary!) )

I agree with PhilD. Take the PHP-Hide.php (hide code in a gif as example) ...CFS quarantines this crap on server entry before it even reaches an account...These kind of Joomla-extensions find them when they are already in the Joomla-site......THAT is a major difference

Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


PostPosted: Thu Jan 03, 2013 12:19 am 
Joomla! Intern

Joined: Thu Jun 29, 2006 11:44 am
Posts: 91
Location: Croatia
JAMSS is, as stated many times in the description, only a tool to aid the detection of possibly malicious PHP files, and only partly JavaScript (at this moment)... and it's built to be as heuristic as possible, to detect any suspect PHP code segment... and these heuristics (as in any other anti-malware script) also bring false positives.

I am also a user of the CXS script; it's a useful tool. But it's also much more limited in its detection. CXS uses MD5 hash fingerprints (contrary to JAMSS RegExp patterns), which makes it very easy to deceive, e.g. by only adding one more space in the file - and the file (MD5 hash) is not recognized anymore... so it works if, and only if, a file that gets uploaded is an unchanged(!) version of a known malicious script.

BUT! Using (several) layers of security can't harm, if implemented right... with all other segments of the webserver system prefixed with "proper" (proper OS config, proper PHP config etc. etc.)

_________________
Croatian Joomla Translation coordinator | www.orion-web.hr
JAMSS author- viewtopic.php?f=621&t=777957
PHP/WebApp Security enthusiast (OWASP) & Linux Admin
don't PM me with requests (unless you want paid help), post in forum
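The difference BernardT describes between a hash fingerprint and a regular-expression pattern is easy to show on a single file. The block below is an added example for this thread, not code from JAMSS or CXS: the "known bad" sample and its MD5 are constructed to stand in for a fingerprint database entry, and the regex is mine, in the spirit of the double-decode pattern discussed earlier in the thread:

```python
import hashlib
import re

# A constructed "known bad" sample; its MD5 stands in for an entry in a fingerprint database.
KNOWN_BAD = b"<?php eval(gzinflate(base64_decode('PLACEHOLDER_BLOB'))); ?>"
FINGERPRINTS = {hashlib.md5(KNOWN_BAD).hexdigest()}

# Heuristic rule: one decoder applied directly to the result of another (my own regex).
CHAINED_DECODE = re.compile(
    rb"(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(\s*"
    rb"(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(",
    re.IGNORECASE,
)


def fingerprint_match(data):
    """CXS-style check: the exact MD5 of the whole file must be in the database."""
    return hashlib.md5(data).hexdigest() in FINGERPRINTS


def pattern_match(data):
    """JAMSS-style check: the regular expression must match somewhere in the file."""
    return CHAINED_DECODE.search(data) is not None


def compare(data):
    return {"md5": fingerprint_match(data), "regex": pattern_match(data)}


# Constructed variants of the same file: the trivial edits BernardT describes.
VARIANTS = {
    "unchanged": KNOWN_BAD,
    "one extra space": KNOWN_BAD.replace(b"eval(", b"eval( "),
    "decoder names in upper case": KNOWN_BAD.replace(b"gzinflate", b"GZINFLATE"),
    "trailing newline added": KNOWN_BAD + b"\n",
}


def evaluate(variants=VARIANTS):
    """Run both checks over every variant; returns name -> {'md5': bool, 'regex': bool}."""
    return {name: compare(data) for name, data in variants.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:30} md5={result['md5']} regex={result['regex']}")
```

Only the unchanged copy matches the fingerprint; every one-byte edit defeats it, while the pattern still matches all four. The trade-off is the one the whole thread is about: the fingerprint never fires on a legitimate file, the pattern fires on anything that looks similar, so it needs a human reading the result.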


PostPosted: Thu Jan 03, 2013 12:42 am 
Joomla! Master

Joined: Mon Aug 29, 2005 10:17 am
Posts: 13013
Location: Netherlands/ UK/ S'pore/Jakarta/ North America
BernardT wrote:
JAMSS is, as stated many times in description, only a tool to aid a detection of possibly malicious PHP files, only partly JavaScript (at this moment) ...
And Bernard. I tested it on a client-infected site and it does precisely that what is stated which is helpful for many users. So cool with it for sure!

Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


PostPosted: Sat Jan 05, 2013 5:17 am 
Joomla! Guru

Joined: Sat Aug 13, 2011 6:27 am
Posts: 583
I have tested the script again and I was very happy that it no longer detects http://www.joomlatune.ru/ in JComments, which is a legitimate .ru address. Concerning the output of the script, I would prefer some extra lines with the suspected code that the script has detected. I guess it would then be easier to detect hacker code.


PostPosted: Sat Jan 05, 2013 8:45 am 
Joomla! Intern

Joined: Thu Jun 29, 2006 11:44 am
Posts: 91
Location: Croatia
@leolam: thank you for your comments!

Slackervaara wrote:
Concerning the output of the script, I would prefer some extra lines with the suspected code that the script has detected. I guess it would then be easier to detect hacker code.

Thank you for the suggestion, but I'm not sure I quite understood what you mean. Are you talking about showing an extra number of characters around the match?

_________________
Croatian Joomla Translation coordinator | www.orion-web.hr
JAMSS author- viewtopic.php?f=621&t=777957
PHP/WebApp Security enthusiast (OWASP) & Linux Admin
don't PM me with requests (unless you want paid help), post in forum


PostPosted: Sat Jan 05, 2013 11:53 am 
Joomla! Hero

Joined: Sat Oct 21, 2006 10:20 pm
Posts: 2721
Location: Wisconsin USA
The JAMSS script is a tool for experienced users to use to quickly scan a site looking for matches to certain patterns and does not need to give an extended amount of data about each match.

I think the code snippet for each of the results is plenty sufficient. It gives the path to the file, the file in question, and enough of the code from the match area to very easily determine (in many cases) if the code needs further investigation. It also provides enough context to use a text (code) editor such as notepad++ to search and locate the part of the file in question if further investigation is needed on the file. One can also use notepad++ (or a similar favourite editor) to compare and verify the file against a known good file.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


PostPosted: Fri Feb 08, 2013 7:11 pm 
Joomla! Apprentice

Joined: Sat Jul 28, 2012 4:28 pm
Posts: 7
I've used JAMSS successfully before and it's a great tool. I'm using it on a newly built server with a site restored from an Akeeba Backup. The old server was hacked and I used a backup from well before the issue. JAMSS has been running for over 25 minutes with one core of my VPS at 100%. Is that normal and should I let it continue to run? It's never taken near this long before.

**Update** it ran fine in Chrome, but never ran right in Firefox.

