JAMSS - Joomla! Anti-Malware Scan Script

Discussion regarding Joomla! 2.5 security issues.

Post by Bernard T » Sun Dec 09, 2012 6:14 am

JAMSS - Joomla! Anti-Malware Scan Script

script link: https://github.com/btoplak/Joomla-Anti- ... tree/forum
author: Bernard Toplak - bernard[At]orion-web.hr
author link: http://www.orion-web.hr


This script should be used for assistance in locating possibly infected or added malware/backdoor files in Joomla! installations.

!!! DISCLAIMER !!!
THIS SCRIPT IS NOT A "ONE-CLICK" CURE, IT'S ONLY A TOOL TO AID IDENTIFICATION OF (POSSIBLY) MALICIOUS FILES ! THIS SCRIPT WILL PRODUCE FALSE POSITIVES!

Patterns that are often used in highly encoded, malicious code are also used for legitimate purposes in both the Joomla core and within 3rd party extensions, e.g. storing configuration information or serialized object data.

Please inspect the reported file(s) manually and compare it/them with the one(s) in a freshly downloaded extension or freshly downloaded full Joomla package to verify that the result displayed is not a false positive.



General Notes (read them carefully!)

- JAMSS is a tool intended just as quick help in fast search and identification of POSSIBLY corrupted files in your web directory.

- JAMSS doesn't change anything on your site, and doesn't remove vulnerabilities you might have - sorry, you still have to do all the handwork by yourself.

- false positives are very likely due to the fact that many valid scripts make use of the same logic/technologies as the hacker scripts do to achieve their required activities. Interpretation must be applied to the results as it is better to have a false positive than just one false negative. The code is still "work in progress", so be cautious!

- this script is intended for people with some degree of understanding of PHP code.

- don't simply go and delete all files it identifies, you will break your Joomla installation!!! (you have been warned... read on)

- don't simply go and notify an extension developer of files in their extension that JAMSS identifies unless you are 100% positive that the identified code is not legitimate to the extension.

- also, this script surely can't identify each and every possible malware, as is the case with all other sorts of AntiVirus/AntiMalware applications. Nothing's perfect, neither is JAMSS. Don't rely 100% on it!

- the script is NOT approved, tested or verified by Joomla team, forum team, security team or anyone else - it is an assistant tool to use in addition to the use of other tools and recommendations found on the Joomla security forums.

- by downloading and using this script you confirm that you have read, do fully understand, accept and agree to all terms and conditions written here or in any other file belonging to the JAMSS package.

- I DON'T ISSUE ANY WARRANTY for the script, it is given "as is" and you have to use it at your own risk alone

- the contact point for all your further questions and discussions about the bugs and development of the script is on GitHub https://github.com/btoplak/Joomla-Anti- ... ipt/issues

- any comments and suggestions are welcome


Discussion for JAMSS is located here:
http://forum.joomla.org/viewtopic.php?f=621&t=777960


Feedback & Bugs should be reported here
https://github.com/btoplak/Joomla-Anti- ... ipt/issues

ALL COMMENTS AND SUGGESTIONS ON CODE, BEHAVIOR, FINGERPRINTS ETC. ARE ALWAYS WELCOME!


Installation and Scanning:

- the installation and scanning with JAMSS is simple and pretty straightforward:

1) Download - you can choose between ZIP and TAR.GZ package, choose which suits you best. Use these links to download JAMSS:
https://github.com/btoplak/Joomla-Anti- ... /forum.zip
or
https://github.com/btoplak/Joomla-Anti- ... rum.tar.gz
and save the archive in a convenient place on your computer.

2) Unpack the downloaded archive to your local computer.

3) FTP/Copy jamss.php to the public_html or your server's publicly accessible directory for your domain. The script should be located in the webroot folder of your Joomla installation (if you find the configuration.php file in this folder - then that's the one!)

4) Just call the jamss.php file from your browser: http://yoursite.com/jamss.php


Interpreting the results:

0) The script might take up to a minute or two to scan and finish if your server is under heavy load, or you have many files, so lean back and wait a moment.

1) The script inspects code contained within files and tries to identify possible malicious code in it using many fingerprints of known malware.

2) Once the script has finished running it will produce and display a report for review, and (as warned before) will likely produce also "false positives" that must be interpreted in order to determine if any particular result is a possible hijacked file.

3) For each potential issue, the report will list the path to the file in question, the pattern (and pattern internal number) that the file matched, a short description of what this code could be doing, and the general area within the file that matched the pattern.

4) If there is any question about a file(s) identified as possibly having an issue, the file(s) should be downloaded and inspected to determine if there is an issue with the file:
  1. if the suspected file(s) exist in the original core Joomla package or are used in an extension package (download fresh ZIP/TAR.XX packages of extensions and Joomla, extract the file(s) and check), then verify that the file JAMSS has matched a pattern on is the same as the freshly downloaded file(s). Replace the file with the corresponding file from the freshly downloaded package if you are in doubt whether the scanned file is valid.
  2. even better - properly clean your complete Joomla web directory with fresh Joomla files following the information and recommendations in the security forums http://forum.joomla.org/viewtopic.php?f=621&t=582854
  3. if the suspected file(s) does/do not exist in the original Joomla full installation files or the installed extensions' files, then move the file(s) to a secure new folder (preferably: a password-protected folder, or push later to an archive so the hacker has less chance of accessing it), and then delete it completely once it is determined it is a hack file and not a legitimate, non-hacked file needed for proper operation of your Joomla site.
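The verification steps above, scripted as an added example (not part of JAMSS or of this post): it hashes every PHP file in the live webroot against the same path in a freshly unpacked package and sorts them into identical, modified and not-in-reference. The two trees are constructed inline; on a real site the "not in reference" bucket also holds configuration.php and every installed extension, exactly the false positives the notes above warn about, so it is a review queue, not a delete list.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_trees(site_root, reference_root, exts=(".php", ".phtml", ".inc")):
    """Classify every PHP file in the live site tree against a freshly unpacked package.
    Returns relative paths grouped as identical / modified / not_in_reference."""
    site, ref = Path(site_root), Path(reference_root)
    result = {"identical": [], "modified": [], "not_in_reference": []}
    for p in sorted(site.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in exts:
            continue
        rel = p.relative_to(site)
        twin = ref / rel
        if not twin.is_file():
            # Not shipped in the fresh package: configuration.php and extension files land
            # here too, so this is a review queue for quarantine, not a deletion list.
            result["not_in_reference"].append(rel.as_posix())
        elif sha256_of(p) == sha256_of(twin):
            result["identical"].append(rel.as_posix())
        else:
            # Same path, different content: diff it, then replace from the fresh package.
            result["modified"].append(rel.as_posix())
    return result

def build_sample_trees():
    """Constructed sample data: a tiny 'fresh package' and a 'live site' derived from it."""
    base = Path(tempfile.mkdtemp())
    ref, site = base / "fresh", base / "site"
    files = {"index.php": "<?php define('_JEXEC', 1);\n",
             "libraries/loader.php": "<?php class JLoader {}\n"}
    for tree in (ref, site):
        for rel, body in files.items():
            (tree / rel).parent.mkdir(parents=True, exist_ok=True)
            (tree / rel).write_text(body)
    # Simulate what a compromised site looks like: one core file altered, one file added.
    (site / "libraries/loader.php").write_text("<?php class JLoader {} /* appended */\n")
    (site / "images").mkdir()
    (site / "images/thumb.php").write_text("<?php /* constructed sample, not a real payload */\n")
    (site / "configuration.php").write_text("<?php class JConfig {}\n")
    return site, ref
```
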

After the cleanup:

- although you have now (hopefully) identified and removed all hijacked files (remember: it may not be 100% accurate), this still shouldn't be the end of your work!

- to be to the point: you have now (temporarily) cured "the headache pain" only, but you have not cured "the source of your pains" - you have to identify how those files were compromised in the first place. A topic with further steps, which you should follow to get to the bottom of this issue and help properly clean and repair your website is here: http://forum.joomla.org/viewtopic.php?f=621&t=582854



DeepScan (ONLY FOR VERY ADVANCED USERS - PHP KNOWLEDGE IS ESSENTIAL!!)

If you want to perform a "deep scan", you can pass the "deepscan=1" parameter to the script via the url.
Eg. http://yoursite.com/jamss.php?deepscan=1

The deepscan method will search files for many PHP functions known to be used by malicious scripts, which may detect more recent/unknown versions of PHP malware, and this DEFINITELY WILL give many false positives. You have to be an experienced PHP programmer to interpret the results properly.
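As an added illustration of what the fingerprint scan (point 1 and 3 under "Interpreting the results") and the deepscan mode do, not JAMSS's own code or its fingerprint list: a small scanner with a few constructed patterns that emits, per hit, the file path, pattern number, description, line and surrounding area; deepscan adds function-name patterns that also fire on plenty of legitimate code. The sample webroot is constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Constructed, illustrative fingerprints (not JAMSS's own list): (id, regex, description).
FINGERPRINTS = [
    (1, re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|gzuncompress)\s*\("),
     "eval() wrapped around a decoder: typical loader for a packed payload"),
    (2, re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
     "preg_replace with the /e modifier runs the replacement as PHP code"),
    (3, re.compile(rb"(?:base64_decode|gzinflate)\s*\(\s*['\"][A-Za-z0-9+/=]{120,}"),
     "long encoded literal handed to a decoder (also used by legitimate config/serialized data)"),
]
# Deep-scan patterns only name functions, so they fire on plenty of legitimate code.
DEEPSCAN_FINGERPRINTS = [
    (101, re.compile(rb"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
     "shell-execution function (deepscan: expect many false positives)"),
]

def scan_file(path, deepscan=False, context=40):
    """Return one report entry per fingerprint hit: file, pattern id, description, line, area."""
    data = Path(path).read_bytes()
    patterns = FINGERPRINTS + (DEEPSCAN_FINGERPRINTS if deepscan else [])
    hits = []
    for pid, rx, desc in patterns:
        for m in rx.finditer(data):
            line_no = data.count(b"\n", 0, m.start()) + 1
            area = data[max(0, m.start() - context):m.end() + context]
            hits.append({"file": str(path), "pattern": pid, "description": desc,
                         "line": line_no, "area": area.decode("utf-8", "replace")})
    return hits

def scan_tree(root, deepscan=False, exts=(".php", ".phtml", ".inc")):
    """Walk the webroot and scan every PHP-like file; interpreting the hits is up to the reader."""
    report = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in exts:
            report.extend(scan_file(p, deepscan))
    return report

def build_sample_webroot():
    """Constructed sample webroot: one clean file, one file with an inert loader-style pattern."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php\ndefine('_JEXEC', 1);\nrequire 'app.php';\n")
    (root / "cache").mkdir()
    (root / "cache/x.php").write_text(
        "<?php\neval(base64_decode('Zm9v'));\n$out = shell_exec('date');\n")
    return root
```
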


You found malicious code that JAMSS didn't recognize?
There are so many malicious scripts out there, and every day new ones are coded and spread - it will take us much effort to get JAMSS to recognise most of them - so help us if you can: report and send (via PM or e-mail) the samples of malicious code that JAMSS fails to recognize. Thanks


Licensing and Warranty
License http://opensource.org/licenses/gpl-3.0.html
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 3 of the License, or (at your option) any later
version.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
more details. http://opensource.org/licenses/gpl-3.0.html

IT DOESN'T HURT TO REPEAT ON THE END - YOU SHOULD BE ABSOLUTELY SURE WHAT YOU'RE DOING - IF YOU BREAK YOUR JOOMLA IN ANY WAY - YOU ARE SOLELY LIABLE FOR IT! NOT ME, NOT JAMSS, NOR ANYONE ELSE!
Last edited by Bernard T on Sun Dec 09, 2012 6:23 am, edited 2 times in total.