JAMSS - Joomla! Anti-Malware Scan Script - Joomla! Forum - community, help and support
JAMSS - Joomla! Anti-Malware Scan Script
script link: https://github.com/btoplak/joomla-anti- ... tree/forum
author: Bernard Toplak - bernard[at]orion-web.hr
author link: http://www.orion-web.hr
This script should be used as an aid in locating possibly infected or added malware/backdoor files in Joomla! installations.
!!! DISCLAIMER !!!
This script is not a "one-click" cure; it is a tool to aid in the identification of (possibly) malicious files! The script will produce false positives!
The patterns it looks for are typical of highly encoded malicious code, but the same constructs are also used for legitimate purposes, both in the Joomla core and within 3rd party extensions, e.g. for storing configuration information or serialized object data.
Please inspect the reported file(s) manually and compare them with the one(s) in a freshly downloaded extension or a freshly downloaded full Joomla package to verify that the displayed result is not a false positive.
General notes (read carefully!)
- JAMSS is a tool intended for a quick and fast search and identification of possibly corrupted files in the web directory.
- JAMSS doesn't change anything on the site, and it doesn't remove any vulnerabilities you might have - sorry, you still have to do the handwork yourself.
- False positives are likely, due to the fact that many valid scripts make use of the same logic/technologies as hacker scripts to achieve the required activities. Interpretation must be applied to the results; it is better to have a false positive than a false negative. The code is still a "work in progress", so be cautious!
- The script is intended for people with some degree of understanding of PHP code.
- Don't go and delete all the files it identifies; you will break your Joomla installation!!! (You have been warned... read on.)
- Don't go and notify an extension developer about files in their extension that JAMSS identifies unless you are 100% positive that the identified code is not a legitimate part of the extension.
- Also, the script surely can't identify each and every possible malware, just like other sorts of antivirus/antimalware applications. Nothing's perfect, and neither is JAMSS. Don't rely 100% on it!
- The script is not approved, tested or verified by the Joomla team, forum team, security team or anyone else - it is an assistant tool to be used in addition to other tools and the recommendations found on the Joomla security forums.
- By downloading and using the script you confirm that you have read, understand, accept and agree to the terms and conditions written here or in any other file belonging to the JAMSS package.
- I don't issue any warranty for the script; it is given "as is" and you use it at your own risk alone.
- The contact point for further questions and discussions about bugs and development of the script is on GitHub: https://github.com/btoplak/joomla-anti- ... ipt/issues
- Comments and suggestions are welcome.
Discussion about JAMSS is located here:
viewtopic.php?f=621&t=777960
Feedback & bugs should be reported here:
https://github.com/btoplak/joomla-anti- ... ipt/issues
All comments and suggestions on the code, behavior, fingerprints etc. are welcome!
Installation and scanning:
- Installation and scanning with JAMSS is simple and pretty straightforward:
1) Download - you can choose between a zip and a tar.gz package; choose whichever suits you best. Use these links to download JAMSS:
https://github.com/btoplak/joomla-anti- ... /forum.zip
or
https://github.com/btoplak/joomla-anti- ... rum.tar.gz
and save the archive in a convenient place on your computer.
2) Unpack the downloaded archive on your local computer.
3) FTP/copy jamss.php to public_html or to the server's publicly accessible directory for your domain. The script should be located in the webroot folder of the Joomla installation (if you find the configuration.php file in the folder - that's the one!)
4) Call the jamss.php file from your browser: http://yoursite.com/jamss.php
Interpreting results:
0) The script might take a minute or 2 to scan and finish if the server is under heavy load, or if you have many files, so lean back and wait a moment.
1) The script inspects the code contained within the files and tries to identify possible malicious code in them using many fingerprints of known malware.
2) Once the script has finished running it will produce and display a report for you to review, and (as warned before) it will produce "false positives" that must be interpreted in order to determine whether a particular result is a possibly hijacked file.
3) For each potential issue, the report will list the path to the file in question, the pattern (and the pattern's internal number) the file matched, a short description of what the code is doing, and the general area within the file that matched the pattern.
4) If there is a question about file(s) identified as possibly having an issue, the file(s) should be downloaded and inspected to determine whether there is an issue with the file:
- - If the suspected file(s) exist in the original core Joomla package or are used in an extension package (download fresh zip/tar.xx packages of the extensions and Joomla, extract the file(s) and check), verify that the pattern JAMSS matched is also present in the same freshly downloaded file(s). If in doubt whether the scanned file is valid, replace it with the corresponding file from the freshly downloaded package.
- - Even better - clean the complete Joomla web directory with fresh Joomla files, following the information and recommendations in the security forums: viewtopic.php?f=621&t=582854
- - If the suspected file(s) do not exist in the original Joomla full installation files or in the installed extensions' files, move the file(s) to a secure new folder (preferably a password-protected folder, or push them into an archive later so the hacker has less chance of accessing them), and delete them once you have determined that they are hack files and not legitimate, non-hacked files needed for proper operation of the Joomla site.
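The comparison with a freshly downloaded package described in step 4 can be done mechanically once both trees are on your local computer. The following is an added example, not part of JAMSS or its package: it hashes every file in a live copy of the site and in a clean extracted package, and reports files that differ, files that exist only on the live site, and files that are missing. All directory names and file contents below are constructed for the demo; configuration.php is skipped by default because it is expected to differ from the shipped template on every site.

```python
"""
Compare a downloaded copy of a live Joomla web root against a freshly
downloaded (clean) package of the same version. Added example, not JAMSS
code; every path and file here is constructed inline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large files stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root, skip=("configuration.php",)):
    """Map relative POSIX paths to SHA-256 digests for every regular file under root.

    Site-specific files (configuration.php by default) are skipped: they
    legitimately differ from the package and would always show as 'modified'.
    """
    root = Path(root)
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name in skip:
                continue
            full = Path(dirpath) / name
            digests[full.relative_to(root).as_posix()] = sha256_of(full)
    return digests


def compare_trees(live_root, reference_root):
    """Classify the live tree against the clean reference tree.

    modified - in both trees, content differs (candidate for replacement
               with the fresh copy, as the first bullet of step 4 suggests)
    added    - only on the live site (third bullet: move to a secure folder,
               delete once confirmed as a hack file)
    missing  - only in the reference package (deleted or never installed)
    """
    live = hash_tree(live_root)
    ref = hash_tree(reference_root)
    return {
        "modified": sorted(p for p in live.keys() & ref.keys() if live[p] != ref[p]),
        "added": sorted(live.keys() - ref.keys()),
        "missing": sorted(ref.keys() - live.keys()),
    }


def _write(path, body):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body, encoding="utf-8")


def build_demo_trees():
    """Create two constructed trees in a temp dir and return (live, reference)."""
    base = Path(tempfile.mkdtemp(prefix="jamss_cmp_"))
    ref, live = base / "fresh_package", base / "live_site"
    shared = {  # constructed stand-ins for package files
        "index.php": "<?php // constructed stand-in for the Joomla entry point\n",
        "libraries/loader.php": "<?php // constructed core library file\n",
        "configuration.php": "<?php // shipped template, differs on every site\n",
        "tmp/index.html": "<!DOCTYPE html><title></title>\n",
    }
    for root in (ref, live):
        for rel, body in shared.items():
            _write(root / rel, body)
    # Constructed deviations on the live site:
    _write(live / "libraries/loader.php", shared["libraries/loader.php"] + "// appended\n")  # modified
    _write(live / "images/cache.php", "<?php // constructed file not in the package\n")       # added
    _write(live / "configuration.php", "<?php // site-specific values\n")                   # skipped
    (live / "tmp/index.html").unlink()                                                         # missing
    return live, ref


def run_demo():
    """Build the demo trees and return the comparison result."""
    live, ref = build_demo_trees()
    return compare_trees(live, ref)


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {paths}")
```

Point the two roots at the downloaded site copy and the extracted package instead of the demo trees; files listed under "modified" are the ones to check against the fresh copy first, and "added" files are the ones the post says to move aside rather than delete outright.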
After cleanup:
- Although you have (hopefully) identified and removed the hijacked files (remember: it may not be 100% accurate), this still shouldn't be the end of your work!
- To the point: you have (temporarily) cured "the headache pain" only; you have not cured "the source of the pains" - you have to identify how the files were compromised in the first place. For further steps on this topic, follow the guidance on how to clean and repair your website here: viewtopic.php?f=621&t=582854
Deepscan (only for advanced users - PHP knowledge essential!!)
If you want to perform a "deep scan", you can pass the "deepscan=1" parameter to the script via the URL.
e.g. http://yoursite.com/jamss.php?deepscan=1
The deepscan method searches the files for many PHP functions known to be used by malicious scripts, so it may detect more recent/unknown versions of PHP malware, but it will definitely give many false positives. You have to be an experienced PHP programmer to interpret the results properly.
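To make concrete what the report described under "Interpreting results" contains (path, pattern number, description, location in the file) and why the deepscan mode is so much noisier, here is an added example of a fingerprint scanner. It is not JAMSS's own code and the fingerprint list, the deepscan function list and the three sample files are all constructed for the demo; it is written in Python so it can be run offline over a downloaded copy of the site rather than on the web server. The deliberately benign sample under legit/ shows the false-positive case the post warns about: base64_decode() used for serialized configuration is flagged by deepscan but by none of the fingerprints.

```python
"""
Fingerprint scan of a directory tree, in the spirit of the report JAMSS is
described as producing, plus a noisier "deepscan" mode. Added example, not
JAMSS code; patterns, function list and sample files are constructed.
"""
import os
import re
import tempfile
from pathlib import Path

# Fingerprints: (internal number, regex, short description). Constructed set.
FINGERPRINTS = [
    (1, re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
     "eval() of a decoded/inflated payload"),
    (2, re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"),
     "preg_replace with the /e modifier (evaluates replacement as code)"),
    (3, re.compile(r"\$[a-zA-Z_]\w*\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "variable function called directly with request data"),
]

# Deepscan: functions often seen in PHP malware but also in legitimate code,
# hence the many false positives the post warns about. Constructed list.
DEEPSCAN_FUNCTIONS = ("eval", "system", "exec", "shell_exec", "passthru", "assert",
                      "create_function", "base64_decode", "gzinflate", "str_rot13")
DEEPSCAN_RE = re.compile(r"\b(" + "|".join(DEEPSCAN_FUNCTIONS) + r")\s*\(")
SCAN_EXTENSIONS = {".php", ".phtml", ".inc", ".php5"}


def _finding(path, number, description, text, match):
    """One report row: where the match is and what the text looked like."""
    return {
        "path": str(path),
        "pattern": number,
        "description": description,
        "line": text.count("\n", 0, match.start()) + 1,
        "match": match.group(0),
    }


def scan_file(path, deepscan=False):
    """Findings for a single file; pattern 0 marks deepscan-only hits."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    findings = []
    for number, regex, description in FINGERPRINTS:
        for m in regex.finditer(text):
            findings.append(_finding(path, number, description, text, m))
    if deepscan:
        for m in DEEPSCAN_RE.finditer(text):
            findings.append(_finding(path, 0, f"deepscan: call to {m.group(1)}()", text, m))
    return findings


def scan_tree(root, deepscan=False):
    """Walk root and scan every PHP-like file; sorted for a stable report."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() in SCAN_EXTENSIONS:
                findings.extend(scan_file(Path(dirpath) / name, deepscan))
    return sorted(findings, key=lambda f: (f["path"], f["line"], f["pattern"]))


def build_demo_tree():
    """Write three constructed sample files into a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="jamss_scan_"))
    samples = {
        # legitimate: encoded serialized config, flagged by deepscan only
        "legit/config.php": "<?php\n// constructed: legitimate encoded serialized config\n"
                            "$data = unserialize(base64_decode($stored));\n",
        # suspicious: encoded payload executed at runtime ('ZWNobyAxOw==' is 'echo 1;')
        "cache/thumb.php": "<?php\n// constructed: encoded payload executed at runtime\n"
                           "$c = 'ZWNobyAxOw==';\neval(base64_decode($c));\n",
        # suspicious: deprecated /e modifier, no deepscan function involved
        "includes/filter.php": "<?php\n// constructed: deprecated /e modifier\n"
                               "$out = preg_replace(\"/(.*)/e\", \"strtolower('$1')\", $input);\n",
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


def run_demo():
    """Return (quick findings, deepscan findings) over the constructed tree."""
    root = build_demo_tree()
    return scan_tree(root), scan_tree(root, deepscan=True)


if __name__ == "__main__":
    quick, deep = run_demo()
    for f in deep:
        print(f"{f['path']}:{f['line']} [#{f['pattern']}] {f['description']} -> {f['match']!r}")
    print(f"{len(quick)} fingerprint hits, {len(deep)} with deepscan")
```

Run as-is to see the demo report, or call scan_tree() on a downloaded copy of the web root. Every row still needs the manual comparison against a fresh package that the post insists on; the scanner only tells you where to look.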
Have you found malicious code that JAMSS didn't recognize?
There are many malicious scripts out there, and every day new ones are coded and spread - it takes effort for JAMSS to recognise all of them - so if you can, report and send (via PM or e-mail) samples of the malicious code that JAMSS fails to recognize. Thanks!
Licensing and warranty
License: http://opensource.org/licenses/gpl-3.0.html
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation; either version 3 of the License, or (at your option) any later
version.
This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
more details. http://opensource.org/licenses/gpl-3.0.html
It doesn't hurt to repeat it at the end - you should be absolutely sure of what you're doing - if you break your Joomla in any way - you are solely liable for it! Not me, not JAMSS, nor anyone else!