#14230 The PHP file scanner

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Monday, 03 December 2012 03:18 CST

user69824

Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? No
Have I searched the tickets before posting? No
Have I read the documentation before posting (which pages?)? No
Joomla! version: (unknown)
PHP version: (unknown)
MySQL version: (unknown)
Host: (optional, but it helps us help you)
Admin Tools version: 2.4.3

Description of my issue:

 

Hi Nicholas,

How do I read the report? What is the meaning of the Threat Score?

Admin Tools – PHP File Change Scanner Report #1

I see numbers in Pink, Red & Yellow (even admin tool with red number).

Best,

David

nicholas
Akeeba Staff
Manager

Hello David,

Have I read the documentation before posting (which pages?)? No

Yup, I already knew that reading your question. What you ask is the exact contents of our documentation for the PHP File Scanner :) Please read that page and feel free to come back to this thread and ask me any clarification questions you may need.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

user69824

Thank you Nicholas. 

Now I get it :)

BTW, I asked my host to run their security scanner (two weeks ago, more or less), and they didn't find anything. From your own experience -- the security scanner is good? accurate? (and I'm not asking just about my host, but in general)

user69824

Edit:

I have a problem with the Red Flag button:

There was a security exception -- Reason: Admin Query String; clicking the button -- I get a blank page, no error message, and the IP is not blocked of course.

user69824

I solved it (the problem with the Red Flag button/blank page); I saw your post/thread: 

 https://www.akeebabackup.com/support/admin-tools/14225-security-exceptions-log-2.htm

nicholas
Akeeba Staff
Manager

Regarding file scanners, they are very useful tools as long as you know how to use them. Since they do generic pattern matching they can't be 100% correct. There are a lot of false positives and you have to manually sort them out. PHP source code scanners, unlike antivirus applications, have to read and understand source code, not compiled machine code. The problem with source code is that there are usually dozens of ways to do something, making scanning an order of magnitude more difficult than a traditional antivirus scan. Keep that in mind and continue periodically scanning your site, especially right before and right after upgrading something on it.


user69824

 ...continue periodically scanning your site, especially right before and right after upgrading something on it.

Thanks for the advice. 

A quick way to see if a file is compromised is to quickly scan its top and bottom 20 lines... (The PHP File Scanner/ Reading the reports)

What do I need to look for? Maybe... some strange URL/links to external sites? That's the goal of the hacker, right?

So, if I understand it now -- an anti-virus scan will rarely detect this redirect code/URL/link?

 

nicholas
Akeeba Staff
Manager

If you have a compromised file, you'll quickly understand why I'm telling you to look at the top and bottom lines. You'll see some code which looks like line noise. That's a hacking script. Or you'll see some Javascript referencing shady sites. That's a hack too.

Regarding anti-virus products, they rarely support scanning source code files, like .php files, for what could potentially be a hack. This is due to the nature of the anti-virus software and the PHP code. They will most likely detect some well-known, very old hacks but that's all. Most modern hacks will go by undetected.

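The top-and-bottom check described in the reply above, as an added example that is not part of the original thread and is not Admin Tools code: it reads the first and last 20 lines of a PHP file and flags decode-and-execute calls, long encoded blobs ("line noise"), and script tags that point off-site. The patterns, the `head_tail` and `triage` names, the host names and the sample files are assumptions made for illustration.

```python
import re

# Heuristics below are assumptions for illustration, not Admin Tools' scoring rules.
BLOB = re.compile(r"[A-Za-z0-9+/=]{80,}|(?:\\x[0-9a-fA-F]{2}){20,}")
DECODE_EXEC = re.compile(
    r"\b(?:eval|assert|create_function)\s*\(.*"
    r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE)
SCRIPT_SRC = re.compile(
    r"<script[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.IGNORECASE)


def head_tail(text, n=20):
    """Return (line_number, line) pairs for the first and last n lines."""
    lines = text.splitlines()
    top = set(range(min(n, len(lines))))
    bottom = set(range(max(0, len(lines) - n), len(lines)))
    return [(i + 1, lines[i]) for i in sorted(top | bottom)]


def triage(text, own_hosts=(), n=20):
    """Flag 'line noise' and off-site script references near the file edges."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for lineno, line in head_tail(text, n):
        if DECODE_EXEC.search(line):
            findings.append((lineno, "decode-and-execute call"))
        if BLOB.search(line):
            findings.append((lineno, "long encoded blob"))
        for host in SCRIPT_SRC.findall(line):
            if host.lower() not in own:
                findings.append((lineno, "external script: " + host))
    return findings


# Constructed samples: a clean file, and the same file with one line added at
# the top and one at the bottom (the blob is only "ABC" repeated, base64-encoded).
CLEAN = "<?php\ndefined('_JEXEC') or die;\n" + "\n".join(
    "echo 'row %d';" % i for i in range(60)) + "\n"
TAMPERED = ('<?php eval(base64_decode("' + "QUJD" * 30 + '")); ?>\n' + CLEAN +
            '<script src="http://cdn.example.invalid/x.js"></script>\n')

if __name__ == "__main__":
    for name, sample in (("clean.php", CLEAN), ("tampered.php", TAMPERED)):
        for lineno, reason in triage(sample, own_hosts=["www.example.com"]):
            print("%s:%d: %s" % (name, lineno, reason))
```

A hit is a reason to open the file and read it, not a verdict; as the thread says, pattern matching produces false positives that have to be sorted out manually.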
