Mandatory information about my setup:
Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: 3.0.3 and 1.5.26
PHP version: 5.3.13
MySQL version: 5.5.20
Host: OSX
Admin Tools version: 2.5.3 Pro
Description of my issue:
I found a malicious PHP shell on an old unused hosting account.
I've run the file through Maldet, ClamAV, virustotal.com, etc., and nothing detects it.
I was hoping Admin Tools' PHP scanner would detect it because it's actually quite a common exploit. I've tried pasting the code into pastebin.com & pastie.org but they're rejecting it. Instead, here's a link to someone who posted the code (top comment): https://discussion.dreamhost.com/thread-134262-page-5.html
If you Google search for part of that code you'll see how prevalent it is (over 43k results): \x63\x72\x65\x61\x74\x65\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e
https://www.google.com/search?q=%5Cx63%5Cx72%5Cx65%5Cx61%5Cx74%5Cx65%5Cx5f%5Cx66%5Cx75%5Cx6e%5Cx63%5Cx74%5Cx69%5Cx6f%5Cx6e&aq=f&oq=%5Cx63%5Cx72%5Cx65%5Cx61%5Cx74%5Cx65%5Cx5f%5Cx66%5Cx75%5Cx6e%5Cx63%5Cx74%5Cx69%5Cx6f%5Cx6e
Unfortunately, PHP Scanner rated it a threat score of zero. It seems with that much non-PHP within <?php ?> tags you could classify that as a major threat.
Again nothing else detected this code but I hold Akeeba to a very high standard and thought I'd pass this on. :)
Either way, thanks for producing such great tools.
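
An added example, not part of the original ticket and not Admin Tools' scanner code: a heuristic that decodes \xHH and octal escapes inside double-quoted PHP strings and raises the score when the decoded text is a code-execution function name, which is what the hex string quoted in the ticket spells (create_function). The function list, the score weights and the sample line are assumptions made for the illustration.

```python
import re

# Function names often hidden by obfuscated PHP. This list and the weights
# below are assumptions for the example, not any product's signature set.
SUSPICIOUS = {"create_function", "eval", "assert", "base64_decode",
              "gzinflate", "str_rot13", "preg_replace", "system", "shell_exec"}

# PHP interprets \xHH and \NNN (octal) escapes only in double-quoted strings.
ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)


def decode_escapes(body):
    """Decode hex/octal escapes; return (decoded_text, number_of_escapes)."""
    count = 0

    def repl(m):
        nonlocal count
        count += 1
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2), 8) & 0xFF
        return chr(code)

    return ESCAPE.sub(repl, body), count


def score_php(source):
    """Return (score, findings) for the text of one PHP file."""
    score, findings = 0, []
    for m in DQ_STRING.finditer(source):
        decoded, escaped = decode_escapes(m.group(1))
        if escaped == 0 or not decoded:
            continue  # ordinary string, nothing was hidden
        name = decoded.strip().lower()
        if name in SUSPICIOUS:
            # A callable name written as escapes has no benign reason to exist.
            score += 50
            findings.append(("hidden-function-name", name))
        elif len(decoded) >= 8 and escaped / len(decoded) > 0.5:
            score += 10
            findings.append(("mostly-escaped-string", decoded[:40]))
    return score, findings


# Constructed sample: the hex string is the one quoted in the ticket, the
# surrounding PHP is made up and does nothing.
SAMPLE = ('<?php $f = "\\x63\\x72\\x65\\x61\\x74\\x65\\x5f\\x66\\x75\\x6e'
          '\\x63\\x74\\x69\\x6f\\x6e"; $g = "hello\\n"; ?>')

if __name__ == "__main__":
    print(score_php(SAMPLE))
```

Signature tools that match on the literal function name miss this form because the name never appears in the file as plain text; decoding the string first is what makes it visible.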