#28886 PHP file scanner

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: n/a
PHP version: n/a
Admin Tools version: n/a

Latest post: Wednesday, 14 February 2018 17:17 CST

wbgraphics
Hi, I've scanned one of my client's websites with the Admin Tools file change scanner. Only one file was marked with threat score 100 (this file was 103571.php and it is attached in the ZIP file among others). I've checked the server log files and found out that there are more files like this one (also attached). I've found out that the scanner marked these files with threat score "0" or "1", and they contain this kind of line: "@include "\x2fv\x61r\x2fc\x68r\x6fo\x74/\x68o\x6de\x2fc\x6fn\x74e\x6et\x2f2\x37/\x396\x346\x392\x37/\x68t\x6dl\x2f0\x31w\x6fm\x65n\x6ff\x65x\x63e\x6cl\x65n\x63e\x2fl\x69b\x72a\x72i\x65s\x2ff\x6ff\x2fl\x65s\x73/\x66a\x76i\x63o\x6e_\x35c\x33b\x383\x2ei\x63o";" while this: "document.write(unescape(" gets threat score "10" and the file is marked as suspicious. Please see the attachment also for files that went "unnoticed". I've found them manually and do not know how many more there are, or whether there are any on my other websites. I would like to trust that the scanner will warn me about such files, which it failed to do. Is there any way to set up more rigorous scanning and threat scoring? Please help. Thank you.

Victor

nicholas
Akeeba Staff
Manager
There is indeed no rule for PHP includes. Using hex encoding to obfuscate the name of the included file is most certainly something that nobody up to anything good will be using. We will add a rule about this and we will release a new version of Admin Tools pretty soon - probably within the next week.

Your attachment, however, didn't make it since it contains a .php file and we've set up our site to reject such attachments. Can you please email it to me using the address nicholas at akeeba backup dot com?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
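The kind of rule Nicholas says will be added, written out as an added example that is not Admin Tools' own code: it decodes PHP double-quoted escapes (\xHH, octal, \u{...}) so the real include target becomes readable, scores any include/require whose path literal hides behind such escapes at 100, and, going one step beyond the ticket's case, also flags other string literals built mostly from hex/octal escapes (the same trick is used to hide eval() payloads and function names). The rule names, the score weights and the sample PHP file are constructed assumptions for illustration.

```python
"""Flag PHP include/require statements whose path is obfuscated with \\xHH or octal escapes.

Added example for this ticket, not Admin Tools code. Rule names, score weights and the
sample file below are assumptions chosen to illustrate the idea.
"""
import re
from dataclasses import dataclass
from typing import List

# PHP double-quoted escapes we resolve; unknown escapes stay literal, as in PHP itself.
_ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|u\{[0-9A-Fa-f]+\}|.)', re.DOTALL)
_SIMPLE = {'n': '\n', 't': '\t', 'r': '\r', 'v': '\v', 'f': '\f',
           'e': '\x1b', '\\': '\\', '"': '"', '$': '$'}

# include/require (optionally @-silenced, optionally parenthesised) with a double-quoted path.
_INCLUDE_RE = re.compile(
    r'@?\s*\b(include_once|require_once|include|require)\b\s*\(?\s*"((?:[^"\\]|\\.)*)"')
_DQ_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
_HEX_OR_OCT_RE = re.compile(r'\\(?:x[0-9A-Fa-f]{1,2}|[0-7]{1,3})')


def decode_php_double_quoted(body: str) -> str:
    """Return the runtime value of the inside of a PHP double-quoted literal."""
    def repl(m):
        esc = m.group(1)
        if esc[0] == 'x' and len(esc) > 1:
            return chr(int(esc[1:], 16))
        if esc[0] in '01234567':
            return chr(int(esc, 8) & 0xFF)   # PHP wraps octal values above 255
        if esc.startswith('u{'):
            return chr(int(esc[2:-1], 16))
        return _SIMPLE.get(esc, '\\' + esc)
    return _ESCAPE_RE.sub(repl, body)


@dataclass
class Finding:
    rule: str
    score: int
    snippet: str
    decoded: str


def scan_php_source(src: str) -> List[Finding]:
    """Run the two obfuscation rules over one file's contents (regex based, not a PHP tokenizer)."""
    findings: List[Finding] = []
    include_string_starts = set()

    # Rule 1: include/require whose path literal contains hex or octal escapes -> score 100 (assumed weight).
    for m in _INCLUDE_RE.finditer(src):
        body = m.group(2)
        include_string_starts.add(m.start(2))
        if _HEX_OR_OCT_RE.search(body):
            findings.append(Finding('hex-encoded-include-path', 100,
                                    m.group(0).strip(), decode_php_double_quoted(body)))

    # Rule 2: any other double-quoted literal with at least four escapes that make up
    # at least half of its decoded characters -> score 50 (assumed weight).
    for m in _DQ_STRING_RE.finditer(src):
        if m.start(1) in include_string_starts:
            continue
        body = m.group(1)
        escapes = _HEX_OR_OCT_RE.findall(body)
        decoded = decode_php_double_quoted(body)
        if len(escapes) >= 4 and 2 * len(escapes) >= len(decoded):
            findings.append(Finding('hex-encoded-string-literal', 50, m.group(0), decoded))
    return findings


def threat_score(src: str) -> int:
    """Highest score of any finding; 0 for a file that trips no rule."""
    return max((f.score for f in scan_php_source(src)), default=0)


# Constructed sample file: one benign include, one hex-escaped include path in the style
# of the ticket, and one hex-escaped function name. Not taken from a real infection.
SAMPLE_PHP = r'''<?php
include "libraries/import.php";
@include "\x2ft\x6dp\x2fc\x61c\x68e\x2ff\x61v\x69c\x6fn\x2ei\x63o";
$f = "\x73\x74\x72\x5f\x72ot13";
echo $f("uryyb");
'''

if __name__ == '__main__':
    for f in scan_php_source(SAMPLE_PHP):
        print(f'{f.score:3d} {f.rule:27s} {f.snippet!r} -> {f.decoded!r}')
    print('threat score:', threat_score(SAMPLE_PHP))
```

Decoding the literal is what makes the finding actionable: the sample's include resolves to a .ico path, which tells the responder where the actual PHP payload lives. Being regex based, the scanner can misread a double quote inside a comment or a single-quoted string, and it does not catch paths assembled with chr() or string concatenation; those would need separate rules or a real PHP tokenizer.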

wbgraphics
Thank you for your prompt response. I've sent you the requested files via email. Your mailbox rejected the HEX.php files, so I protected them with a password - included in the email.

nicholas
Akeeba Staff
Manager
Thank you for the files! I am adding detection code for these cases as well.

wbgraphics
Hi, I've sent you some PHP files with examples of obfuscated code that Admin Tools didn't detect as threats.
You wrote me that you would be releasing a new version (with new detection rules) very soon. That was a month ago.
Any changes on that? Please let me know. Thank you very much.

tampe125
Akeeba Staff
Hello,

I'm answering this ticket since Nicholas is currently unavailable.
We really wanted to release a new version, but the advent of Joomla 4 really messed up our plans. We're working hard to add support for the new version of Joomla (which basically changes everything in the backend), resulting in other projects being left behind.
That said, I think a new release will be published by the end of the month.

Thank you very much for your patience.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
