#26678 PHP scan creating security exceptions?

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: n/a
PHP version: n/a
Admin Tools version: n/a

Latest post by on Saturday, 07 January 2017 17:17 CST

PaulAndrew
Hi,
I created a cron job to run the PHP scanner for the first time ever, to run overnight. My site is hosted on GoDaddy Linux shared hosting.
In the morning there was no emailed status (I entered my email) and no entry in the PHP scanner logs. But there was a large number of new security exceptions, many of which are from the IP address that I do my admin work from. I'm concerned that I've unleashed something bad.

Your thoughts?

Paul

dlb
Paul,

The PHP File Scanner doesn't do anything except gather some data and produce a report. It never renames or quarantines files like an antivirus program would. If you're really short on disk space it is theoretically possible that it could use it all up with the data that it gathers in the database, but that is not a usual problem. So your scan has not done any harm.

What sort of exceptions are you seeing in the Security Exceptions Log? Are ALL of the exceptions from the same IP address? If they are all from the same address, that means there's a setting wrong.


Dale L. Brackin
Support Specialist

English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5) (Philadelphia, PA)

PaulAndrew
Correction: The exceptions coming from my own IP are likely from when I forgot my URL password.

But I am still curious about all the others. Nearly 80 occurred last night, when I had scheduled the PHP scan to run (I never got a log or email about those results).

Attached are lots of images that should help. Your thoughts are appreciated.

Thank you very much. I'm hoping to make use of most if not all of the Admin Tools features, as I'm getting attempted hacks frequently.

Paul

PaulAndrew
Here are two more attachments. (I was over your limit of attachments)

Thanks!

dlb
You seem to be getting a lot of repeat exceptions from the same IP addresses. You may want to review your auto ban settings to make sure they are tight enough. Looser settings let bad guys retry more; tighter settings catch good guys who can't type. It's a trade-off.

If you are using the jsn_metro_pro template you may need to set "Allow site templates" to yes in WAF. You're getting a lot of hits and they may be legitimate users, depending on the template and settings.

Do you have a component named something like "content history"? I see several hits on that too. These hacker scripts just try exploits blindly on sites. You frequently see the one for JCE that dates back to the J! 1.5 days. If you really have that component, we may need to investigate more to see if a real user is being blocked.

I can't see any reason why the scan would cause the hits on the log. It wouldn't be trying to log in, it just runs a particular program out of the cli folder, which is allowed. Do we know if the CRON job ran?


PaulAndrew
I will look at your suggestions when I get back to my desk. I don't know how to look for evidence of whether the Cron job ran or not. GoDaddy doesn't have any evidence and I don't know if the scanner sends an email if there are no errors. What do you think?
Thank you very much.

dlb
Unless your CRON job ends with ">null", the service itself usually sends a message. The redirect to null sends the output to never-never land, so you never see it. If your job does end like that, we need to take the redirect off so we get the output messages.


PaulAndrew
Hi Dale,

I was wrong, I didn't set a cron job to run that night like I thought. I had set it to run each Saturday at midnight (which hadn't happened yet). ;> The cron I use is: /usr/bin/php /home/fairfieldpros/public_html/FairfieldProfessionals/cli/admintools-filescanner.php

I did a "Scan Now" and am now reviewing the results. The first few are shown in this attachment. I assume the idea is that I should look through the High Threat ones and mark them safe if I know they're okay? Is there a simple method of looking them up somewhere?

I followed your advice and:

- Increased my rules for auto-ban repeat offenders (image attached).

- I do use the jsn_metro_pro template. I set "Allow site templates" and tested a few of those URLs flagged as exceptions. They're all "email page to a friend" forms that I do not have on my site. They must be attempted hacks, so I turned "Allow site templates" back off.

- The Content History component is standard with Joomla 3.x. I searched and found that it was found to have a vulnerability. So your exception reporting is doing well at stopping these.
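One way to run the scanner from cron without losing its output (a ">null"-style redirect throws the output away, which is why you cannot tell afterwards whether the job ran), added here as an example; this is not code from the ticket or from Admin Tools, and the paths, log file and RUN_SCANNER variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the ticket: a cron wrapper for the Admin Tools CLI
# scanner that keeps the scanner's output instead of discarding it, and
# records the exit status so you can tell afterwards whether the job ran.
# The three paths below are assumptions; point them at your own site.
PHP_BIN="${PHP_BIN:-/usr/bin/php}"
SCANNER="${SCANNER:-/home/example/public_html/cli/admintools-filescanner.php}"
LOG_FILE="${LOG_FILE:-/home/example/logs/filescanner.log}"

# run_logged LOGFILE CMD...: run CMD, append its stdout and stderr to LOGFILE
# between timestamped START/END markers, and return CMD's exit status.
run_logged() {
    logfile="$1"; shift
    mkdir -p "$(dirname "$logfile")"
    printf '%s START: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$logfile"
    # The if/else keeps a failing command from aborting the script under "set -e".
    if "$@" >> "$logfile" 2>&1; then
        status=0
    else
        status=$?
    fi
    printf '%s END status=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$status" >> "$logfile"
    return "$status"
}

# last_status LOGFILE: print the exit status of the most recent recorded run,
# or "none" if the log shows no completed run (i.e. cron never fired).
last_status() {
    [ -f "$1" ] || { echo none; return; }
    grep 'END status=' "$1" | tail -n 1 | sed 's/.*status=//' | grep . || echo none
}

# Run the scanner only when RUN_SCANNER=1 is set, e.g. from a crontab line for
# Saturday midnight (hypothetical path):
#   0 0 * * 6 RUN_SCANNER=1 /home/example/bin/scan.sh
# so that sourcing this file for testing does not start a scan.
if [ "${RUN_SCANNER:-0}" = "1" ]; then
    run_logged "$LOG_FILE" "$PHP_BIN" "$SCANNER"
fi
```

After the scheduled time, `last_status /home/example/logs/filescanner.log` prints "none" if cron never ran the job, "0" if the scanner finished cleanly, and the scanner's own non-zero exit status otherwise.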

dlb
You are exactly right, you need to examine the high risk ones and make a determination. There is no easy way. The computer can look for telltale signs, but it really can't see if it is dangerous. It's like spam emails, a human can spot them a mile off, but it is very difficult for the computer.

You can replace the flagged file with a fresh copy from the extension's distribution archive. But even that assumes that the distribution archive is clean and hasn't been tampered with. If you don't program in PHP, reading the files is like reading a book in a language you don't speak. You can see the words but you don't really understand them. If you come to a section that is just gibberish, like a binary file, that is a warning sign. Someone is trying to hide something. Once again, it is not always bad. We use that technique in Admin Tools' files to hide the virus signatures that we use. They need to be there to flag infected files, but hosts' virus checkers kept flagging our files as infected so we hid them. Evaluating the flagged files is a judgement call.

The first one is the worst. After that, you only have updates to worry about and the volume is much lower.


PaulAndrew
That first flagged php is "libraries/joomla/google/embed/analytics.php" which is, or seems to be, google analytics code. I guess I can't just assume that if it says "google" it must be safe.... I'll search around.

Your help has been wonderful. Thank you very much!

dlb
You're welcome!


System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
