#31877 PHP file change scanner - interpreting results after running for the first time

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by on Sunday, 17 November 2019 17:17 CST

[email protected]
I have just installed Admin Tools and run the PHP file scanner for the first time. I have read the documentation on the scanner and I still don't understand how to interpret the results.
There are 90 possible threats reported. The one with the highest score (300) is:
libraries/vendor/simplepie/simplepie/library/SimplePie/Misc.php
I am not a power user, so in simple terms, how can I find out whether the change to this file is a threat or not?

nicholas
Akeeba Staff
Manager
The PHP File Change Scanner's results are meant to be interpreted from the second run onwards. The whole concept of this feature is that PHP files may be added or changed in one of two ways: 1. because you did that yourself (e.g. upgraded Joomla and / or its extensions) or 2. you got hacked.

The first scan is meant to provide a baseline for your site, i.e. the initial state against which the second and later scans will be compared.

When you take the first scan you need to be fairly certain that your site is "clean". If your site does not exhibit any unintentional behavior you can be fairly certain that this is the case. So go ahead and mark all files with a non-zero Threat Score as safe.

The next scans should show no changes to your files. If a .php file appears as changed or added the Threat Score will help you understand how likely it is for the file to be malicious. Chances are that in most sites you won't see any such changes.

Then you will eventually need to upgrade Joomla or one of its extensions. First take a scan. You should see no changes. Upgrade Joomla and / or its extensions. Immediately run another scan. Right now you can be sure that all of the changed and added files happened as a result of your upgrade action. So go ahead and mark all files with a non-zero Threat Score as safe.

As you may have gathered by now, you only need to worry about changed / added files in the scans you take between subsequent upgrades to Joomla and / or its extensions. The idea is that if you didn't upgrade something there should be no reason for .php files to magically appear or be modified. Some extensions may do that, though -- for example, when you enable the settings encryption in Akeeba Backup it does generate a .php file with the encryption key. That's why you have the Threat Score, to help you understand if the unexpected new or modified file is safe or not.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
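
The baseline-then-compare workflow described in the reply above, as an added example that is not part of the ticket and is not Admin Tools' own code. It assumes changes are detected by comparing SHA-256 digests and it does not compute a Threat Score; the function names and the temporary site tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(site_root):
    """Map each .php file's path (relative to site_root) to its SHA-256 digest."""
    root = Path(site_root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.php")) if p.is_file()
    }


def compare(baseline, current):
    """Return the .php files added, modified or removed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(f for f in current if f in baseline and current[f] != baseline[f]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Walk the workflow on a constructed throwaway site tree."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "libraries").mkdir()
        (site / "index.php").write_text("<?php echo 'home';")
        (site / "libraries" / "feed.php").write_text("<?php // v1")

        baseline = snapshot(site)                  # first scan: baseline only
        quiet = compare(baseline, snapshot(site))  # later scan, nothing touched

        # Planned upgrade: scan right after it, then accept the result as the new baseline.
        (site / "libraries" / "feed.php").write_text("<?php // v2")
        after_upgrade = snapshot(site)
        upgrade = compare(baseline, after_upgrade)
        baseline = after_upgrade                   # the "mark as safe" step

        # A .php file that appears with no upgrade in between needs review.
        (site / "images").mkdir()
        (site / "images" / "cache.php").write_text("<?php // constructed placeholder")
        unexpected = compare(baseline, snapshot(site))
        return quiet, upgrade, unexpected


if __name__ == "__main__":
    for label, result in zip(("quiet", "upgrade", "unexpected"), demo()):
        print(label, result)
```

Only the last comparison reports a file that no upgrade explains, which is the case the reply says to examine.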
