joomla/jedchecker
33
2
Fork 0
mirror of https://github.com/joomla-extensions/jedchecker.git synced 2024-12-29 04:42:36 +00:00
Code Issues Releases Activity

Merge PR #106 into develop

Browse Source
This commit is contained in:
Llewellyn van der Merwe 2021-09-01 10:28:08 +02:00
commit f436afc2b8
Signed by: Llewellyn
GPG Key ID: EFC0C720A240551C
2 changed files with 35 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
administrator/components/com_jedchecker/libraries/rules/jamss.ini
View File

@ -19,4 +19,4 @@ fileExt="php|php3|php4|php5|phps|html|htaccess|gif"
; These format the output: ; These format the output:
code="<span class='jamss_tooltip code' title='%s'>code</span>&nbsp;" code="<span class='jamss_tooltip code' title='%s'>code</span>&nbsp;"
info="<span class='jamss_tooltip info' title='%s'>info</span>&nbsp;" info="<span class='jamss_tooltip info badge bg-warning me-1 mb-1' title='%s' data-bs-toggle="tooltip">?</span> "

50
administrator/components/com_jedchecker/libraries/rules/jamss.php
View File

@ -15,6 +15,9 @@ defined('_JEXEC') or die('Restricted access');
// Include the rule base class // Include the rule base class
require_once JPATH_COMPONENT_ADMINISTRATOR . '/models/rule.php'; require_once JPATH_COMPONENT_ADMINISTRATOR . '/models/rule.php';
// Include the helper class
require_once JPATH_COMPONENT_ADMINISTRATOR . '/libraries/helper.php';
/** /**
* JedcheckerRulesJamss * JedcheckerRulesJamss
* *
@ -111,13 +114,13 @@ class JedcheckerRulesJamss extends JEDcheckerRule
$jamssStrings .= 'phpremoteview|directmail|bash_history|multiviews|cwings|vandal|bitchx|'; $jamssStrings .= 'phpremoteview|directmail|bash_history|multiviews|cwings|vandal|bitchx|';
$jamssStrings .= 'eggdrop|guardservices|psybnc|dalnet|undernet|vulnscan|spymeta|raslan58|'; $jamssStrings .= 'eggdrop|guardservices|psybnc|dalnet|undernet|vulnscan|spymeta|raslan58|';
$jamssStrings .= 'Webshell|str_rot13|FilesMan|FilesTools|Web Shell|ifrm|bckdrprm|'; $jamssStrings .= 'Webshell|str_rot13|FilesMan|FilesTools|Web Shell|ifrm|bckdrprm|';
$jamssStrings .= 'hackmeplz|wrgggthhd|WSOsetcookie|Hmei7|Inbox Mass Mailer|HackTeam|Hackeado'; $jamssStrings .= 'hackmeplz|wrgggthhd|WSOsetcookie|Hmei7|Inbox Mass Mailer|HackTeam|Hackeado|';
$jamssStrings .= 'Janissaries|Miyachung|ccteam|Adminer|OOO000000|$GLOBALS|findsysfolder'; $jamssStrings .= 'Janissaries|Miyachung|ccteam|Adminer|OOO000000|$GLOBALS|findsysfolder';
// These patterns will be used if GET parameter ?deepscan=1 is set while calling jamss.php file // These patterns will be used if GET parameter ?deepscan=1 is set while calling jamss.php file
$jamssDeepSearchStrings = 'eval|base64_decode|base64_encode|gzdecode|gzdeflate|'; $jamssDeepSearchStrings = 'eval|base64_decode|base64_encode|gzdecode|gzdeflate|';
$jamssDeepSearchStrings .= 'gzuncompress|gzcompress|readgzfile|zlib_decode|zlib_encode|'; $jamssDeepSearchStrings .= 'gzuncompress|gzcompress|readgzfile|zlib_decode|zlib_encode|';
$jamssDeepSearchStrings .= 'gzfile|gzget|gzpassthru|iframe|strrev|lzw_decompress|strtr'; $jamssDeepSearchStrings .= 'gzfile|gzget|gzpassthru|iframe|strrev|lzw_decompress|strtr|';
$jamssDeepSearchStrings .= 'exec|passthru|shell_exec|system|proc_|popen'; $jamssDeepSearchStrings .= 'exec|passthru|shell_exec|system|proc_|popen';
// The patterns to search for // The patterns to search for
@ -313,6 +316,8 @@ class JedcheckerRulesJamss extends JEDcheckerRule
} }
else else
{ {
$content = JEDCheckerHelper::cleanPhpCode($content, JEDCheckerHelper::CLEAN_COMMENTS);
// Do a search for fingerprints // Do a search for fingerprints
foreach ($patterns As $pattern) foreach ($patterns As $pattern)
{ {
@ -346,18 +351,34 @@ class JedcheckerRulesJamss extends JEDcheckerRule
{ {
$count++; $count++;
if (is_array($pattern))
{
// Then it has some additional comments
foreach ($all_results as $match) foreach ($all_results as $match)
{ {
// Output the line of malware code, but sanitize it before // Output the line of malware code, but sanitize it before
// The offset is in $match[1] // The offset is in $match[1]
$first_code = substr($content, $match[1], 200); $offset = $match[1];
$first_line = $this->calculate_line_number($match[1], $content); // Note: negative 3rd argument is used for right-to-left search
$start = strrpos($content, "\n", -(strlen($content) - $offset));
if ($start === false)
{
$start = 0;
}
$end = strpos($content, "\n", $offset);
if ($end === false)
{
$end = strlen($content);
}
$first_code = substr($content, $start, min($end - $start, 200));
$first_line = $this->calculate_line_number($offset, $content);
break; break;
} }
if (is_array($pattern))
{
// Then it has some additional comments
$this->jamssWarning( $this->jamssWarning(
$path, $path,
JText::_('COM_JEDCHECKER_ERROR_JAMSS_PATTERN') . "#$pattern[2] - $pattern[1]", JText::_('COM_JEDCHECKER_ERROR_JAMSS_PATTERN') . "#$pattern[2] - $pattern[1]",
@ -369,16 +390,6 @@ class JedcheckerRulesJamss extends JEDcheckerRule
else else
{ {
// It's a string, no comments available // It's a string, no comments available
$first_content = "";
foreach ($all_results as $match)
{
// Output the line of malware code, but sanitize it before
$first_code = substr($content, $match[1], 200);
$first_line = $this->calculate_line_number($match[1], $content);
break;
}
$this->jamssWarning( $this->jamssWarning(
$path, $path,
JText::_('COM_JEDCHECKER_ERROR_JAMSS_STRING') . $pattern, JText::_('COM_JEDCHECKER_ERROR_JAMSS_STRING') . $pattern,
@ -429,8 +440,7 @@ class JedcheckerRulesJamss extends JEDcheckerRule
*/ */
private function jamssWarning($path, $title, $info, $code, $line) private function jamssWarning($path, $title, $info, $code, $line)
{ {
$info = !empty($info)?sprintf($this->params->get('info'), htmlentities($info, ENT_QUOTES)):""; $info = !empty($info) ? sprintf($this->params->get('info'), htmlentities($info, ENT_QUOTES)) : '';
$code = !empty($code)?sprintf($this->params->get('code'), htmlentities($code, ENT_QUOTES)):""; $this->report->addWarning($path, $info . $title, $line, $code);
$this->report->addWarning($path, $info . $code . $title, $line);
} }
} }