btoplak / Joomla-Anti-Malware-Scan-Script--JAMSS-

A Joomla! and WordPress security script that automatically scans Joomla! or WordPress files for patterns and "fingerprints" of malware, trojans, or other injections into PHP code.

False Positives #7

Closed kenetik closed 9 years ago

kenetik commented 9 years ago

919 suspicious spots on a clean/fresh install of 3.3.6.

We found 919 suspicious malware code spots in 271 different files! Please analyze the results and interpret them according to README file. Scanning time was 35.7612330914 sec!

chris001 commented 9 years ago

I've also seen many false positives on clean joomla 2.5 and 3.x sites. The patterns and pattern matching code used by JAMSS probably could use an update, to reduce or eliminate the false positives...

btoplak commented 9 years ago

Hi @kenetik and @chris001,

thanks for your time to leave your feedback.

If you take a closer look at the Readme text, you will notice warnings that there are expected false positives. JAMSS is, at least in this version 1.x, intended to be a scanner for suspicious code snippets in a heuristic fashion. False positives are normal and should be expected. Some legitimate core files are constructed in the same way as some (possible) malware is. Restricting patterns could easily lead to false negatives, as the present heuristic approach enables us to identify currently unknown malware (in contrast to many "file hash" based scanners).

So, this tool is intended for users with some basic PHP knowledge, sufficient to recognize and identify false positives from real threats.

Version 2 will include a hash white-listing feature, which will prevent core files from being flagged as suspicious. But for that we need to make a database of all core files of all Joomla versions up until now. I started doing that, but there is still a lot of time until that will be production-ready.

kenetik commented 9 years ago

Hey @btoplak

Thanks for your time to reply and explain. Certainly appreciate the efforts and I can understand the difficulties and time consumed by your 'version 2' feature. I've started working on a similar project for WordPress, and we're talking 62034 inodes. =/ Further, I haven't been able to find a copy of every release of Joomla. Are you familiar with a repository containing this?

robwent commented 9 years ago

You can find all Joomla versions at the joomlacode site: http://joomlacode.org/gf/project/joomla/frs/?action=index It's possible to find all releases there, e.g.: http://joomlacode.org/gf/project/joomla/frs/?action=FrsReleaseBrowse&frs_package_id=5241

chris001 commented 9 years ago

If it'd be helpful, you should have a look at other Joomla-based file modification detector extensions/components, which calculate the hash of all the core Joomla files, compare it to the expected value, and warn the Joomla admin when it differs. See how their code does it, and with that understanding, see if you can implement it more quickly, or improve on it. One extension is by Sourcecoast, called Version Verification Tool. The second is RSFirewall. RSJoomla actually even has a public download server that offers the hashes of all Joomla versions. I don't know whether they would welcome other applications downloading their Joomla core file hash databases, but maybe yes for this open source project, because fighting Joomla PHP malware is purely in the interest of the public good; less malware benefits the entire internet community. Here's the link to RSFirewall's changelog mentioning the feature: https://www.rsjoomla.com/support/documentation/view-article/219-rsfirewall-changelog.html Here's the link to Version Verification Tool: https://www.sourcecoast.com/index.php?option=com_ars&view=release&Itemid=250

btoplak commented 9 years ago

File hash comparing functionality has already been implemented in JAMSS for a long time, but it's not used for Joomla as there is no final and trusted hash source (that I know of). @chris001 thanks for pointing out RSFirewall, I will take a look into this. For WordPress, hashes are available through their official API, and @szepeviktor implemented a patch 7b5678f6c69fb58497735949bc048173c91d6b38 to JAMSS that enables WordPress scanning with md5 core checks. @robwent unfortunately not all Joomla versions are present in a single place anymore. I also thought so, but it's not so easy. Older Joomla 1.0 versions are hard to dig out, some flawed release versions even harder. But I managed to gather them all on my hard drive (two sleepless nights with deep web-search, SVN deep-diving and repackaging involved). The problem is that I have had no free time in the last months, as I am over-occupied with a project bringing some cash to my pockets. Anyway, maybe this winter season will leave me some time to implement everything into an alpha/beta 2.x release...
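The two mechanisms discussed in this thread, heuristic pattern matching (which produces the false positives reported above) and a known-good hash list for core files (the planned white-listing, and what the WordPress md5 core check does), can be combined so that a core file whose hash matches the manifest has its heuristic hits recorded but not reported, while a core file with a mismatching hash is always reported and a non-core file is reported only when a heuristic fires. The following is an added example written for this page; it is not JAMSS code, the pattern list is a small constructed sample rather than the project's own, and the fixture files and the checksum map are constructed in a temporary directory so the script runs offline. The checksum map is assumed to have the shape `{relative_path: md5_hex}`, which is also the shape a WordPress core checksum manifest has.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample heuristics in the spirit of a JAMSS-style scanner (not its real list).
# "base64_decode_call" is deliberately noisy: it is exactly the kind of rule that hits
# legitimate core code, which is why a hash white-list is needed alongside it.
HEURISTIC_PATTERNS = {
    "eval_of_decoded_payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "base64_decode_call": re.compile(r"\bbase64_decode\s*\(", re.I),
}


def md5_file(path):
    """md5 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path):
    """Return [(pattern_name, line_number), ...] for every heuristic match in the file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    hits = []
    for name, pattern in HEURISTIC_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((name, text.count("\n", 0, m.start()) + 1))
    return hits


def scan_tree(root, core_checksums):
    """Classify every .php file under root against the core checksum map:
       core-ok        path is in the manifest and the md5 matches (hits kept, not reported)
       core-modified  path is in the manifest but the md5 differs (always reported)
       unknown        path is not in the manifest (reported only if heuristics hit)
    """
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        digest = md5_file(path)
        expected = core_checksums.get(rel)
        if expected is None:
            status = "unknown"
        elif expected == digest:
            status = "core-ok"
        else:
            status = "core-modified"
        results[rel] = {"status": status, "md5": digest, "hits": scan_file(path)}
    return results


def findings(results):
    """Reduce raw results to the files a human should actually review, with the reason."""
    out = {}
    for rel, r in results.items():
        if r["status"] == "core-modified":
            out[rel] = "core file hash mismatch"
        elif r["status"] == "unknown" and r["hits"]:
            names = ", ".join(sorted({name for name, _ in r["hits"]}))
            out[rel] = "non-core file with heuristic hits: " + names
    return out


# Constructed fixtures. 'PLACEHOLDER' stands in for any encoded string; no payload is used.
CLEAN_CORE = (
    "<?php\n"
    "// constructed: legitimate core helper that decodes a stored config blob\n"
    "function load_config($blob) {\n"
    "    return json_decode(base64_decode($blob), true);\n"
    "}\n"
)
CLEAN_LOADER = (
    "<?php\n"
    "// constructed: legitimate core loader\n"
    "function load_class($name) {\n"
    "    require_once __DIR__ . '/' . $name . '.php';\n"
    "}\n"
)
INJECTED_LINE = "eval(base64_decode('PLACEHOLDER'));\n"
UNKNOWN_FILE = "<?php\n// constructed: file outside the manifest\n$blob = base64_decode('PLACEHOLDER');\n"
QUIET_FILE = "<?php\n// constructed: harmless template override\necho 'hello';\n"


def run_demo():
    """Build the fixture tree, scan it, and return (raw results, reportable findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "libraries").mkdir()
        (root / "images").mkdir()
        (root / "templates").mkdir()
        (root / "libraries" / "helper.php").write_text(CLEAN_CORE)
        (root / "libraries" / "loader.php").write_text(CLEAN_LOADER + INJECTED_LINE)
        (root / "images" / "cache.php").write_text(UNKNOWN_FILE)
        (root / "templates" / "custom.php").write_text(QUIET_FILE)
        # The manifest lists the pristine core files, as a release checksum list would.
        core_checksums = {
            "libraries/helper.php": hashlib.md5(CLEAN_CORE.encode()).hexdigest(),
            "libraries/loader.php": hashlib.md5(CLEAN_LOADER.encode()).hexdigest(),
        }
        results = scan_tree(root, core_checksums)
        return results, findings(results)


if __name__ == "__main__":
    for rel, reason in run_demo()[1].items():
        print(rel, "->", reason)
```

Running it reports only `libraries/loader.php` (hash mismatch against the manifest) and `images/cache.php` (non-core file with a heuristic hit); `libraries/helper.php` still matches the noisy `base64_decode` rule, but because its md5 is in the manifest the hit is recorded and suppressed, which is the false-positive reduction the white-list is meant to deliver. The manifest only helps for the release it describes, so in practice one map per version (and per locale, for WordPress) is needed, which is the data-gathering burden mentioned above.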

kenetik commented 9 years ago

All sounds good, feel free to close out this issue.

btoplak commented 9 years ago

Sure, thanks @kenetik. Stay tuned for future versions.