Joomla! (and Wordpress) Anti-Malware Scan Script (JAMSS)

The Joomla! (and Wordpress) Anti-Malware Scan Script is a self-service script that will be continually programmed to assist all Joomla! owners to check their Joomla! installation for various website-malware. The script currently uses RegEx fingerprint patterns to identify the most common fingerprints, traces and indices that some files have/could've be compromised.

This script still doesn't do any cleanup on its own, it's only informative about some suspicious code in your Joomla! installation.

This script is far from being 100% accurate. It has just a few patterns at this moment, and the false-positives are very well to be expected. So you may only use it wisely and with caution. I do not take any resposibility for any damages you might suffer by following some advices or results of this script.

Usage instructions

The usage is pretty simple and straightforward:

• upload jamss.php to the webroot of your hosting account
• open the scanner file in your browser using URL like this http://www.your-joomla-site.com/jamss.php
• the script will run for several seconds, maybe even minutes, depending on number of your files and load on your webserver

DeepScan If you want to perform a "deep scan", which may detect more recent/unknown versions of PHP malware you can pass the deepscan=1 parameter. That will search files for PHP functions known to be used for malicious scripts.

Eg. http://www.your-joomla-site.com/jamss.php?deepscan=1

Interpreting the results:

0) The script might take up to minute or two to scan and finish if your server is under heavy load, or you have many files, so lean back and wait a moment. 0) The script inspects code contained within files and tries to identify possible malicious code in it using many fingerprints of known malware. 1) Once the script has finished running it will produce and display a report for review, and (as warned before) will likely produce also "false positives" that must be interpreted in order to determine if any particular result is a possible hijacked file. 2) For each potential issue, the report will list the path to the file in question, the pattern (and pattern internal number) that the file matched to, short description what this code could be doing, and the general area within the file that matched the pattern. If there is any question about a file(s) identified as possibly having an issue, the file(s) should be downloaded and inspected to determine if there is an issue with the file:

• if suspected file exists in original Joomla or used extensions files (download all ZIP/TAR.XX packages and check it), then replace the file with the file of corresponding Joomla! version (the same you have running)
• even better - Properly clean your complete Joomla webdir with fresh Joomla files following the information and recommendations in the security forums http://forum.joomla.org/viewtopic.php?f=621&t=582854
• if the suspected file(s) does/do not exist in original Joomla full installation files or the installed extensions files, then move the file(s) to a secure new folder (preferably: password-protected folder or push later to archive so the hacker has less chance of accessing it), and then delete it completely once it is determined it is a hack file and not needed for your Joomla site.

DISCLAIMER !!!

• THIS SCRIPT IS NOT A "ONE-CLICK" CURE
• go to official Joomla Forum and Joomla Documentation/Wiki to find help and the suggested documented steps and proceedings when your Joomla has been hacked
• it is intended just as a quick help in fast search and identification of POSSIBLY corrupted files in you webdir
• this code doesn't change anything on your site, and doesn't remove vulnerabilities you might have - you have to do it all by yourself (if you know what you're doing)
• don't simply go and delete all files it identifies, you might break your Joomla
• this script gives out many false-positive files, as it is not "ironed out" yet, so be cautious
• this script is intended for people with some degree of understanding of PHP code
• a fast and probably safe tip for your proceeding with cleanup (after gathering all evidence for later log's investigation) would be:
  • if suspected file exists in original Joomla or extensions files (download ZIP/TARx package and check), then replace the file with the file of corresponding Joomla version (the same you have running)
  • even better - rewrite your complete Joomla webdir with fresh Joomla files (except /installation dir) of corresponding version (the same you have running, or doing upgrade to newest version)
  • if suspected file doesn't exist in original Joomla or extensions files = backup the file in a secure new folder (preferably: password-protected folder or push later to archive), and then delete it completely
• the script is NOT approved, tested or verified by Joomla team, forum team, security team or anyone else - it's given just as a possible assistant tool
• I issue NO WARRANTY for the script and you use it at your own risk
• the contact point for all your further questions and discussions about the bugs and development of the script is GitHub
• any comments and suggestions are welcome

Status

BETA - This is a "work in progress" so let me know if you have any problems, found bug, have questions or wish to help in some way.

Further reading - useful links

• http://forum.joomla.org
• http://forum.joomla.org/viewtopic.php?f=621&t=582854
• http://docs.joomla.org/Vulnerable_Extensions_List
• http://docs.joomla.org/Security_Checklist_7