btoplak / Joomla-Anti-Malware-Scan-Script--JAMSS-

A Joomla! and WordPress security script that automatically scans Joomla! or WordPress files for patterns and "fingerprints" of malware, trojans or other injections into PHP code.

Joomla! (and WordPress) Anti-Malware Scan Script (JAMSS)


The Joomla! (and WordPress) Anti-Malware Scan Script is a self-service script that will be continually developed to help all Joomla! owners check their Joomla! installation for various website malware. The script currently uses RegEx fingerprint patterns to identify the most common fingerprints, traces and indications that some files have been, or could have been, compromised.

This script does not yet do any cleanup on its own; it only informs you about suspicious code in your Joomla! installation.

This script is far from being 100% accurate. It has just a few patterns at this moment, and false positives are very much to be expected, so use it wisely and with caution. I do not take any responsibility for any damages you might suffer by following the advice or results of this script.


Usage instructions

The usage is pretty simple and straightforward:

DeepScan

If you want to perform a "deep scan", which may detect more recent or unknown versions of PHP malware, you can pass the deepscan=1 parameter. That will search files for PHP functions known to be used in malicious scripts.

E.g. http://www.your-joomla-site.com/jamss.php?deepscan=1


Interpreting the results:

0) The script might take up to a minute or two to scan and finish if your server is under heavy load or you have many files, so lean back and wait a moment.

0) The script inspects the code contained within files and tries to identify possible malicious code in it using many fingerprints of known malware.

1) Once the script has finished running, it will produce and display a report for review and (as warned before) will likely also produce "false positives" that must be interpreted in order to determine whether any particular result is a possibly hijacked file.

2) For each potential issue, the report will list the path to the file in question, the pattern (and the pattern's internal number) that the file matched, a short description of what this code could be doing, and the general area within the file that matched the pattern. If there is any question about a file(s) identified as possibly having an issue, the file(s) should be downloaded and inspected to determine if there is an issue with the file:
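A minimal sketch of the scanning approach and report fields described above, added here as an illustration and not JAMSS's own code: numbered regex fingerprints plus an optional deep-scan pass over function names, run against sample files that include one false positive. The patterns, the function list and the sample files are all constructed for this example, and Python is used instead of PHP so the sketch runs offline.

```python
import re

# Constructed fingerprints (number, regex, description); NOT the JAMSS pattern list.
FINGERPRINTS = [
    (1, re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
     "eval() of base64-decoded data"),
    (2, re.compile(r"\b(eval|assert|system|passthru)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
     "request input passed straight to a code/command sink"),
]
# Constructed deep-scan list: functions that are common in malware but also in legitimate code.
DEEPSCAN = re.compile(r"\b(base64_decode|gzinflate|str_rot13|shell_exec)\s*\(", re.I)

def row(path, pattern, desc, text, m, context=30):
    """Build one report row: path, pattern number, description, line, matched area."""
    return {
        "path": path,
        "pattern": pattern,
        "description": desc,
        "line": text.count("\n", 0, m.start()) + 1,
        "area": text[max(0, m.start() - context):m.end() + context].strip(),
    }

def scan(files, deepscan=False):
    """files maps path -> source text. Returns report rows in scan order."""
    report = []
    for path, text in files.items():
        for num, rx, desc in FINGERPRINTS:
            report += [row(path, num, desc, text, m) for m in rx.finditer(text)]
        if deepscan:  # broader and noisier: expect false positives
            report += [row(path, "deep", f"uses {m.group(1)}()", text, m)
                       for m in DEEPSCAN.finditer(text)]
    return report

# Constructed sample files: one injected, one legitimate use of base64_decode, one clean.
SAMPLES = {
    "images/cache.php": '<?php\n@eval(base64_decode("ZWNobyAxOw=="));\n',
    "libraries/mail.php": '<?php\n// decode an e-mail attachment\n$body = base64_decode($part->data);\n',
    "index.php": '<?php\necho "Hello";\n',
}

if __name__ == "__main__":
    for r in scan(SAMPLES, deepscan=True):
        print(f'{r["path"]}:{r["line"]} [#{r["pattern"]}] {r["description"]}\n    {r["area"]}')
```

With the deep scan enabled, `libraries/mail.php` is reported even though it only decodes an attachment, which is the kind of false positive that has to be resolved by inspecting the file.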

DISCLAIMER !!!


Status

BETA - This is a "work in progress", so let me know if you have any problems, found a bug, have questions or wish to help in some way.


Further reading - useful links