Monday 30 June 2014

Script for detecting malicious injected script in Joomla databases

Many malicious individuals exploit loopholes in forms on your website to try to gain control of your website, using it as a zombie to send out spam mails, or for other malevolent purposes.

Such scripts are often stored and hidden deep in your Joomla database, but the problem is finding them, which can take a great deal of time. Once you have found them, you can gain valuable information about any vulnerabilities you might have on your website and correct your website accordingly.

The problem is, there don't seem to be that many (free) facilities out there for scanning your website database, so I thought I'd write a very simple script to do just this. Please note, you also need to have the Jumi application installed for it to work properly (though with some modifications you might be able to run it as a standalone PHP script).

Instructions:

  1. Open up the Jumi component
  2. Create a new application
  3. Copy the code below into the code window
  4. Save the application
  5. Add the application to one of your menus (assigning it as only executable by admin if necessary)
  6. Run the application from the front end by clicking on the menu point

The program is extremely basic, and will only provide the record number in the database, providing that the first column of the table being scanned contains a unique numeric identifier for the record (most, but not all, do).

Depending on interest, I may try to improve it, perhaps with hyperlinks from the record numbers to display a JavaScript popup containing the questionable code, but for now, this shall do.

In any case, it should help you detect if you have any hidden problems on your website. You can also use it to run general string searches on your website, if, for example, you need to globally change any phone numbers etc.

Here is the code:

<?php

/* A short script for detecting site injections, or generally searching for specific
   strings, in your entire database. If you have Jumi for Joomla, simply create a new Jumi
   application from the Jumi Component, paste this code into the code window, save it, and
   assign this application to a menu so you can run it from the front end of your site.
   This is a very basic script slapped up in a couple of hours, and is only intended to
   help those who may be looking for problems in their database. I make no guarantees,
   and users use it at their own risk.
   Copyright 2014 Dr. Julian P. Keogh  www.dr-julian-keogh.de
*/

// The search form
echo '
<h3>Injected code detector:</h3>
<form name="variable" action="" method="post">
Use this form to sniff out nasty script injections in your Joomla database. Search for terms such as php, script or eval, which are often used by miscreants to create general havoc on your website.
<p>
This script searches each field of each table for the string, and then returns the first column value if a match is found (usually, but not always, the record number in your database).
<p>
Enter the string to search for below:
<br>
<input type="text" name="varname" size="40" maxlength="40" value=""><br>
<input type="submit" name="findstring" value="Search for string">
</form>
';

// Once the form is submitted, the page reloads and the scan below runs
if (isset($_POST['findstring'])) {

    $varname = isset($_POST['varname']) ? (string) $_POST['varname'] : '';

    if ($varname === '') {
        echo 'Please enter a string to search for.';
    } else {
        echo 'Results<br>';

        // One database object is enough (Joomla 2.5/3.x database API); the old "=&"
        // reference assignment of a function result is deprecated in PHP 5.3+.
        $db     = JFactory::getDbo();
        $tables = $db->getTableList();

        // Escape the term (including the LIKE wildcards % and _) and quote it once, so
        // MySQL receives it as a literal string and it cannot alter the query.
        $pattern = $db->quote('%' . $db->escape($varname, true) . '%', false);

        foreach ($tables as $table) {
            // Column definitions for this table; the column name is in the "Field" key
            $db->setQuery('SHOW COLUMNS FROM ' . $db->quoteName($table));
            $columns = $db->loadAssocList();

            foreach ($columns as $column) {
                $field = $column['Field'];

                // Look for the term in this column; loadRowList() runs the query itself
                $db->setQuery('SELECT * FROM ' . $db->quoteName($table)
                    . ' WHERE ' . $db->quoteName($field) . ' LIKE ' . $pattern);
                $rows = $db->loadRowList();

                // Nothing in this column contains the string: move on to the next column
                if (empty($rows)) {
                    continue;
                }

                // Print the table, the column and the first column value of each hit.
                // Everything is HTML-escaped: a hit is, by definition, data someone else put there.
                echo htmlspecialchars($table . ' ' . $field, ENT_QUOTES, 'UTF-8')
                    . '<br><span style="color:red">';
                foreach ($rows as $row) {
                    echo htmlspecialchars((string) $row[0], ENT_QUOTES, 'UTF-8') . ' ';
                }
                echo '</span><p>';
            }
        }
    }
}
?>
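As an added example (not the post's script), the same table-by-table LIKE scan written in Python against an in-memory SQLite database standing in for Joomla's MySQL tables, with the search term passed as a bound parameter and the LIKE wildcards escaped so the term cannot alter the query. The jos_content and jos_users tables, and the injected row in them, are constructed for the demonstration.

```python
import sqlite3

# Terms the post suggests hunting for; they rarely appear in legitimate content.
DEFAULT_TERMS = ("<script", "eval(", "base64_decode(")

def escape_like(term):
    """Escape LIKE wildcards so a user-supplied term is matched literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def quote_ident(name):
    """Quote a table or column name for SQLite (MySQL would use backticks)."""
    return '"' + name.replace('"', '""') + '"'

def scan_database(conn, terms=DEFAULT_TERMS):
    """Check every column of every table for each term; return one
    (table, column, first_column_value, term) tuple per matching row."""
    hits = []
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()]
    for table in tables:
        columns = [r[1] for r in cur.execute(
            "PRAGMA table_info(%s)" % quote_ident(table)).fetchall()]
        for column in columns:
            # Identifiers come from the catalogue; the term is a bound parameter.
            # As in the post, the first column (usually the record id) is reported.
            sql = "SELECT %s FROM %s WHERE %s LIKE ? ESCAPE '\\'" % (
                quote_ident(columns[0]), quote_ident(table), quote_ident(column))
            for term in terms:
                pattern = "%" + escape_like(term) + "%"
                for (record_id,) in cur.execute(sql, (pattern,)).fetchall():
                    hits.append((table, column, record_id, term))
    return hits

def build_sample_db():
    """Constructed stand-in for a Joomla database with one injected article."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE jos_content (id INTEGER PRIMARY KEY, title TEXT, introtext TEXT);
        CREATE TABLE jos_users (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        INSERT INTO jos_content VALUES
            (1, 'Welcome', '<p>Hello world</p>'),
            (2, '100% organic', '<p>Our products</p>'),
            (3, '100 things to do', '<p>List</p><script>eval(/* injected */)</script>');
        INSERT INTO jos_users VALUES (42, 'admin', 'admin@example.com');
    """)
    return conn

if __name__ == "__main__":
    for table, column, record_id, term in scan_database(build_sample_db()):
        print("%s.%s record %s contains %r" % (table, column, record_id, term))
```

Searching for "100%" finds only record 2, not "100 things to do", which is the difference the wildcard escaping makes.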