Script to find files following acymailing vulnerability: Page 2

Script to find files following acymailing vulnerability

Dax

@joomleb The v8.7.1 has been released 13 days ago, the script didn't exist yet.
I'm preparing a v8.7.2 that will use it but it takes a bit more time to do and test than sharing the code here.

joomleb

Dax Thank you

A - Would be good to add here (and in the Blog Article) for the download the "new" listing.php file

B - Would be good also to show a "Success" message when no auspicious infected files are not detected (so we know the script is running)

gatomadrid

I added the lines as indicated i´ve got a blank page.

i delete these lines:

if (!empty($lastSlashPos) && strpos($oneFileName, ACYM_UPLOAD_FOLDER_THUMBNAIL) !== false && preg_match('/.*thumbnail.*php.*$/', substr($oneFileName, $lastSlashPos + 1))) { $infectedFiles[] = $oneFileName; } else { $fileContent = file_get_contents($oneFileName); if (preg_match('/^<\?php\n\$[a-z]+\s*=\s*\$_COOKIE\s*;/Ui', $fileContent) || preg_match('/^<\?php echo "jm"\."te"\."st"; \?>$/U', $fileContent)) { $infectedFiles[] = $oneFileName; } }

and it "worked" but i cannot obviously get a list of infected files. What can be wrong in these lines? I updated to Enterprise 8.7.1.

Thank you,

gatomadrid

IN my case i found manually a file created the 5th May. I deleted it. CAn be this file be realted to this vulnerability? Must i change passwords?

Dax

@joomleb
A - You're right it's easier to share the modified file, here it is: https://fromsmash.com/OjXHpg6gzz-ct
The link is available 13 days, but a new version should be released by then with an auto-cleaner.
B - I changed a bit the script to do that

@gatomadrid some file editors may automatically change the quotes when copy-pasting, could you use the file in my link to see if it works better?

joomleb

Dax
Would be good to add to the script also an automatic email reporting to you to collect statistics on all suspicious infected files...

Dax

There's a limit to what I can do with this script, we've got to release it at some point and each modification pushes back the release date.

gatomadrid

@Dax

I still have the same blank page although I downloaded from the link that you gave us. The error is in this part of the code because if i delted it i don´t get the message.

&& strpos($oneFileName, ACYM_UPLOAD_FOLDER_THUMBNAIL) !== false && preg_match(
'/.thumbnail.php.*$/',
substr($oneFileName, $lastSlashPos + 1)

What can be wrong? the variable ACYM_UPLOAD_FOLDER_THUMBNAIL is not empty. I delete the first parte ( strpos($oneFileName, ACYM_UPLOAD_FOLDER_THUMBNAIL) !== false ) and then the second part (preg_match(
'/.thumbnail.php.*$/',
substr($oneFileName, $lastSlashPos + 1))

and in both cases i still have the same error: Blan ppage. A problem with the variable $oneFileName?

Dax

It may have been because of scanned files size, I modified the script and the download link accordingly.

gatomadrid

Ahora si funciona. Gracias!

HDcms

Hi
I've just downloaded version 8.7.3.µwhere will I find the new button to test if acymailing is infected?

« Previous Page