New scan engine that works better on large file systems

I released the new scan engine in version 1.2.10.05 today. This is the scan process that I've had available as a BETA for a couple months but it was not ready for release until now. It take longer because it breaks the scan into smaller processes that complete independently of the scan initiation process. This has a better success rate (especially on server with lots of files or minimal memory) and allows for better error handling.

So there are now two types of scans:

• Quick Scan - Good for small file systems, fast servers, or sites that have post restriction.
• Complete Scan - Good for large file systems, servers with irregular permission issues, or low memory allocation.

The Automatic Fix process and File Viewer have been improved too. It loads nicer now and you can move this new pop-up window around on the page .

Please give me feedback on these new features and scan options.

A WordPress plugin is born

I made my PHP scripts into a WordPress plugin and installed it on a couple of different servers to test it. Over the next few weeks I will be testing, refining, and improving the plugin to get it ready for release to the WordPress community. Anyone interested in testing it on their WordPress site should contact me and I will set you up with a pre-release version.

Zero Day Vulnerability in timthumb.php is the main problem

I was able to find and trace one of the hacks back to thumb.php file. This turned out to be an old version (1.08, 1.14, etc.) of the popular TimThumb script. It turned out there were a lot of old TimThumb script on the server. Many were found in plugins and others were in themes.

I wrote a script to identify old TimThumb files and upgrade them automatically. Now it looks like we finally have a secure server again.

Discovered PHP files with some nasty “eval” code in them

We found some rotten PHP code in some random file throughout the server. Some were new files but some were there before and just had this line added to them. This code uses the eval PHP function to execute the given code. To make it harder to identify what the code does it has be encoded and the additional PHP function base64_decode is needed to decode the gibberish. I didn't even bother to decode this and find out what it does. It was so obvious to my that it was malicious that I added this pattern to my one-click removal script and repaired all the corrupted files at once.

.htaccess hacked again! It’s time for a counter attack.

Well, the hack was back. All our hard work for nothing. I knew we needed an automated repair to clean the infected .htaccess files with one click. So I wrote this quick little PHP script to clean all the infections out for us (see picture above). It was a good start but we obviously still had a vulnerability on our server and needed to figure out where it was.