The Joomla! Forum ™
 Post subject: hacked?
PostPosted: Fri Aug 10, 2012 2:41 pm 
Joomla! Apprentice
Got several messages that our site contains suspicious malware. Cleaned it out several times but it keeps returning. Noticed a suspicious file called .cache_m4gvjc.php in http://domain/images/stories/.cache_m4gvjc.php. Entering this file in a browser gives a password box. The file seems to be a Joomla core file, but at the end is the following code, which I don't understand, so maybe some tech guys could explain that? Maybe it is supposed to be that way, but I don't know. I attached the file in txt format; it is supposed to be a php file.


Last edited by mandville on Fri Aug 10, 2012 3:50 pm, edited 1 time in total.
file removed for safety reasons
 Post subject: Re: hacked?
PostPosted: Fri Aug 10, 2012 3:52 pm 
Joomla! Master
there should be no file like that in the images stories folder.
run the fpa and print the results.
it may be worthwhile to treat your site as fully hacked and then follow checklist 7 safe route to recovery

_________________
HU2HY - Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}
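Added example (not from this thread, the FPA tool or the Joomla project): a small Python scanner that does the check the moderator describes above, listing PHP files under Joomla's upload folders, including dotfiles like the .cache_m4gvjc.php reported. The folder list and the sample tree it scans are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Assumed Joomla 1.5 folders that hold uploaded media or scratch data; none of
# them should ever contain server-side code (the thread's file sat in images/stories).
UPLOAD_DIRS = ("images", "media", "cache", "tmp", "logs")
PHP_SUFFIXES = (".php", ".php3", ".php4", ".php5", ".phtml", ".phps")


def find_php_in_upload_dirs(webroot, upload_dirs=UPLOAD_DIRS):
    """Return sorted webroot-relative paths of PHP-like files under upload dirs.

    os.walk lists dotfiles, so names such as .cache_m4gvjc.php that a plain
    `ls` hides are reported; the suffix match is case-insensitive and also
    catches double extensions like photo.jpg.PHP."""
    root = Path(webroot)
    hits = []
    for sub in upload_dirs:
        base = root / sub
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                if name.lower().endswith(PHP_SUFFIXES):
                    hits.append((Path(dirpath) / name).relative_to(root).as_posix())
    return sorted(hits)


# Constructed sample tree: (relative path, content). Only the first file name is
# taken from the thread; the others are made-up stand-ins for legitimate files.
SAMPLE_TREE = (
    ("images/stories/.cache_m4gvjc.php", "<?php /* placeholder, not a shell */"),
    ("images/stories/photo.jpg.PHP", "<?php /* placeholder */"),
    ("images/stories/logo.jpg", "JFIF"),
    ("images/index.html", "<html></html>"),
    ("components/com_content/controller.php", "<?php // legitimate core file"),
)


def scan_sample_webroot():
    """Build the constructed tree in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as webroot:
        for rel, content in SAMPLE_TREE:
            path = Path(webroot, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)
        return find_php_in_upload_dirs(webroot)


if __name__ == "__main__":
    for hit in scan_sample_webroot():
        print("suspicious:", hit)
```

Pointing `find_php_in_upload_dirs` at a real webroot gives a quick first pass; a clean result does not prove the site is clean, which is why the checklist's full recovery route still applies.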
 Post subject: Re: hacked?
PostPosted: Mon Aug 13, 2012 12:45 pm 
Joomla! Apprentice
FPA mentions version 1.5.25; after running FPA I've updated to 1.5.26.

Forum Post Assistant (v1.2.1) : 13th August 2012 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 1.5.25-Stable (senu takaa ama mamni) 14-November-2011
Joomla! Configured :: Yes | Writable (644) | Owner: (uid: /gid: ) | Group: (gid: ) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: 0 | Site Debug: 0 | Language Debug: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-5-vserver-amd64 | Technology: x86_64 | Web Server: Apache/2.2.16 (Debian) | Encoding: gzip, deflate | Doc Root: /public/sites/www.scoutingduiven.nl | System TMP Writable: No

PHP Configuration :: Version: 5.3.3-7+squeeze3 | PHP API: apache2handler | Session Path Writable: Unknown | Display Errors: 1 | Error Reporting: 30711 | Log Errors To: | Last Known Error: | Register Globals: 0 | Magic Quotes: | Safe Mode: 0 | Open Base: | Uploads: 1 | Max. Upload Size: 16M | Max. POST Size: 16M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 64M

MySQL Configuration :: Version: 5.1.61-0+squeeze1 (Client:5.1.49) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 32.62 MiB | #of _FPA_TABLE: 357
Detailed Environment :: wrote:
PHP Extensions :: Core (5.3.3-7+squeeze3) | date (5.3.3-7+squeeze3) | ereg () | libxml () | openssl () | pcre () | zlib (1.1) | bcmath () | bz2 () | calendar () | ctype () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gettext () | session () | iconv () | json (1.2.1) | mbstring () | standard (5.3.3-7+squeeze3) | posix () | Reflection ($Revision: 300393 $) | SPL (0.2) | shmop () | SimpleXML (0.1) | soap () | sockets () | Phar (2.0.1) | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.9.1) | apache2handler () | curl () | gd () | imagick (3.0.0RC1) | imap () | ldap () | mcrypt () | memcache (3.0.4) | mysql (1.0) | mysqli (0.1) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | suhosin (0.9.32.1) | xsl (0.1) | mhash () | Zend Engine (2.3.0) |
Potential Missing Extensions ::

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Apache Modules :: core | mod_log_config | mod_logio | prefork | http_core | mod_so | mod_backend | mod_cgi | mod_php5 | Apache/2.2.16 (Debian) |
Potential Missing Modules :: mod_rewrite | mod_expires | mod_deflate | mod_security | mod_evasive | mod_dosevasive | mod_ssl | mod_qos | mod_userdir |
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: None
Extensions Discovered :: wrote:
Components :: SITE :: System - Akela CronEmul Plug-i (0.9b) | Default (1.4.0) | MailTo (1.5.0) | Default (1.0.0) | User (1.5.0) | Wrapper (1.5.0) |
Components :: ADMIN :: JCE (1.5.7.5) | Akela (1.5.15) | Banners (1.5.0) | Cache Manager (1.5.0) | Configuration Manager (1.5.0) | Contact Items (1.0.0) | Content Page (1.5.0) | Control Panel (1.5.0) | docman (1.4.0.stable) | DOCman Standard Buttons (1.4.0.stable) | Unapproved Documents - admin m (1.4.0) | Latest added documents - admin (1.4.0) | Latest logged downlods - admin (1.4.0) | Latest news from http://www.joomlatoo (1.4.0) | Most downloaded documents - ad (1.4.0) | forme (1.0.5) | Frontpage (1.5.0) | Installation Manager (1.5.0) | JEvents (1.5.3 (B1629)) | JUpdateMan (1.5.1) | JXplorer (1.5 Beta 4) | Language Manager (1.5.0) | Mass Mail (1.5.0) | Media Manager (1.5.0) | Menus Manager (1.5.0) | Messaging (1.5.0) | Module Manager (1.5.0) | Newsfeeds (1.5.0) | PhocaGallery (2.6.1) | PhocaGuestbook (1.4.4) | Plugin Manager (1.5.0) | Polls (1.5.0) | Akeeba (3.4.3) | AcyMailing Plugin (1.0.0) | Contacts Plugin (1.0.1) | SOBI2 Plugin (1.5.1) | Content Plugin (1.5.1) | Eventlist Plugin (1.0.0) | DOCman Plugin (1.5.0) | Gallery2 Bridge Plugin (1.0.2) | Glossary Plugin (-) | Hot Property Plugin (1.0.1) | JCALPro Plugin (1.0.0) | JDownloads Plugin (1.5.1) | JEvents Plugin (1.0.3) | JMovies Plugin (1.5.0) | Jomres Plugin (1.0) | JoomDOC Extension (1.0.0) | JoomGallery Plugin (1.5.1) | KnowledgeBase Plugin (1.0.0) | Kunena Plugin (1.0.1) | Mosets Tree Plugin (1.0.1) | lknAnswers Plugin (1.5.0) | MyBlog Plugin (1.5.1) | Rapid Recipe Plugin (1.0.0) | Remository Plugin (1.0.3) | JoomSuite Resources Plugin (1.0.0) | Rokdownloads Plugin (1.0.4) | RSGallery2 Extension (1.0.0) | SectionEx Plugin (1.0.2) | CMS Shop Builder Plugin (1.5.0) | Virtuemart Plugin (1.1.4) | Web Links Plugin (1.0.0) | Agora Plugin (1.0.0) | Xmap (1.2.9b) | Search (1.5.0) | Template Manager (1.5.0) | Trash (1.0.0) | User Manager (1.5.0) | Weblinks (1.5.0) | wgPicasa (1.0.7) | idoblog (v 1.1 (build ) | JComments (2.2.0.2) |

Modules :: SITE :: Archived Content (1.5.0) | Banner (1.5.0) | Birthday (1.5.7) | Breadcrumbs (1.5.0) | ImageSlideShow (1.0) | Custom HTML (1.5.0) | Feed Display (1.5.0) | Footer (1.5.0) | RSform! (1.0.4) | JEvents Calendar (1.5.3) | Latest JEvents (1.5.3) | Latest News (1.5.0) | Login (1.5.0) | Menu (1.5.0) | Most Read Content (1.5.0) | Newsflash (1.5.0) | Poll (1.5.0) | Random Image (1.5.0) | Related Items (1.0.0) | Search (1.0.0) | Sections (1.5.0) | Statistics (1.5.0) | Syndicate (1.5.0) | Who\'s Online (1.0.0) | Wrapper (1.0.0) | Dinamods (2.0.1) | TweetXT (0.09.05) | Twitter Widget (1.0.0) | Template Selector (1.1.0) | IDOBlog Tags (1.0.0) | Lof ArticlesSroller Module (1.1) | JomLand Stick (0.1) | ITPFacebookLikeBox (1.2) |
Modules :: ADMIN :: Custom HTML (1.5.0) | Unapproved Documents - admin m (1.4.0) | Latest added documents - admin (1.4.0) | Latest logged downlods - admin (1.4.0) | Latest news from http://www.joomlatoo (1.4.0) | Most downloaded documents - ad (1.4.0) | Feed Display (1.5.0) | Footer (1.0.0) | Latest News (1.0.0) | Logged in Users (1.0.0) | Login Form (1.0.0) | Admin Menu (1.0.0) | Online Users (1.0.0) | Popular Items (1.0.0) | Quick Icons (1.0.0) | Items Stats (1.0.0) | User Status (1.5.0) | Admin Submenu (1.0.0) | Title (1.0.0) | Toolbar (1.0.0) | Unread Items (1.0.0) | Akeeba Backup Notification Mod (3.4.3) |

Plugins :: SITE :: Authentication - Example (1.5) | Authentication - GMail (1.5) | Authentication - Joomla (1.5) | Authentication - LDAP (1.5) | Authentication - OpenID (1.5) | Content - Email Cloaking (1.5) | Content - Example (1.0) | Content - Code Highlighter (Ge (1.5) | Content - Load Modules (1.5) | Content - mosforme (1.0.4) | Content - Pagebreak (1.5) | Content - Page Navigation (1.5) | Content - Vote (1.5) | Content - Sexy Bookmarks (1.1.0) | Content - TweetMe (1.5.8) | Content - JComments (1.0) | DOCman Standard Buttons (1.4.0.stable) | Editor - TinyMCE 3 (3.2.6) | Editor - XStandard Lite for Jo (1.0) | Advanced Code Editor (1.5.7.5) | Joomla! Links for Advanced Lin (1.2.1) | Advanced Link (1.5.7.5) | File Browser (1.5.7.5) | Paste (1.5.7.5) | Image Manager (1.5.7.5) | Media Object support (1.5.7.5) | Paste (1.5.7.5) | JCE SPELLCHECKER TITLE (1.5.7.5) | Editor - JCE (1.5.7.5) | Button - Image (1.0.0) | Button - Pagebreak (1.5) | Button - Readmore (1.5) | Editor Button - JComments ON (1.0) | Editor Button - JComments OFF (1.0) | Search - Categories (1.5) | Search - Contacts (1.5) | Search - Content (1.5) | Search - Newsfeeds (1.5) | Search - Sections (1.5) | Search - Weblinks (1.5) | Search - JComments (1.0) | System - Backlinks (1.5) | System - Cache (1.5) | System - Debug (1.5) | System - Legacy (1.5) | System - Log (1.5) | System - Mootools Upgrade (1.5) | System - Remember Me (1.5) | System - SEF (1.5) | System - Tweetboard (1.5.3) | System - TemplateSelector (1.0.1) | System - JComments (1.0) | Akeeba Backup Lazy Scheduling (3.3) | User - Example (1.0) | User - Joomla! (1.5) | User - JComments (1.0) | XML-RPC - Blogger API (1.0) | XML-RPC - Joomla API (1.0) |
Templates Discovered :: wrote:
Templates :: SITE :: beez (1.0.0) | js_education (1.0) | dieker (1.0.0) | JA_Purity (1.2.0) | themza_j15_08 (1.0.2) | rhuk_milkyway (1.0.2) | js_fresh (1.0.3) | Newsflash (1.5.0) | themza_j15_08 (1.0.2) | js_jamba (1.6.1) | js_optimus_free (1.3) |
Templates :: ADMIN :: Khepri (1.0) |
 Post subject: Re: hacked?
PostPosted: Mon Aug 13, 2012 1:38 pm 
Joomla! Master
1. did you follow the suggestions of treating your site as hacked?
viewtopic.php?f=432&t=475313 is the place to look.
2. now you have "updated" Joomla, please look at updating and removing dead extensions.
e.g. the Phoca Gallery you have is 2.6.1; the current version is 2.8.1