Spamming Script. Cannot get rid of it
Moderators: mandville, General Support Moderators
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
-
- Joomla! Apprentice
- Posts: 6
- Joined: Thu Dec 11, 2014 3:27 pm
Spamming Script. Cannot get rid of it
Greetings,
Someone keeps uploading a spammer script (php). I find it, I delete it, and then another is uploaded in its place. The upload location is always in a different directory.
How can I find where the hole is that is allowing these php scripts to be uploaded?
Running: Joomla! 2.5.27 Stable [ Ember ] 30-September-2014 14:00 GMT
Thank you
-
- Joomla! Virtuoso
- Posts: 4025
- Joined: Mon Nov 25, 2013 4:35 pm
- Location: Montreal, Canada
- Contact:
Re: Spamming Script. Cannot get rid of it
It seems that you are addressing the consequences, but not the cause. Either you have a vulnerable extension or there is a script that was uploaded previously to your site that allows control over your filesystem.
Check your logs and see if you can find a suspicious call to a php file around the same time where that spam PHP script was uploaded/created.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Spamming Script. Cannot get rid of it
Also check . Cron jobs and follow checklist 7=
Post your fpa
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Apprentice
- Posts: 6
- Joined: Thu Dec 11, 2014 3:27 pm
Re: Spamming Script. Cannot get rid of it
Problem Description :: Forum Post Assistant (v1.2.4) : 11th December 2014 wrote:Someone uploading php spamming script
Actions Taken To Resolve by Forum Post Assistant (v1.2.4) 11th December 2014 wrote:Cannot find anything in my logfiles
Forum Post Assistant (v1.2.4) : 11th December 2014 wrote:Basic Environment :: wrote:Joomla! Instance :: Joomla! 2.5.27-Stable (Ember) 30-September-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (644) | Owner: 10000 (uid: /gid: ) | Group: 505 (gid: ) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: -1 | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes
Host Configuration :: OS: Linux | OS Version: 2.6.32-431.29.2.el6.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /var/www/vhosts/XXX/httpdocs | System TMP Writable: Yes
PHP Configuration :: Version: 5.3.3 | PHP API: apache2handler | Session Path Writable: No | Display Errors: | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: 0 | Open Base: /var/www/vhosts/XXX/:/tmp/ | Uploads: 1 | Max. Upload Size: 128M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 60 | Memory Limit: 128M
MySQL Configuration :: Version: 5.1.73 (Client:5.1.73) | Host: --protected-- (--protected--) | Collation: utf8_general_ci (Character Set: utf8) | Database Size: 3.78 MiB | #of Tables: 125Detailed Environment :: wrote:PHP Extensions :: Core (5.3.3) | date (5.3.3) | ereg () | libxml () | openssl () | pcre () | zlib (1.1) | bz2 () | calendar () | ctype () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | session () | iconv () | Reflection ($Revision: 300393 $) | standard (5.3.3) | shmop () | SPL (0.2) | SimpleXML (0.1) | sockets () | exif (1.4 $Id: exif.c 293036 2010-01-03 09:23:27Z sebastian $) | tokenizer (0.1) | xml () | apache2handler () | curl () | dom (20031129) | fileinfo (1.0.5-dev) | gd () | imap () | json (1.2.1) | mbstring () | mysql (1.0) | mysqli (0.1) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | sqlite3 (0.7-dev) | wddx () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.9.1) | ionCube Loader () | Zend Engine (2.3.0) |
Potential Missing Extensions :: mcrypt | suhosin |
Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe
Apache Modules :: core | prefork | http_core | mod_so | mod_auth_basic | mod_auth_digest | mod_authn_file | mod_authn_alias | mod_authn_anon | mod_authn_dbm | mod_authn_default | mod_authz_host | mod_authz_user | mod_authz_owner | mod_authz_groupfile | mod_authz_dbm | mod_authz_default | util_ldap | mod_authnz_ldap | mod_include | mod_log_config | mod_logio | mod_env | mod_ext_filter | mod_mime_magic | mod_expires | mod_deflate | mod_headers | mod_usertrack | mod_setenvif | mod_mime | mod_dav | mod_status | mod_autoindex | mod_info | mod_dav_fs | mod_vhost_alias | mod_negotiation | mod_dir | mod_actions | mod_speling | mod_userdir | mod_alias | mod_substitute | mod_rewrite | mod_proxy | mod_proxy_balancer | mod_proxy_ftp | mod_proxy_http | mod_proxy_ajp | mod_proxy_connect | mod_cache | mod_suexec | mod_disk_cache | mod_cgi | mod_version | mod_aclr2 | mod_fcgid | mod_perl | mod_php5 | mod_python | mod_rpaf-2 | mod_ssl | Apache |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Elevated Permissions (First 10) ::Extensions Discovered :: wrote:Components :: SITE :: CB ProfileBook (1.3) | Yanc Integration (1.2) | CB Mamblog Tab (1.2) | Rating Field (1.2) | CB Profile Gallery (1.2) | CB Mambo Author Tab (1.2) | CB Captcha (1.3) | com_mailto (2.5.0) | com_wrapper (2.5.0) | WF_ANCHOR_TITLE (2.3.4.4) | WF_BROWSER_TITLE (2.3.4.4) | WF_INLINEPOPUPS_TITLE (2.3.4.4) | WF_MEDIA_TITLE (2.3.4.4) | WF_PREVIEW_TITLE (2.3.4.4) | WF_ARTICLE_TITLE (2.3.4.4) | WF_SPELLCHECKER_TITLE (2.3.4.4) | WF_CLIPBOARD_TITLE (2.3.4.4) | WF_FULLSCREEN_TITLE (2.3.4.4) | WF_DIRECTIONALITY_TITLE (2.3.4.4) | WF_TEXTCASE_TITLE (2.3.4.4) | WF_NONBREAKING_TITLE (2.3.4.4) | WF_LAYER_TITLE (2.3.4.4) | WF_CHARMAP_TITLE (2.3.4.4) | WF_IMGMANAGER_TITLE (2.3.4.4) | WF_XHTMLXTRAS_TITLE (2.3.4.4) | WF_SOURCE_TITLE (2.3.4.4) | WF_KITCHENSINK_TITLE (2.3.4.4) | WF_PRINT_TITLE (2.3.4.4) | WF_LISTS_TITLE (2.3.4.4) | WF_TABLE_TITLE (2.3.4.4) | WF_STYLE_TITLE (2.3.4.4) | WF_SEARCHREPLACE_TITLE (2.3.4.4) | WF_AUTOSAVE_TITLE (2.3.4.4) | WF_VISUALBLOCKS_TITLE (2.3.4.4) | WF_CONTEXTMENU_TITLE (2.3.4.4) | WF_VISUALCHARS_TITLE (2.3.4.4) | WF_LINK_TITLE (2.3.4.4) | WF_CLEANUP_TITLE (2.3.4.4) | WF_AGGREGATOR_VINE_TITLE (2.3.4.4) | WF_AGGREGATOR_[youtube]_TITLE (2.3.4.4) | WF_AGGREGATOR_GOOGLEMAPS_TITLE (2.3.4.4) | WF_AGGREGATOR_VIMEO_TITLE (2.3.4.4) | K2 Links for JCE Link (2.2) | WF_LINKS_JOOMLALINKS_TITLE (2.3.4.4) | WF_LINK_SEARCH_TITLE (2.3.4.4) | WF_FILESYSTEM_JOOMLA_TITLE (2.3.4.4) | WF_POPUPS_WINDOW_TITLE (2.3.4.4) | WF_POPUPS_JCEMEDIABOX_TITLE (2.3.4.4) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.3.4.4) |
Components :: ADMIN :: com_users (2.5.0) | com_search (2.5.0) | com_languages (2.5.0) | COM_K2 (2.6.8) | mod_k2_comments (-) | mod_k2_comments (-) | com_installer (2.5.0) | com_redirect (2.5.0) | com_xmap (2.3.2) | comprofiler (1.9.1) | comprofiler (1.9.1) | com_newsfeeds (2.5.0) | COM_CONTACTENHANCED (2.5.17) | com_cache (2.5.0) | com_plugins (2.5.0) | com_cpanel (2.5.0) | com_messages (2.5.0) | eXtplorer (2.1.0) | com_admin (2.5.0) | com_categories (2.5.0) | com_banners (2.5.0) | RokGallery (2.22) | com_config (2.5.0) | com_login (2.5.0) | com_content (2.5.0) | com_media (2.5.0) | Gantry (4.1.26) | com_joomlaupdate (2.5.0) | com_modules (2.5.0) | com_checkin (2.5.0) | JCE (2.3.4.4) | Unknown (-) | Akeeba (3.6.9) | com_finder (2.5.0) | com_menus (2.5.0) | com_templates (2.5.0) | com_weblinks (2.5.0) | RokSprocket (2.1.2) |
Modules :: SITE :: CB Login (1.9.1) | mod_articles_categories (2.5.0) | CB Online (1.9) | mod_footer (2.5.0) | CB Workflows (1.9) | mod_articles_popular (2.5.0) | mod_banners (2.5.0) | RokNavMenu (2.0.7) | K2 User (2.6.8) | mod_login (2.5.0) | mod_articles_category (2.5.0) | Contact Information Module (2.5) | Latestweet (4.3) | RokTwittie (1.8) | RokSprocket Module (2.1.2) | Contact Enhanced Alpha Index (3.0) | mod_search (2.5.0) | mod_syndicate (2.5.0) | Rapid Contact (1.2) | CB Gallery Module (1.2.2) | mod_feed (2.5.0) | mod_ce_category (2.5.12) | mod_menu (2.5.0) | K2 Content (2.6.8) | mod_languages (2.5.0) | mod_custom (2.5.0) | mod_wrapper (2.5.0) | mod_random_image (2.5.0) | RokGallery Module (2.22) | mod_articles_archive (2.5.0) | K2 Tools (2.6.8) | mod_articles_news (2.5.0) | Contact Enhanced Form (2.5.15) | mod_finder (2.5.0) | CB Activity (2.4.1) | mod_users_latest (2.5.0) | K2 Comments (2.6.8) | Contact Enhanced Latest Submit (3.0) | Contact Enhanced Search (2.5.10) | CB PB Latest (1.3) | mod_whosonline (2.5.0) | mod_related_items (2.5.0) | Contact Enhanced Slideshow (2.5.10) | Contact Enhanced Birthday (3.0) | mod_weblinks (2.5.0) | mod_breadcrumbs (2.5.0) | K2 Users (2.6.8) | mod_articles_latest (2.5.0) | CB GroupJive (2.7.0) | mod_stats (2.5.0) |
Modules :: ADMIN :: K2 Quick Icons (admin) (2.6.8) | K2 Stats (admin) (2.6.8) | Contact Enhanced Latest Submit (3.0) | mod_login (2.5.0) | mod_toolbar (2.5.0) | mod_feed (2.5.0) | mod_menu (2.5.0) | mod_submenu (2.5.0) | mod_logged (2.5.0) | mod_custom (2.5.0) | mod_status (2.5.0) | Contact Enhanced Statistics (3.0) | mod_popular (2.5.0) | mod_multilangstatus (2.5.0) | Community Builder Admin menu (1.0) | mod_quickicon (2.5.0) | mod_latest (2.5.0) | mod_title (2.5.0) | mod_version (2.5.0) |
Plugins :: SITE :: Contact Enhanced - Custom Code (3.1.0) | Josetta - K2 Items (2.6.8) | Josetta - K2 Categories (2.6.8) | User - K2 (2.6.8) | plg_user_joomla (2.5.0) | plg_user_contactcreator (2.5.0) | plg_user_ce_contactcreator (3.0.0) | plg_user_profile (2.5.0) | plg_search_contactenhanced (2.5.12) | Search - GroupJive (2.7.0) | plg_search_contacts (2.5.0) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | plg_search_newsfeeds (2.5.0) | Search - Community Builder (1.1.0) | Search - K2 (2.6.8) | plg_search_weblinks (2.5.0) | Content - Contact Enhanced For (2.5.15) | plg_content_pagebreak (2.5.0) | plg_content_loadmodule (2.5.0) | plg_content_vote (2.5.0) | plg_content_pagenavigation (2.5.0) | Content - Community Builder Au (1.0.1) | Content - RokInjectModule (1.6) | plg_content_geshi (2.5.0) | plg_content_joomla (2.5.0) | plg_content_emailcloak (2.5.0) | plg_content_finder (2.5.0) | Button - Contact Enhanced Form (2.5.10) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_readmore (2.5.0) | Button - RokGallery (2.22) | plg_quickicon_jcefilebrowser (2.3.4.4) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | Xmap - Content Plugin (2.0.4) | Xmap - Mosets Tree Plugin (2.0.2) | Xmap - Virtuemart Plugin (2.0.1) | Xmap - Kunena Plugin (2.0.3) | Xmap - SobiPro Plugin (2.0.2) | Xmap - WebLinks Plugin (2.0.1) | PLG_JMONITORING_AKEEBABACKUP_T (1.0) | plg_editors_jce (2.3.4.4) | plg_editors_tinymce (3.5.4.1) | plg_editors_codemirror (1.0) | plg_authentication_gmail (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_ldap (2.5.0) | PLG_SYSTEM_MODALS (4.12.3FREE) | plg_system_sef (2.5.0) | System - Contact Enhanced (CE) (3.1) | plg_system_languagecode (2.5.0) | System - RokCommon (3.1.11) | plg_system_highlight (2.5.0) | System - CB Core Redirect (1.0.0) | PLG_SYSTEM_NNFRAMEWORK (14.8.6) | System - RokSprocket (2.1.2) | PLG_ECC (2.5-8) | Google Maps (2.20) 
| System - Gantry (4.1.26) | plg_system_logout (2.5.0) | plg_system_p3p (2.5.0) | System - RokExtender (2.0.0) | System - Mail Links to Contact (2.5.10) | System - K2 (2.6.8) | plg_system_languagefilter (2.5.0) | System - Autologin (2.5.0) | System - Contact Enhanced (CE) (2.5.16) | System - RokGallery (2.22) | plg_system_remember (2.5.0) | plg_system_redirect (2.5.0) | plg_system_log (2.5.0) | plg_system_cache (2.5.0) | System - iSeKeywords (2.5.10) | plg_system_debug (2.5.0) | plg_captcha_recaptcha (2.5.0) | Captcha - SecurImage (3.2.2) | plg_finder_contactenhanced (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_k2 (2.6.8) | plg_finder_weblinks (2.5.0) | plg_extension_joomla (2.5.0) |Templates Discovered :: wrote:Templates :: SITE :: beez_20 (2.5.0) | beez5 (2.5.0) | rt_metropolis (1.1) | atomic (2.5.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |
Last edited by mandville on Fri Dec 12, 2014 10:22 am, edited 1 time in total.
Reason: disabled smilies for clarity
-
- Joomla! Apprentice
- Posts: 6
- Joined: Thu Dec 11, 2014 3:27 pm
Re: Spamming Script. Cannot get rid of it
Not finding anything in the logs related to an FTP upload.
The only thing I can find is the script, by putting a wrapper on postfix and logging it.
Every time I find the script and remove it, a new script gets used to spam. Same script though:
X-Additional-Header: /var/www/vhosts/XXX/httpdocs/cache/Gantry
To: [email protected]
Subject: Lol She's a Screamer
X-PHP-Originating-Script: 48:model.php
From: "Lacy Bray" <[email protected]>
Reply-To:"Lacy Bray" <[email protected]>
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
-
- Joomla! Virtuoso
- Posts: 4025
- Joined: Mon Nov 25, 2013 4:35 pm
- Location: Montreal, Canada
- Contact:
Re: Spamming Script. Cannot get rid of it
Which logs are you checking? Are you checking the Apache access logs? These are the logs that I'm talking about. The file doesn't have to be uploaded through FTP, it can be uploaded using the malicious file that you possibly have on your server. The Apache logs will probably tell you which one it is.
Also, don't forget to change all the passwords.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter
-
- Joomla! Apprentice
- Posts: 6
- Joined: Thu Dec 11, 2014 3:27 pm
Re: Spamming Script. Cannot get rid of it
I'm looking at all logs (apache, ftp, etc..). I am pretty certain the script is being uploaded via http, I just cannot find anything in the apache logs.
I've changed the password, and have even deployed a brand new server where the only thing that wasn't new was the web content and mysql database.
-
- Joomla! Apprentice
- Posts: 6
- Joined: Thu Dec 11, 2014 3:27 pm
Re: Spamming Script. Cannot get rid of it
So I think I have narrowed this down, but I don't know enough about php to determine which script has the security issue.
I removed the latest spam script, and as usual, within 24 hours, a new script has been uploaded elsewhere within the site.
I searched through the http access logfile for the first instance of the spam script, and then grepped for the IP associated.
The spam script in question: ---------- 1 apache apache 64890 Dec 13 09:53 view.php
The 09:53 time associated with the first instance (a GET) in my apache log:
91.121.160.169 - - [13/Dec/2014:09:53:12 +0000] "GET /libraries/gantry/core/params/view.php HTTP/1.0" 200 207 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
But the IP associated has some activity right before the GET:
91.121.160.169 - - [13/Dec/2014:07:13:05 +0000] "POST /plugins/quickicon/index.php HTTP/1.0" 200 3349 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91.121.160.169 - - [13/Dec/2014:07:13:05 +0000] "POST /libraries/gantry/facets/menu/themes/touch/general.php HTTP/1.0" 200 3349 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91.121.160.169 - - [13/Dec/2014:07:13:06 +0000] "POST /modules/mod_ce_form/language/code.php HTTP/1.0" 200 3349 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91.121.160.169 - - [13/Dec/2014:07:13:06 +0000] "POST /libraries/gantry/core/gantryfeature.class.php HTTP/1.0" 200 3349 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91.121.160.169 - - [13/Dec/2014:08:24:18 +0000] "POST /libraries/gantry/core/renderers/gantryfeaturerenderer.class.php HTTP/1.0" 200 226 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
91.121.160.169 - - [13/Dec/2014:09:53:12 +0000] "POST /modules/mod_contactinfo/mod_contactinfo.php HTTP/1.0" 200 602 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
This is where I get lost. I do not have the skills to determine how these scripts work together (if at all), and/or which one could be the issue.
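The correlation described in this post can be scripted. The following is an added example, not code from the thread: it finds which clients requested the dropped script, then lists their earlier direct POSTs to PHP files and groups them by response size. The log lines are constructed, the paths are hypothetical, and treating `/index.php` and `/administrator/index.php` as the only normal entry points is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (Apache "combined" format) modelled on the lines in the post.
# Paths are hypothetical; 203.0.113.9 and 198.51.100.7 are documentation addresses.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Dec/2014:07:10:41 +0000] "GET /index.php?option=com_content&id=3 HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Dec/2014:07:13:05 +0000] "POST /plugins/example/index.php HTTP/1.0" 200 3349 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Dec/2014:07:13:06 +0000] "POST /modules/mod_example/language/code.php HTTP/1.0" 200 3349 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Dec/2014:08:02:17 +0000] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Dec/2014:09:53:12 +0000] "POST /modules/mod_example/mod_example.php HTTP/1.0" 200 602 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Dec/2014:09:53:12 +0000] "GET /libraries/example/params/view.php HTTP/1.0" 200 207 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Assumption: normal Joomla traffic enters through these front controllers,
# so a successful direct POST to any other .php file deserves a look.
ENTRY_POINTS = {"/index.php", "/administrator/index.php"}


def parse(log_text):
    """Yield one dict per parseable access-log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["path"] = rec["url"].split("?", 1)[0]
            rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
            yield rec


def trace_dropper(log_text, dropped_path):
    """Return (client_ips, suspects, repeated_sizes) for one dropped script.

    client_ips: addresses that requested dropped_path.
    suspects: successful direct POSTs to .php files other than the entry
        points, made by those addresses at or before their first request
        for the dropped script.
    repeated_sizes: response sizes shared by two or more suspect paths, a
        hint that the same code answers under several file names.
    """
    records = list(parse(log_text))
    first_hit = {}
    for r in records:
        if r["path"] == dropped_path:
            first_hit[r["ip"]] = min(first_hit.get(r["ip"], r["time"]), r["time"])
    suspects = [
        r for r in records
        if r["ip"] in first_hit and r["time"] <= first_hit[r["ip"]]
        and r["method"] == "POST" and r["path"].endswith(".php")
        and r["path"] not in ENTRY_POINTS and r["status"].startswith("2")
    ]
    by_size = defaultdict(set)
    for r in suspects:
        by_size[r["size"]].add(r["path"])
    repeated = {s: sorted(p) for s, p in by_size.items() if len(p) > 1}
    return sorted(first_hit), suspects, repeated


if __name__ == "__main__":
    ips, suspects, repeated = trace_dropper(SAMPLE_LOG, "/libraries/example/params/view.php")
    print("clients:", ips)
    for r in suspects:
        print(r["time"].isoformat(), r["path"], r["size"])
    print("same-size responses:", repeated)
```

Each path in `suspects` is a file to compare against a clean copy of the extension it claims to belong to.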
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Spamming Script. Cannot get rid of it
Well, Contact Enhanced is several versions out of date. What are your cron jobs like? What has your host said?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- Webdongle
- Joomla! Master
- Posts: 44093
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Spamming Script. Cannot get rid of it
You only find what they want you to find. You need to delete all the folders/files on the server and http://forum.joomla.org/viewtopic.php?f=621&t=582854
chikagoh wrote:...
Someone keeps uploading a spammer script (php). I find it, I delete it, and then another is uploaded in its place. ...
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
- Slackervaara
- Joomla! Ace
- Posts: 1115
- Joined: Sat Aug 13, 2011 6:27 am
Re: Spamming Script. Cannot get rid of it
The free security extension JHackGuard has an option to disable file upload for guests.