Problems with site generating spam emails

Discussion regarding Joomla! 2.5 security issues.

Moderators: mandville, General Support Moderators

tonytimms
Joomla! Enthusiast
Posts: 210
Joined: Wed Jan 06, 2010 2:19 pm

Problems with site generating spam emails

Post by tonytimms » Tue Jan 05, 2016 2:13 pm

It seems that the account on my VPS has been compromised and the system is sending out spam emails, and the script that is generating this spam is located in public_html/tmp/javascript98.php. This is probably because Joomla version 2.5 has numerous security vulnerabilities but my question is whether it is possible to remove or replace this file without causing problems with the site. I don't really want to upgrade to another version at the moment as the site is quite heavy.
Last edited by toivo on Thu Jan 07, 2016 10:18 am, edited 1 time in total.
Reason: mod note: moved to 2.5 Security

itoctopus
Joomla! Virtuoso
Posts: 4025
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Re: Problems with site generating spam emails

Post by itoctopus » Tue Jan 05, 2016 3:14 pm

You should secure your website if you don't want to update it. In any case, deleting this file shouldn't affect your website, unless there is a core file "requiring" this file. I suggest you rename the file, check your website (after emptying the cache) and then delete the file if everything goes well. If it doesn't go well, then you should find where that file is being called from.

There are no guarantees that removing this file will clean your website or fix the problem. Additionally, the problem will definitely return unless you apply the latest security patches and all the security best practices.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter

tonytimms
Joomla! Enthusiast
Posts: 210
Joined: Wed Jan 06, 2010 2:19 pm

Re: Problems with site generating spam emails

Post by tonytimms » Thu Jan 07, 2016 10:11 am

Hi itoctopus, thanks for the reply. Looking at the files in the backend of my installation, it's a mess. The tmp file is full of .php files marked as .suspected. Can I empty the tmp file? Are any of these required for the system to work?

toivo
Joomla! Master
Posts: 17443
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Problems with site generating spam emails

Post by toivo » Thu Jan 07, 2016 10:24 am

Files in the tmp folder can be deleted. However, the question is how those files got there and which vulnerability allowed them to be created in the first place. Were the files perhaps moved by your host from other folders or did the hacker post them to the tmp folder directly?

Follow the instructions in this sticky post at the 2.5 Security forum: http://forum.joomla.org/viewtopic.php?f=621&t=582854

You should also plan to upgrade to a supported version of Joomla.
Toivo Talikka, Global Moderator

tonytimms
Joomla! Enthusiast
Posts: 210
Joined: Wed Jan 06, 2010 2:19 pm

Re: Problems with site generating spam emails

Post by tonytimms » Mon Jan 11, 2016 4:48 pm

I am trying to resolve this with my host but they are not very responsive. There were over 100,000 files in the public_html directory alone! I see that a lot of other files and directories have been created since the middle of December 2015. Is this a good indication of the files I should target?
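
Added example, not part of the thread and not Joomla code: a read-only inventory script for the situation described in the posts above. It flags files with a .suspected suffix, PHP files under tmp, and files modified since an assumed cutoff of 15 December 2015. The function names, reason labels and the NO_SCRIPT_DIRS list are assumptions made for illustration.

```python
import os
from datetime import datetime, timezone

# Assumption: cutoff taken from the thread's "middle of December 2015".
CUTOFF = datetime(2015, 12, 15, tzinfo=timezone.utc).timestamp()
# Assumption: top-level folders that should hold no PHP on a quiet site.
# Only tmp comes from the thread; extend the tuple to suit the install.
NO_SCRIPT_DIRS = ("tmp",)


def triage(webroot, cutoff=CUTOFF, no_script_dirs=NO_SCRIPT_DIRS):
    """Map relative path -> list of reasons the file deserves a manual look."""
    findings = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            lower = name.lower()
            reasons = []
            if lower.endswith(".suspected"):
                reasons.append("suspected-suffix")
            # ".php" anywhere in the name also catches x.php.suspected
            if rel.split("/", 1)[0] in no_script_dirs and ".php" in lower:
                reasons.append("php-in-no-script-dir")
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable; skip it
            # mtime can be set by whoever wrote the file, so an old date
            # proves nothing; a recent one is only a lead.
            if st.st_mtime >= cutoff:
                reasons.append("modified-since-cutoff")
            if reasons:
                findings[rel] = reasons
    return findings


def report(findings):
    """Render findings as sorted text lines for review before any deletion."""
    return [f"{path}\t{','.join(why)}" for path, why in sorted(findings.items())]


if __name__ == "__main__":
    import sys
    print("\n".join(report(triage(sys.argv[1] if len(sys.argv) > 1 else "."))))
```

The output is a list to review against a clean copy of the same Joomla release, not a list of everything that was planted.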

itoctopus
Joomla! Virtuoso
Posts: 4025
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Re: Problems with site generating spam emails

Post by itoctopus » Tue Jan 12, 2016 5:45 am

First you will need to block access to the website, you will then need to clean it, and then you will need to allow access to it. It's really hard to clean the website in your case without temporarily blocking access to it.

tonytimms
Joomla! Enthusiast
Posts: 210
Joined: Wed Jan 06, 2010 2:19 pm

Re: Problems with site generating spam emails

Post by tonytimms » Tue Jan 12, 2016 3:06 pm

Hi, I am taking the website down for a few hours to remove some of the files identified as suspect. Has anyone seen these files/folders before - josefte, jeylors, lookuper, uboners, runnerks?

Regards

toivo
Joomla! Master
Posts: 17443
Joined: Thu Feb 15, 2007 5:48 am
Location: Sydney, Australia

Re: Problems with site generating spam emails

Post by toivo » Tue Jan 12, 2016 4:10 pm

"Has anyone seen these files/folders before - josefte, jeylors, lookuper, uboners, runnerks"

No.

tonytimms
Joomla! Enthusiast
Posts: 210
Joined: Wed Jan 06, 2010 2:19 pm

Re: Problems with site generating spam emails

Post by tonytimms » Tue Jan 12, 2016 4:23 pm

Thanks, I guess therefore these files are not required by Joomla and can be deleted.

Regards

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Problems with site generating spam emails

Post by Bernard T » Tue Jan 12, 2016 6:50 pm

How can you be sure you will find all of the malicious files all by yourself? If you miss only one of them your website will get hacked again.

Please follow the proper cleanup instructions in the topic that Toivo already linked.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

