Injection of PHP file sending spam

Discussion regarding Joomla! 3.x security issues.

MaIcOl01
Joomla! Apprentice
Posts: 10
Joined: Wed Apr 22, 2015 2:59 am

Injection of PHP file sending spam

Post by MaIcOl01 » Wed Aug 26, 2015 3:16 am

Hello, I'm having an issue with my Joomla installation.

One day I received a spam abuse notification from my server. I couldn't identify the file or script that was sending the emails until I activated a header for spam abuse that indicates the file or path that is sending it. When I identified the file (attachments), it's an encrypted PHP (I think) that is sending email (I think).

It all started on July 4th 2015; on this date I received the first abuse notification. It seems the hacker (or robot) uploaded the PHP file with the script. In the sendmail log, I identified this:

Image

In that path, I found the 2 files attached to this post. The first time, I detected the ini.php file and erased it, I deleted a lot of unused plugins and everything was working fine... until I received another abuse notification with the second PHP file (inc.php) uploaded in a different location.

PHP file injection?

I already followed all the security steps (I think) and I ran the FPA:
Problem Description :: Forum Post Assistant (v1.2.4) : 25th August 2015 wrote:
Injection of PHP file sending spam emails
Log/Error Message :: Forum Post Assistant (v1.2.4) : 25th August 2015 wrote:
spam abuse
Actions Taken To Resolve by Forum Post Assistant (v1.2.4) 25th August 2015 wrote:
- Changed all passwords
- Update Joomla
- Delete extensions
- Verify current extensions
- Verify folders permission
Forum Post Assistant (v1.2.4) : 25th August 2015 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 3.4.3-Stable (Ember) 2-July-2015
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: nenasric (uid: 1/gid: 1) | Group: nenasric (gid: 1) | Valid For: 3.4
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-042stab088.4 | Technology: x86_64 | Web Server: Apache/2.4.9 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 | Encoding: gzip, deflate | Doc Root: /home/nenasric/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.4.29 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 24567 | Log Errors To: error_log | Last Known Error: 25th August 2015 21:40:42. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 250M | Max. POST Size: 500M | Max. Input Time: 1000 | Max. Execution Time: 120 | Memory Limit: 128M

MySQL Configuration :: Version: 5.5.42-cll (Client:5.5.42) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 9.43 MiB | #of Tables:  133
Detailed Environment :: wrote:
PHP Extensions :: Core (5.4.29) | date (5.4.29) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7) | zlib (2.0) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | fileinfo (1.0.5) | filter (0.11.0) | ftp () | gd () | gettext () | hash (1.0) | iconv () | SPL (0.2) | json (1.2.1) | mbstring () | mcrypt () | session () | mysql (1.0) | mysqli (0.1) | standard (5.4.29) | Phar (2.0.1) | posix () | Reflection ($Id: f6367cdb4e3f392af4a6d441a6641de87c2e50c4 $) | mysqlnd (mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | SimpleXML (0.1) | sockets () | imap () | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.11.0) | cgi-fcgi () | XCache (3.0.3) | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | pdo_mysql (1.0.2) | XCache Cacher (3.0.3) | ionCube Loader () | Zend Engine (2.4.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Database Information :: wrote:
Database _FPA_STATS :: Uptime: 1855113 | Threads: 4 | Questions: 20047691 | Slow queries: 461 | Opens: 316070 | Flush tables: 1 | Open tables: 2047 | Queries per second avg: 10.806 |
Extensions Discovered :: wrote:
Components :: SITE :: com_wrapper (3.0.0) | com_mailto (3.0.0) |
Components :: ADMIN :: com_checkin (3.0.0) | Spider Video Player (2.8.5) | com_menus (3.0.0) | com_users (3.0.0) | joautotwitter (3.2) | com_admin (3.0.0) | com_postinstall (3.2.0) | com_ajax (3.2.0) | com_messages (3.0.0) | com_redirect (3.0.0) | com_content (3.0.0) | com_login (3.0.0) | com_banners (3.0.0) | com_modules (3.0.0) | com_newsfeeds (3.0.0) | com_tags (3.1.0) | com_joomlaupdate (3.0.0) | com_phocagallery (4.1.2) | com_tagmeta (1.7.2) | com_finder (3.0.0) | com_contenthistory (3.2.0) | offlajn_installer (1.0) | com_templates (3.0.0) | com_search (3.0.0) | com_installer (3.0.0) | com_cpanel (3.0.0) | com_categories (3.0.0) | FW Gallery (2.3.2) | com_cache (3.0.0) | com_config (3.0.0) | com_media (3.0.0) | com_languages (3.0.0) | com_plugins (3.0.0) |

Modules :: SITE :: mod_login (3.0.0) | mod_random_image (3.0.0) | mod_footer (3.0.0) | mod_breadcrumbs (3.0.0) | Spider Video Player Module (2.8.5) | mod_custom (3.0.0) | mod_articles_category (3.0.0) | mod_languages (3.0.0) | mod_search (3.0.0) | mod_feed (3.0.0) | mod_articles_popular (3.0.0) | mod_articles_categories (3.0.0) | mod_users_latest (3.0.0) | mod_tags_similar (3.1.0) | mod_stats (3.0.0) | mod_articles_archive (3.0.0) | mod_articles_news (3.0.0) | mod_finder (3.0.0) | mod_whosonline (3.0.0) | mod_menu (3.0.0) | mod_related_items (3.0.0) | mod_tags_popular (3.1.0) | mod_syndicate (3.0.0) | mod_banners (3.0.0) | Flexi Custom Code (1.3) | mod_articles_latest (3.0.0) | mod_wrapper (3.0.0) |
Modules :: ADMIN :: mod_login (3.0.0) | mod_popular (3.0.0) | mod_version (3.0.0) | mod_custom (3.0.0) | mod_feed (3.0.0) | mod_stats_admin (3.0.0) | mod_toolbar (3.0.0) | mod_latest (3.0.0) | mod_status (3.0.0) | mod_title (3.0.0) | mod_logged (3.0.0) | mod_menu (3.0.0) | mod_submenu (3.0.0) | mod_multilangstatus (3.0.0) | mod_quickicon (3.0.0) |

Plugins :: SITE :: plg_finder_categories (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_content (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_tags (3.0.0) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_readmore (3.0.0) | plg_editors-xtd_article (3.0.0) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_phocagallery (4.1.2) | plg_system_redirect (3.0.0) | plg_system_cache (3.0.0) | PLG_SYSTEM_HEADERTAGS (3.1.9) | plg_system_log (3.0.0) | plg_system_languagecode (3.0.0) | System - JO Auto Post Twitter (3.1) | plg_system_p3p (3.0.0) | Offlajn Joomla 3.0 compatibili (1.0) | System - Marco's SQL Injection (1.4) | plg_system_logout (3.0.0) | Offlajn Dojo Loader (1.0) | plg_system_tagmeta (1.7.2) | System - Offlajn Params (1.0.0) | plg_system_debug (3.0.0) | plg_system_sef (3.0.0) | plg_system_highlight (3.0.0) | plg_system_remember (3.0.0) | plg_system_languagefilter (3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_joomla (3.0.0) | plg_authentication_cookie (3.0.0) | plg_authentication_ldap (3.0.0) | FW Gallery - Batch Upload (1.3.0) | plg_user_contactcreator (3.0.0) | plg_user_joomla (3.0.0) | plg_user_profile (3.0.0) | plg_captcha_recaptcha (3.4.0) | plg_quickicon_extensionupdate (3.0.0) | plg_quickicon_joomlaupdate (3.0.0) | plg_content_emailcloak (3.0.0) | plg_content_finder (3.0.0) | plg_content_pagebreak (3.0.0) | plg_content_vote (3.0.0) | plg_content_joomla (3.0.0) | plg_content_loadmodule (3.0.0) | Content - Load Spider Video Pl (2.8.5) | plg_content_pagenavigation (3.0.0) | plg_content_phocagallery (4.1.2) | plg_search_categories (3.0.0) | plg_search_contacts (3.0.0) | plg_search_content (3.0.0) | plg_search_newsfeeds (3.0.0) | plg_search_tags (3.0.0) | plg_editors_codemirror (5.3) | plg_editors_tinymce (4.1.7) | plg_extension_joomla (3.0.0) | plg_twofactorauth_yubikey (3.2.0) | plg_twofactorauth_totp (3.2.0) | plg_installer_webinstaller (1.0.5) |
Templates Discovered :: wrote:
Templates :: SITE :: protostar (1.0) | beez3 (3.1.0) |
Templates :: ADMIN :: hathor (3.0.0) | isis (1.0) |
Any help? Thank you! :D
Last edited by imanickam on Wed Aug 26, 2015 4:44 am, edited 1 time in total.
Reason: File attachments that are scripts have been removed as they are vulnerable.

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Injection of PHP file sending spam

Post by leolam » Wed Aug 26, 2015 6:24 am

You will need to follow up on all the steps as outlined at http://forum.joomla.org/viewtopic.php?f=714&t=757645 or use a service aka myjoomla.com

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Injection of PHP file sending spam

Post by Bernard T » Thu Aug 27, 2015 7:38 am

Hi MaIcOl01,

If you didn't clean up the website following the instructions in the sticky post (already linked here by Leolam) since the site was hacked, it is very possible your website still has some undiscovered malicious files.

Also, a plus would be to identify how your website was hacked in the first place.
I just wanted to emphasize that I noticed you are using "Spider Video", which had an SQLi vulnerability in previous versions (http://vel.joomla.org/resolved/1410-joo ... 2-8-3-sqli); that might be the case if you had this version installed at the time of the hack.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak

MaIcOl01
Joomla! Apprentice
Posts: 10
Joined: Wed Apr 22, 2015 2:59 am

Re: Injection of PHP file sending spam

Post by MaIcOl01 » Sat Aug 29, 2015 7:05 pm

Hello Bernard and leolam

I did follow some steps you mentioned (from the link, I mean) besides all this:

1) A similar issue I had -> http://stackoverflow.com/questions/1794 ... oomla-site

2) I also use auto tweet -> http://forum.joomla.org/viewtopic.php?f=621&t=839778

3) With this, I identified all the infected files -> http://www.warriorforum.com/search-engi ... links.html

4) But the tool that helped me was myjoomla.com; it helped me to identify several issues in my site.

Some of the infected files were:

Code:

/administrator/includes/defines.php
/includes/defines.php
/administrator/components/com_config/controllers/application.php
/administrator/components/com_finder/helpers/indexer/indexer.php
/administrator/components/com_redirect/models/fields/redirect.php
The source showed me this code:

Code:

malicious code removed
And more...

Code:

malicious code removed
Thank you leolam!

Until now my site has not been hacked again; I paid for one site on myjoomla for monitoring this month.

I hope this helps someone else.

Regards!
Last edited by Bernard T on Sat Aug 29, 2015 7:34 pm, edited 1 time in total.
Reason: don't post malware code in public

MaIcOl01
Joomla! Apprentice
Posts: 10
Joined: Wed Apr 22, 2015 2:59 am

Re: Injection of PHP file sending spam

Post by MaIcOl01 » Sat Aug 29, 2015 7:10 pm

BTW...

The solution was applying the proposed solution from myjoomla.com, for my site:

- Changed default Joomla template (I was using it)
- Creating an .htaccess for the /administrator/ folder (https://www.itsupportguides.com/joomla- ... directory/)
- Modifying robots.txt
- And erasing and fixing Suspect/Malicious Content In Files proposed and identified by myjoomla.com

You can run the audit and deep audit for free at myjoomla.com, and it will help identify and show how to fix the detected issues.

Edit: I found these interesting articles:

http://www.itoctopus.com/are-all-php-fi ... ite-hacked
http://www.itoctopus.com/why-suphp-is-i ... la-website
http://www.itoctopus.com/why-you-should ... a-websites

Bernard T
Joomla! Guru
Posts: 782
Joined: Thu Jun 29, 2006 11:44 am
Location: Hrvatska

Re: Injection of PHP file sending spam

Post by Bernard T » Sat Aug 29, 2015 9:12 pm

Hi MaIcOl01,

Your case is not just similar to the case you linked. It is actually similar to thousands of websites that get re-hacked every day while using popular and powerful CMS systems: Joomla, Drupal, WP etc.

Sites get hacked because owners don't update the core CMS and all extensions regularly. So their websites get to be a sitting duck, waiting for attackers to come and use a publicly known vulnerability in outdated versions present on the victimized website. Sometimes those vulnerabilities are several years old. I leave 2.5% for the sites being hacked as a collateral victim of a compromised server, and maybe 0.5% for all other cases, including being a "lucky winner" in a 0-day vulnerability attack spree.

Sites get perpetually re-hacked in 100% of the cases because of an unsatisfactory cleanup procedure.
The cleanup must ensure only two things:
  • every piece of malicious code should be removed
  • the way of initial infection has to be identified and eliminated (e.g. upgrade, uninstall)
The method of cleanup advised here by the security forum team, replacing old files with new, trustedly clean ones, is the best way anyone could go: http://forum.joomla.org/viewtopic.php?f=621&t=582854. It's fast (depending on site complexity), simple, and free.

Also note this. Any honest malware scanning tool manufacturer, be it computer antivirus software or an online tool, should honestly state it isn't in any way 100% reliable in automatically finding each and every vulnerable file. But they do try. I have used tens of programs and scripts, tested many services, and also have developed one such script myself. So I can tell you with a big certainty that even the automated tools marketed as "best available" fail to find every malicious file. Tools are a tremendous help, but only the extra factor of a human (or AI 8) ) can ensure all details are taken care of.
MaIcOl01 wrote:
- Changed default Joomla template (I was using it)
- Creating an .htaccess for the /administrator/ folder (https://www.itsupportguides.com/joomla- ... directory/)
- Modifying robots.txt
- And erasing and fixing Suspect/Malicious Content In Files proposed and identified by myjoomla.com
All of that is just generic advice; you could have found it in the Joomla Security Checklists, linked directly from the cleanup checklist link you already got from us before ;) ... and you could've saved some bucks. :pop

And on the subject of the PHP handler, I don't have the time at this moment so I have to finish up the post, but I will definitely post my point of view on why this approach is an astronomically wrong equation. Don't follow it.
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak
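An added example, not code from this thread, from the Joomla project or from myjoomla.com, of the cleanup principle Bernard describes (replace shipped files with trustedly clean ones) applied as a check over the kind of findings MaIcOl01 posted: comparing the live document root against a pristine unpacked copy of the same Joomla release flags shipped files whose content changed (like the listed /includes/defines.php) and PHP files the package never contained (like the dropped ini.php in an upload directory). The reference tree, the sample files and the tamper markers are all constructed inside the script; the suffix list and the site-specific exclusion are this example's own assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".phar"}
SITE_SPECIFIC = {"configuration.php"}  # legitimately differs per site; review by hand

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def compare_trees(reference: Path, live: Path):
    """reference: pristine unpacked Joomla package of the site's exact version;
    live: the document root. Returns (modified_core_files, unexpected_php_files)."""
    ref_hashes = {p.relative_to(reference).as_posix(): sha256_of(p)
                  for p in reference.rglob("*") if p.is_file()}
    modified, unexpected = [], []
    for p in live.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(live).as_posix()
        if rel in SITE_SPECIFIC:
            continue
        if rel in ref_hashes:
            if sha256_of(p) != ref_hashes[rel]:
                modified.append(rel)      # shipped file whose content changed
        elif p.suffix.lower() in PHP_SUFFIXES:
            unexpected.append(rel)        # PHP file the package never contained
    return sorted(modified), sorted(unexpected)

def build_demo_trees():
    """Constructed sample trees (not real Joomla files) reproducing both symptoms."""
    base = Path(tempfile.mkdtemp(prefix="joomla-demo-"))
    clean, live = base / "clean", base / "live"
    sample = {"includes/defines.php": "<?php\ndefine('JPATH_BASE', __DIR__);\n",
              "images/logo.png": "constructed placeholder, not a real PNG\n",
              "configuration.php": "<?php class JConfig {}\n"}
    for tree in (clean, live):
        for rel, body in sample.items():
            (tree / rel).parent.mkdir(parents=True, exist_ok=True)
            (tree / rel).write_text(body)
    # Tampered shipped file (the thread's /includes/defines.php) ...
    (live / "includes/defines.php").write_text(
        "<?php /* constructed: simulated injected prefix */\n"
        "define('JPATH_BASE', __DIR__);\n")
    # ... and a dropped PHP file in an upload directory (the thread's ini.php).
    (live / "images/ini.php").write_text("<?php // constructed: simulated dropped file\n")
    (live / "configuration.php").write_text("<?php class JConfig { public $x = 1; }\n")
    return clean, live
```

Third-party extensions such as the ones listed in the FPA output need their own reference packages added to the clean tree, otherwise every file they ship is reported as unexpected.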
