Findind Legitimate Files in Joomla

[muddauber]

Is there a quick way to verify legitimate files on a Joomla Install?

I have 3.6 installed, yet have 2 suspect files:

/components/com_content/867bti.php

/includes/litecache.php

I would like to delete them if they are not legitimate files.
Thanks for any reviews or comments

[Per Yngve Berg]

They are not present in the distribution package.

[muddauber]

Thanks, Per Yngve, I successfully removed these files from my system

[toivo]

It is also important to find out how those files got to your site.

Follow the instructions in this sticky post: http://forum.joomla.org/viewtopic.php?f=714&t=757645

[abernyte]

litecache.php is from a Wordpress plug-in. Toivo's warning should be heeded.

[muddauber]

Yes, I understand that and working on it

[itoctopus]

If you are on a VPS, then run a maldet scan on your website, I suspect these are not the only malicious files on your website. Also, it's a good idea to install a firewall such as RSFirewall, which will alert you of anything (for example, when a core file's MD5 signature is changed).

[muddauber]

Thanks ITOCTPUS, I have AdminTools WAF firewall installed. I'll check out maldet scan. Do you consider RSFirewall better than Akeeba Firewall?

I found 3 additional suspect files on another site, showing that the files were modified core files. I replaced 2 of them, but one is not even in the core 3.6 package. The file name is \media\mon_languages\images\si_lk.gif
I would think it would be save to remove that one.

And another file in logs/defines.php which I don't believe belongs on my site. Should there be any php files in the /logs folder?

[abernyte]

si_lk.gif is the Sinhala language flag which is subject of discussion in the Devs world. It seems to have been left out of some of the 3.5 changes so it at least should be a Joomla file.
If you suspect you are hacked, you do realise that you are simply playing whack a mole and you would be far better to clean out and replace the installation as per standing advice in Security?

[muddauber]

While I have removed several of the suspect files and ran checks on Sucuri and MyJoomla which report my site as clean, I still get message from Google webtools that my site is compromised. Can anyone recommend a malware removal tool that can help me find the problem. I am getting messages on Google webmaster that my site generates things like
/index.php?a=brahmi-powder-online
/index.php?a=order-vermox-online-russia-s
index.php?a=paxil-online-overnight-delivery

[leolam]

Configserver Exploit Scanner finds these files (assuming your have cPanel running and you are hosted on a VPS or Dedi since the Configserver suite only works with cPanel servers.

All files you have posted are dirt...... your server/site is (again?) severely breached. Maldet is notorious for missing a lot of issues and producing false positives. If you run of a VPS/Dedi have the Config suite installed and especially http://configserver.com/cp/cxs.html will work out very nicely for you

We are running these systems on all of our servers (the entire CFS-suite available) and they work marvelous

Leo

[PhilTaylor-Prazgod]

MyJoomla which report my site as clean

No it doesnt.

myJoomla.com clearly shows the hacked files in your site http://www.w********n.com/ however understanding the results, code and hacks takes experience - I will go and mark the files I see with a massive warning for you now by adding their specific hashes to our database even though they are not generic.

Your site is still hacked right now at the time of writing.

[muddauber]

I found file /includes/joomla_rss.php on my recent audit that does not
appear to be in my core system 3.6.0

I do not have any rss feeds or extensions added to this system.

Is this a legitimate core file? I did find it mentioned in other hacked sites.

[toivo]

It is not a legitimate core file.

As mentioned earlier, follow the instructions in this sticky post: http://forum.joomla.org/viewtopic.php?f=714&t=757645