Finding Legitimate Files in Joomla
Moderators: mandville, General Support Moderators
- muddauber
- Joomla! Ace
- Posts: 1618
- Joined: Thu Jun 08, 2006 11:26 pm
Finding Legitimate Files in Joomla
Is there a quick way to verify legitimate files on a Joomla Install?
I have 3.6 installed, yet have 2 suspect files:
/components/com_content/867bti.php
/includes/litecache.php
I would like to delete them if they are not legitimate files.
Thanks for any reviews or comments
- Per Yngve Berg
- Joomla! Master
- Posts: 30929
- Joined: Mon Oct 27, 2008 9:27 pm
- Location: Romerike, Norway
Re: Finding Legitimate Files in Joomla
They are not present in the distribution package.
- muddauber
- Joomla! Ace
- Posts: 1618
- Joined: Thu Jun 08, 2006 11:26 pm
Re: Finding Legitimate Files in Joomla
Thanks, Per Yngve, I successfully removed these files from my system
- toivo
- Joomla! Master
- Posts: 17439
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: Finding Legitimate Files in Joomla
It is also important to find out how those files got to your site.
Follow the instructions in this sticky post: http://forum.joomla.org/viewtopic.php?f=714&t=757645
Toivo Talikka, Global Moderator
- abernyte
- Joomla! Virtuoso
- Posts: 4189
- Joined: Fri May 15, 2009 2:01 pm
- Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड
Re: Finding Legitimate Files in Joomla
litecache.php is from a WordPress plug-in. Toivo's warning should be heeded.
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine
- muddauber
- Joomla! Ace
- Posts: 1618
- Joined: Thu Jun 08, 2006 11:26 pm
Re: Finding Legitimate Files in Joomla
Yes, I understand that and am working on it.
-
- Joomla! Virtuoso
- Posts: 4025
- Joined: Mon Nov 25, 2013 4:35 pm
- Location: Montreal, Canada
- Contact:
Re: Finding Legitimate Files in Joomla
If you are on a VPS, then run a maldet scan on your website, I suspect these are not the only malicious files on your website. Also, it's a good idea to install a firewall such as RSFirewall, which will alert you of anything (for example, when a core file's MD5 signature is changed).
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter
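Both checks discussed so far (whether a file is "present in the distribution package", and whether a core file's hash has changed) come down to comparing the live tree with a freshly unpacked package of the same Joomla version. The following is an added example, not part of any post in this thread and not code from Joomla or the tools named here; it uses SHA-256 rather than MD5, and the directory layout, the `PHP_SUFFIXES` list and the sample file contents are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}  # assumed list of executable suffixes

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(site_root, reference_root):
    """Compare a live site with a pristine unpacked package of the same version."""
    site, ref = manifest(site_root), manifest(reference_root)
    unknown = sorted(set(site) - set(ref))
    is_php = lambda f: Path(f).suffix.lower() in PHP_SUFFIXES
    return {
        "modified": sorted(f for f in site.keys() & ref.keys() if site[f] != ref[f]),
        "unknown_php": [f for f in unknown if is_php(f)],        # review these first
        "unknown_other": [f for f in unknown if not is_php(f)],
        "missing": sorted(set(ref) - set(site)),
    }

def write(root, rel, body):
    (root / rel).parent.mkdir(parents=True, exist_ok=True)
    (root / rel).write_text(body)

def demo():
    """Constructed sample trees; contents are placeholders, not real Joomla code."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, site = Path(tmp, "reference"), Path(tmp, "site")
        for root in (ref, site):
            write(root, "index.php", "<?php // core entry point")
            write(root, "includes/framework.php", "<?php // core file")
        # Differences on the live copy, using file names mentioned in the thread.
        write(site, "index.php", "<?php // core entry point plus appended code")
        write(site, "includes/litecache.php", "<?php // not in the package")
        write(site, "logs/defines.php", "<?php // not in the package")
        write(site, "configuration.php", "<?php // created at install time")
        write(site, "images/banner.jpg", "constructed upload")
        (site / "includes/framework.php").unlink()
        return audit(site, ref)

if __name__ == "__main__":
    for category, files in demo().items():
        print(category, files)
```

`configuration.php`, uploads and files from installed extensions are legitimately absent from the core package, so the unknown lists are a review queue rather than a delete list.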
- muddauber
- Joomla! Ace
- Posts: 1618
- Joined: Thu Jun 08, 2006 11:26 pm
Re: Finding Legitimate Files in Joomla
Thanks itoctopus, I have AdminTools WAF firewall installed. I'll check out maldet scan. Do you consider RSFirewall better than Akeeba Firewall?
I found 3 additional suspect files on another site, showing that the files were modified core files. I replaced 2 of them, but one is not even in the core 3.6 package. The file name is \media\mon_languages\images\si_lk.gif
I would think it would be safe to remove that one.
And another file in logs/defines.php which I don't believe belongs on my site. Should there be any php files in the /logs folder?
- abernyte
- Joomla! Virtuoso
- Posts: 4189
- Joined: Fri May 15, 2009 2:01 pm
- Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड
Re: Finding Legitimate Files in Joomla
si_lk.gif is the Sinhala language flag, which is the subject of discussion in the Devs world. It seems to have been left out of some of the 3.5 changes, so it at least should be a Joomla file.
If you suspect you are hacked, you do realise that you are simply playing whack a mole and you would be far better to clean out and replace the installation as per standing advice in Security?
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine
- muddauber
- Joomla! Ace
- Posts: 1618
- Joined: Thu Jun 08, 2006 11:26 pm
Re: Finding Legitimate Files in Joomla
While I have removed several of the suspect files and run checks on Sucuri and MyJoomla which report my site as clean, I still get a message from Google webtools that my site is compromised. Can anyone recommend a malware removal tool that can help me find the problem? I am getting messages on Google webmaster that my site generates things like
/index.php?a=brahmi-powder-online
/index.php?a=order-vermox-online-russia-s
index.php?a=paxil-online-overnight-delivery
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Finding Legitimate Files in Joomla
Configserver Exploit Scanner finds these files (assuming you have cPanel running and you are hosted on a VPS or Dedi, since the Configserver suite only works with cPanel servers).
All files you have posted are dirt...... your server/site is (again?) severely breached. Maldet is notorious for missing a lot of issues and producing false positives. If you run on a VPS/Dedi, have the Config suite installed and especially http://configserver.com/cp/cxs.html will work out very nicely for you.
We are running these systems on all of our servers (the entire CFS-suite available) and they work marvelously.
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- PhilTaylor-Prazgod
- Joomla! Ace
- Posts: 1402
- Joined: Sat Aug 20, 2005 12:32 pm
- Location: Jersey, Channel Islands
- Contact:
Re: Finding Legitimate Files in Joomla
"MyJoomla which report my site as clean"
No it doesn't.
myJoomla.com clearly shows the hacked files in your site http://www.w********n.com/ however understanding the results, code and hacks takes experience - I will go and mark the files I see with a massive warning for you now by adding their specific hashes to our database even though they are not generic.
Your site is still hacked right now at the time of writing.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
- muddauber
- Joomla! Ace
- Posts: 1618
- Joined: Thu Jun 08, 2006 11:26 pm
New suspicious file found joomla_rss.php is it a hacked file
I found file /includes/joomla_rss.php on my recent audit that does not appear to be in my core system 3.6.0
I do not have any rss feeds or extensions added to this system.
Is this a legitimate core file? I did find it mentioned in other hacked sites.
Last edited by toivo on Wed Aug 10, 2016 6:15 am, edited 1 time in total.
Reason: mod note: merged with your previous topic - the issue is related
- toivo
- Joomla! Master
- Posts: 17439
- Joined: Thu Feb 15, 2007 5:48 am
- Location: Sydney, Australia
Re: New suspicious file found joomla_rss.php is it a hacked file
It is not a legitimate core file.
As mentioned earlier, follow the instructions in this sticky post: http://forum.joomla.org/viewtopic.php?f=714&t=757645
Toivo Talikka, Global Moderator