The correct link (which shows 90% of the time) is just /features/main/3519-the-great-screenwriters-part-8-the-epstein-brothers, so not only is there some malicious-looking code in there, but the URLs are also being garbled with a bunch of junk after them.
/index.php/screenwriting-101/screenplay/screenwriting-;print(md5(acunetix_wvs_security_test));/screenplay/from-script-to-screen/component/banners/click/screenwriting-101/screenplay/five-plot-point-breakdowns/screenwriting-101/screenwriting/script-tips/screenplay/what-is-a-screenplay/component/banners/click/screenwriting-101/screenplay/five-plot-point-breakdowns/component/banners/click/feature/category/review/category/home/movie-reviews/screenwriting-101/screenplay/129-sequence-breakdowns/feature/category/screenwriting-101/screenplay/screenwriting-101/screenplay/sequence-breakdowns/features/main/review/category/movies/screenwriting-101/screenwriting/structure/three-acts/screenplay/131-five-plot-point-breakdowns/screenwriting-101/screenplay/21-what-is-a-screenplay/review/category/screenwriting-101/screenplay/features/main/3519-the-great-screenwriters-part-8-the-epstein-brothers
Sometimes `pg_select(30);` is there instead of the `print(md5(`, or sometimes I see a `$a=` in there.
I've scanned the site with Centrora and didn't find anything. I don't think the links are being manipulated client-side because when I view source, the bad links still show up sometimes.
Any ideas?
My FPA is below. I'm aware of the elevated permissions for allmode-tsl - they are not the issue. Thanks for any assistance.
Forum Post Assistant (v1.2.7) : 23rd September 2016
Last PHP Error(s) Reported ::
[23-Sep-2016 02:45:55 UTC] PHP Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone. in /var/www/html/f.php on line 581
Basic Environment ::
Joomla! Instance :: Joomla! 3.6.2-Stable (Noether) 4-August-2016
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (444) | Owner: apache (uid: 1/gid: 1) | Group: apache (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 1 | Cache: 1 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes
Host Configuration :: OS: Linux | OS Version: 4.4.19-29.55.amzn1.x86_64 | Technology: x86_64 | Web Server: Apache/2.4.23 (Amazon) OpenSSL/1.0.1k-fips PHP/5.4.45 | Encoding: gzip, deflate | Doc Root: /var/www/html | System TMP Writable: Yes
PHP Configuration :: Version: 5.4.45 | PHP API: fpm-fcgi | Session Path Writable: Yes | Display Errors: | Error Reporting: 22527 | Log Errors To: /var/log/php-fpm/www-error.log | Last Known Error: 23rd September 2016 02:46:40. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 64M | Max. POST Size: 64M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M
MySQL Configuration :: Version: 5.6.27-log (Client:5.5.51) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 562.63 MiB | #of Tables: 178
Detailed Environment ::
PHP Extensions :: Core (5.4.45) | date (5.4.45) | ereg () | libxml () | openssl () | pcre () | zlib (2.0) | bz2 () | calendar () | ctype () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | SPL (0.2) | iconv () | Reflection ($Id: f6367cdb4e3f392af4a6d441a6641de87c2e50c4 $) | session () | standard (5.4.45) | shmop () | SimpleXML (0.1) | sockets () | mbstring () | tokenizer (0.1) | xml () | cgi-fcgi () | apc (3.1.15-dev) | curl () | dom (20031129) | fileinfo (1.0.5) | gd () | json (1.2.1) | exif (1.4 $Id: 05041c5f0094cb46d9b516bd624d593b90cc38f9 $) | mysql (1.0) | mysqli (0.1) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | posix () | sqlite3 (0.7) | sysvmsg () | sysvsem () | sysvshm () | wddx () | xmlreader (0.1) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | mhash () | Zend Engine (2.4.0) |
Potential Missing Extensions :: mcrypt | suhosin |
Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe
Folder Permissions ::
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |
Elevated Permissions (First 10) :: modules/mod_raxo_allmode/tmpl/allmode-tsl/ (775) |
Extensions Discovered ::
Components :: SITE :: com_mailto (3.0.0) | Unknown (-) | com_wrapper (3.0.0) |
Components :: ADMIN :: com_sectionex (2.5.104) | com_users (3.0.0) | com_contenthistory (3.2.0) | com_newsfeeds (3.0.0) | com_finder (3.0.0) | com_joomlaupdate (3.6.1) | com_dbreplacer (5.1.3) | com_autotweet (6.6.1) | com_ajax (3.2.0) | com_redirect (3.0.0) | com_tags (3.1.0) | com_pixsearch (0.0.2) | com_modules (3.0.0) | JW_DISQUS (3.4) | FlexBanners (4.0.17) | com_jaamazons3 (2.5.7) | com_languages (3.0.0) | com_checkin (3.0.0) | Akeeba (3.9.2) | com_content (3.0.0) | com_weblinks (3.5.0) | COM_FAVICON (1.16) | com_cpanel (3.0.0) | Unknown (-) | com_regularlabsmanager (6.0.6) | com_redj (1.7.10) | com_banners (3.0.0) | OSE_FIREWALL (6.5.12) | com_xmap (2.3.3) | com_categories (3.0.0) | com_templates (3.0.0) | System - obRSS (3.1.0) | obRSS (1.8.13) | obRSS (2.0.0) | Content (3.1.7) | Weblinks (3.1.10) | Content - Load obRSS (3.1.0) | obRSS (3.1.0) | obRSS (3.1.19) | com_admin (3.0.0) | com_postinstall (3.2.0) | com_cache (3.0.0) | com_rereplacer (7.1.3) | com_login (3.0.0) | COM_[youtube] (3.5.1) | com_media (3.0.0) | JotCache (5.2.1) | com_search (3.0.0) | Canonical (3.3) | com_advancedmodules (6.2.4) | com_menus (3.0.0) | com_messages (3.0.0) | com_gnosis (1.1.0) | com_installer (3.0.0) | com_config (3.0.0) | com_plugins (3.0.0) | Admintools (4.0.1) |
Modules :: SITE :: [youtube] Gallery Module (3.5.1) | mod_whosonline (3.0.0) | mod_articles_archive (3.0.0) | mod_jse_megamenu (3.1.1) | mod_pixsearch (0.5) | FlexBanners (4.0.17) | mod_footer (3.0.0) | mod_stats (3.0.0) | mod_custom (3.0.0) | RAXO All-mode PRO (1.0) | RAXO Module Template - All-mod (1.4) | RAXO Module Template - All-mod (1.4) | RAXO Module Template - All-mod (1.5) | RAXO Module Template - All-mod (1.4) | RAXO Module Template - All-mod (1.4) | mod_search (3.0.0) | mod_banners (3.0.0) | mod_breadcrumbs (3.0.0) | mod_languages (3.5.0) | Flexi Custom Code (1.3) | mod_articles_news (3.0.0) | mod_articles_popular (3.0.0) | mod_articles_category (3.0.0) | RokAjaxSearch (2.0.1) | Ads Elite (3.10.0) | mod_login (3.0.0) | mod_news_pro_gk4 (GK4 3.3.7.1) | mod_finder (3.0.0) | AddThis Follow (2.0.0) | mod_tags_popular (3.1.0) | mod_related_items (3.0.0) | AutoTweetNG TW Follow (6.5.0) | mod_feed (3.0.0) | mod_weblinks (3.5.0) | obRSS (3.1.0) | mod_syndicate (3.0.0) | mod_wrapper (3.0.0) | mod_articles_categories (3.0.0) | mod_random_image (3.0.0) | mod_users_latest (3.0.0) | mod_articles_latest (3.0.0) | mod_tags_similar (3.1.0) | mod_menu (3.0.0) |
Modules :: ADMIN :: mod_title (3.0.0) | mod_latest (3.0.0) | mod_toolbar (3.0.0) | mod_autotweet_latest (6.4.0) | mod_stats_admin (3.0.0) | mod_multilangstatus (3.0.0) | mod_popular (3.0.0) | mod_custom (3.0.0) | mod_cachecleaner (5.2.0) | mod_quickicon (3.0.0) | mod_version (3.0.0) | Earnings Dashboard (1.2.1) | mod_login (3.0.0) | mod_feed (3.0.0) | mod_submenu (3.0.0) | mod_status (3.0.0) | mod_logged (3.0.0) | Google Analytics Dashboard (2.6) | mod_menu (3.0.0) |
Plugins :: SITE :: plg_authentication_gmail (3.0.0) | plg_authentication_ldap (3.0.0) | plg_authentication_cookie (3.0.0) | plg_authentication_joomla (3.0.0) | PLG_INSTALLER_URLINSTALLER (3.6.0) | plg_installer_webinstaller (1.0.5) | plg_installer_packageinstaller (3.6.0) | PLG_INSTALLER_FOLDERINSTALLER (3.6.0) | Content (3.1.7) | plg_extension_joomla (3.0.0) | plg_quickicon_joomlaupdate (3.0.0) | plg_quickicon_extensionupdate (3.0.0) | plg_twofactorauth_totp (3.2.0) | plg_twofactorauth_yubikey (3.2.0) | plg_finder_contacts (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_categories (3.0.0) | plg_finder_weblinks (3.5.0) | plg_finder_content (3.0.0) | plg_search_contacts (3.0.0) | plg_search_tags (3.0.0) | plg_search_newsfeeds (3.0.0) | plg_search_categories (3.0.0) | plg_search_weblinks (3.5.0) | plg_search_content (3.0.0) | plg_user_contactcreator (3.0.0) | plg_user_profile (3.0.0) | plg_user_joomla (3.0.0) | Xmap - SobiPro Plugin (2.0.2) | Xmap - Virtuemart Plugin (2.0.1) | Xmap - Kunena Plugin (2.0.3) | Xmap - Content Plugin (2.0.4) | Xmap - WebLinks Plugin (2.0.1) | XMAP_PLUGIN_K2 (1.3) | Xmap - Mosets Tree Plugin (2.0.2) | plg_editors-xtd_readmore (3.0.0) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_module (3.5.0) | plg_editors-xtd_image (3.0.0) | Button - JA Amazon S3 (1.0.1) | plg_editors-xtd_modulesanywher (6.0.1) | plg_editors-xtd_sourcerer (6.2.1) | plg_editors-xtd_article (3.0.0) | PLG_AOEDITOR_TITLE (1.0.6) | plg_editors_codemirror (5.17.0) | plg_editors_tinymce (4.4.0) | PLG_SYSTEM_JCH_OPTIMIZE (5.0.5) | System - Admin Forever (0.9.2) | plg_system_updatenotification (3.5.0) | System - obRSS (3.1.0) | plg_system_cdnforjoomla (5.2.2PRO) | plg_system_languagefilter (3.0.0) | System - Admin Tools (4.0.1) | plg_system_autotweetautomator (6.6.1) | JotCache (5.2.1) | plg_system_sef (3.0.0) | plg_system_logout (3.0.0) | System - JB Library (2.1.4) | System - Woopra 4 Joomla (1.0) | plg_system_cache (3.0.0) | System - JA 
Amazon S3 (2.5.7) | plg_system_redirect (3.0.0) | System - RokBooster (1.1.15) | plg_system_modulesanywhere (6.0.1) | T3 Framework (2.0.2) | plg_system_rereplacer (7.1.3) | plg_system_cachecleaner (5.2.0) | plg_system_nnframework (16.6.1) | plg_system_log (3.0.0) | plg_system_debug (3.0.0) | plg_system_favicon (1.16) | plg_system_sourcerer (6.2.1) | plg_system_p3p (3.0.0) | plg_system_remember (3.0.0) | PLG_SYS_SESSIONKEEPER (1.1) | plg_system_regularlabs (16.9.1281) | plg_system_redj (1.7.10) | JotMarker (5.2.1) | System - DISQUS Comments for J (3.4) | PLG_SYS_ADMINEXILE (2.3.6) | System - Centrora Security Act (6.0.0) | plg_system_advancedmodules (6.2.4) | plg_system_languagecode (3.0.0) | System - JSE Mega Menu Framewo (3.0.3) | plg_system_highlight (3.0.0) | System - Ads Starter Elite Plu (3.10.0) | plg_system_autotweetcontent (6.5.1) | plg_system_stats (3.5.0) | PLG_CANONICAL (1.4) | plg_autotweet_autotweetpost (6.4.0) | Crawler (5.2.1) | Recache (5.2.1) | Crawler Extended (5.2.1) | plg_captcha_recaptcha (3.4.0) | plg_content_loadmodule (3.0.0) | plg_content_emailcloak (3.0.0) | [youtube] Plugin (1.1) | Content - JA Bookmark (2.5.1) | Content - JA Disqus Debate Ech (2.5.3) | plg_content_pagebreak (3.0.0) | Content - ContentAds (1.0.4) | PLG_CONTENT_AUTOREADMORE_TITLE (4.0.7) | GJFields - a set of additional (1.0.27) | Content - Load obRSS (3.1.0) | plg_content_finder (3.0.0) | AllVideos (by JoomlaWorks) (4.5.0) | AllVideos (by JoomlaWorks) (4.5.0) | Content - Ads Elite (3.10.0) | Content - AdSection Elite (3.10.0) | gnosisplg (1.0.9b) | plg_content_pagenavigation (3.0.0) | Content - [youtube] Gallery (3.5.1) | plg_content_vote (3.0.0) | DISQUS Comments for Joomla! (b (3.4) | AddThis - Bookmark and Sharing (2.0.0) | plg_content_joomla (3.0.0) | plg_content_autotweetweblinks (6.4.0) |
Templates Discovered ::
Templates :: SITE :: beez3 (3.1.0) | ja_t3_blank (2.5.7) | ja_argo (1.0.3) | protostar (1.0) |
Templates :: ADMIN :: isis (1.0) | hathor (3.0.0) |
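
A way to check rendered pages for the symptom described in the post above, as an added example that is not part of the original post: it extracts every link from a page's HTML and flags hrefs containing the fragments the poster quotes, or many repeated path segments. The marker list comes from the post; the character class, the repeat threshold and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Fragments the post reports inside the garbled links.
PROBE_MARKERS = ("print(md5(", "acunetix_wvs_security_test", "pg_select(", "$a=")
# Assumption: these characters never occur in a legitimate SEF path on this site.
CODE_CHARS = re.compile(r"[;()$`<>]")
MAX_REPEATS = 3  # assumed threshold for repeated path segments

GOOD = "/features/main/3519-the-great-screenwriters-part-8-the-epstein-brothers"
# Constructed samples: shortened versions of the garbled link quoted in the post.
BAD = ("/index.php/screenwriting-101/screenplay/screenwriting-"
       ";print(md5(acunetix_wvs_security_test));/screenplay/from-script-to-screen"
       "/component/banners/click/screenwriting-101/screenplay"
       "/five-plot-point-breakdowns" + GOOD)
BAD2 = "/index.php/screenwriting-101/pg_select(30);" + GOOD
SAMPLE_HTML = "".join(f'<li><a href="{u}">article</a></li>' for u in (GOOD, BAD, BAD2))


class HrefCollector(HTMLParser):
    """Collect the href of every <a> tag in a document."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def inspect_href(href):
    """Return the reasons an href looks tampered with (empty list if clean)."""
    path = unquote(href.split("?", 1)[0])
    reasons = [f"marker {m!r}" for m in PROBE_MARKERS if m in path]
    if not reasons and CODE_CHARS.search(path):
        reasons.append("code characters in path")
    segments = [s for s in path.split("/") if s]
    repeats = len(segments) - len(set(segments))
    if repeats >= MAX_REPEATS:
        reasons.append(f"{repeats} repeated path segments")
    return reasons


def scan_html(html):
    """Map each suspicious href in the document to its list of reasons."""
    collector = HrefCollector()
    collector.feed(html)
    return {h: r for h in collector.hrefs if (r := inspect_href(h))}
```

Because the post says the bad links only show up some of the time, `scan_html` is best run over several fetches of the same page, and over files in the cache folder, to see which copy carries the tampered links.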