Hacked Site spamming mail

Discussion regarding Joomla! 3.x security issues.

FuriousGeorge
Joomla! Fledgling
Posts: 4
Joined: Wed Nov 19, 2014 12:56 am

Hacked Site spamming mail

Post by FuriousGeorge » Fri Nov 20, 2015 9:37 am

So far, I've scanned the webroot with clamAV and removed some viruses.

I've checked permissions, and fixed them if they were broken (I suspect this was the cause).

I've verified the cause is not a compromised shell account.

I've looked in Joomla logs for anything suspicious (though I'm not an expert).

I've updated Joomla to the latest version.

I will have everyone change their passwords when they get in tomorrow.

Forum Post Assistant (v1.2.4) : 20th November 2015 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.4.5-Stable (Ember) 22-October-2015
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Read-Only (644) | Owner: 0 (uid: /gid: ) | Group: 1003 (gid: ) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 0 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: none | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 3.10.0-123.20.1.el7.x86_64 | Technology: x86_64 | Web Server: Apache/2.4.6 (CentOS) PHP/5.4.16 | Encoding: gzip, deflate | Doc Root: /var/www/www.mmdevelopmentllc.com/ | System TMP Writable: Yes

PHP Configuration :: Version: 5.4.16 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: | Error Reporting: 22527 | Log Errors To: | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 2M | Max. POST Size: 8M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 128M

MySQL Configuration :: Version: 5.6.24 (Client:5.6.24) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 12.67 MiB | #of Tables:  121
Detailed Environment :: wrote:PHP Extensions :: Core (5.4.16) | date (5.4.16) | ereg () | libxml () | openssl () | pcre () | zlib (2.0) | bz2 () | calendar () | ctype () | hash (1.0) | filter (0.11.0) | ftp () | gettext () | gmp () | SPL (0.2) | iconv () | Reflection ($Id: 6c4d8062369898a397e4b128348042f5c01b4427 $) | session () | standard (5.4.16) | shmop () | SimpleXML (0.1) | sockets () | exif (1.4 $Id$) | tokenizer (0.1) | xml () | apache2handler () | curl () | dba () | fileinfo (1.0.5) | gd () | json (1.2.1) | mysql (1.0) | mysqli (0.1) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_sqlite (1.0.1) | Phar (2.0.1) | sqlite3 (0.7) | zip (1.11.0) | mhash () | Zend Engine (2.4.0) |
Potential Missing Extensions :: mbstring | mcrypt | suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Apache Modules :: core | mod_so | http_core | mod_access_compat | mod_actions | mod_alias | mod_allowmethods | mod_auth_basic | mod_auth_digest | mod_authn_anon | mod_authn_core | mod_authn_dbd | mod_authn_dbm | mod_authn_file | mod_authn_socache | mod_authz_core | mod_authz_dbd | mod_authz_dbm | mod_authz_groupfile | mod_authz_host | mod_authz_owner | mod_authz_user | mod_autoindex | mod_cache | mod_cache_disk | mod_data | mod_dbd | mod_deflate | mod_dir | mod_dumpio | mod_echo | mod_env | mod_expires | mod_ext_filter | mod_filter | mod_headers | mod_include | mod_info | mod_log_config | mod_logio | mod_mime_magic | mod_mime | mod_negotiation | mod_remoteip | mod_reqtimeout | mod_rewrite | mod_setenvif | mod_slotmem_plain | mod_slotmem_shm | mod_socache_dbm | mod_socache_memcache | mod_socache_shmcb | mod_status | mod_substitute | mod_suexec | mod_unique_id | mod_unixd | mod_userdir | mod_version | mod_vhost_alias | mod_dav | mod_dav_fs | mod_dav_lock | mod_lua | prefork | mod_proxy | mod_lbmethod_bybusyness | mod_lbmethod_byrequests | mod_lbmethod_bytraffic | mod_lbmethod_heartbeat | mod_proxy_ajp | mod_proxy_balancer | mod_proxy_connect | mod_proxy_express | mod_proxy_fcgi | mod_proxy_fdpass | mod_proxy_ftp | mod_proxy_http | mod_proxy_scgi | mod_systemd | mod_cgi | mod_php5 | Apache/2.4.6 (CentOS) PHP/5.4.16 |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_ssl | mod_qos | mod_userdir |
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) :: fpa/ForumPostAssistant-FPA-c6863cd/ (775) | fpa/ForumPostAssistant-FPA-c6863cd/Documentation/ (775) | fpa/ForumPostAssistant-FPA-c6863cd/Documentation/images/ (775) |
Extensions Discovered :: wrote:Components :: SITE :: com_mailto (3.0.0) | com_wrapper (3.0.0) |
Components :: ADMIN :: RSForm! (1.50.7) | com_menus (3.0.0) | com_categories (3.0.0) | com_tags (3.1.0) | com_languages (3.0.0) | com_checkin (3.0.0) | com_postinstall (3.2.0) | com_redirect (3.0.0) | com_admin (3.0.0) | com_plugins (3.0.0) | com_messages (3.0.0) | mod_k2_comments (-) | mod_k2_comments (-) | COM_K2 (2.6.8) | com_banners (3.0.0) | com_login (3.0.0) | com_cache (3.0.0) | com_finder (3.0.0) | com_media (3.0.0) | com_phocagallery (4.1.2) | com_templates (3.0.0) | com_installer (3.0.0) | com_joomlaupdate (3.0.0) | com_weblinks (3.0.0) | com_config (3.0.0) | com_modules (3.0.0) | com_users (3.0.0) | com_newsfeeds (3.0.0) | com_content (3.0.0) | com_search (3.0.0) | com_cpanel (3.0.0) | com_contenthistory (3.2.0) | com_ajax (3.2.0) |

Modules :: SITE :: mod_st_slider (1.3) | mod_phocagallery_image (4.0.0) | K2 Content (2.6.8) | mod_st_promo_image (1.0) | K2 Users (2.6.8) | mod_st_newsflash (1.0) | mod_feed (3.0.0) | mod_wrapper (3.0.0) | mod_login (3.0.0) | mod_tags_popular (3.1.0) | K2 Comments (2.6.8) | mod_footer (3.0.0) | mod_articles_news (3.0.0) | mod_languages (3.0.0) | mod_menu (3.0.0) | mod_syndicate (3.0.0) | mod_random_image (3.0.0) | mod_whosonline (3.0.0) | K2 User (2.6.8) | mod_search (3.0.0) | mod_articles_category (3.0.0) | mod_custom (3.0.0) | mod_stats (3.0.0) | mod_weblinks (3.0.0) | mod_articles_archive (3.0.0) | mod_breadcrumbs (3.0.0) | mod_banners (3.0.0) | mod_articles_latest (3.0.0) | mod_tags_similar (3.1.0) | K2 Tools (2.6.8) | mod_finder (3.0.0) | mod_articles_categories (3.0.0) | mod_users_latest (3.0.0) | mod_articles_popular (3.0.0) | mod_related_items (3.0.0) |
Modules :: ADMIN :: mod_version (3.0.0) | K2 Quick Icons (admin) (2.6.8) | mod_multilangstatus (3.0.0) | mod_feed (3.0.0) | mod_login (3.0.0) | mod_menu (3.0.0) | mod_stats_admin (3.0.0) | mod_quickicon (3.0.0) | K2 Stats (admin) (2.6.8) | mod_status (3.0.0) | mod_logged (3.0.0) | mod_toolbar (3.0.0) | mod_title (3.0.0) | mod_submenu (3.0.0) | mod_custom (3.0.0) | mod_popular (3.0.0) | mod_latest (3.0.0) |

Plugins :: SITE :: AllVideos (by JoomlaWorks) (4.5.0) | AllVideos (by JoomlaWorks) (4.5.0) | plg_content_geshi (3.0.0) | plg_content_pagenavigation (3.0.0) | plg_content_joomla (3.0.0) | plg_content_loadmodule (3.0.0) | plg_content_vote (3.0.0) | plg_content_emailcloak (3.0.0) | plg_content_finder (3.0.0) | plg_content_pagebreak (3.0.0) | System - RSForm! Pro reCAPTCHA (1.4.0) | plg_system_languagecode (3.0.0) | PLG_SYSTEM_NNFRAMEWORK (15.1.2) | PLG_SYSTEM_ARTICLESANYWHERE (3.7.3FREE) | System - K2 (2.6.8) | plg_system_highlight (3.0.0) | plg_system_p3p (3.0.0) | plg_system_debug (3.0.0) | PLG_SYSTEM_MODULESANYWHERE (3.6.3FREE) | plg_system_remember (3.0.0) | plg_system_redirect (3.0.0) | plg_system_languagefilter (3.0.0) | plg_system_logout (3.0.0) | plg_system_cache (3.0.0) | plg_system_sef (3.0.0) | plg_system_log (3.0.0) | PLG_SYS_ADMINEXILE (2.3.6) | Josetta - K2 Items (2.6.8) | Josetta - K2 Categories (2.6.8) | plg_user_profile (3.0.0) | User - K2 (2.6.8) | plg_user_joomla (3.0.0) | plg_user_contactcreator (3.0.0) | plg_twofactorauth_yubikey (3.2.0) | plg_twofactorauth_totp (3.2.0) | plg_authentication_joomla (3.0.0) | plg_authentication_gmail (3.0.0) | plg_authentication_cookie (3.0.0) | plg_authentication_ldap (3.0.0) | plg_editors_codemirror (5.6) | plg_editors_tinymce (4.1.7) | plg_extension_joomla (3.0.0) | plg_quickicon_joomlaupdate (3.0.0) | plg_quickicon_extensionupdate (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_k2 (2.6.8) | plg_finder_weblinks (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_categories (3.0.0) | plg_finder_newsfeeds (3.0.0) | plg_finder_content (3.0.0) | plg_captcha_recaptcha (3.4.0) | PLG_EDITORS-XTD_ARTICLESANYWHE (3.7.3FREE) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_readmore (3.0.0) | PLG_EDITORS-XTD_MODULESANYWHER (3.6.3FREE) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_article (3.0.0) | plg_search_tags (3.0.0) | Search - K2 (2.6.8) | plg_search_weblinks (3.0.0) | plg_search_contacts (3.0.0) | plg_search_categories (3.0.0) | plg_search_newsfeeds (3.0.0) | plg_search_content (3.0.0) |
Templates Discovered :: wrote:Templates :: SITE :: HLI (1.2) | beez3 (3.1.0) | protostar (1.0) |
Templates :: ADMIN :: isis (1.0) | hathor (3.0.0) |


This site is not mine. I'm not a web dev. It belongs to a company with a fired web dev, and I am hosting it temporarily. I don't know much about Joomla, but I feel confident I can learn enough to resolve this issue.

There are 40K+ files in there and I'd rather not have to use process of elimination.
Last edited by mandville on Fri Nov 20, 2015 12:27 pm, edited 1 time in total.
Reason: disabled smilies for clarity.
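The steps above (AV scan, permission check, log review, update) leave the "which of the 40K files is the mailer" question open. The script below is an added example, not code from this thread or from the Joomla project, of how a defender can narrow that search by machine instead of by elimination. It assumes a standard Joomla 3.x layout in which images/, cache/, tmp/ and logs/ should only ever hold data, and it flags four things worth a manual look: PHP living in one of those data-only directories (by extension or by a `<?php` tag inside a file with an innocent extension), files modified recently, files that are group- or world-writable, and PHP containing obfuscation or mailer tokens (eval, base64_decode, gzinflate, str_rot13, mail). None of those alone proves compromise; the output is a short list to read, not a verdict. The sample webroot it builds in a temp directory is constructed for the demonstration, including the inert "dropper" (an eval of base64 for `echo 1;`).

```python
"""Triage a suspected-compromised Joomla 3.x webroot without reading 40K files by hand.

Added example (not code from the thread or the Joomla project). Assumptions:
  * a standard Joomla 3.x layout, where images/, cache/, tmp/ and logs/ hold data only;
  * a PHP file in one of those directories, a recent modification, a group/world-writable
    mode, or an obfuscation/mailer token is worth a manual look, not proof of compromise.
"""
import os
import re
import stat
import tempfile
import time
from pathlib import Path

DATA_ONLY_DIRS = ("images", "cache", "tmp", "logs")
PHP_EXT = {".php", ".phtml", ".php5"}
INDICATORS = re.compile(
    rb"\b(eval|base64_decode|gzinflate|str_rot13|mail)\s*\(", re.IGNORECASE
)


def triage_webroot(root, since_days=30, now=None):
    """Walk ``root`` and return a dict of findings keyed by category.

    Each category holds webroot-relative paths (``indicators`` holds
    ``(path, [tokens])`` tuples), sorted so the report is stable."""
    root = Path(root)
    now = time.time() if now is None else now
    cutoff = now - since_days * 86400
    findings = {"php_in_data_dir": [], "recently_modified": [],
                "writable": [], "indicators": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        st = path.stat()
        with path.open("rb") as fh:
            head = fh.read(512 * 1024)  # enough to see a dropper; avoids slurping big files
        # PHP by extension or by content: a payload disguised as .jpg still opens with a tag.
        is_php = path.suffix.lower() in PHP_EXT or b"<?php" in head[:4096]
        if is_php and rel.split("/")[0] in DATA_ONLY_DIRS:
            findings["php_in_data_dir"].append(rel)
        if st.st_mtime >= cutoff:
            findings["recently_modified"].append(rel)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings["writable"].append(rel)
        if is_php:
            tokens = sorted({m.group(1).lower().decode() for m in INDICATORS.finditer(head)})
            if tokens:
                findings["indicators"].append((rel, tokens))
    for category in findings.values():
        category.sort()
    return findings


def build_sample_webroot(base, now):
    """Create a small, constructed Joomla-like tree. Every path and body here is made up
    for the demonstration; the dropper is an inert eval of base64('echo 1;')."""
    base = Path(base)
    old = now - 400 * 86400
    files = {
        "index.php": (b"<?php\ndefine('_JEXEC', 1);\n", old, 0o644),
        "configuration.php": (b"<?php\nclass JConfig {}\n", old, 0o644),
        "templates/protostar/index.php": (b"<?php defined('_JEXEC') or die;\n", old, 0o644),
        "images/logo.png": (b"\x89PNG\r\n\x1a\n", old, 0o644),
        # two planted findings: PHP under images/, and a PHP mailer hiding as a .jpg
        "images/stories/thumb.php": (b"<?php eval(base64_decode('ZWNobyAxOw=='));\n",
                                     now - 3600, 0o644),
        "cache/sess.jpg": (b"<?php mail($to, $subject, $body);\n", now - 7200, 0o666),
    }
    for rel, (body, mtime, mode) in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
        os.chmod(p, mode)
        os.utime(p, (mtime, mtime))
    return base


def run_demo(now=None):
    """Build the constructed tree in a temp dir, triage it and return the findings."""
    now = time.time() if now is None else now
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp, now)
        return triage_webroot(tmp, since_days=30, now=now)


if __name__ == "__main__":
    for category, items in run_demo().items():
        print(f"== {category} ({len(items)})")
        for item in items:
            print("  ", item)
```

Against a real webroot you would call `triage_webroot("/var/www/<site>", since_days=30)` instead of `run_demo()`; the constructed tree produces two hits in every category except `writable`, which catches only the 0666 file. Core and extension files legitimately call `mail(` in a few places, so expect some noise in `indicators` and judge each hit by where it lives and when it changed; the other three categories are the sharper signals.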

darb
Joomla! Hero
Posts: 2042
Joined: Thu Jul 06, 2006 12:57 pm
Location: Stockholm Sweden

Re: Hacked Site spamming mail

Post by darb » Fri Nov 20, 2015 10:26 am

sorry posted wrong :(

Rondeb
Joomla! Guru
Posts: 623
Joined: Mon Dec 02, 2013 12:14 pm
Location: Meschede - Germany

Re: Hacked Site spamming mail

Post by Rondeb » Fri Nov 20, 2015 1:02 pm


FuriousGeorge
Joomla! Fledgling
Posts: 4
Joined: Wed Nov 19, 2014 12:56 am

Re: Hacked Site spamming mail

Post by FuriousGeorge » Mon Nov 30, 2015 5:15 pm

Rondeb wrote: Look at this.
http://www.spamhaus.org/dbl/removal/rec ... entllc.com

Greetings Ron ;D

Fortunately the domain and the IP are not listed.

Unfortunately, I'm not any closer to finding the offending code than with OP :/

FuriousGeorge
Joomla! Fledgling
Posts: 4
Joined: Wed Nov 19, 2014 12:56 am

Re: Hacked Site spamming mail

Post by FuriousGeorge » Tue Dec 01, 2015 7:13 pm

Rondeb wrote: Look at this.
http://www.spamhaus.org/dbl/removal/rec ... entllc.com

Greetings Ron ;D

I went to the link a second time, and it said the site was blacklisted, and even identified the offending file.

Went through the security checklist again, and everything appears good.

Thanks so much for that.

Wish I could edit original post to mark it solved, as that will surely be useful to someone.

It should be on the hacked site checklist page too.
