Xmap v1.2.10 download package is currently infected


Post by kenmcd » Wed Feb 23, 2011 2:31 pm

The Xmap 1.2.10 download file is currently infected.
See discussion here: http://forum.joomla.org/viewtopic.php?p ... 0#p2421860

It appears the Xmap website has been compromised.
The current v1.2.10 file is infected. (Xmap_1.2.10-UNZIP-First.zip)
I compared the current file downloaded today to the same file I downloaded on 2010-12-28.

There is now base64 encoded trojan code at the top of the install.xmap.php file:
Xmap_1.2.10-UNZIP-First_2011-02-23\com_xmap-1.2.10.zip\install.xmap.php

And there is an extra file (theme.php) with trojan code here:
Xmap_1.2.10-UNZIP-First_2011-02-23\com_xmap-1.2.10.zip\front\cache\theme.php
This file appears to be used for sending emails.

Also found base64 encoded code in slider.css.php here:
Xmap_1.2.10-UNZIP-First_2011-02-23_INFECTED\com_xmap-1.2.10\front\css\slider.css.php
Looks like that is another added emailer file which should not be there at all.


Two users have reported this in the Xmap forum - no response yet.
Virus detected in xmap!
http://joomla.vargas.co.cr/en/forum?vie ... f=5&t=3410
VIRUS found in Xmap 1.2.10
http://joomla.vargas.co.cr/en/forum?vie ... f=5&t=3409


Reported the extension on the JED.
People should not be downloading this file.


I would expect some users showing up in this forum looking to fix this infection.
██ LibreTraining
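
The comparison kenmcd describes above (today's download against a copy saved earlier), as an added example that is not part of the original thread: it hashes every member of two package zips, lists added and changed files, and flags PHP members that match decode-and-execute patterns. The sample archives are constructed in memory; the member names install.xmap.php, front/cache/theme.php and front/css/slider.css.php follow the post, while xmap.css, the file contents and all function names are assumptions.

```python
import hashlib, io, re, zipfile

# Byte patterns common in injected PHP loaders (heuristic, not exhaustive).
SUSPICIOUS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    re.compile(rb"base64_decode\s*\(", re.I),
    re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}"),  # very long base64-looking literal
]

def digests(zip_bytes):
    """Map each file in a zip archive to the SHA-256 of its content."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def suspicious_members(zip_bytes, names):
    """Return the PHP members among `names` that match a loader pattern."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(n for n in names if n.lower().endswith(".php")
                      and any(p.search(zf.read(n)) for p in SUSPICIOUS))

def compare_packages(known_good, suspect):
    """Diff a suspect package against a trusted copy of the same release."""
    good, bad = digests(known_good), digests(suspect)
    added = sorted(set(bad) - set(good))
    changed = sorted(n for n in good.keys() & bad.keys() if good[n] != bad[n])
    return {"added": added, "removed": sorted(set(good) - set(bad)),
            "changed": changed,
            "suspicious": suspicious_members(suspect, added + changed)}

def make_zip(files):
    """Build a zip in memory from {member name: bytes} (sample data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample data: a harmless stand-in for the injected stub.
STUB = b"<?php eval(base64_decode('ZWNobyAnY29uc3RydWN0ZWQnOw==')); ?>\n"
CLEAN = {"install.xmap.php": b"<?php\nfunction com_install() { return true; }\n",
         "front/css/xmap.css": b"body { margin: 0; }\n"}
TAMPERED = {**CLEAN, "install.xmap.php": STUB + CLEAN["install.xmap.php"],
            "front/cache/theme.php": STUB, "front/css/slider.css.php": STUB}

def demo():
    """Compare the constructed clean and tampered packages."""
    return compare_packages(make_zip(CLEAN), make_zip(TAMPERED))

if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

A pattern hit is a prompt for manual review; files added or changed in a package whose version number did not change are the stronger signal.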


Post by mandville » Wed Feb 23, 2011 3:11 pm

Thank you,
the extension has been added to the VEL http://docs.joomla.org/Vulnerable_Exten ... map_1.2.10 and the main entry for the JED unpublished.

The entry on the JED was for the beta version, but for user safety and those who are concerned about using beta versions, it was unpublished.
The developer has been informed by the JED.
External developers (JED entries) exploits should be notified to the developer and VEL team and not the JSST (Joomla core issues only).
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}


Post by mandville » Wed Feb 23, 2011 4:17 pm

Update, the developer has disabled site downloads while fixing the issue

Post by mandville » Thu Feb 24, 2011 1:00 pm

Topic being discussed in http://forum.joomla.org/viewtopic.php?f=471&t=596871
topic locked until developer has update

Post by guilleva » Sat Feb 26, 2011 9:32 pm

Hi all, thanks for everything, I have cleaned the site and the affected installation package.

Please read more about this on my site:
http://joomla.vargas.co.cr/en/news/4-xm ... ity-notice

Regards,

Guillermo


Post by mandville » Sat Feb 26, 2011 10:35 pm

guilleva wrote: Hi all, thanks for everything, I have cleaned the site and the affected installation package.

Thank you for your prompt investigation on this.
Item marked as resolved on the VEL.

Post by leolam » Sun Feb 27, 2011 5:18 pm

guilleva wrote: I have cleaned the site and the affected installation package.

Important to know, though, is how the distro got infected in the first place and what was done to protect us users from recurrent events?

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
#Joomla Webmaster Services: gws-webmaster.services


Re: Xmap v1.2.11 package Xmap

Post by leolam » Wed Mar 02, 2011 8:21 am

1.2.11 runs well...Good job Guillermo!

Leo 8)