Compromised CMS and Outbound Spam

Discussion regarding Joomla! 2.5 security issues.


Compromised CMS and Outbound Spam

Postby mjguo » Fri Apr 03, 2015 5:01 pm

Our website has been compromised: outbound spam.

/home/justcha/public_html/components/com_imageshow/views/list/footer.php: Php.Trojan.StopPost FOUND
/home/justcha/public_html/components/com_xmap/views/html/template.php: Php.Trojan.StopPost FOUND
/home/justcha/public_html/components/com_contact/router.php: Php.Trojan.StopPost FOUND
/home/justcha/public_html/components/com_users/controllers/remind.php: Php.Trojan.StopPost FOUND
/home/justcha/public_html/images/jsn_is_thumbs/images/Metal/sql.php: Php.Trojan.StopPost FOUND
/home/justcha/public_html/language/pt-BR/cache.php: Php.Trojan.StopPost FOUND
/home/justcha/public_html/libraries/joomla/database/exception.php: Php.Trojan.StopPost FOUND
/home/justcha/public_html/libraries/phputf8/utils/bad.php: Php.Trojan.StopPost FOUND
/home/justcha/public_html/libraries/phpmailer/language/blog.php: {HEX}php.base64.v23au.184.UNOFFICIAL FOUND
/home/justcha/public_html/modules/mod_syndicate/tmpl/error.php: Php.Trojan.StopPost FOUND
/home/justcha/public_html/modules/mod_djmenu/assets/css/file.php: Php.Trojan.StopPost FOUND
/home/justcha/public_html/modules/mod_araticlws/mod_araticlws.php: {HEX}php.cmdshell.unclassed.357.UNOFFICIAL FOUND
/home/justcha/public_html/modules/mod_araticlws/session.php: Php.Trojan.StopPost FOUND
/home/justcha/public_html/plugins/acymailing/tagcontent/global.php: Php.Trojan.StopPost FOUND
/home/justcha/public_html/plugins/josetta_ext/k2category/utf.php: Php.Trojan.StopPost FOUND
/home/justcha/public_html/plugins/system/sef/option.php: {HEX}php.base64.v23au.184.UNOFFICIAL FOUND
/home/justcha/public_html/plugins/captcha/.test.php: {HEX}php.base64.v23au.184.UNOFFICIAL FOUND
/home/justcha/public_html/plugins/jsnimageshow/themeclassic/defines.php: Php.Malware.Mailbot-1 FOUND
/home/justcha/public_html/plugins/jsnimageshow/themestrip/search.php: Php.Trojan.StopPost FOUND
/home/justcha/public_html/plugins/content/finder/options.php: Php.Trojan.StopPost FOUND
/home/justcha/public_html/tmp/install_538fc513d1496/options.php: {HEX}php.base64.v23au.184.UNOFFICIAL FOUND
/home/justcha/public_html/crm/include/session.php: Php.Trojan.StopPost FOUND
CT-160095bash-3.2# exim -Mvh 1YciEX-0005w7-37; exim -Mvb 1YciEX-0005w7-37
1YciEX-0005w7-37-H
justcha 512 32002
<lucas_wagner@justchair.com>
1427754757 0
-ident justcha
-received_protocol local
-body_linecount 42
-max_received_linelength 167
-auth_id justcha
-auth_sender justcha@server.mjwic.com
-allow_unqualified_recipient
-allow_unqualified_sender
-local
-sender_set_untrusted
XX
1
kasun-lakmal@blokspot.com

197P Received: from justcha by server.mjwic.com with local (Exim 4.82)
(envelope-from <lucas_wagner@.com>)
id 1YciEX-0005w7-37
for kasun-lakmal@blokspot.com; Mon, 30 Mar 2015 18:32:37 -0400
030T To: kasun-lakmal@blokspot.com
046 Subject: Secret of slenderness without hunger
038 Date: Mon, 30 Mar 2015 17:32:37 -0500
048F From: Lucas Wagner <lucas_wagner@.com>
061I Message-ID: <916dc61bafa84f2876dd513c8d189da8@justchair.com>
014 X-Priority: 3
068 X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
018 MIME-Version: 1.0
085 Content-Type: multipart/alternative;
boundary="b1_916dc61bafa84f2876dd513c8d189da8"
032 Content-Transfer-Encoding: 8bit
1YciEX-0005w7-37-D

Hi.

No need to change the way you eat.

hXXp://ipasticcidellacuoca.it/press.php?e=8 Read more right now.

Problem Description :: Compromised CMS and Outbound Spam
Log/Error Message :: no error message
Last PHP Error(s) Reported :: [31-Dec-2014 19:01:21 America/Chicago] PHP Strict Standards: Only variables should be assigned by reference in /home/justcha/public_html/plugins/system/webfonts/helpers/head.php on line 26
Forum Post Assistant (v1.2.4) : 3rd April 2015
Basic Environment ::
Joomla! Instance :: Joomla! 2.5.11-Stable (Ember) 26-April-2013
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: justcha (uid: 1/gid: 1) | Group: justcha (gid: 1) | Valid For: 2.5
Configuration Options :: Offline: 1 | SEF: 1 | SEF Suffix: 1 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: none | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 1 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-042stab094.8 | Technology: i686 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/justcha/public_html | System TMP Writable: Yes

PHP Configuration :: Version: 5.4.38 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 24567 | Log Errors To: error_log | Last Known Error: 31st December 2014 19:01:21. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: /home/justcha:/usr/lib/php:/usr/local/lib/php:/tmp | Uploads: 1 | Max. Upload Size: 1024M | Max. POST Size: 260M | Max. Input Time: 80 | Max. Execution Time: 18000 | Memory Limit: 256M

MySQL Configuration :: Version: 5.5.40-cll (Client:5.5.40) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 14.20 MiB | #of Tables: 227
Detailed Environment ::
PHP Extensions :: Core (5.4.38) | date (5.4.38) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7) | zlib (2.0) | bcmath () | calendar () | ctype () | curl () | dom (20031129) | filter (0.11.0) | ftp () | gd () | gettext () | gmp () | hash (1.0) | iconv () | SPL (0.2) | json (1.2.1) | mbstring () | mcrypt () | session () | mysql (1.0) | mysqli (0.1) | standard (5.4.38) | Phar (2.0.1) | posix () | Reflection ($Id: f6367cdb4e3f392af4a6d441a6641de87c2e50c4 $) | mysqlnd (mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | SimpleXML (0.1) | sockets () | imap () | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.11.0) | apache2handler () | PDO (1.0.4dev) | pdo_sqlite (1.0.1) | pdo_mysql (1.0.2) | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.4.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No

Apache Modules :: core | mod_authn_file | mod_authn_default | mod_authz_host | mod_authz_groupfile | mod_authz_user | mod_authz_default | mod_auth_basic | mod_include | mod_filter | mod_deflate | mod_log_config | mod_logio | mod_env | mod_expires | mod_headers | mod_unique_id | mod_setenvif | mod_version | mod_proxy | mod_proxy_connect | mod_proxy_ftp | mod_proxy_http | mod_proxy_scgi | mod_proxy_ajp | mod_proxy_balancer | mod_ssl | itk | http_core | mod_mime | mod_status | mod_autoindex | mod_asis | mod_info | mod_suexec | mod_cgi | mod_negotiation | mod_dir | mod_actions | mod_userdir | mod_alias | mod_rewrite | mod_so | mod_disable_suexec | mod_bwlimited | mod_php5 | Apache |
Potential Missing Modules :: mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |
Folder Permissions ::
Core Folders :: images/ (777) | components/ (777) | modules/ (777) | plugins/ (777) | language/ (777) | templates/ (777) | cache/ (777) | logs/ (777) | tmp/ (777) | administrator/components/ (777) | administrator/modules/ (777) | administrator/language/ (777) | administrator/templates/ (777) |

Elevated Permissions (First 10) :: administrator/ (777) | administrator/cache/ (777) | administrator/components/ (777) | administrator/help/ (777) | administrator/includes/ (777) | administrator/language/ (777) | administrator/manifests/ (777) | administrator/modules/ (777) | administrator/modules/mod_imageshow_quickicon/ (777) | administrator/templates/ (777) |
Extensions Discovered ::
Components :: SITE :: com_mailto (2.5.0) | WF_LINK_SEARCH_TITLE (2.3.1) | [youtube] (2.3.1) | WF_AGGREGATOR_VIMEO_TITLE (2.3.1) | WF_AGGREGATOR_GOOGLEMAPS_TITLE (2.3.1) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.3.1) | WF_LINKS_JOOMLALINKS_TITLE (2.3.1) | WF_FILESYSTEM_JOOMLA_TITLE (2.3.1) | WF_POPUPS_JCEMEDIABOX_TITLE (2.3.1) | WF_POPUPS_WINDOW_TITLE (2.3.1) | WF_POPUPS_WIDGETKIT_TITLE (2.0.3) | WF_POPUPS_ROKBOX_TITLE (2.0.0) | WF_FULLSCREEN_TITLE (2.3.1) | WF_CONTEXTMENU_TITLE (2.3.1) | WF_SEARCHREPLACE_TITLE (2.3.1) | WF_ANCHOR_TITLE (2.3.1) | WF_IFRAME_TITLE (2.0.1) | WF_BROWSER_TITLE (2.3.1) | WF_NONBREAKING_TITLE (2.3.1) | WF_XHTMLXTRAS_TITLE (2.3.1) | WF_STYLE_TITLE (2.3.1) | WF_TEXTCASE_TITLE (2.3.1) | [Do not buy our kitchens!] (2.3.1) | WF_TABLE_TITLE (2.3.1) | WF_PREVIEW_TITLE (2.3.1) | WF_LAYER_TITLE (2.3.1) | WF_AUTOSAVE_TITLE (2.3.1) | WF_IMGMANAGER_EXT_TITLE (2.0.13) | WF_CAPTION_TITLE (2.0.3) | WF_ARTICLE_TITLE (2.3.1) | WF_MEDIAMANAGER_TITLE (2.0.8) | WF_SPELLCHECKER_TITLE (2.3.1) | WF_VISUALCHARS_TITLE (2.3.1) | WF_INLINEPOPUPS_TITLE (2.3.1) | WF_TEMPLATEMANAGER_TITLE (2.0.4) | WF_LISTS_TITLE (2.3.1) | WF_EMOTIONS_TITLE (2.0.2) | WF_SOURCE_TITLE (2.3.1) | WF_LINK_TITLE (2.3.1) | WF_CLEANUP_TITLE (2.3.1) | WF_FULLPAGE_TITLE (2.0.2) | WF_FILEMANAGER_TITLE (2.1.5) | WF_VISUALBLOCKS_TITLE (2.3.1) | WF_MEDIA_TITLE (2.3.1) | WF_CLIPBOARD_TITLE (2.3.1) | WF_IMGMANAGER_TITLE (2.3.1) | WF_DIRECTIONALITY_TITLE (2.3.1) | WF_PRINT_TITLE (2.3.1) | com_wrapper (2.5.0) | spambotcheck (1.0.1) |
Components :: ADMIN :: AcyMailing Tag : Manage the Su (3.7.0) | AcyMailing table of contents g (1.0.0) | AcyMailing Manage text (1.0.0) | AcyMailing Tag : Date / Time (3.7.0) | AcyMailing : share on social n (1.0.0) | AcyMailing : Statistics Plugin (3.7.0) | AcyMailing Tag : content inser (3.7.0) | AcyMailing : Handle Click trac (3.7.0) | AcyMailing Module (3.7.0) | AcyMailing : (auto)Subscribe d (3.7.0) | AcyMailing Tag : CB User infor (3.7.0) | AcyMailing Template Class Repl (3.7.0) | AcyMailing Tag : Joomla User I (3.7.0) | AcyMailing : trigger Joomla Co (3.7.0) | AcyMailing Tag : Website links (3.7.0) | AcyMailing Tag : VirtueMart in (1.2.1) | AcyMailing Tag : Insert a Modu (3.7.0) | AcyMailing Tag : Subscriber in (3.7.0) | AcyMailing (4.1.0) | com_weblinks (2.5.0) | com_messages (2.5.0) | com_modules (2.5.0) | com_config (2.5.0) | com_newsfeeds (2.5.0) | com_cache (2.5.0) | VIRTUEMART (-) | ECB Currency Converter (1.0) | com_banners (2.5.0) | com_content (2.5.0) | com_checkin (2.5.0) | ImageShow (4.7.0) | ImageShow (4.7.0) | com_redirect (2.5.0) | com_xmap (2.3.2) | com_media (2.5.0) | com_installer (2.5.0) | com_joomlaupdate (2.5.0) | com_cpanel (2.5.0) | com_languages (2.5.0) | CSVI (5.5) | JCE (2.3.1) | Unknown (-) | Editor - JCE (2.3.1) | Editor - JCE (2.3.1) | plg_quickicon_jcefilebrowser (2.5.0) | JCE File Browser (2.3.1) | VirtueMart_allinone (2.0.20b) | Magic Zoom Plus module for Joo (v4.4.57 [v1.2) | Magic Zoom Plus (v4.4.57 [v1.2) | com_search (2.5.0) | com_users (2.5.0) | com_plugins (2.5.0) | com_admin (2.5.0) | ChronoForms (4.0 RC3.5.1) | com_finder (2.5.0) | com_menus (2.5.0) | com_categories (2.5.0) | com_login (2.5.0) | COM_K2 (2.6.9) | mod_k2_comments (-) | mod_k2_comments (-) | com_templates (2.5.0) | COM_WEBFONTS (2.0.7) | COM_IJOOMLA_SEO (3.1.5) | sales (1.0.0) |

Modules :: SITE :: mod_users_latest (2.5.0) | K2 Comments (2.6.9) | mod_articles_latest (2.5.0) | TCVN VM Dropdown Category (1.0) | mod_virtuemart_product (2.0.20b) | mod_virtuemart_currencies (2.0.20b) | mod_finder (2.5.0) | K2 Users (2.6.9) | mod_virtuemart_manufacturer (2.0.20b) | mod_related_items (2.5.0) | mod_footer (2.5.0) | mod_menu (2.5.0) | mod_weblinks (2.5.0) | mod_syndicate (2.5.0) | DJ-Menu (1.7.4) | mod_virtuemart_category (2.0.20b) | mod_wrapper (2.5.0) | mod_articles_news (2.5.0) | mod_articles_popular (2.5.0) | mod_random_image (2.5.0) | mod_breadcrumbs (2.5.0) | Custom Banner (for Joomla 2.) | ChronoForms (V4 RC3.0) | AcyMailing Module (3.7.0) | mod_custom (2.5.0) | DJ-Menu (1.7.4) | mod_articles_category (2.5.0) | mod_articles_archive (2.5.0) | mod_login (2.5.0) | mod_stats (2.5.0) | mod_whosonline (2.5.0) | Magic Zoom Plus module for Joo (v4.4.57 [v1.2) | K2 User (2.6.9) | JSN ImageShow (4.7.0) | K2 Content (2.6.9) | mod_search (2.5.0) | mod_articles_categories (2.5.0) | mod_banners (2.5.0) | K2 Tools (2.6.9) | mod_feed (2.5.0) | mod_languages (2.5.0) | mod_virtuemart_search (2.0.20b) | VirtueMart Shopping Cart (2.0.20b) | Full Slider (1.0) | System (1.0.0) |
Modules :: ADMIN :: JSN ImageShow Quick Icons (4.7.0) | mod_submenu (2.5.0) | mod_toolbar (2.5.0) | mod_menu (2.5.0) | mod_logged (2.5.0) | mod_multilangstatus (2.5.0) | mod_popular (2.5.0) | mod_latest (2.5.0) | mod_custom (2.5.0) | mod_status (2.5.0) | mod_login (2.5.0) | K2 Stats (admin) (2.6.9) | mod_quickicon (2.5.0) | mod_feed (2.5.0) | K2 Quick Icons (admin) (2.6.9) | mod_title (2.5.0) | mod_version (2.5.0) |

Plugins :: SITE :: plg_extension_joomla (2.5.0) | plg_search_contacts (2.5.0) | plg_search_weblinks (2.5.0) | Search - K2 (2.6.9) | plg_search_virtuemart (2.0.20b) | plg_search_content (2.5.0) | plg_search_categories (2.5.0) | plg_search_newsfeeds (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_article (2.5.0) | Button - ImageShow (4.7.0) | plg_editors-xtd_readmore (2.5.0) | plg_user_contactcreator (2.5.0) | plg_user_joomla (2.5.0) | plg_user_profile (2.5.0) | User - K2 (2.6.9) | User - SpambotCheck (1.1.12) | plg_authentication_ldap (2.5.0) | plg_authentication_joomla (2.5.0) | plg_authentication_gmail (2.5.0) | plg_editors_codemirror (1.0) | Editor - JCE (2.3.1) | plg_editors_tinymce (3.5.4.1) | Xmap - WebLinks Plugin (2.0.1) | Xmap - Virtuemart Plugin (2.0.1) | Xmap - Content Plugin (2.0.4) | VM - Calculation Avalara Tax (2.0.18b) | AcyMailing : trigger Joomla Co (3.7.0) | AcyMailing Tag : Insert a Modu (3.7.0) | AcyMailing Tag : Website links (3.7.0) | AcyMailing : Handle Click trac (3.7.0) | AcyMailing Manage text (1.0.0) | AcyMailing Tag : Joomla User I (3.7.0) | AcyMailing : Statistics Plugin (3.7.0) | AcyMailing Tag : Date / Time (3.7.0) | AcyMailing : share on social n (1.0.0) | AcyMailing Tag : CB User infor (3.7.0) | AcyMailing Tag : content inser (3.7.0) | AcyMailing Tag : Subscriber in (3.7.0) | AcyMailing Tag : VirtueMart in (1.2.1) | AcyMailing table of contents g (1.0.0) | AcyMailing Template Class Repl (3.7.0) | AcyMailing Tag : Manage the Su (3.7.0) | plg_quickicon_extensionupdate (2.5.0) | plg_quickicon_jcefilebrowser (2.5.0) | plg_quickicon_joomlaupdate (2.5.0) | Josetta - K2 Items (2.6.9) | Josetta - K2 Categories (2.6.9) | VMPAYMENT_STANDARD (2.0.20b) | Vm Payment plugin Moneybookers (2.0.6) | Vm Payment plugin Moneybookers (2.0.6) | Vm Payment plugin Moneybookers (2.0.6) | Vm Payment plugin Moneybookers (2.0.6) | VM Payment - authorize.net AIM (2.0.20b) | Vm Payment plugin Moneybookers (2.0.6) | 
Vm Payment plugin Moneybookers (2.0.6) | VM - Payment, Systempay (2.0.8c) | Vm Payment plugin Moneybookers (2.0.6) | Vm Payment plugin Moneybookers (2.0.6) | VMPAYMENT_HEIDELPAY (12.09) | VM - Payment, Klarna (2.0.20b) | VMPAYMENT_MONEYBOOKERS (2.0.6) | VMPAYMENT_PAYPAL (2.0.20b) | VM - Payment, PayZen (2.0.8c) | AcyMailing : (auto)Subscribe d (3.7.0) | plg_system_remember (2.5.0) | plg_system_sef (2.5.0) | Google Maps (2.18) | plg_system_log (2.5.0) | System - JCE MediaBox (1.1.6) | plg_system_debug (2.5.0) | plg_system_languagefilter (2.5.0) | System - JSN ImageShow (4.7.0) | plg_system_redirect (2.5.0) | plg_system_languagecode (2.5.0) | System - K2 (2.6.9) | plg_system_logout (2.5.0) | plg_system_jsnframework (1.2.13) | plg_system_cache (2.5.0) | plg_system_highlight (2.5.0) | plg_system_p3p (2.5.0) | PLG_WEBFONTS (2.0.2) | System - Google Analytics Free (4.1) | System - iJSEO (3.0.0) | iJoomla News (1.0.0) | iJoomlaUpgradeAlert (1.0) | Webmaster Site Verification (1.0) | plg_system_titlemanager (3.0) | System - jQuery Easy (1.5.6) | VMSHIPMENT_WEIGHT_COUNTRIES (2.0.20b) | plg_captcha_recaptcha (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_weblinks (2.5.0) | plg_finder_k2 (2.6.9) | plg_finder_content (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_newsfeeds (2.5.0) | Source Picasa (1.1.4) | Theme Classic (1.2.3) | Source Instagram (1.0.0) | Source Joomgallery (1.0.2) | Theme Carousel (1.0.6) | Theme Flow (1.0.4) | Theme Grid (1.0.9) | Theme Slider (1.1.5) | Theme Strip (1.0.5) | plg_content_loadmodule (2.5.0) | plg_content_pagebreak (2.5.0) | plg_content_geshi (2.5.0) | plg_content_pagenavigation (2.5.0) | plg_content_joomla (2.5.0) | Content - JSN ImageShow (4.7.0) | plg_content_emailcloak (2.5.0) | chronoforms (V4 RC3.0) | plg_content_finder (2.5.0) | plg_content_vote (2.5.0) | ijseo_plugin (3.0.0) |
Templates Discovered ::
Templates :: SITE :: atomic (2.5.0) | Just Chair (2.5.0) |
Templates :: ADMIN :: hathor (2.5.0) | bluestork (2.5.0) |
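As an added example (not part of the original post), a Python parser for the `exim -Mvh` spool header shown above that pulls out the injecting account, envelope sender, recipients and headers, and lists the indicators that point to a PHP script on the site rather than a mail client or a remote SMTP session; the sample is a constructed copy of the dump with example.* placeholders for the real addresses.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the `exim -Mvh` dump above; addresses and
# hostnames are example.* placeholders. As in the real spool file, folded
# header lines are indented with a tab.
SAMPLE_SPOOL_HEADER = """\
1YciEX-0005w7-37-H
justcha 512 32002
<lucas_wagner@example.com>
1427754757 0
-received_protocol local
-auth_id justcha
-auth_sender justcha@server.example.com
-local
-sender_set_untrusted
XX
1
recipient@example.net

197P Received: from justcha by server.example.com with local (Exim 4.82)
\t(envelope-from <lucas_wagner@example.com>)
\tfor recipient@example.net; Mon, 30 Mar 2015 18:32:37 -0400
030T To: recipient@example.net
048F From: Lucas Wagner <lucas_wagner@example.com>
068  X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
"""

# "NNN[flag] Name: value": 3-digit length, optional flag letter, then the header.
HEADER_LINE = re.compile(r"^(\d{3})([A-Z*]?)\s+(\S.*)$")


@dataclass
class SpoolMessage:
    message_id: str
    login: str                 # local account whose process injected the mail
    envelope_sender: str
    flags: dict = field(default_factory=dict)
    recipients: list = field(default_factory=list)
    headers: list = field(default_factory=list)   # (lower-case name, value)

    def header(self, name):
        return next((v for n, v in self.headers if n == name.lower()), None)


def parse_spool_header(text):
    """Parse a -H spool file (what `exim -Mvh` prints) into a SpoolMessage."""
    lines = text.splitlines()
    msg = SpoolMessage(message_id=lines[0][:-2],          # drop the "-H" suffix
                       login=lines[1].split()[0],
                       envelope_sender=lines[2].strip().strip("<>"))
    i = 4                                                 # line 3 is "time warnings"
    while lines[i].startswith("-"):                       # "-option [value]" lines
        key, _, value = lines[i][1:].partition(" ")
        msg.flags[key] = value or True
        i += 1
    i += 1                                                # non-recipients tree ("XX")
    count = int(lines[i])
    msg.recipients = lines[i + 1:i + 1 + count]
    for line in lines[i + 1 + count:]:                    # blank line, then headers
        if line[:1] in (" ", "\t") and msg.headers:       # folded continuation line
            name, value = msg.headers[-1]
            msg.headers[-1] = (name, value + " " + line.strip())
            continue
        m = HEADER_LINE.match(line)
        if m:
            name, _, value = m.group(3).partition(":")
            msg.headers.append((name.strip().lower(), value.strip()))
    return msg


def web_origin_indicators(msg):
    """Reasons to attribute the mail to a PHP script running as the site account."""
    reasons = []
    if msg.flags.get("received_protocol") == "local":
        reasons.append("received via the local sendmail pipe, not an SMTP session")
    if "sender_set_untrusted" in msg.flags:
        reasons.append("envelope sender was set by the untrusted local caller")
    auth = str(msg.flags.get("auth_sender", ""))
    if auth.split("@")[0] == msg.login and msg.envelope_sender != auth:
        reasons.append("sender %s is not the injecting account %s"
                       % (msg.envelope_sender, msg.login))
    if "phpmailer" in (msg.header("X-Mailer") or "").lower():
        reasons.append("X-Mailer is PHPMailer, the library Joomla ships in libraries/phpmailer")
    return reasons
```

When every indicator fires, as it does for this message, the search for the sender belongs in the docroot of the `login` account, not in the mail server.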


Re: Compromised CMS and Outbound Spam

Postby dhuelsmann » Fri Apr 03, 2015 5:49 pm

There are probably a lot more problems than the simply obvious:

1. Most recent version of the 2.5.x series is 2.5.28 and you are running 2.5.11, or 17 versions behind.
2. All of your folders are 777. 777 (and its ugly cousin 666) allow Read and Write permissions (and in the event of 777, execute) to Other. For Other you give any user the ability to edit and manipulate those files and folders. Typically, as you can imagine, this is bad for security. Use 644 permissions for files and 755 permissions for folders...
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org
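An added example, not from the post or the Joomla project, that audits a docroot for the 777/666 entries described above and resets them to 755/644; it builds a constructed miniature of the first post's tree in a temporary directory (the layout and file names are assumptions), skips symlinks so nothing outside the docroot is touched, and leaves anything that is not world-writable alone.

```python
import os
import shutil
import stat
import tempfile

DIR_MODE, FILE_MODE = 0o755, 0o644   # the values recommended above


def world_writable_entries(root):
    """Yield (relative path, mode bits, is_dir) for every entry under root that
    grants write access to 'other'. Symlinks are skipped, never followed, so a
    link pointing outside the docroot cannot make the fixer chmod its target."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                yield (os.path.relpath(full, root), stat.S_IMODE(st.st_mode),
                       stat.S_ISDIR(st.st_mode))


def audit(root, fix=False):
    """Return sorted (path, octal mode) findings; with fix=True also reset each
    one to 755 (directory) or 644 (file). Anything not world-writable, such as
    a configuration.php already locked to 444, is left alone."""
    findings = []
    for rel, mode, is_dir in world_writable_entries(root):
        findings.append((rel, "%o" % mode))
        if fix:
            os.chmod(os.path.join(root, rel), DIR_MODE if is_dir else FILE_MODE)
    return sorted(findings)


def mode_of(root, rel):
    return "%o" % stat.S_IMODE(os.lstat(os.path.join(root, rel)).st_mode)


def build_demo_tree():
    """Constructed miniature of the first post's docroot (assumed layout): core
    folders at 777 and a stray sql.php under images/ at 666. Returns the path
    of a temporary directory the caller must remove."""
    root = tempfile.mkdtemp(prefix="public_html_")
    for rel in ("images/jsn_is_thumbs/images/Metal", "components"):
        os.makedirs(os.path.join(root, rel))
    files = {"configuration.php": 0o444, "index.php": 0o644,
             "images/jsn_is_thumbs/images/Metal/sql.php": 0o666}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php\n")                 # content is irrelevant to the audit
        os.chmod(path, mode)
    for dirpath, dirnames, _ in os.walk(root):   # mirror the "(777)" FPA report
        for name in dirnames:
            os.chmod(os.path.join(dirpath, name), 0o777)
    return root


def demo():
    """Build the tree, audit and fix it, and report what changed."""
    root = build_demo_tree()
    try:
        before = audit(root, fix=True)
        return {"before": before,
                "after": audit(root),
                "fixed": {rel: mode_of(root, rel) for rel, _ in before},
                "configuration.php": mode_of(root, "configuration.php")}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```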


Re: Compromised CMS and Outbound Spam

Postby mjguo » Fri Apr 03, 2015 8:30 pm

Thank you dhuelsmann.
I just did the update and fixed the permissions problem. Is there anything else I can do?


Re: Compromised CMS and Outbound Spam

Postby root64 » Fri Apr 03, 2015 8:32 pm

Hello,

Please also make sure that you are not using any Nulled plugin for your web site.

Good post by Leo
viewtopic.php?f=714&t=784055


Re: Compromised CMS and Outbound Spam

Postby dhuelsmann » Fri Apr 03, 2015 9:17 pm

mjguo wrote:Thank you dhuelsmann.
I just did the update and fixed the permissions problem. Is there anything else I can do?

Yes, follow ALL of these steps: http://forum.joomla.org/viewtopic.php?f=621&t=582854
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org


Re: Compromised CMS and Outbound Spam

Postby mjguo » Mon Apr 06, 2015 2:44 pm

How to check if the website plug-in is nulled or not nulled?


Re: Compromised CMS and Outbound Spam

Postby Valery » Fri May 20, 2016 2:19 pm

mjguo, REMOVE the acymailing component and any other software from ACYBA!
In February 2016, the antivirus (NOD32) issued an alert on the auto-update of the acymailing component - it detected "Trojan" content. Now, in May, the hosting where I administer the site was forced to block the mail service because of spam - the site was compromised. I had to reinstall the entire CMS, carry out log analysis and more.
Moreover, a compromise of the component was reported previously - in 2012, "virus in backend" - http://www.acyba.com/forum/2-acymailing ... ckend.html

Alert from ESET NOD32 (quarantine mode):

"29.02.16 http://www.acyba.com/component/updateme ... wnload.zip
- JS/ScrInject.B - trojan program"


Re: Compromised CMS and Outbound Spam

Postby mandville » Fri May 20, 2016 6:38 pm

Valery wrote:mjguo, REMOVE the acymailing component and any other software from ACYBA!
In February 2016, the antivirus (NOD32) issued an alert on the auto-update of the acymailing component -
if you are concerned over an extension please refer to vel.joomla.org

please provide proof of your allegations, e.g. a link to the antivirus alert post. Linking to a 4-year-old post doesn't really contribute when you are posting to a year-old topic.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}


Re: Compromised CMS and Outbound Spam

Postby Valery » Fri May 20, 2016 7:43 pm

mandville wrote:
Valery wrote:mjguo, REMOVE the acymailing component and any other software from ACYBA!
In February 2016, the antivirus (NOD32) issued an alert on the auto-update of the acymailing component -
if you are concerned over an extension please refer to vel.joomla.org

please provide proof of your allegations, e.g. a link to the antivirus alert post. Linking to a 4-year-old post doesn't really contribute when you are posting to a year-old topic.

OK, here is another link - the screenshot.
What do you say to that?

http://postimg.org/image/4896ra2o1/


Re: Compromised CMS and Outbound Spam

Postby mandville » Sat May 21, 2016 1:46 am

Valery wrote:OK, here is another link - the screenshot.
What do you say to that?

http://postimg.org/image/4896ra2o1/

its in russian, non speific , if you are concerned over an extension please refer to vel.joomla.org

Scan Execution Time: 17.699
File Size: 1,983,472 bytes

FILE IS CLEAN!
Clamav

----------- SCAN SUMMARY -----------
Infected files: 0
Total errors: 1
Time: 0.000 sec (0 m 0 s)


FILE IS CLEAN!
F-Prot
Results:
Files: 1
Objects scanned: 920
Infected objects: 0
Files with errors: 0
Running time: 00:01


FILE IS CLEAN!
AntiVir

------ scan results ------
file:
scanned files: 844
alerts: 0
suspicious: 0
scan time: 00:00:01


FILE IS CLEAN!
AVG
Scanned: 844 files
Infections: 0
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}


Re: Compromised CMS and Outbound Spam

Postby Valery » Sat May 21, 2016 6:10 am

mandville wrote:
Valery wrote:OK, here is another link - the screenshot.
What do you say to that?

http://postimg.org/image/4896ra2o1/

its in russian, non speific , if you are concerned over an extension please refer to vel.joomla.org

File is clean? Really?!
I have specified the date several times - February 19. What file did you scan? :)

And how many administrators of websites with acymailing installed carried out auto-updating (in February) - how many websites were compromised by that moment?

I have pointed out the fact that at least once, a trojan was distributed from the website acyba.com instead of the component.
The mechanism is more than simple - SOMETIMES, at the time of release of a new version of a component, the code is modified - and the trojan spreads. After that the trojan is replaced with legitimate code.
What idiot would constantly post hacker software known to antiviruses on the website?
Do you understand how anti-virus scanners work? Two or three days - and the website ends up anti-virus blocked and everyone learns about it.
And this situation is extremely dangerous: instead of laboriously cracking websites on the Internet, it is enough to replace a popular component with a compromised one for a short time - and that's it, a huge profit - thousands and hundreds of thousands of servers will be at your disposal.

And one more thing... NOT always can an antivirus detect an infection; in my case only 4 of the 67 online scanners classified my website as a "malware site". And the spam existed. Any antivirus can detect only code that is known to it (a signature).
The code of mail services is the most difficult for antiviruses - heuristic analysis is inapplicable in this case (and in general, heuristics in antiviruses is more advertising than concrete result). An elementary example - I can take any virus known to antiviruses and just process it with a packer - and practically no antivirus detects it, until this "just packed virus" is processed in an anti-virus laboratory, its new signature is revealed, and so forth...
And yes, I have kept a full dump of my compromised website - the antivirus didn't reveal the "infected" files in it, for the reason described above. FOR antiviruses everything there is fine - and you need only watch how your business is turned off.

P.S.
I ask you to excuse my English - I consider it important for administrators to know about the developing situation - this new vector of attacks - it is not the websites that are cracked, not the CMS Joomla, BUT components are cracked and then they spread in the regular way - through auto-updating. There is no protection against it; all of us are vulnerable to it.

P.P.S.
"its in russian, non speific" - probably, "non speCific"?
In that case - may I ask a question?
Do you really consider that there is a difference in the work of an antivirus for the English and Russian languages, and that this difference is specific??


Re: Compromised CMS and Outbound Spam

Postby mandville » Sat May 21, 2016 11:16 am

What is the actual file that is vulnerable? Did you inform the developer?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
