Malware attack by suspect.globals.eval ; suspect.crypted.globals & php.base64.v23au.185

Discussion regarding Joomla! 2.5 security issues.

vortx
Joomla! Apprentice
Posts: 5
Joined: Wed Aug 10, 2011 8:01 am

Malware attack by suspect.globals.eval ; suspect.crypted.globals & php.base64.v23au.185

Post by vortx » Sun Aug 28, 2016 2:06 am

Have been trying to locate the source of this attack/hack. Have deleted the infected files a few times using ISPProtect to locate them. They keep coming back though. Any hints on where to look will be greatly appreciated. Below is the result of the FPA.

Thanks in advance
Problem Description :: Forum Post Assistant (v1.2.7) : 28th August 2016 wrote:
Hacked - suspect.globals.eval ; suspect.crypted.globals & php.base64.v23au.185

Log/Error Message :: Forum Post Assistant (v1.2.7) : 28th August 2016 wrote:
email spam

Log/Error Message :: Forum Post Assistant (v1.2.7) : 28th August 2016 wrote:
27 Aug 2016

Actions Taken To Resolve by Forum Post Assistant (v1.2.7) 28th August 2016 wrote:
Used ISPScan to locate and delete. They keep coming back and I want to find the source.

Forum Post Assistant (v1.2.7) : 28th August 2016 wrote:
Basic Environment :: wrote:
Joomla! Instance :: Joomla! 2.5.28-Stable (Ember) 10-December-2014
Joomla! Platform :: Joomla Platform 11.4.0-Stable (Brian Kernighan) 03-Jan-2012
Joomla! Configured :: Yes | Read-Only (444) | Owner: www-data (uid: 1/gid: 1) | Group: webuser (gid: 1) | Valid For: 1.5
Configuration Options :: Offline: 0 | SEF: 1 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: Yes | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: N/A | Unicode Slugs: N/A | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 3.13.0-34-generic | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /var/www/html/vortex.com.au | System TMP Writable: Yes

PHP Configuration :: Version: 5.5.9-1ubuntu4.19 | PHP API: apache2handler | Session Path Writable: Yes | Display Errors: | Error Reporting: 22527 | Log Errors To: syslog | Last Known Error: | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 20M | Max. POST Size: 20M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 256M

MySQL Configuration :: Version: 5.5.50-0ubuntu0.14.04.1 (Client:5.5.50) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 2.95 MiB | #of Tables:  82
Detailed Environment :: wrote:
PHP Extensions :: Core (5.5.9-1ubuntu4.19) | date (5.5.9-1ubuntu4.19) | ereg () | libxml () | openssl () | pcre () | zlib (2.0) | bcmath () | bz2 () | calendar () | ctype () | dba () | dom (20031129) | hash (1.0) | fileinfo (1.0.5-dev) | filter (0.11.0) | ftp () | gettext () | SPL (0.2) | iconv () | mbstring () | session () | posix () | Reflection ($Id: 31d836a7ac92a37b5c580836d91ad4736fe2f376 $) | standard (5.5.9-1ubuntu4.19) | shmop () | SimpleXML (0.1) | soap () | sockets () | Phar (2.0.2) | exif (1.4 $Id$) | sysvmsg () | sysvsem () | sysvshm () | tokenizer (0.1) | wddx () | xml () | xmlreader (0.1) | xmlwriter (0.1) | zip (1.11.0) | apache2handler () | PDO (1.0.4dev) | apcu (4.0.2) | curl () | gd () | imap () | intl (1.1.0) | json (1.3.2) | mcrypt () | mysql (1.0) | mysqli (0.1) | pdo_mysql (1.0.2) | readline (5.5.9-1ubuntu4.19) | ssh2 (0.12) | xmlrpc (0.51) | mhash () | apc (4.0.2) | Zend OPcache (7.0.3FE) | Zend Engine (2.5.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: No | Server SU: No | PHP SU: No | Custom SU (LiteSpeed/Cloud/Grid): No
Potential Ownership Issues: Maybe

Apache Modules :: core | mod_so | mod_watchdog | http_core | mod_log_config | mod_logio | mod_version | mod_unixd | mod_access_compat | mod_alias | mod_auth_basic | mod_auth_mysql | mod_authn_core | mod_authn_dbd | mod_authn_file | mod_authz_core | mod_authz_host | mod_authz_user | mod_autoindex | mod_cgi | mod_dbd | mod_deflate | mod_dir | mod_env | mod_filter | mod_mime | prefork | mod_negotiation | mod_php5 | mod_rewrite | mod_setenvif | mod_socache_shmcb | mod_ssl | mod_status | Apache |
Potential Missing Modules :: mod_expires | mod_security | mod_evasive | mod_dosevasive | mod_qos | mod_userdir |
Folder Permissions :: wrote:
Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:
Components :: SITE :: com_mailto (2.5.0) | WF_MEDIAPLAYER_JCEPLAYER_TITLE (2.5.8) | WF_LINK_SEARCH_TITLE (2.5.8) | WF_POPUPS_JCEMEDIABOX_TITLE (2.5.8) | WF_POPUPS_WINDOW_TITLE (2.5.8) | WF_LINKS_JOOMLALINKS_TITLE (2.5.8) | WF_AGGREGATOR_VIMEO_TITLE (2.5.8) | WF_AGGREGATOR_[youtube]_TITLE (2.5.8) | WF_AGGREGATOR_VINE_TITLE (2.5.8) | WF_AGGREGATOR_DAILYMOTION_TITL (2.5.8) | WF_FILESYSTEM_JOOMLA_TITLE (2.5.8) | WF_PREVIEW_TITLE (2.5.8) | WF_XHTMLXTRAS_TITLE (2.5.8) | WF_IMGMANAGER_TITLE (2.5.8) | WF_DIRECTIONALITY_TITLE (2.5.8) | WF_ARTICLE_TITLE (2.5.8) | WF_FULLSCREEN_TITLE (2.5.8) | WF_STYLESELECT_TITLE (2.5.8) | WF_CHARMAP_TITLE (2.5.8) | WF_VISUALBLOCKS_TITLE (2.5.8) | WF_STYLE_TITLE (2.5.8) | WF_FONTSIZESELECT_TITLE (2.5.8) | WF_MEDIA_TITLE (2.5.8) | WF_NONBREAKING_TITLE (2.5.8) | WF_CONTEXTMENU_TITLE (2.5.8) | WF_CLIPBOARD_TITLE (2.5.8) | WF_CLEANUP_TITLE (2.5.8) | WF_FONTCOLOR_TITLE (2.5.8) | WF_VISUALCHARS_TITLE (2.5.8) | WF_KITCHENSINK_TITLE (2.5.8) | WF_PRINT_TITLE (2.5.8) | WF_BROWSER_TITLE (2.5.8) | WF_LISTS_TITLE (2.5.8) | WF_SOURCE_TITLE (2.5.8) | WF_FONTSELECT_TITLE (2.5.8) | WF_LAYER_TITLE (2.5.8) | WF_FORMATSELECT_TITLE (2.5.8) | WF_AUTOSAVE_TITLE (2.5.8) | WF_TEXTCASE_TITLE (2.5.8) | WF_SPELLCHECKER_TITLE (2.5.8) | WF_LINK_TITLE (2.5.8) | WF_ANCHOR_TITLE (2.5.8) | WF_SEARCHREPLACE_TITLE (2.5.8) | WF_TABLE_TITLE (2.5.8) | WF_INLINEPOPUPS_TITLE (2.5.8) | com_wrapper (2.5.0) |
Components :: ADMIN :: com_messages (2.5.0) | com_newsfeeds (2.5.0) | com_menus (2.5.0) | com_languages (2.5.0) | com_admin (2.5.0) | com_content (2.5.0) | com_checkin (2.5.0) | com_login (2.5.0) | com_joomlaupdate (2.5.0) | com_templates (2.5.0) | com_plugins (2.5.0) | com_categories (2.5.0) | com_redirect (2.5.0) | com_media (2.5.0) | com_banners (2.5.0) | com_cache (2.5.0) | com_cpanel (2.5.0) | com_finder (2.5.0) | com_modules (2.5.0) | com_installer (2.5.0) | JCE (2.5.8) | Unknown (-) | com_config (2.5.0) | com_users (2.5.0) | COM_FOXCONTACT (2.5.26) | com_search (2.5.0) |

Modules :: SITE :: DJ-Image Slider (1.3 RC4) | mod_custom (2.5.0) | mod_banners (2.5.0) | MOD_FOXCONTACT (2.5.26) | mod_syndicate (2.5.0) | mod_articles_category (2.5.0) | mod_languages (2.5.0) | mod_search (2.5.0) | mod_breadcrumbs (2.5.0) | mod_users_latest (2.5.0) | mod_menu (2.5.0) | mod_stats (2.5.0) | mod_articles_news (2.5.0) | mod_feed (2.5.0) | J - Google AdSense (3.3) | mod_articles_latest (2.5.0) | mod_articles_popular (2.5.0) | mod_finder (2.5.0) | mod_articles_categories (2.5.0) | mod_related_items (2.5.0) | mod_whosonline (2.5.0) | mod_random_image (2.5.0) | mod_articles_archive (2.5.0) | mod_wrapper (2.5.0) | mod_login (2.5.0) | mod_footer (2.5.0) |
Modules :: ADMIN :: mod_custom (2.5.0) | mod_latest (2.5.0) | mod_toolbar (2.5.0) | mod_popular (2.5.0) | mod_menu (2.5.0) | mod_logged (2.5.0) | mod_online (1.6.0) | mod_feed (2.5.0) | mod_status (2.5.0) | mod_version (2.5.0) | mod_unread (1.6.0) | mod_multilangstatus (2.5.0) | mod_title (2.5.0) | mod_submenu (2.5.0) | mod_quickicon (2.5.0) | mod_login (2.5.0) |

Plugins :: SITE :: plg_user_contactcreator (2.5.0) | plg_user_joomla (2.5.0) | plg_user_profile (2.5.0) | plg_authentication_gmail (2.5.0) | plg_authentication_ldap (2.5.0) | plg_authentication_joomla (2.5.0) | plg_editors-xtd_article (2.5.0) | plg_editors-xtd_image (2.5.0) | plg_editors-xtd_pagebreak (2.5.0) | plg_editors-xtd_readmore (2.5.0) | plg_editors_jce (2.5.8) | plg_editors_codemirror (1.0) | plg_editors_tinymce (3.5.11) | plg_search_newsfeeds (2.5.0) | plg_search_contacts (2.5.0) | plg_search_categories (2.5.0) | plg_search_content (2.5.0) | plg_finder_newsfeeds (2.5.0) | plg_finder_contacts (2.5.0) | plg_finder_categories (2.5.0) | plg_finder_content (2.5.0) | plg_system_redirect (2.5.0) | plg_system_jce (2.5.8) | plg_system_languagefilter (2.5.0) | plg_system_logout (2.5.0) | plg_system_cache (2.5.0) | PLG_SYS_ADMINEXILE (1.4) | plg_system_highlight (2.5.0) | plg_system_log (2.5.0) | plg_system_languagecode (2.5.0) | System - Admin Forever (0.9.2) | plg_system_sef (2.5.0) | plg_system_remember (2.5.0) | plg_system_debug (2.5.0) | plg_system_p3p (2.5.0) | PLG_EOSNOTIFY (2.5.0) | plg_quickicon_jcefilebrowser (2.5.8) | plg_quickicon_joomlaupdate (2.5.0) | plg_quickicon_extensionupdate (2.5.0) | plg_extension_joomla (2.5.0) | plg_captcha_recaptcha (2.5.0) | plg_content_vote (2.5.0) | plg_content_geshi (2.5.0) | plg_content_foxcontact (2.5.26) | plg_content_pagenavigation (2.5.0) | plg_content_joomla (2.5.0) | plg_content_finder (2.5.0) | Content - SocialShareButtons (1.3.0) | plg_content_pagebreak (2.5.0) | plg_content_loadmodule (2.5.0) | Content - J - Google AdSense (3.3) | PLG_CONTENT_EXTRAVOTE (1.6.0) | plg_content_emailcloak (2.5.0) |
Templates Discovered :: wrote:
Templates :: SITE :: Vortex_5 (1.0) |
Templates :: ADMIN :: bluestork (2.5.0) | hathor (2.5.0) |
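A defender-side triage script for the question above (where to look when deleted files keep coming back), added here as an example and not part of this thread, of ISPProtect or of the Forum Post Assistant. It walks a web root, flags PHP files that carry the two indicator classes the scanner names (eval over $GLOBALS, base64-packed eval) plus a few related obfuscation markers, and separately lists recently modified files, which is where a re-dropped backdoor usually shows up first. The indicator labels, the sample web root and its directory layout are constructed for this example and are not ISPProtect signature names.

```python
"""Triage scan of a PHP web root: content indicators plus recent-change listing.
Added example; labels and sample files are constructed, not ISPProtect signatures."""
import base64
import os
import re
import tempfile
import time
from typing import Dict, List, Tuple

# Label -> regex. Labels are this example's own naming, not ISPProtect's.
INDICATORS = {
    "eval_globals": re.compile(r"eval\s*\(\s*\$GLOBALS\s*\["),
    "eval_base64": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\("),
    "eval_request": re.compile(r"(?:eval|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\s*\["),
    "preg_replace_e": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e['\"]"),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}
PHP_EXTS = (".php", ".phtml", ".php5", ".inc")


def scan_file(path: str) -> List[str]:
    """Return the indicator labels whose regex matches the file's contents."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []
    return [label for label, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Map web-root-relative path -> matched labels, for PHP-like files only."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(PHP_EXTS):
                path = os.path.join(dirpath, fname)
                labels = scan_file(path)
                if labels:
                    hits[os.path.relpath(path, root).replace(os.sep, "/")] = labels
    return hits


def recently_modified(root: str, days: int = 14) -> List[str]:
    """Files of any extension whose mtime falls within the last `days` days.
    mtime can be forged by an intruder, so this complements the content scan
    rather than replacing it."""
    cutoff = time.time() - days * 86400
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if os.stat(path).st_mtime >= cutoff:
                out.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(out)


def build_sample_tree(root: str) -> None:
    """Constructed sample web root: one legitimate 90-day-old file and two
    freshly dropped files carrying the indicator patterns (harmless stubs)."""
    def write(rel: str, content: str, age_days: int = 0) -> None:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        if age_days:  # back-date the file so it falls outside the recent window
            old = time.time() - age_days * 86400
            os.utime(path, (old, old))

    write("index.php", "<?php\ndefine('_JEXEC', 1);\necho 'site';\n", age_days=90)
    write("images/stories/cache.php", "<?php eval($GLOBALS['_cfg']);\n")
    packed = base64.b64encode(b'echo "sample";').decode()
    write("tmp/sess.php", "<?php eval(base64_decode('%s'));\n" % packed)


def run_demo(days: int = 14) -> Tuple[Dict[str, List[str]], List[str]]:
    """Build the sample tree in a temp dir, scan it, return (hits, recent)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    build_sample_tree(root)
    return scan_tree(root), recently_modified(root, days)


if __name__ == "__main__":
    hits, recent = run_demo()
    for rel, labels in sorted(hits.items()):
        print("%-28s %s" % (rel, ", ".join(labels)))
    print("changed in last 14 days:", ", ".join(recent))
```

Run it against a real web root by calling scan_tree and recently_modified on that path instead of run_demo; a hit in a directory that should hold no PHP at all (images/, tmp/, cache/, logs/ in a Joomla tree) is the strongest signal, and anything the content scan misses but the recent-change list shows deserves a manual look.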

dhuelsmann
Joomla! Master
Posts: 19659
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE

Re: Malware attack by suspect.globals.eval ; suspect.crypted.globals & php.base64.v23au.185

Post by dhuelsmann » Sun Aug 28, 2016 4:36 pm

Besides the fact that you have a completely outdated site - the 2.5.x versions reached end of life on December 31, 2014. You will likely never find all the back doors likely placed on your site from the original and subsequent hacks. I suggest you closely follow this tried and true method to cleanse your site and then upgrade to 3.6.2: http://forum.joomla.org/viewtopic.php?f=621&t=582854
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org

vortx
Joomla! Apprentice
Posts: 5
Joined: Wed Aug 10, 2011 8:01 am

Re: Malware attack by suspect.globals.eval ; suspect.crypted.globals & php.base64.v23au.185

Post by vortx » Sun Aug 28, 2016 9:27 pm

Thanks Dave, much appreciated. Using 2.5 because we have a legacy extension that was written for us and isn't compatible with the latest version. Will go with your suggestion and report back. Cheers, Greg

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Malware attack by suspect.globals.eval ; suspect.crypted.globals & php.base64.v23au.185

Post by leolam » Mon Aug 29, 2016 5:40 am

Well then you need to have this extension rewritten or upgraded to Joomla 3.x. There are enough coders or companies like mine who can do that for you, see http://resources.joomla.org/en/

You are limiting yourself to an old version and you get whacked because of that and will get whacked ongoing in the future. You will need to take the steps want it or not but you see here what it means for you so you have actually no choice since as soon as you have cleansed all it will return since something is vulnerable. You are obliged to your users and clients and towards your own (vortex) company. You only damage your ranking and as a Web Developer and SEO specialist you should know better. How can you justify to your clients that you are using completely outdated software and a free + infected template?

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

vortx
Joomla! Apprentice
Posts: 5
Joined: Wed Aug 10, 2011 8:01 am

Re: Malware attack by suspect.globals.eval ; suspect.crypted.globals & php.base64.v23au.185

Post by vortx » Mon Aug 29, 2016 6:10 am

Thanks for the feedback Leo, you are correct. However we need to get the site clean and operational, then we will get the extension updated. Already been in touch with the developer. As it turns out the malware was hidden in files from a server relocation and unfortunately not picked up at the time. A lot has been learned in the process and implemented since and the owner is aware of the issues that are being attended to.

Cheers, Greg

vortx
Joomla! Apprentice
Posts: 5
Joined: Wed Aug 10, 2011 8:01 am

[SOLVED] Re: Malware attack by suspect.globals.eval ; suspect.crypted.globals & php.base64.v23au.185

Post by vortx » Sat Sep 10, 2016 11:41 pm

Updating as promised. Have removed the back door (no issues for 2 weeks now) and hardened the server to resist future attempts. Also have rebuilt the website in question. Thanks for the assistance. I found using ISPProtect was a life saver for this task.

Oh, just one thing... Leo I was of the understanding this forum was a place to put forward problems with a hope of getting a solution. I don't believe it's a place to put somebody down and perhaps push them away from asking for help in future. You probably won't know the whole story anyway, so perhaps you can lay off the lecturing and criticism to focus on the poster's issue in your future posts???

Cheers, Greg

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Malware attack by suspect.globals.eval ; suspect.crypted.globals & php.base64.v23au.185

Post by leolam » Tue Sep 13, 2016 7:45 am

I know criticism is sometimes hard to digest. I simply told you the truth and you did listen, since you did rebuild the site as you mention. Job well done (note you mentioned earlier that I was right).

Cheers and good luck with your business!

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

vortx
Joomla! Apprentice
Posts: 5
Joined: Wed Aug 10, 2011 8:01 am

Re: Malware attack by suspect.globals.eval ; suspect.crypted.globals & php.base64.v23au.185

Post by vortx » Tue Sep 13, 2016 11:54 am

8)

